Bugtraq mailing list archives

route of #phrack is a funny man!


From: gobbles () hushmail com
Date: Tue, 21 May 2002 08:49:47 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note to Moderator:
Woops, GOBBLES drink too much boxed wine today...

here important advisory

ALERT!  ALERT!  Multiple vendor talkd vulnerability  ALERT!  ALERT!

Forward
*******

Certain #phrack op have big mouth and do stuff like /topic #phrack
www.bugtraq.org stuff hoping to get greet in advisory.

Shut up lamer.


GOBBLES Advance Warning System
******************************

fc is heavily ridiculed in next GOBBLES advisory.


GOBBLES Advance Warning System
******************************

Next advisory is in comic book format.


Vulnerable
**********
  KDE 1 - all platforms
  KDE 2 - all platforms
  KDE 3 - all platforms
  talkd in older linux netkits (like 0.9).
  Possibly many other talkd implementations based on drunk
  student's announce.cpp from 1983.


Problem
*******

A formatstring vulnerability exist in many talkd implementations.


Technical details
*****************

In print_mesg(), located in announce.cpp GOBBLES see this
piece of newbie code:


  void print_mesg(FILE * tf, NEW_CTL_MSG * request, const char *
                  remote_machine, int usercfg, int force_no_sound)
  {

  ..
          const char *remotename = gethostbyname(remotemach)->h_name;
  ..
          snprintf(buffer, N_CHARS, "%s@%s", request->l_name, remotename);
          snprintf(line_buf[i], N_CHARS, Options.announce2, buffer);
  ..
          if (!(strcmp(localname,remotename))) {
            snprintf(line_buf[i], N_CHARS, Options.announce3, request->l_name);
          } else {
            snprintf(line_buf[i], N_CHARS, Options.announce3, buffer);
          }
  ..
          bptr = big_buf;
          if (!force_no_sound) /* set if a X announce has been done */
              if (sound_or_beep(usercfg)) /* if no sound then : */
                  *bptr++ = '^G'; /* send something to wake them up */
          *bptr++ = '\r'; /* add a \r in case of raw mode */
          *bptr++ = '\n';
          for (i = 0; i < N_LINES; i++) {
                  /* copy the line into the big buffer */
                  lptr = line_buf[i];
                  while (*lptr != '\0')
                          *(bptr++) = *(lptr++);

  ..
          fprintf(tf, big_buf);

  ..


Unless reader haven't spotted offending code yet, it's the fprintf() line!

In top of file announce.cpp GOBBLES read:

   * Copyright (c) 1983 Regents of the University of California.
   * All rights reserved.

License go on to say crap about "no code based off this can be promoted
without the prior consent of the copyright holder. . ." and other junk, so
GOBBLES will not do promotion of exploit code for this vulnerability, just
will make fun of sloppy code.

The Origin of syslog() Bug
**************************

During extensive grep syslog stuff of code, GOBBLES search back and discover
some thing of historical importance concerning where original syslog() bug
come from, and here is what GOBBLES Security did discover.

The test code that comes with sysklogd-1.4.1 contains unformatted syslog()
calls.

syslog_tst.c:
...
        if (argc > 1)
        {
                if ( (*argv[1] == '-') && (*(argv[1]+1) == '\0') )
                {
                        while (!feof(stdin))
                                if ( fgets(bufr, sizeof(bufr), stdin) != (char *) 0 )
                                {
                                        if ( (nl = strrchr(bufr, '\n')) != (char *) 0)
                                                *nl = '\0';
                                        syslog(LOG_INFO, bufr);
                                        logged += strlen(bufr);
                                        if ( logged > 1024 )
                                        {
                                                sleep(1);
                                                logged = 0;
                                        }
                                }
                }
                else
                        while (argc-- > 1)
                                syslog(LOG_INFO, argv++[1]);
        }
...

Of course, Paul Vixie's ftpd from ftp.vix.com contains more format bugs
than scut's paper on the subject, but what do you expect from someone like
Vix?  Real point to all of this is to show that syslogd programmer try to
encourage poor use of syslog() not understanding ramification of problems
that evolve from that style people learned in later years and such.

On other note, check out ftp.vix.com/pub/vixie/ftpd.tar.gz if you need
something to laugh at...

Workaround
**********

1. Find and chmod -x all *talkd*-binaries until official patch is released.
2. sed 's/fprintf(tf, big_buf);/fprintf(tf, "%s", big_buf);/' announce.cpp
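The fprintf() line in print_mesg(), the syslog() calls in syslog_tst.c and the sed workaround above are all the same defect and the same fix: data that came off the network (or stdin) must be an argument to a constant format, never the format itself. The following is an added example written for this page, not code from talkd, sysklogd or the advisory. It sketches a simplified, hypothetical counterpart of print_mesg(): the configured announce template is validated before it is used as a format, the user@host string is passed as an argument, and the finished buffer is emitted with a constant "%s" format. It also includes a small check that counts conversion directives in untrusted data, the kind of check a reviewer can run over input that reaches any printf-family function. The names, N_CHARS, the template text and the sample name are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define N_CHARS 120   /* assumed line size, mirroring the talkd excerpt */

/* Count printf conversion directives in a string of untrusted data.
 * "%%" is the escape for a literal percent sign and does not count;
 * any other '%' begins a directive that a format function would act on.
 * A non-zero result for data that is about to be used as a format string
 * is the bug this advisory is about. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* literal percent, skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* A configured announcement template (Options.announce2/announce3 in
 * talkd) really is used as a format string, so it is only safe if it
 * contains exactly one "%s" and no other directive. Validate it before use. */
bool announce_template_ok(const char *tpl)
{
    int directives = 0;
    for (const char *p = tpl; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* literal percent */
            p++;
            continue;
        }
        if (p[1] != 's')
            return false;    /* anything other than %s is rejected */
        directives++;
    }
    return directives == 1;
}

/* Build the announcement the way print_mesg() does, but safely: the
 * validated template is the format, and the network-supplied user@host
 * string is an argument. Returns the number of bytes written, or -1 on a
 * bad template or a buffer that is too small. */
int build_announcement(char *big_buf, size_t big_len, const char *tpl,
                       const char *l_name, const char *remotename)
{
    char who[N_CHARS];
    char line[N_CHARS];

    if (!announce_template_ok(tpl))
        return -1;
    snprintf(who, sizeof who, "%s@%s", l_name, remotename);
    snprintf(line, sizeof line, tpl, who);   /* %s from a checked template */
    int n = snprintf(big_buf, big_len, "\r\n%s\r\n", line);
    if (n < 0 || (size_t)n >= big_len)
        return -1;
    return n;
}

/* Emit the finished buffer. This is the line the sed workaround rewrites:
 * big_buf now holds network data, so it is passed as an argument to a
 * constant format. Returns the byte count from fprintf(), or negative. */
int emit_announcement(FILE *tf, const char *big_buf)
{
    return fprintf(tf, "%s", big_buf);
}

int main(void)
{
    char out[2 * N_CHARS];
    const char *name = "al%sice";   /* constructed: a '%' arriving off the wire */
    int len = build_announcement(out, sizeof out,
                                 "Message from Talk_Daemon: talk from %s",
                                 name, "host.example");
    if (len < 0)
        return 1;
    printf("directives in untrusted name: %d\n", count_format_directives(name));
    emit_announcement(stdout, out);
    return 0;
}
```

The same shape applies to the sysklogd test program: `syslog(LOG_INFO, "%s", bufr)` instead of `syslog(LOG_INFO, bufr)`. Compiling with `-Wformat -Wformat-security` flags the original call sites (non-literal format with no arguments), which is the cheapest way to find this class across a tree.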


History
*******

Similar hole discovered and disclosed by antisec/K2 in OpenBSD, that was
said to not be exploitable... (unexploitable? hehehe, no strvis wizards?)

That one only take GOBBLES Security researchers three hours to write fully
automated, multiarchitecture remote root exploit, but whatever, writing it
was completely trivial for us. . .  very beginner stuff.


Closing
*******

Huge, big, important announcements coming soon from GOBBLES Security. . .
GOBBLES suggest staying bright and attentive for details concerning these
things which will be announced and made public very soon. . .


Funny Links
***********

* Pine Internet Advisory: Setuid application execution may give local root
  in FreeBSD Patrick Oonk (Mon Apr 22 2002 - 03:58:25 CDT)
  http://archives.neohapsis.com/archives/bugtraq/2002-04/0305.html

* Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio Theo de Raadt (Mon
  Apr 22 2002 - 14:23:51 CDT)
  http://archives.neohapsis.com/archives/bugtraq/2002-04/0304.html

  (In this post, Theo try to make fun of Patrick saying that only reason
   Patrick find this bug is that Theo find it first and patch Theo-BSD with
   it, showing off that he smarter than everyone else as usual (well, not
   that Theo smarter than anyone else really, since even the average scriptkid
   find owning OpenBSD to be trivial task, but in he own mind he > * . . .))

* OpenBSD local DoS and root exploit fozzy () dmpfrance com (Thu May 09 2002 -
  08:11:31 CDT)
  http://archives.neohapsis.com/archives/bugtraq/2002-05/0066.html

  (In this advisory, Fozzy show that Theo attempt to patch bug in OpenBSD was
   completely vain and that OpenBSD was still vulnerable to same bug as
   FreeBSD, and that Theo really just lamer with ego who not good enough to
   be on NetBSD team anymore.  Notice greets to GOBBLES, hehe, thankx Fozzy!
   Come to defcon for free tshirt, hehe :PPPPPppppp!)

Congratulations to Theo for making himself look like asshole.  Everyone
already know that Theo lame, but few realize that he also is just asshole. . .

http://udp.livejournal.com  --  #phrack's finest, grab your magic decoder ring
and pray to sweet jebus that you'll be able to understand just a single word...

Greetz
******

The Bronc Buster, who have nothing better to do at important cisco.com job
than to beg GOBBLES for attention.  You too, like op in #phrack, need to
shut up.  No tshirt for you, homie.  You are not funny, at all...


GOBBLES Security
"Often imitated, never cloned."



-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjzqbvkVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPma8A
nRl8pGs6YdyDPlwe0DAKQqZrVxg+AJ9akYd2idfOQZnHkLbNrS7HNhkXuA==
=BcsW
-----END PGP SIGNATURE-----
