Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ca-9811.txt

CERT Advisory 98-11 Tooltalk RPC Service Vulnerability




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-98.11

   Original issue date: Sept. 3, 1998
   Last Revised: July 22, 1999   Added link IN-99-04 to the "Updates"
   section.
     _________________________________________________________________
   
Topic: Vulnerability in ToolTalk RPC Service
     _________________________________________________________________
   
   The text of this advisory was originally released on August 31, 1998,
   as NAI-29, developed by Network Associates, Inc. (NAI). To more widely
   broadcast this information, we are reprinting the NAI advisory here
   with their permission.
   
   As we receive additional information it will be placed in an "Updates"
   section at the end of this advisory.
     _________________________________________________________________
   
Stack Overflow in ToolTalk RPC Service

                                                          NAI Advisory 29
                                                                         
                                                 Network Associates, Inc.
                                                                         
                                                        SECURITY ADVISORY
                                                                         
                                                          August 31, 1998
                                                                         
   SYNOPSIS
   
   An implementation fault in the ToolTalk object database server allows
   a remote attacker to run arbitrary code as the superuser on hosts
   supporting the ToolTalk service. The affected program runs on many
   popular UNIX operating systems supporting CDE and some Open Windows
   installs. This vulnerability is being actively exploited by attackers
   on the Internet.
   
   Confirmed Vulnerable Operating Systems and Third Party Vendors
   
   Sun Microsystems
   SunOS 5.6, 5.6_x86
       SunOS 5.5.1, 5.5.1_x86
       SunOS 5.5, 5.5_x86
       SunOS 5.4, 5.4_x86
       SunOS 5.3
       SunOS 4.1.
       SunOS 4.1.3_U1
       
   Hewlett Packard
   HP-UX release 10.10
       HP-UX release 10.20
       HP-UX release 10.30
       HP-UX release 11.00
       
   SGI
   IRIX 5.3
       IRIX 5.4
       IRIX 6.2
       IRIX 6.3
       IRIX 6.4
       
   IBM
   AIX 4.1.X
       AIX 4.2.X
       AIX 4.3.X
       
   TriTeal
   TriTeal CDE - TED versions 4.3 and previous.
       
   Xi Graphics
   Xi Graphics Maximum CDE v1.2.3
       
   It should be noted here that this not an exhaustive list of vulnerable
   vendors. These are only the *confirmed vulnerable* vendors. Also, any
   OS installation that is not configured to use or start up the ToolTalk
   service is not vulnerable to this problem. To determine whether the
   ToolTalk database server is running on a host, use the "rpcinfo"
   command to print a list of the RPC services running on it, as:
$ rpcinfo -p hostname
       
   Because many operating systems do not include an entry for the
   ToolTalk database service in the RPC mapping table ("/etc/rpc" on most
   Unix platforms), the vulnerable service may not appear by name in the
   listing. The RPC program number for the ToolTalk database service is
   100083. If an entry exists for this program, such as,
100083 1 tcp 692
       
   then the service is running on the host. Until additional information
   is made available from the OS vendor, it should be assumed that the
   system is vulnerable to the attack described in this advisory.
   
   DETAILS
   
   The ToolTalk service allows independently developed applications to
   communicate with each other by exchanging ToolTalk messages. Using
   ToolTalk, applications can create open protocols which allow different
   programs to be interchanged, and new programs to be plugged into the
   system with minimal reconfiguration.
   
   The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service
   which manages objects needed for the operation of the ToolTalk
   service. ToolTalk-enabled processes communicate with each other using
   RPC calls to this program, which runs on each ToolTalk-enabled host.
   This program is a standard component of the ToolTalk system, which
   ships as a standard component of many commercial Unix operating
   systems. The ToolTalk database server runs as root.
   
   Due to an implementation fault in rpc.ttdbserverd, it is possible for
   a malicious remote client to formulate an RPC message that will cause
   the server to overflow an automatic variable on the stack. By
   overwriting activation records stored on the stack, it is possible to
   force a transfer of control into arbitrary instructions provided by
   the attacker in the RPC message, and thus gain total control of the
   server process.
   
   TECHNICAL DETAILS
   
   Source code and XDR specifications for the ToolTalk database protocol
   and server were not available at the time this advisory was drafted.
   What follows is information based on analysis of the rpc.ttdbserverd
   binary and a captured attack trace from a network on which an
   exploitation script for this problem was run.
   
   The observed attack utilized the ToolTalk Database (TTDB) RPC
   procedure number 7, with an XDR-encoded string as its sole argument.
   TTDB procedure 7 corresponds to the _tt_iserase_1() function symbol in
   the Solaris binary (/usr/openwin/bin/rpc.ttdbserverd). This function
   implements an RPC procedure which takes an ASCII string as an
   argument, which is treated as a pathname.
   
   The pathname string is passed to the function isopen(), which in turn
   passes it to _am_open(), then to _amopen(), _openfcb(), _isfcb_open(),
   and finally to _open_datfile(), where it, as the first argument to the
   function, is passed directly to a strcpy() to a pointer on the stack.
   If the pathname string is suitably large, the string overflows the
   stack buffer and overwrites an activation record, allowing control to
   transfer into instructions stored in the pathname string.
   
   RESOLUTION
   
   This is an implementation problem and can only be resolved completely
   by applying patches to or replacing affected software. As a temporary
   workaround, it is possible to eliminate vulnerability to this problem
   by disabling the ToolTalk database service. This can be done by
   killing the "rpc.ttdbserverd" process and removing it from any OS
   startup scripts. It should be noted that this may impair system
   functionality.
   
   The following vendors have been confirmed vulnerable, contacted, and
   have responded with repair information:
   
   Sun Microsystems
   
   Sun plans to release patches this week that relate to the ToolTalk
   vulnerability for SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and
   5.5_x86.
   
   Patches for SunOS 5.4, 5.4_x86, 5.3, 4.1.4 and 4.1.3_U1 will be
   released in about 4 weeks.
   
   Sun recommended security patches (including checksums) are available
   from: http://sunsolve.sun.com/sunsolve/pubpatches/patches.html
   
   Hewlett Packard
   
   HP-UX has been confirmed vulnerable in releases 10.XX and 11.00. HP
   has made patches available with the following identifications:
   HP-UX release 10.10 HP9000 Series 7/800 PHSS_16150
       HP-UX release 10.20 HP9000 Series 7/800 PHSS_16147
       HP-UX release 10.24 HP9000 Series 7/800 PHSS_16197
       HP-UX release 10.30 HP9000 Series 7/800 PHSS_16151
       HP-UX release 11.00 HP9000 Series 7/800 PHSS_16148
       
   IBM
   
   IBM AIX has been confirmed vulnerable. IBM's response is as follows:
   
   The version of ttdbserver shipped with AIX is vulnerable. We are
   currently working on the following fixes which will be available soon:
 APAR 4.1.x: IX81440
 APAR 4.2.x: IX81441
 APAR 4.3.x: IX81442

   Until the official APARs are available, a temporary fix can be
   downloaded via anonymous ftp from:
   ftp://aix.software.ibm.com/aix/efixes/security/ttdbserver.tar.Z
       
   TriTeal
   
   An official response from TriTeal is as follows:
   The ToolTalk vulnerability will be fixed in the TED4.4 release. For
   earlier versions of TED, please contact the TriTeal technical support
   department at support@triteal.com or at
   http://www.triteal.com/support.
   
   Xi Graphics
   
   An official response from Xi Graphics is as follows:
   Xi Graphics Maximum CDE v1.2.3 is vulnerable to this attack. A patch
   to correct this problem will be placed on our FTP site by 8/28/1998:
     * ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.tar.gz
     * ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.txt
       
   Users of Maximum CDE v1.2.3 are urged to install this update.
   
   Silicon Graphics
   
   Please refer to Silicon Graphics Inc. Security Advisory,
   "Vulnerability in ToolTalk RPC Service," Number: 19981101-01-A,
   distributed November 19, 1998 for additional information relating to
   this vulnerability.
   
   The primary SGI anonymous FTP site for security information and
   patches is sgigate.sgi.com (204.94.209.1). Security information and
   patches are located under the directories ~ftp/security and
   ~ftp/patches, respectively. The Silicon Graphics Security Headquarters
   Web page is accessible at the URL
   http://www.sgi.com/Support/security/security.html.
       
   Other Vendors
   
   If any uncertainty exists with regards to whether a given vendor not
   listed in this advisory is vulnerable to this attack, we recommend
   contacting them via their support/security channels for more
   information.
   
   ACKNOWLEDGEMENTS
   
   The NAI Security Labs Team would like to thank the HP & IBM Security
   Response Teams, CERT/CC & AUSCERT for their contributions to this
   advisory.
   
   ABOUT THE NETWORK ASSOCIATES SECURITY LABS
   
   The Security Labs at Network Associates hosts some of the most
   important research in computer security today. With over 28 published
   security advisories published in the last 2 years, the Network
   Associates security auditing teams have been responsible for the
   discovery of many of the Internet's most serious security flaws. This
   advisory represents our ongoing commitment to provide critical
   information to the security community.
   
   For more information about the Security Labs at Network Associates,
   see our website at http://www.nai.com or contact us at
   seclabs@nai.com.
   
   UPDATES
   
   For more information about attacks using various RPC Services please
   see CERT Incident Note IN-99-04
   http://www.cert.org/incident_notes/IN-99-04.html
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/advisories/CA-98.11.tooltalk.html.
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.
          
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site http://www.cert.org/.
   
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.
   
   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in http://www.cert.org/legal_stuff.html.
   
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________
   
   Revision History

   July 22, 1999  Added link IN-99-04 to the "Updates" section.
   Dec.  9, 1998  Updated RESOLUTION information for Silicon Graphics.
   Sept. 4, 1998  Updated RESOLUTION information for Hewlett Packard.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBCTOFr9kb5qlZHQEQKMNQCgw9Nwgn4dLhNFu7RHJ5rMGPtKSioAoNKz
KI/oGROUdG9rsye1Zcud51vp
=tAw3
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH