CERTVU:387387Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) vulnerable to buffer overflow via _TT_CREATE_FILE()
0.017 Low
EPSS
Percentile
87.8%
Overview
The Common Desktop Environment (CDE) ToolTalk RPC database server contains a buffer overflow condition that could let an attacker execute arbitrary code or cause a denial of service on a vulnerable system. The ToolTalk RPC database server typically runs with root privileges.
Description
A buffer overflow vulnerability has been reported in the CDE ToolTalk RPC database server (rpc.ttdbserverd). A component of CDE, the ToolTalk architecture allows applications to communicate with each other via remote procedure calls (RPC) across different hosts and platforms. The ToolTalk RPC database server manages connections between ToolTalk applications. CDE and ToolTalk are installed and enabled by default on many common UNIX platforms.
The ToolTalk RPC database server is vulnerable to a heap buffer overflow via an argument to the procedure _TT_CREATE_FILE(). As noted by the reporter, the non-executable stack feature of some operating systems may not prevent exploitation of this vulnerability if the payload can be located on the heap. An attacker with access to the ToolTalk RPC database service could exploit this vulnerability with a specially crafted RPC message.
Impact
A remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The ToolTalk RPC database server typically runs with root privileges.
Solution
Apply a Patch
Apply the appropriate patch from your vendor as specified in the Systems Affected section below.
Disable rpc.ttdbserverd
Until patches are available and can be applied, you may wish to consider disabling the ToolTalk RPC database service. As a general best practice, the CERT/CC recommends disabling any services that are not explicitly required. The ToolTalk RPC database service may be enabled in /etc/rpc or in /etc/inetd.conf. For example, on a Solaris 8 system, comment out the following entry in /etc/inetd.conf to disable the ToolTalk RPC database service (rpc.ttdbserverd):
#
# Sun ToolTalk Database Server
#
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
The rpcinfo(1M) and ps(1) commands may be useful in determining if you system is running the ToolTalk RPC database server. On a Solaris 8 system, the following examples indicate that the ToolTalk RPC database server is running:
# rpcinfo -p | grep 100083
100083 1 tcp 32773
# ps -ef | grep rpc.ttdbserverd
root 355 164 0 19:31:27 ? 0:00 rpc.ttdbserverd
Block or Restrict Access
Until patches are available and can be applied, block or restrict access to the RPC portmapper service and the ToolTalk RPC database service from untrusted networks such as the Internet. Using a firewall or other packet-filtering technology, block the ports used by the RPC portmapper and ToolTalk RPC services. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. The ToolTalk RPC service may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo command. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. It is important to understand your network configuration and service requirements before deciding what changes are appropriate.
Vendor Information
387387
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Caldera __ Affected
Notified: July 04, 2002 Updated: August 20, 2002
Status
Affected
Vendor Statement
Caldera Open UNIX and Caldera UnixWare provide the CDE ttdbserverd daemon, and is vulnerable to this issue. Please see Caldera Security Advisory CSSA-2002-SCO.28.1 for more information.
SCO OpenServer and Caldera OpenLinux do not provide CDE, and are therefore not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23387387 Feedback>).
Hewlett-Packard Company __ Affected
Notified: July 04, 2002 Updated: September 09, 2002
Status
Affected
Vendor Statement
SOURCE: Hewlett-Packard Company Software Security Response Team (SSRT)
Date: 15 August, 2002
CROSS REFERENCE ID: SSRT2274
HP Tru64 UNIX
> At the time of writing this document, Hewlett Packard is currentlyinvestigating the potential impact to HP-UX and HP Tru64 UNIX releasedoperating system software.
HP will provide notice of the availability of any necessary patchesthrough standard security bulletin announcements and be available fromyour normal HP Services support channel.
HP-UX
> A preliminary fix for HP-UX is avaiable:
Originally issued: 12 July 2002
Last revision: 14 Aug 2002
<ftp://ttdb1:[email protected]/>
file: rpc.ttdbserver.2.tar.gz
Details can be found in HPSBUX0207-199 at http://itrc.hp.com
NOT IMPACTED:
> HP-MPE/ix
HP OpenVMS
HP NonStop Servers
HP Recommended Workaround:
A recommended workaround is to disable rpc.ttdbserverd until solutionsare available. This should only create a potential problem for publicsoftware packages applications that use the RPC-based ToolTalkdatabase server. This step should be evaluated against the risksidentified, your security measures environment, and potential impactof other products that may use the ToolTalk database server.
To disable rpc.ttdbserverd:
HP Tru64 Unix:
> Comment out the following line in /etc/inetd.conf:
>
> rpc.ttdbserverd stream tcp swait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
>
> Force inetd to re-read the configuration file by executing the inetd -h command.
>
> Note: The internet daemon should kill the currently running rpc.ttdbserver. If not, manually kill any existing rpc.ttdbserverd process.
HP-UX:
> Comment out the following line in /etc/inetd.conf:
>
> rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver [10.20]
>
>> or
>
> rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver [11.0/11.11]
>
> Force inetd to re-read the configuration file by executing the inetd -c command.
>
> Note: The internet daemon should kill the currently running rpc.ttdbserver. If not, manually kill any existing rpc.ttdbserverd process.
To report potential security vulnerabilities in HP software, send anE-mail message to: [email protected]
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Hewlett-Packard has released a security bulletin (SRB0039W/SSRT2274) that addresses VU#387387 and other vulnerabilities.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23387387 Feedback>).
IBM __ Affected
Notified: July 04, 2002 Updated: August 13, 2002
Status
Affected
Vendor Statement
The CDE desktop product shipped with AIX is vulnerable to the issue detailed above in the advisory. This affects AIX releases 4.3.3 and 5.1.0. An efix package for this issue is currently available from the IBM software ftp site.
The efix packages can be downloaded via anonymous ftp from ftp.software.ibm.com/aix/efixes/security. This directory contains a README file that gives further details on the efix packages.
The following APARs will be available in the near future:
AIX 4.3.3: IY32792
AIX 5.1.0: IY32793
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23387387 Feedback>).
Sun Microsystems Inc. __ Affected
Notified: July 04, 2002 Updated: August 09, 2002
Status
Affected
Vendor Statement
The Solaris RPC-based ToolTalk database server, rpc.ttdbserverd, is vulnerable to the buffer overflow described in this advisory in all currently supported versions of Solaris:
Solaris 2.5.1, 2.6, 7, 8, and 9
Patches are being generated for all of the above releases. Sun will be publishing Sun Alert 46366 for this issue which will be located here:
<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46366>
The Sun Alert will be updated as more information or patches become available. The patches will be available from:
<http://sunsolve.sun.com/securitypatch>
Sun will be publishing a Sun Security Bulletin for this issue once all of the patches are available which will be located at:
<http://sunsolve.sun.com/security>
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23387387 Feedback>).
Xi Graphics __ Affected
Notified: July 04, 2002 Updated: August 09, 2002
Status
Affected
Vendor Statement
Xi Graphics deXtop CDE v2.1 is vulnerable to this attack. The update and accompanying text file will be:
<ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz><ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt>
Most sites do not need to use the ToolTalk server daemon. Xi Graphics Security recommends that non-essential services are never enabled. To disable the ToolTalk server on your system, edit /etc/inetd.conf and comment out, or remove, the ‘rpc.ttdbserver’ line. Then, either restart inetd, or reboot your machine.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23387387 Feedback>).
Cray Inc. __ Unknown
Notified: July 04, 2002 Updated: August 09, 2002
Status
Unknown
Vendor Statement
Cray, Inc. does include ToolTalk within the CrayTools product. However, rpc.ttdbserverd is not turned on or used by any Cray provided application. Since a site may have turned this on for their own use, they can always remove the binary /opt/ctl/bin/rpc.ttdbserverd if they are concerned.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Given the history of CDE source code, it is likely that the CrayTools ToolTalk RPC database server is vulnerable.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23387387 Feedback>).
Data General Unknown
Notified: July 04, 2002 Updated: July 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23387387 Feedback>).
SGI __ Unknown
Notified: July 04, 2002 Updated: August 09, 2002
Status
Unknown
Vendor Statement
SGI acknowledges the ToolTalk vulnerabilities reported by CERT and is currently investigating. No further information is available at this time.
For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on <http://www.sgi.com/support/security/>.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23387387 Feedback>).
The Open Group Unknown
Notified: July 04, 2002 Updated: July 05, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23387387 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
The CERT/CC thanks Sinan Eren of the Entercept Ricochet Team for reporting this vulnerability.
This document was written by Art Manion.
Other Information
| CVE IDs: | CVE-2002-0679 |
|---|---|
| Severity Metric: | 14.04 Date Public: |
Related
