COMMAND

    talkd

SYSTEMS AFFECTED

    Systems running talkd

PROBLEM

    As part of the talk connection, talkd does a DNS lookup for the
    name of the host that the connection is being initiated from.
    Because there is insufficient bounds checking on the buffer where
    the hostname is stored, it is possible to overwrite the internal
    stack space of talkd.

    It is possible to force talkd to execute arbitrary commands by
    carefully manipulating the hostname information. As talkd runs
    with root privileges, this may allow intruders to remotely
    execute arbitrary commands with these privileges.

    This attack requires an intruder to be able to make a network
    connection to a vulnerable talkd program and provide corrupt DNS
    information to that host. Be aware that there are different
    versions of the talkd program. Depending on your system, the
    program may have any of the following names: talkd, otalkd,
    ntalkd.
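
    The missing bounds check described above, as an added example
    (not talkd's or any vendor's code): the unchecked copy of a
    resolver-supplied name next to a version that rejects over-long
    or malformed names before copying. The buffer size, the label
    limit and the function names are assumptions.

```c
/* Added example; not talkd or BIND source. HOST_BUF and function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define HOST_BUF 256            /* assumed size of the daemon's hostname buffer */
#define LABEL_MAX 63            /* DNS limit on one dot-separated label */

/* The flawed pattern: a resolver-supplied name copied with no length check.
 * Kept only for contrast; never called here. */
void copy_hostname_unchecked(char *dst, const char *name)
{
    strcpy(dst, name);          /* writes past dst when name is longer than the buffer */
}

/* Hardened form: returns 0 and fills dst, or -1 if the name does not fit
 * or contains anything other than letters, digits, '-' and '.'. */
int copy_hostname_checked(char *dst, size_t dstlen, const char *name)
{
    size_t i, n, label = 0;
    if (dst == NULL || dstlen == 0 || name == NULL)
        return -1;
    n = strlen(name);
    if (n == 0 || n >= dstlen)  /* leave room for the terminating NUL */
        return -1;
    for (i = 0; i < n; i++) {
        char c = name[i];
        if (c == '.') {
            if (label == 0)     /* leading dot or empty label */
                return -1;
            label = 0;
        } else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || c == '-') {
            if (++label > LABEL_MAX)
                return -1;
        } else {
            return -1;          /* control, shell or 8-bit characters */
        }
    }
    memcpy(dst, name, n + 1);   /* length already verified above */
    return 0;
}

int main(void)
{
    char buf[HOST_BUF];
    /* constructed sample input */
    int rc = copy_hostname_checked(buf, sizeof buf, "client.example.com");
    printf("client.example.com -> %s\n", rc == 0 ? "accepted" : "rejected");
    return rc == 0 ? 0 : 1;
}
```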

SOLUTION

    Sites that use BIND 4.9.4 Patch Level 1 or later are NOT
    vulnerable to the general class of hostname/ip-address-based
    buffer overflow attacks (including this specific problem).

    You should install a patch from your vendor or disable the talkd
    program(s) in /etc/inetd.conf.  After editing that file, restart
    inetd so the change takes effect.

    For SYSV:

        # ps -ef | grep inetd | grep -v grep
        # kill -HUP {inetd PID}

    For BSD:

        # ps -aux | grep inetd | grep -v grep
        # kill -HUP {inetd PID}

    The following patches are now available:

    Berkeley Software Design, Inc. (BSDI)

        ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-035

    FreeBSD, Inc.

        ftp://freebsd.org/pub/CERT/patches/SA-96:21
        or see talkd #2 description at this page.

    Hewlett-Packard Company

        PHNE_10042 for all platforms with HP-UX releases 10.0X/10.10
        PHNE_10043 for all platforms with HP-UX release 10.20

    IBM Corporation

        AIX 3.2:   APAR IX65474
        AIX 4.1:   APAR IX65472
        AIX 4.2:   APAR IX65473

    Linux

        ftp://ftp.uk.linux.org/pub/linux/Networking/base/NetKit-0.09.tar.gz

    SunOS

        OS version      Patch ID
        __________      ________
        SunOS 5.5.1     104692-01
        SunOS 5.5.1_x86 104693-01
        SunOS 5.5       104690-01
        SunOS 5.5_x86   104691-01
        SunOS 5.4       104701-01
        SunOS 5.4_x86   104702-01
        SunOS 5.3       104698-01
        SunOS 4.1.4     104998-01
        SunOS 4.1.3_U1  104997-01

    SGI

       OS Version     Vulnerable?     Patch #      Other Actions
       ----------     -----------     -------      -------------
       IRIX 3.x          yes          not avail    Note 1
       IRIX 4.x          yes          not avail    Note 1
       IRIX 5.0.x        yes          not avail    Note 1
       IRIX 5.1.x        yes          not avail    Note 1
       IRIX 5.2          yes          not avail    Note 1
       IRIX 5.3          yes          2132
       IRIX 6.0.x        yes          not avail    Note 1
       IRIX 6.1          yes          not avail    Note 1
       IRIX 6.2          yes          2133
       IRIX 6.3          yes          2133
       IRIX 6.4          yes          2133

       Note 1) upgrade operating system