BSD talkd Remote Format String Vulnerability

talkd is a client-server application shipped with many Unix variants that is used for user communication between hosts on a network. The version of talkd that ships with older Linux distributions and OpenBSD (possibly others) is vulnerable to a remotely exploitable format string vulnerability.

When a talk client connects to a talk server and requests communication with a user, talkd (the server program) checks whether the user is accepting messages. If so, it prints a message to the user's terminal telling them that "username@hostname" wants to chat with them. This is done with an fprintf() call that is passed client-supplied data as part of its format string.

The fprintf() call, in announce.c, uses the caller's username and the remote host as its format string argument. The caller's username is provided in the datagram sent by the client. An attacker can therefore modify a talk client so that it sends a username value containing malicious format specifiers, overwriting memory on the remote server process's stack.
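The defect class described above and its fix, as an added C example that is not the announce.c source. The field width, function names and message text are assumptions made for illustration; the sample caller name is constructed.

```c
#include <stdio.h>
#include <string.h>

#define CALLER_NAME_LEN 12   /* assumed width of the caller-name wire field */

/* Vulnerable pattern described above (comment only, never compiled):
 *     fprintf(tty, line);   <- line was built from the client's name and host
 * Hardened pattern: constant format string, untrusted bytes only as arguments. */

/* Returns 1 if a wire field contains '%', for logging suspicious requests. */
int has_format_char(const char *field, size_t len)
{
    for (size_t i = 0; i < len && field[i] != '\0'; i++)
        if (field[i] == '%')
            return 1;
    return 0;
}

/* Builds the announcement; returns its length, or -1 if it would not fit. */
int build_announcement(char *out, size_t outlen,
                       const char *name_field, size_t name_len, const char *host)
{
    char name[CALLER_NAME_LEN + 1];
    size_t n = 0;

    /* The field is fixed-width and may lack a terminating NUL. */
    while (n < name_len && n < CALLER_NAME_LEN && name_field[n] != '\0') {
        name[n] = name_field[n];
        n++;
    }
    name[n] = '\0';

    int len = snprintf(out, outlen, "talk requested by %s@%s", name, host);
    return (len < 0 || (size_t)len >= outlen) ? -1 : len;
}

int main(void)
{
    /* Constructed sample: a caller name made of conversion specifiers. */
    const char hostile[CALLER_NAME_LEN] = "%x%x%n";
    char line[128];

    if (build_announcement(line, sizeof line, hostile, sizeof hostile, "client.example") < 0)
        return 1;
    if (has_format_char(hostile, sizeof hostile))
        fputs("[flagged] ", stdout);
    fputs(line, stdout);   /* fputs never interprets '%' */
    fputc('\n', stdout);
    return 0;
}
```

With a constant format string the specifiers in the name are copied to the output as literal text. Compiling with `-Wformat -Wformat-security` makes GCC and Clang warn about the vulnerable pattern.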

It may be possible to execute arbitrary code remotely, leading to a root compromise.

talkd is enabled by default in OpenBSD. NetBSD may be vulnerable (unverified), though its talkd writes to the user's terminal in a slightly different way. FreeBSD may also be vulnerable to this attack.


 

Copyright 2010, SecurityFocus