J-Security Center

Title: BSD talkd Remote Format String Vulnerability

Severity: HIGH

Description:

talkd is a client-server application shipped with many Unix variants that is used for user-to-user communication between hosts on a network. The version of talkd that ships with older Linux distributions and OpenBSD (possibly others) is vulnerable to a remotely exploitable format string vulnerability.

When a talk client connects to a talk server and requests communication with a user, talkd (the server program) checks whether the user is accepting messages. If so, it prints a message to the user's terminal telling them that "username@hostname" wants to chat with them. This is done via an fprintf() call whose format string incorporates client-supplied data.

The fprintf() call, in announce.c, uses as its format string argument the caller's username and the remote host. The caller's username is provided in the datagram sent by the client. It is thus possible for an attacker to modify a talk client so that it sends a username value containing malicious format specifiers, and thereby overwrite memory on the remote server process's stack.

It may be possible to execute arbitrary code remotely, leading to a root compromise.

talkd is enabled by default in OpenBSD. NetBSD may be vulnerable (unverified), though its talkd writes to the user's terminal in a slightly different way. FreeBSD may also be vulnerable to this attack.
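The defect described above is the classic "user data passed as the format argument" pattern. The following C is an added illustration written for this advisory; it is not talkd's announce.c and does not reproduce its code. It shows the hardened shape of the announcement routine (client text is always a %s argument, never the format string) plus a defensive check that rejects caller names containing non-printable characters or '%'. The maximum name length of 12 and the sample inputs are constructed assumptions, not values taken from the talk protocol definition.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LINE_MAX_LEN 256
#define CALLER_MAX_LEN 12   /* assumed limit for this example, not talkd's constant */

/*
 * Vulnerable pattern (shown for contrast only; never executed here):
 *     fprintf(tf, line_buf);          -- attacker-controlled text becomes the format string
 * Hardened pattern used below:
 *     fprintf(tf, "%s", line_buf);    -- or fputs(line_buf, tf)
 */

/* Reject caller names that are empty, too long, contain non-printable bytes,
 * or contain '%'. A chat user name has no legitimate need for any of these.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int caller_name_ok(const char *name, size_t maxlen)
{
    size_t n = strnlen(name, maxlen + 1);
    if (n == 0 || n > maxlen)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isprint(c) || c == '%')
            return 0;
    }
    return 1;
}

/* Build the announcement line. Caller and host are data arguments, so any
 * conversion specifier they contain is copied verbatim, not interpreted.
 * Returns the line length, or -1 if it would not fit in the buffer. */
int render_announcement(char *out, size_t outlen, const char *caller, const char *host)
{
    int n = snprintf(out, outlen, "talk: connection requested by %s@%s.", caller, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Write the announcement to the user's terminal (any FILE * works).
 * Returns 0 on success, -1 if the name was rejected or the write failed. */
int announce(FILE *tf, const char *caller, const char *host)
{
    char line[LINE_MAX_LEN];

    if (!caller_name_ok(caller, CALLER_MAX_LEN))
        return -1;
    if (render_announcement(line, sizeof line, caller, host) < 0)
        return -1;
    /* The rendered line is an argument, never the format string. */
    if (fputs(line, tf) == EOF || fputc('\n', tf) == EOF)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one benign name, one carrying format specifiers. */
    const char *samples[] = { "alice", "%x%x%x%n" };
    const char *host = "host.example";   /* constructed host name */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (announce(stdout, samples[i], host) < 0)
            printf("rejected caller name: %s\n", samples[i]);
    }
    return 0;
}
```

Even with the validator removed, the rendering path stays safe because the only format strings in the program are compile-time literals; the check exists as defence in depth and as a cheap place to log and alert on malformed datagrams. Building with -Wformat-security (GCC/Clang) flags the vulnerable pattern at compile time.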

Affected Products:

  • Conectiva Linux 8.0.0
  • KDE KDE 1.1.0
  • KDE KDE 2.0.0
  • KDE KDE 3.0.0
  • KDE KDE 3.0.1
  • OpenBSD OpenBSD 2.3.0
  • OpenBSD OpenBSD 2.4.0
  • OpenBSD OpenBSD 2.5.0
  • OpenBSD OpenBSD 2.6.0
  • OpenBSD OpenBSD 2.7.0
  • RedHat Linux 5.0.0
  • RedHat Linux 5.1.0
  • RedHat Linux 5.2.0 alpha
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 5.2.0 sparc
  • SGI IRIX 6.5.0
  • SGI IRIX 6.5.1
  • SGI IRIX 6.5.2
  • SGI IRIX 6.5.3
  • SGI IRIX 6.5.4
  • SGI IRIX 6.5.5
  • SGI IRIX 6.5.6
  • SGI IRIX 6.5.7
  • SGI IRIX 6.5.8
  • SGI IRIX 6.5.9

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.