Common Desktop Environment (CDE) ToolTalk RPC Server rpc.ttdbserverd contains format string vulnerability

2001-10-03T00:00:00
ID VU:595507
Type cert
Reporter CERT
Modified 2004-03-24T15:01:00

Description

Overview

A vulnerability exists in CDE ToolTalk that may allow a remote attacker to execute arbitrary code with root privileges.

Description

Internet Security Systems (ISS) X-Force has discovered a format string vulnerability in the Common Desktop Environment (CDE) ToolTalk Remote Procedure Call (RPC) server, rpc.ttdbserverd. The ToolTalk architecture allows custom applications to communicate with each other via RPC calls, and CDE and ToolTalk are installed and enabled by default on many common UNIX platforms. rpc.ttdbserverd manages RPC communication between ToolTalk applications. rpc.ttdbserverd contains a syslog(3) call that is made without a constant format string, so data taken from the request is used as the format argument itself. As a result, a crafted RPC open request containing user-supplied format string specifiers is interpreted by syslog(), which can overwrite arbitrary locations in memory. By carefully designing such a request, an attacker may execute arbitrary code with the privileges of rpc.ttdbserverd, typically root.

For more information, see the ISS X-Force advisory at: <http://xforce.iss.net/alerts/advise98.php>.
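The defect class described above, beside its hardened form, as an added example that is not code from the advisory, from CDE or from ToolTalk. The logging sink `log_line`, the two `log_open_request_*` functions and the audit helper `count_format_directives` are hypothetical names; the sink formats into a caller buffer (rather than writing to the system log as syslog(3) does) only so that the result can be inspected. The vulnerable variant is included for contrast and is never fed untrusted data here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the CERT note or of CDE/ToolTalk.
 * All function and buffer names below are hypothetical. */

#define LOG_LINE_MAX 256

/* Hypothetical logging sink: takes a format and arguments like
 * syslog(3), but renders into a caller-supplied buffer so the
 * outcome can be checked (syslog() writes to the system log and
 * returns nothing). */
static void log_line(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the peer-controlled string IS the format. Every
 * '%' conversion in it is interpreted by the formatter, which is the
 * defect the advisory attributes to rpc.ttdbserverd's syslog() call.
 * Shown for contrast only; must never see untrusted input. */
static void log_open_request_vulnerable(char *out, size_t out_len,
                                        const char *peer_data)
{
    log_line(out, out_len, peer_data);   /* BUG: no constant format string */
}

/* Hardened pattern: a constant format with the data passed as a %s
 * argument, so '%' characters in the data are copied literally. */
static void log_open_request_fixed(char *out, size_t out_len,
                                   const char *peer_data)
{
    log_line(out, out_len, "ttdb open request: %s", peer_data);
}

/* Audit helper: count conversion specifications in data that is about
 * to reach a formatting function. Request data has no legitimate reason
 * to carry any, so a non-zero count is a cheap review signal. "%%" is an
 * escaped percent sign and is not counted. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* literal percent, skip both chars */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 when the hardened logger reproduced peer_data verbatim after
 * its fixed prefix, 0 otherwise. */
static int fixed_logger_preserves_input(const char *peer_data)
{
    char buf[LOG_LINE_MAX];
    const char *prefix = "ttdb open request: ";
    log_open_request_fixed(buf, sizeof buf, peer_data);
    return strncmp(buf, prefix, strlen(prefix)) == 0 &&
           strcmp(buf + strlen(prefix), peer_data) == 0;
}

int main(void)
{
    /* Constructed sample: a request string carrying conversion specifiers. */
    const char *sample = "/tmp/%x%x%n";
    char buf[LOG_LINE_MAX];

    log_open_request_fixed(buf, sizeof buf, sample);
    printf("hardened log line : %s\n", buf);
    printf("directives in data: %d\n", count_format_directives(sample));

    /* The vulnerable variant is only safe because this literal has no '%'. */
    log_open_request_vulnerable(buf, sizeof buf, "plain text only");
    printf("vulnerable variant: %s\n", buf);
    return 0;
}
```

The fix is a one-token change (`"%s", data` instead of `data`), which is why this bug class is easy to introduce and easy to audit for: GCC's `-Wformat -Wformat-security` reports calls to syslog(3) and the printf family whose format is not a string literal.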

The rpcinfo command may be able to help you determine if rpc.ttdbserverd is running on your system.

On SunOS:

% rpcinfo -p
program vers proto port service
100000 4 tcp 111 rpcbind
104567 5 tcp 112 custom

On MacOS X:

% rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
200100001 1 udp 745 netinfobind
200100001 1 tcp 748 netinfobind
The program number for rpc.ttdbserverd is 100083. If 100083 shows up in the rpcinfo output, you may be running the rpc.ttdbserverd service. Additionally, the service may be listed in /etc/rpc. For example, the following entry may indicate rpc.ttdbserverd is running on your system:

100083 1 tcp 692
Systems that are not running rpc.ttdbserverd are not exposed to this vulnerability.
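The check described above (look for program number 100083 in the output of `rpcinfo -p`), applied to captured command output, as an added example that is not part of the CERT note. It handles both layouts shown above, the SunOS five-column and the Mac OS X four-column form, because the program number is the first field in either; the header line and any prompt line are skipped. The function names are hypothetical and the sample listings are constructed, including the service name shown for 100083.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not part of the CERT note. Function names are
 * hypothetical; sample listings are constructed. */

#define TTDB_PROGRAM 100083UL   /* RPC program number from the note */

/* Parse the leading field of one rpcinfo line as a program number.
 * Returns 1 and stores the number when the line starts with a whole
 * decimal field (a data line); returns 0 for the header line, blank
 * lines, or a shell prompt line. */
static int parse_program_number(const char *line, unsigned long *prog)
{
    while (*line == ' ' || *line == '\t')
        line++;
    if (!isdigit((unsigned char)*line))
        return 0;
    char *end;
    *prog = strtoul(line, &end, 10);
    /* The field must end at whitespace so "1000830" is not taken as 100083. */
    return *end == ' ' || *end == '\t' || *end == '\n' || *end == '\0';
}

/* 1 if this rpcinfo line registers rpc.ttdbserverd, else 0. */
static int line_is_ttdb_registration(const char *line)
{
    unsigned long prog;
    return parse_program_number(line, &prog) && prog == TTDB_PROGRAM;
}

/* Scan captured `rpcinfo -p` output and return how many registrations of
 * program TTDB_PROGRAM it lists (one per version/protocol pair). Zero
 * means the portmapper does not know the service and the host is not
 * exposed through this vector. */
static int count_ttdb_registrations(const char *rpcinfo_output)
{
    int hits = 0;
    const char *p = rpcinfo_output;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        if (len >= sizeof line)          /* truncate over-long lines */
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line_is_ttdb_registration(line))
            hits++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return hits;
}

/* Constructed sample: the Mac OS X listing from the note with two
 * hypothetical rpc.ttdbserverd registrations appended. */
static const char sample_exposed[] =
    "   program vers proto   port\n"
    "    100000    2   tcp    111  portmapper\n"
    "    100000    2   udp    111  portmapper\n"
    " 200100001    1   udp    745  netinfobind\n"
    " 200100001    1   tcp    748  netinfobind\n"
    "    100083    1   tcp    692  ttdbserverd\n"
    "    100083    1   udp    692  ttdbserverd\n";

/* Constructed sample: the same host without the ToolTalk service. */
static const char sample_clean[] =
    "   program vers proto   port\n"
    "    100000    2   tcp    111  portmapper\n"
    "    100000    2   udp    111  portmapper\n"
    " 200100001    1   udp    745  netinfobind\n"
    " 200100001    1   tcp    748  netinfobind\n";

int main(void)
{
    printf("exposed host: %d ttdbserverd registration(s)\n",
           count_ttdb_registrations(sample_exposed));
    printf("clean host  : %d ttdbserverd registration(s)\n",
           count_ttdb_registrations(sample_clean));
    return 0;
}
```

To run it against a live host, pipe the real `rpcinfo -p` output into the program in place of the constructed strings; a count above zero on an unpatched system is the condition the Solution section addresses.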


Impact

A remote attacker may send crafted RPC traffic causing the ToolTalk RPC server to crash or allowing the attacker to execute arbitrary code on the vulnerable system.


Solution

Apply Patch
Apply the appropriate vendor supplied patch as described in the vendor section below.


Disable Vulnerable Service

Until a patch can be applied, you may wish to consider disabling the ToolTalk service. As a general practice, CERT/CC recommends disabling any services not explicitly required.

Block or Restrict Access

Your router or firewall may be able to block access to the ToolTalk service at your network perimeter. Additionally, an application-level firewall may be able to filter requests made to the ToolTalk service.


Vendor Information


Compaq Computer Corporation __ Affected

Notified: August 14, 2001 Updated: October 08, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NO RESTRICTION FOR DISTRIBUTION PROVIDED THE ADVISORY REMAINS INTACT
TITLE: SSRT0767U Potential rpc.ttdbserverd buffer overflow
CASE ID: SSRT0767U (X-REF: CVE CAN-2001-0717, x-force 02-oct-2001, CERT CA-2001-27)
SOURCE: Compaq Computer Corporation Software Security Response Team DATE: 02-Oct-2001
(c) Copyright 2001 Compaq Computer Corporation. All rights reserved.

"Compaq is broadly distributing this Security Advisory in order to bring to the attention of users of Compaq products the important security information contained in this Advisory. Compaq recommends that all users determine the applicability of this information to their individual situations and take appropriate action.
Compaq does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Compaq will not be responsible for any damages resulting from user's use or disregard of the information provided in this Advisory."
Severity: low
This potential security vulnerability has not been reproduced for any release of Compaq Tru64 Unix. However with the information available, we are providing a patch that will further reduce any potential vulnerability.
A patch has been made available for all supported versions of Tru64/ DIGITAL UNIX V4.0f, V4.0g, V5.0a, V5.1, and V5.1a. To obtain a patch for prior versions contact your normal Compaq Services support channel.
*This solution will be included in a future distributed release of Compaq's Tru64 / DIGITAL UNIX.

The patches identified are available from the Compaq FTP site <http://ftp1.support.compaq.com/public/dunix/> then choose the version directory needed and search for the patch by name.
The patch names are:

DUV40F17-C0056200-11703-ER-20010928.tar
T64V40G17-C0007000-11704-ER-20010928.tar
T64V50A17-C0015500-11705-ER-20010928.tar
T64V5117-C0065200-11706-ER-20010928.tar
T64V51Assb-C0000800-11707-ER-20010928.tar

To subscribe to automatically receive future NEW Security Advisories from the Software Security Response Team at Compaq via electronic mail,
Use your browser to get to the <http://www.support.compaq.com/patches/mailing-list.shtml> and sign up. Select "Security and Individual Notices" for immediate dispatch notifications.
To report a potential security vulnerability for Compaq products, send email to security-ssrt@compaq.com
If you need further information, please contact your normal Compaq Services support channel.
Compaq appreciates your cooperation and patience. As always, Compaq urges you to periodically review your system management and security procedures. Compaq will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO78nlDnTu2ckvbFuEQKetQCg4wWYlBghvodt3FcggpMWzoYYQNIAoOBu
59ftYye4zJnazHWnZHQqEPBY
=JKbN
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company __ Affected

Notified: August 14, 2001 Updated: December 06, 2001

Status

Affected

Vendor Statement

Document ID: HPSBUX0110-168

Date Loaded: 20011205
Title: Sec. Vulnerability in rpc.ttdbserverd (rev.3)

---------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0168,
Originally issued: 01 October '01
**Revision 01**: 03 October '01
**Revision 02**: 19 November '01
**Revision 03**: 05 December '01
---------------------------------------------------------------

The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from customer's
failure to fully implement instructions in this Security Bulletin as
soon as possible.

---------------------------------------------------------------
PROBLEM: Buffer overflow in rpc.ttdbserver

PLATFORM: HP9000 Series 700/800 running HP-UX releases 10.10,
10.20, 10.24, 11.00, 11.04, and 11.11.

DAMAGE: Unauthorized access, increased privileges.

SOLUTION: Install the appropriate patch:
10.10 PHSS_25136,
10.20 PHSS_25137,
10.24 PHSS_25419,
11.00 PHSS_25138,
11.04 PHSS_25420,
11.11 PHSS_25139.

MANUAL ACTIONS: none

AVAILABILITY: All listed patches are available now.

CHANGE SUMMARY: Rev.01 Updated patch information, deleted old
instructions.
Rev.02 Updated patch information again.
Rev.03 Updated instructions for disabling
rpc.ttdbserver
---------------------------------------------------------------
A. Background
A remotely exploitable buffer overflow in rpc.ttdbserver has
been reported to HP.

B. Fixing the problem

Install the appropriate patch. An alternative is to disable
rpc.ttdbserver. The rpc.ttdbserver process is not needed for
the programs provided in HP's CDE product. It may be needed
by third party applications using ToolTalk. If you are not
using ToolTalk applications rpc.ttdbserver may be disabled.

**Rev.03**

Edit /etc/inetd.conf and comment out the rpc.ttdbserver
line as follows:

#rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver ...

Restart inetd:

/usr/sbin/inetd -c

Kill any instances of rpc.ttdbserver that might be
running.

C. Recommended solution
Install the appropriate patch:
10.10 PHSS_25136,
10.20 PHSS_25137,
10.24 PHSS_25419,
11.00 PHSS_25138,
11.04 PHSS_25420,
11.11 PHSS_25139.

D. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:

Use your browser to get to the HP IT Resource Center page
at:

<http://itrc.hp.com>

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC. Remember to save the
User ID assigned to you, and your password.

In the left most frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.

To -gain access- to the Security Patch Matrix, select
the link for "The Security Bulletins Archive". (near the
bottom of the page) Once in the archive the third link is
to the current Security Patch Matrix. Updated daily, this
matrix categorizes security patches by platform/OS release,
and by bulletin topic. Security Patch Check completely
automates the process of reviewing the patch matrix for
11.XX systems.

For information on the Security Patch Check tool, see:
<http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA>

The security patch matrix is also available via anonymous
ftp:

ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix

On the "Support Information Digest Main" page:
click on the "HP Security Bulletin Archive".

E. To report new security vulnerabilities, send email to

security-alert@hp.com

Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server, or by sending a message with a -subject- (not body)
of 'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this
Bulletin to Hewlett-Packard (HP) customers (or the Internet
community) for the purpose of alerting them to problems,
if and only if, the Bulletin is not edited or changed in
any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.
________________________________________________________________
-----End of Document ID: HPSBUX0110-168--------------------------------------

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM __ Affected

Notified: August 14, 2001 Updated: October 31, 2001

Status

Affected

Vendor Statement

[from IBM Security Advisory contained in: <ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z>]

A. Official fix

IBM is working on the following fixes which will be available soon:

AIX 4.3:

Pending assignment - the Advisory copy in the efix download package will be updated as soon as the assignment is made. Also, the CERT Vulnerability Note will be updated and we will post a note to SecurityFocus BUGTRAQ. IBM's Managed Security Service will also distribute notification of when this happens.

AIX 5.1:

APAR #IY23846
The APARs for AIX 4.3 and 5.1 will not be available until late October - November 2001.

NOTE: Fix will not be provided for versions prior to 4.3 as these are no longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 at the latest maintenance level, or to 5.1.

B. How to minimize the vulnerability

WORKAROUND

None, other than disabling the CDE Tooltalk RPC database server.

EMERGENCY FIX (efix):

Temporary fixes for AIX 4.3.x and 5.1 systems are available.

The temporary fixes can be downloaded via ftp from:

The name of the efix you want to download to close this vulnerability is tooltalk_efix.tar.Z.

The efix compressed tarball contains a copy of this Advisory and another tarfile, efix_binaries.tar. This latter tarfile will untar into two subdirectories, tooltalk_rpc_aix43_efix and tooltalk_rpc_aix51_efix, for AIX 4.3 and 5.1, respectively. Each subdirectory contains a patched rpc.ttdbserver and libtt.a binary, plus an INSTALL textfile that is a synopsis of the installation instructions given below. In the same directory level with the Advisory is a detached PGP signature file for the tarfile containing the fixes, efix_binaries.tar.asc.

These temporary fixes have not been fully regression tested; thus, IBM does not warrant the fully correct functioning of the efix. Customers install the efix and operate the modified version of AIX at their own risk.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See also:

<http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2001.425.1>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. __ Affected

Notified: August 14, 2001 Updated: November 14, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----


Sun Microsystems, Inc. Security Bulletin

Bulletin Number: #00212
Date: November 13, 2001
Cross-Ref: CERT Advisory CA-2001-27
Title: rpc.ttdbserverd


The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the information
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable law,
void, or unenforceable in any jurisdiction, then such provisions are waived
to the extent necessary for this disclaimer to be otherwise enforceable in
such jurisdiction.


1. Bulletins Topics

Sun announces the release of patches for Solaris(tm) 8, 7, 2.6,
2.5.1, and 2.5 (SunOS(tm) 5.8, 5.7, 5.6, 5.5.1, and 5.5) which
relate to a format string vulnerability in rpc.ttdbserverd.

Sun recommends that you install the patches listed in section 4
immediately on systems running the CDE ToolTalk database server,
rpc.ttdbserverd, on SunOS 5.8, 5.7, 5.6, 5.5.1 and 5.5.

2. Who is Affected

Vulnerable: SunOS 5.8, 5.8_x86, 5.7, 5.7_x86, 5.6,
5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and
5.5_x86

3. Understanding the Vulnerability

The RPC-based ToolTalk database server, rpc.ttdbserverd, manages
communication between ToolTalk applications. A format string
vulnerability has been discovered in rpc.ttdbserverd which may be
exploited by a local or a remote attacker to gain root access on the
affected system. Any system that does not run the ToolTalk RPC
database service is not vulnerable to this problem. This issue was
discovered by ISS X-Force who published an advisory at:

<http://xforce.iss.net/alerts/advise98.php>

CERT Advisory CA-2001-27 is available from:

<http://www.cert.org/advisories/CA-2001-27.html>

4. List of Patches

The following patches are available in relation to the above issue.

OS Version Patch ID


SunOS 5.8 110286-04
SunOS 5.8_x86 110287-04
SunOS 5.7 107893-15
SunOS 5.7_x86 107894-14
SunOS 5.6 105802-16
SunOS 5.6_x86 105803-18
SunOS 5.5.1 104489-14
SunOS 5.5.1_x86 105496-12
SunOS 5.5 104428-12
SunOS 5.5_x86 105495-10


APPENDICES

A. Patches listed in this bulletin are available to all Sun customers at:

<http://sunsolve.sun.com/securitypatch>

B. Checksums for the patches listed in this bulletin are available at:

<ftp://sunsolve.sun.com/pub/patches/CHECKSUMS>

C. Sun security bulletins are available at:

<http://sunsolve.sun.com/security>

D. Sun Security Coordination Team's PGP key is available at:

<http://sunsolve.sun.com/pgpkey.txt>

E. To report or inquire about a security problem with Sun software, contact
one or more of the following:

- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to:

security-alert@sun.com

F. To receive information or subscribe to our CWS (Customer Warning System)
mailing list, send email to:

security-alert@sun.com

with a subject line (not body) containing one of the following commands:

Command Information Returned/Action Taken


help An explanation of how to get information

key Sun Security Coordination Team's PGP key

list A list of current security topics

query [topic] The email is treated as an inquiry and is forwarded to
the Security Coordination Team

report [topic] The email is treated as a security report and is
forwarded to the Security Coordination Team. Please
encrypt sensitive mail using Sun Security Coordination
Team's PGP key

send topic A short status summary or bulletin. For example, to
retrieve a Security Bulletin #00138, supply the
following in the subject line (not body):

send #138

subscribe Sender is added to our mailing list. To subscribe,
supply the following in the subject line (not body):

subscribe cws your-email-address

Note that your-email-address should be substituted
by your email address.

unsubscribe Sender is removed from the CWS mailing list.


Copyright 2001 Sun Microsystems, Inc. All rights reserved. Sun,
Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks
of Sun Microsystems, Inc. in the United States and other countries. This
Security Bulletin may be reproduced and distributed, provided that this
Security Bulletin is not modified in any way and is attributed to
Sun Microsystems, Inc. and provided that such reproduction and distribution
is performed for non-commercial purposes.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBO/GUHbdzzzOFBFjJAQFqSwP+MIdnt8E9JYPubpxT9qmOiLZ64LuLEnKp
IZD2coi7rpObSoxwdLh3lZ0+7+wn/EBDPRLusiFTW5s0ycxDjsusRI9sRr2eywfs
BRaqZhQXCIAVpE4u+Jem+AJr3jFiXBzQILjRbnchErVpxt1QvsOFdwdK9M6+RjIL
BheyLWWC58E=
=7l7y
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The Open Group __ Affected

Notified: August 15, 2001 Updated: October 31, 2001

Status

Affected

Vendor Statement

Source licensees of The Open Group's CDE product can contact desktop@opengroup.org for advice and a source patch that addresses this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO UnixWare) __ Affected

Notified: August 15, 2001 Updated: September 13, 2002

Status

Affected

Vendor Statement

Caldera Open Unix and UnixWare are vulnerable. Caldera has released Security Advisory CSSA-2001-SCO.28.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xi Graphics __ Affected

Notified: October 03, 2001 Updated: October 09, 2001

Status

Affected

Vendor Statement

Xi Graphics DeXtop 2.1 is vulnerable. Further information and a patch are available at the following locations:

<ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.txt>

<ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.tar.gz>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc. __ Not Affected

Notified: August 20, 2001 Updated: October 09, 2001

Status

Not Affected

Vendor Statement

UNICOS and UNICOS/mk are not vulnerable to either of these two advisories. For further information see Cray SPR 721061. Cray, Inc. does include ToolTalk within the CrayTools product. However, this implementation does not use rpc.ttdbserverd. Therefore, Cray, Inc. is not vulnerable to this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Cray SPRs are available to licensed Cray customers.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General Unknown

Notified: August 15, 2001 Updated: August 27, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Unknown

Notified: August 15, 2001 Updated: August 27, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI __ Unknown

Notified: August 14, 2001 Updated: April 03, 2002

Status

Unknown

Vendor Statement

SGI acknowledges the CDE vulnerabilities reported by CERT and is currently investigating. No further information is available at this time.

For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems.

Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements.

As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has released SGI Security Advisory 20020302-01-A which addresses a number of vulnerabilities in CDE and ToolTalk.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TriTeal __ Unknown

Updated: November 12, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

TriTeal went bankrupt in December 1999. It is possible that TriTeal Enterprise Desktop (TED) and CDE distributions based on TriTeal code are vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


References

  • <http://xforce.iss.net/alerts/advise98.php>
  • <http://www.securityfocus.com/bid/3382>
  • <http://www.securitytracker.com/alerts/2001/Oct/1002479.html>
  • <http://www.opengroup.org/desktop/faq/>

Acknowledgements

The CERT Coordination Center thanks Internet Security Systems (ISS) X-Force and The Open Group for information used in this document.

This document was written by Art Manion, Shawn V. Hernan, and Jeffrey S. Havrilla.

Other Information

CVE IDs: | CVE-2001-0717
---|---
CERT Advisory: | CA-2001-27
Severity Metric: | 17.70
Date Public: | 2001-10-02
Date First Published: | 2001-10-03
Date Last Updated: | 2004-03-24 15:01 UTC
Document Revision: | 47