Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ca200226.txt

CERT Advisory CA-2002-26 Buffer Overflow in CDE ToolTalk




-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-26 Buffer Overflow in CDE ToolTalk

   Original release date: August 12, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.


Systems Affected

     * Systems running CDE ToolTalk


Overview

   The  Common  Desktop  Environment  (CDE)  ToolTalk RPC database server
   contains  a  buffer  overflow  vulnerability that could allow a remote
   attacker to execute arbitrary code or cause a denial of service.


I. Description

   The  Common  Desktop Environment (CDE) is an integrated graphical user
   interface  that runs on UNIX and Linux operating systems. CDE ToolTalk
   is  a  message  brokering  system  that  provides  an architecture for
   applications   to   communicate  with  each  other  across  hosts  and
   platforms.  The ToolTalk RPC database server, rpc.ttdbserverd, manages
   communication  between  ToolTalk  applications.  For  more information
   about CDE, see

     http://www.opengroup.org/cde/

     http://www.opengroup.org/desktop/faq/

   The  CDE  ToolTalk  database  server  is  vulnerable  to a heap buffer
   overflow via an argument passed to the procedure _TT_CREATE_FILE(). An
   attacker  with  access  to  the  ToolTalk  RPC  database service could
   exploit this vulnerability with a specially crafted RPC message.

   Vulnerability  Note VU#387387 includes a list of vendors who have been
   contacted about this vulnerability.

   This  vulnerability  was  discovered  and  reported  by  the Entercept
   Ricochet  Team  and  is  described in the following Entercept Security
   Alert:

     http://www.entercept.com/news/uspr/08-12-02.asp

   This  vulnerability  has  been  assigned  CAN-2002-0679  by the Common
   Vulnerabilities and Exposures (CVE) group.

   A  list previously documented problems in CDE can be found in Appendix
   B.


II. Impact

   Using  an  RPC  message  containing  a  specially  crafted argument to
   _TT_CREATE_FILE(),  a  remote attacker could execute arbitrary code or
   cause  a  denial of service. The ToolTalk database server process runs
   with  root  privileges  on  most systems. Note that the non-executable
   stack  protection  provided by some operating systems will not prevent
   the execution of code located on the heap.


III. Solution

Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   As  vendors report new information to the CERT/CC, we will update this
   section  and note the changes in our revision history. If a particular
   vendor  is  not  listed  below,  we  have not received their comments.
   Please contact your vendor directly.

Disable vulnerable service

   Until  patches  are  available  and  can  be  applied, you may wish to
   disable  the  ToolTalk  RPC  database service. As a best practice, the
   CERT/CC  recommends  disabling  all  services  that are not explicitly
   required.  On  a  typical CDE system, it should be possible to disable
   rpc.ttdbserverd   by   commenting   out   the   relevant   entries  in
   /etc/inetd.conf and if necessary, /etc/rpc, and then by restarting the
   inetd process.

   The  program number for the ToolTalk RPC database server is 100083. If
   references  to  100083 or rpc.ttdbserverd appear in /etc/inetd.conf or
   /etc/rpc  or  in  output from the rpcinfo(1M) and ps(1) commands, then
   the ToolTalk RPC database server may be running.

   The  following  example  was  taken  from  a  system running SunOS 5.8
   (Solaris 8):


    /etc/inetd.conf
    ...
    #
    # Sun ToolTalk Database Server
    #
    100083/1     tli   rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd
    rpc.ttdbsrverd
    ...

# rpcinfo -p
    program vers proto    port  service
    ...
    100083    1   tcp   32773
    ...


# ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
    ...
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
    ...

   Before deciding to disable the ToolTalk RPC database server or the RPC
   portmapper  service, carefully consider your network configuration and
   service requirements.

Block access to vulnerable service

   Until  patches are available and can be applied, you may wish to block
   access  to  the  ToolTalk  RPC  database  server  and possibly the RPC
   portmapper service from untrusted networks such as the Internet. Use a
   firewall or other packet-filtering technology to block the appropriate
   network  ports.  The ToolTalk RPC database server may be configured to
   use  port  692/tcp  or  another  port  as indicated in output from the
   rpcinfo(1M)  command.  In the example above, the ToolTalk RPC database
   server is configured to use port 32773/tcp. The RPC portmapper service
   typically  runs  on  ports  111/tcp  and  111/udp.  Keep  in mind that
   blocking  ports at a network perimeter does not protect the vulnerable
   service from attacks that originate from the internal network.

   Before  deciding  to  block  or  restrict  access  to the ToolTalk RPC
   database server or the RPC portmapper service, carefully consider your
   network configuration and service requirements.


Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.

Caldera, Inc.

     Caldera  Open  UNIX  and  Caldera  UnixWare  are vulnerable to this
     issue.  A  fix  will be announced and made available as soon as the
     CERT advisory is made public.

Cray, Inc.

     Cray,  Inc.  does  include  ToolTalk  within the CrayTools product.
     However,  rpc.ttdbserverd  is  not  turned  on  or used by any Cray
     provided  application.  Since  a  site  may have turned this on for
     their    own    use,    they   can   always   remove   the   binary
     /opt/ctl/bin/rpc.ttdbserverd if they are concerned.

Hewlett-Packard Company

     SOURCE: Hewlett-Packard Company Software Security Response Team

     CROSS REFERENCE ID: SSRT2274

     HP-UX HP Tru64 UNIX

     At  the time of writing this document, Hewlett Packard is currently
     investigating  the  potential  impact  to  HP-UX  and HP Tru64 UNIX
     released operating system software.

     HP will provide notice of the availability of any necessary patches
     through  standard  security bulletin announcements and be available
     from your normal HP Services support channel.

     NOT IMPACTED:

     HP-MPE/ix HP OpenVMS HP NonStop Servers

     HP Recommended Workaround:

     A  recommended  workaround  is  to  disable  rpc.ttdbserverd  until
     solutions  are  available.  This  should  only  create  a potential
     problem  for  public  software  packages  applications that use the
     RPC-based  ToolTalk  database server. This step should be evaluated
     against  the  risks identified, your security measures environment,
     and  potential  impact  of other products that may use the ToolTalk
     database server.

     To disable rpc.ttdbserverd:

     Comment out the following line in /etc/inetd.conf:

     rpc.ttdbserverd  stream  tcp swait root /usr/dt/bin/rpc.ttdbserverd
     rpc.ttdbserverd

     Force  inetd  to  re-read  the  configuration file by executing the
     inetd -h command.

     Note:  The  internet  daemon  should  kill  the  currently  running
     rpc.ttdbserver.  If not, manually kill any existing rpc.ttdbserverd
     process.

IBM Corporation

     The CDE desktop product shipped with AIX is vulnerable to the issue
     detailed above in the advisory. This affects AIX releases 4.3.3 and
     5.1.0.  The efix package is currently being generated and will soon
     be available from the IBM software ftp site.

     The  efix  packages  can  be  downloaded  via  anonymous  ftp  from
     ftp.software.ibm.com/aix/efixes/security/.  This directory contains
     a README file that gives further details on the efix packages.

     The following APARs will be available in the near future:

     AIX 4.3.3: IY32792
     AIX 5.1.0: IY32793

SGI

     SGI  acknowledges the ToolTalk vulnerabilities reported by CERT and
     is  currently investigating. No further information is available at
     this time.

     For  the  protection  of  all our customers, SGI does not disclose,
     discuss  or  confirm vulnerabilities until a full investigation has
     occurred  and  any  necessary  patch(es)  or  release  streams  are
     available  for all vulnerable and supported IRIX operating systems.
     Until SGI has more definitive information to provide, customers are
     encouraged  to  assume  all security vulnerabilities as exploitable
     and  take  appropriate  steps  according  to  local  site  security
     policies   and   requirements.   As   further  information  becomes
     available,  additional advisories will be issued via the normal SGI
     security  information  distribution  methods  including the wiretap
     mailing list on http://www.sgi.com/support/security/.

Sun Microsystems, Inc.

     The Solaris RPC-based ToolTalk database server, rpc.ttdbserverd, is
     vulnerable to the buffer overflow described in this advisory in all
     currently supported versions of Solaris:

     Solaris 2.5.1, 2.6, 7, 8, and 9

     Patches are being generated for all of the above releases. Sun will
     be  publishing Sun Alert 46366 for this issue which will be located
     here:

     http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46366

     The Sun Alert will be updated as more information or patches become
     available. The patches will be available from:

     http://sunsolve.sun.com/securitypatch

     Sun  will be publishing a Sun Security Bulletin for this issue once
     all of the patches are available which will be located at:

     http://sunsolve.sun.com/security

Xi Graphics

     Xi  Graphics  deXtop  CDE  v2.1  is  vulnerable to this attack. The
     update and accompanying text file will be:

     ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz
     ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

     DeXtop version 3.0 already contains this fix.

     Most  sites  do  not  need  to  use  the ToolTalk server daemon. Xi
     Graphics  Security recommends that non-essential services are never
     enabled.  To  disable  the  ToolTalk  server  on  your system, edit
     /etc/inetd.conf  and  comment  out, or remove, the 'rpc.ttdbserver'
     line. Then, either restart inetd, or reboot your machine.


Appendix B. - References

     * http://www.opengroup.org/cde/
     * http://www.opengroup.org/desktop/faq/
     * http://www.entercept.com/news/uspr/08-12-02.asp
     * http://www.cert.org/advisories/CA-2002-20.html
     * http://www.kb.cert.org/vuls/id/975403
     * http://www.kb.cert.org/vuls/id/299816
     * http://www.cert.org/advisories/CA-2002-01.html
     * http://www.cert.org/advisories/CA-2001-31.html
     * http://www.kb.cert.org/vuls/id/172583
     * http://www.cert.org/advisories/CA-2001-27.html
     * http://www.kb.cert.org/vuls/id/595507
     * http://www.kb.cert.org/vuls/id/860296
     * http://www.cert.org/advisories/CA-1999-11.html
     * http://www.cert.org/advisories/CA-1998-11.html
     * http://www.cert.org/advisories/CA-1998-02.html
     _________________________________________________________________

   The  CERT  Coordination  Center  thanks  Sinan  Eren  of the Entercept
   Richochet Team for reporting this vulnerability.
     _________________________________________________________________

   Author: Art Manion
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2002-26.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

Revision History

   August 12, 2002:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPVfnj6CVPMXQI2HJAQETLwP9HC51o4vnkJ7xuF4om98hl5Cad5zxvQia
YmsXxqnKL5baSF2DZCb8218sxwMusDCXK+n3cQR6qNiShLoL9zsDMWk4tAzFGbJO
BceIVqf3kyLTe8tZcrMkmLmWASADNKbxLZtK/0XjJVAkC/I27pfUgW4keqz7fpBv
a9WjSnTU7kI=
=KED+
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH