Common Desktop Environment CDE ToolTalk Buffer Overflow (CIAC M-109)




             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

           Common Desktop Environment (CDE) ToolTalk Buffer Overflow
                           [CERT Advisory CA-2002-26]

August 12, 2002 20:00 GMT                                         Number M-109
______________________________________________________________________________
PROBLEM:       The CDE ToolTalk database server is vulnerable to a heap buffer 
               overflow through an argument passed to the procedure 
               _TT_CREATE_FILE(). An attacker with access to the ToolTalk RPC 
               database service could exploit this vulnerability with a 
               specially crafted RPC message. 
PLATFORM:      Any UNIX or Linux operating system running CDE ToolTalk. 
DAMAGE:        Using an RPC message containing a specially crafted argument to 
               _TT_CREATE_FILE(), a remote attacker could execute arbitrary 
               code or cause a denial of service. The ToolTalk database server 
               process runs with root privileges on most systems. 
SOLUTION:      Apply available patches, or disable the ToolTalk RPC database 
               service as recommended within CERT's bulletin. (CERT's 
               recommendation depends on your network configuration and 
               service requirements.) 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. This is a common service used by most 
ASSESSMENT:    versions of UNIX and Linux operating systems. The vulnerability 
               could allow a remote attacker to execute arbitrary code or 
               cause a denial of service. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-109.shtml 
 ORIGINAL BULLETIN:  http://www.cert.org/advisories/CA-2002-26.html 
 PATCHES:            NOTE: PLEASE REVIEW CERT'S BULLETIN APPENDIX A FOR VENDOR 
                     PRODUCT UPDATES AND REVISIONS.
______________________________________________________________________________

[***** Start CERT Advisory CA-2002-26 *****]

CERT Advisory CA-2002-26 Buffer Overflow in CDE ToolTalk

   Original release date: August 12, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Systems running CDE ToolTalk

Overview

   The  Common  Desktop  Environment  (CDE)  ToolTalk RPC database server
   contains  a  buffer  overflow  vulnerability that could allow a remote
   attacker to execute arbitrary code or cause a denial of service.

I. Description

   The  Common  Desktop Environment (CDE) is an integrated graphical user
   interface  that runs on UNIX and Linux operating systems. CDE ToolTalk
   is  a  message  brokering  system  that  provides  an architecture for
   applications   to   communicate  with  each  other  across  hosts  and
   platforms.  The ToolTalk RPC database server, rpc.ttdbserverd, manages
   communication  between  ToolTalk  applications.  For  more information
   about CDE, see

     http://www.opengroup.org/cde/

     http://www.opengroup.org/desktop/faq/

   The  CDE  ToolTalk  database  server  is  vulnerable  to a heap buffer
   overflow via an argument passed to the procedure _TT_CREATE_FILE(). An
   attacker  with  access  to  the  ToolTalk  RPC  database service could
   exploit this vulnerability with a specially crafted RPC message.

   Vulnerability  Note VU#387387 includes a list of vendors who have been
   contacted about this vulnerability.

   This  vulnerability  was  discovered  and  reported  by  the Entercept
   Ricochet  Team  and  is  described in the following Entercept Security
   Alert:

     http://www.entercept.com/news/uspr/08-12-02.asp

   This  vulnerability  has  been  assigned  CAN-2002-0679  by the Common
   Vulnerabilities and Exposures (CVE) group.

   A list of previously documented problems in CDE can be found in Appendix
   B.

II. Impact

   Using  an  RPC  message  containing  a  specially  crafted argument to
   _TT_CREATE_FILE(),  a  remote attacker could execute arbitrary code or
   cause  a  denial of service. The ToolTalk database server process runs
   with  root  privileges  on  most systems. Note that the non-executable
   stack  protection  provided by some operating systems will not prevent
   the execution of code located on the heap.

III. Solution

Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   As  vendors report new information to the CERT/CC, we will update this
   section  and note the changes in our revision history. If a particular
   vendor  is  not  listed  below,  we  have not received their comments.
   Please contact your vendor directly.

Disable vulnerable service

   Until  patches  are  available  and  can  be  applied, you may wish to
   disable  the  ToolTalk  RPC  database service. As a best practice, the
   CERT/CC  recommends  disabling  all  services  that are not explicitly
   required.  On  a  typical CDE system, it should be possible to disable
   rpc.ttdbserverd   by   commenting   out   the   relevant   entries  in
   /etc/inetd.conf and if necessary, /etc/rpc, and then by restarting the
   inetd process.

   The  program number for the ToolTalk RPC database server is 100083. If
   references  to  100083 or rpc.ttdbserverd appear in /etc/inetd.conf or
   /etc/rpc  or  in  output from the rpcinfo(1M) and ps(1) commands, then
   the ToolTalk RPC database server may be running.

   The  following  example  was  taken  from  a  system running SunOS 5.8
   (Solaris 8):


    /etc/inetd.conf
    ...
    #
    # Sun ToolTalk Database Server
    #
    100083/1     tli   rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
    ...


# rpcinfo -p
    program vers proto    port  service
    ...
    100083    1   tcp   32773
    ...


# ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
    ...
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
    ...


   Before deciding to disable the ToolTalk RPC database server or the RPC
   portmapper  service, carefully consider your network configuration and
   service requirements.

Block access to vulnerable service

   Until  patches are available and can be applied, you may wish to block
   access  to  the  ToolTalk  RPC  database  server  and possibly the RPC
   portmapper service from untrusted networks such as the Internet. Use a
   firewall or other packet-filtering technology to block the appropriate
   network  ports.  The ToolTalk RPC database server may be configured to
   use  port  692/tcp  or  another  port  as indicated in output from the
   rpcinfo(1M)  command.  In the example above, the ToolTalk RPC database
   server is configured to use port 32773/tcp. The RPC portmapper service
   typically  runs  on  ports  111/tcp  and  111/udp.  Keep  in mind that
   blocking  ports at a network perimeter does not protect the vulnerable
   service from attacks that originate from the internal network.

   Before  deciding  to  block  or  restrict  access  to the ToolTalk RPC
   database server or the RPC portmapper service, carefully consider your
   network configuration and service requirements.
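The two preceding sections tell you to look for program number 100083 or
rpc.ttdbserverd in /etc/inetd.conf, in the output of rpcinfo -p and in the
process list, and then to block whatever port the portmapper reports. The
script below is an added example, not part of CERT CA-2002-26 or the CIAC
bulletin, that performs those checks in one pass. The inetd.conf and
rpcinfo -p text embedded in it is constructed for the example (the 32773/tcp
registration mirrors the Solaris 8 listing above); on a real host it reads
/etc/inetd.conf and runs rpcinfo -p instead, when both are available.

```shell
#!/bin/sh
# Added example: find an enabled or registered ToolTalk RPC database server
# (program 100083, rpc.ttdbserverd) the way CA-2002-26 describes. The sample
# inputs below are constructed; they are used only when the live files/tools
# are not available.

TTDB_PROG=100083

SAMPLE_INETD_CONF='#
# Sun ToolTalk Database Server
#
100083/1     tli   rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
100068/2-5   dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd'

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100083    1   tcp  32773
    100068    5   udp  32774  cmsd'

# ttdb_inetd_entries <inetd.conf text>: print the *uncommented* entries that
# start the ToolTalk database server. Exit status 0 if any exist, 1 if none.
ttdb_inetd_entries() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -E "^${TTDB_PROG}/|rpc\.ttdbserverd"
}

# ttdb_rpc_ports <rpcinfo -p text>: print "proto port" for every registration
# of program 100083. The port is assigned dynamically, so read it from the
# portmapper rather than assuming 692/tcp.
ttdb_rpc_ports() {
    printf '%s\n' "$1" | awk -v prog="$TTDB_PROG" '$1 == prog { print $3, $4 }'
}

# ttdb_exposed <inetd text> <rpcinfo text>: 0 if the server is enabled in
# inetd or registered with the portmapper, 1 if neither shows it.
ttdb_exposed() {
    inetd_text=$1
    rpc_text=$2
    if ttdb_inetd_entries "$inetd_text" >/dev/null; then
        return 0
    fi
    [ -n "$(ttdb_rpc_ports "$rpc_text")" ]
}

# Use live data on a real host; fall back to the constructed samples so the
# script also runs offline.
if [ -r /etc/inetd.conf ] && command -v rpcinfo >/dev/null 2>&1; then
    INETD_TEXT=$(cat /etc/inetd.conf)
    RPC_TEXT=$(rpcinfo -p 2>/dev/null)
else
    INETD_TEXT=$SAMPLE_INETD_CONF
    RPC_TEXT=$SAMPLE_RPCINFO
fi

if ttdb_exposed "$INETD_TEXT" "$RPC_TEXT"; then
    echo "rpc.ttdbserverd appears to be enabled or registered:"
    ttdb_inetd_entries "$INETD_TEXT" | sed 's/^/  inetd.conf : /'
    ttdb_rpc_ports "$RPC_TEXT" | sed 's/^/  rpcinfo    : /'
    ps -ef 2>/dev/null | grep '[r]pc\.ttdbserverd' | sed 's/^/  ps         : /'
    echo "Block the rpcinfo port(s) above (and 111/tcp+udp if the portmapper"
    echo "need not be reachable), or comment the inetd.conf line out and"
    echo "restart inetd."
else
    echo "no ToolTalk database server found in inetd.conf or portmapper"
fi
```

Two caveats when reading the output. An entry in /etc/rpc only maps the name
to the number 100083, like /etc/services does for TCP ports; it does not by
itself mean the service is enabled, so the script keys on the inetd.conf
entry and the portmapper registration instead. And because the port is
dynamic, a perimeter filter built from one rpcinfo run can silently stop
matching after a reboot; disabling the service, or filtering the portmapper
as well, is the more durable control.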

[***** End CERT Advisory CA-2002-26 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT Coordination Center for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-099: Microsoft Cumulative Patch for SQL Server
M-100: MS Server Response To SMTP Client EHLO Command 
M-101: MS Unchecked Buffer in SQL Server 2000 Utilities  
M-102: MS SQL Server 2000 Resolution Service Buffer Overflow 
M-103: Multiple Vulnerabilities in OpenSSL
M-104: Red Hat Linux Password Locking Race Vulnerability
M-105: Unchecked Buffer in MDAC Function Vulnerability
M-106: Cisco Concentrator RADIUS PAP Authentication Vulnerability
M-107: Unchecked Buffer in Content Management Server
M-108: Vulnerability in HP Apache Server PHP


