Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3190
HistoryJul 11, 2002 - 12:00 a.m.

[CORE-20020528] Multiple vulnerabilities in ToolTalk Database server

2002-07-1100:00:00
vulners.com
19

0.031 Low

EPSS

Percentile

91.1%

JSON
                          CORE SECURITY TECHNOLOGIES
                                  http://www.corest.com

     Multiple vulnerabilities in Tooltalk database server

Date Published: 2002-07-10

Last Update: 2002-07-10

Advisory ID: CORE-20020528

Bugtraq ID: 5082,5083

CVE: CAN-2002-0677, CAN-2002-0678

CERT: VU#975403 VU#299816

Title: Multiple vulnerabilities in Tooltalk database server.

Class: Implementation flaws

Remotely Exploitable: Yes

Locally Exploitable: Yes

Vendors contacted:

  • Sun
    CORE notification: 2002-06-10
    CERT notification: 2002-06-11 4:32pm
    Status:
    .Vulnerable (original bug discovery on Solaris)
    .Acknowledged notification on 2002-06-10
    .Research in progress, no confirmation
    from Sun as of 2002-06-18
    .Official statement forwardr by CERT: 2002-07-10

  • HP
    CORE notification: 2002-06-10
    CERT notification: 2002-06-11
    Status:
    .Acknowledged notification on 2002-06-10
    .Confirmed HP-UX vulnerable on 2002-06-11
    and issued high priority lab fix request
    .Official statement forwarded by CERT: 2002-07-10

  • Compaq Computer Corporation
    CORE notification: 2002-06-10
    CERT notification: 2002-06-11 4:32pm
    Status:
    .Acknowledged notification on 2002-06-10
    .Official statement forwarded by CERT: 2002-07-10

  • SGI
    CORE notification: 2002-06-10
    CERT notification: 2002-06-11
    Status:
    .Acknowledged notification on 2002-06-18

  • Xi Graphics (CDE for Linux)
    CERT notification: 2002-06-12
    Status:
    .Confirmed vulnerable, fixes are available
    at the release date of this advisory
    .Patches available : 2002-06-20

  • IBM
    CORE notification: 2002-06-10
    CERT notification: 2002-06-11 4:32pm EST
    Status:
    .Confirmed vulnerable
    .Official statement forwarded by CERT: 2002-07-10

  • Caldera (SCO)
    CERT notification: 2002-06-12 1:32pm
    Status:
    .Confirmed vulnerable
    .Official statement forwarded by CERT: 2002-07-10

  • Cray Inc.
    CERT notification: 2002-06-12 1:19pm
    Status:
    .Acknoledged notification.
    "Cray Inc. ships ToolTAlk wiht the CrayTools
    product but is not enabled by default or used
    by any Cray provided application"

  • Data General
    CERT notification: 2002-06-12 1:19pm
    Status:
    N/A

  • Fujitsu
    CERT notification: 2002-06-12 1:19pm
    Status:
    .Acknowledged notification.
    "Fujitsu's UXP/V is not vulnerable. Does
    not support any CDE functionalities"

  • The Open Group
    CERT notification: 2002-06-12 1:31pm
    Status:
    N/A

Release Mode: USER RELEASE

Vulnerability Description:

The ToolTalk service allows independently developed applications to
communicate with each other by exchanging ToolTalk messages. Using ToolTalk,
applications can create open protocols which allow different programs to be
interchanged, and new programs to be plugged into the system with minimal
reconfiguration.

The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service which
manages objects needed for the operation of the ToolTalk service.
ToolTalk-enabled processes communicate with each other using RPC calls to
this program, which runs on each ToolTalk-enabled host. This program is a
standard component of the ToolTalk system, which ships as a standard
component of many commercial Unix operating systems. The ToolTalk database
server runs as root.

Several security bugs were discovered in the rpc.ttdbserverd program
that allow an attacker to:

  • Overwrite 4 bytes of memory the running process with a zero
    (0x0L) value
  • Remotely delete any file on the vulnerable host
  • Locally create or overwrite any file on the vulnerable host
    with arbitrary contents.
  • Remotely create arbitrary directory entries on the vulnerable
    host

These vulnerabilities by themselves can lead to remote and local
compromise of the privilege root account on the vulnerable system.

Additionally these vulnerabilities may be used to build more reliable
and effective exploit programs for previously published ToolTalk
Database server vulnerabilities.

Exploit modules for the vulnerabilities described in this advisory
are available inmediately for CORE IMPACT customers through the
product support channel or as part of CORE IMPACT v1.1 or
the July 2002 module update pack.

Vulnerable Packages:
Solaris 2.5.1 2.6 7 8 9
HP-UX 10.10 10.20 11.00 11.11
Tru64 v4.0f, v4.0g, v5.0a, v5.1, v5.1a
Xi Graphics deXtop CDE v2.1
IBM AIX 4.3.3 and 5.1.0
Caldera Open UNIX and Caldera UNIXware

Not confirmed but suspected vulnerable

  • SGI IRIX 5.2-6.5.x

Not vulnerable

  • Fujitsu UXP/V
  • Cray Inc, CrayTools
  • Caldera OpenLinux
  • SCO OpenServer

Solution/Vendor Information/Workaround

Caldera, Inc.

Caldera Open UNIX and Caldera UnixWare provide the
CDE ttdbserverd daemon, and are vulnerable to these issues.
We have prepared fixes for those two operating systems,
and will make them available as soon as these issues are
made public.

SCO OpenServer and Caldera OpenLinux do not provide CDE,
and are therefore not vulnerable.

Compaq Computer Corporation

CROSS REFERENCE: SSRT2251

At this time Compaq does have solutions in final testing
and will publish HP Tru64 UNIX security bulletin
(SSRT2251) with patch information as soon as testing has
completed and kits are available from the support ftp web
site.

A recommended workaround however is to disable
rpc.ttdbserver until solutions are available. This
should only create a potential problem for public
software packages applications that use the RPC-based
ToolTalk database server. This step should be evaluated
against the risks identified, your security measures
environment, and potential impact of other products that
may use the ToolTalk database server.

To disable rpc.ttdbserverd:

  • Comment out the following line in /etc/inetd.conf:
    rpc.ttdbserverd stream tcp swait root
    /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
  • Force inetd to re-read the configuration file by
    executing the inetd -hcommand.

Note: The internet daemon should kill the currently
running rpc.ttdbserver. If not, manually kill any
existing rpc.ttdbserverd process.

Cray, Inc.

Cray, Inc. does include ToolTalk within the CrayTools
product. However, rpc.ttdbserverd is not turned on or used
by any Cray provided application. Since a site may have
turned this on for their own use, they can always
remove the binary /opt/ctl/bin/rpc.ttdbserverd if they
are concerned.

Fujitsu

Fujitsu's UXP/V operating system is not affected by
the vulnerability reported in VU#975403 [or VU#299816]
because UXP/V does not support any CDE functionalties.

Hewlett-Packard Company

HP9000 Series 700/800 running HP-UX releases 10.10,
10.20, 11.00, and 11.11 are vulnerable.

Until patches are available, install the appropriate file
to replace rpc.ttdbserver.

Download rpc.ttdbserver.tar.gz from the ftp site. This file
is temporary and will be deleted when patches are
available from the standard HP web sites, including
itrc.hp.com.

System: hprc.external.hp.com (192.170.19.51)
Login: ttdb1
Password: ttdb1
FTP Access: ftp://ttdb1:[email protected]/
ftp://ttdb1:[email protected]/
File: rpc.ttdbserver.tar.gz
MD5: da1be3aaf70d0e2393bd9a03feaf4b1d

An HP security bulletin will be released with more
information.

IBM Corporation

The CDE desktop product shipped with AIX is vulnerable to
both the issues detailed above in the advisory. This
affects AIX releases 4.3.3 and 5.1.0 An efix package
will be available shortly from the IBM software ftp site.
The efix packages can be downloaded from
ftp.software.ibm.com/aix/efixes/security. This directory
contains a README file that gives further details on
the efix packages.

The following APARs will be available in the near future:

AIX 4.3.3: IY32368
AIX 5.1.0: IY32370

SGI

SGI acknowledges the ToolTalk vulnerabilities reported by
CERT and is currently investigating. No further
information is available at this time.

For the protection of all our customers, SGI does not
disclose, discuss or confirm vulnerabilities until a full
investigation has occurred and any necessary patch(es) or
release streams are available for all vulnerable and
supported IRIX operating systems. Until SGI has more
definitive information to provide, customers are encouraged
to assume all security vulnerabilities as exploitable and
take appropriate steps according to local site security
policies and requirements. As further information becomes
available, additional advisories will be issued via the
normal SGI security information distribution methods
including the wiretap mailing list on
http://www.sgi.com/support/security/.

Sun Microsystems, Inc.

The Solaris RPC-based ToolTalk database
server, rpc.ttdbserverd, is vulnerable to the two
vulnerabilities [VU#975403 VU#299816] described in this
advisory in all currently supported versions of Solaris:

Solaris 2.5.1, 2.6, 7, 8, and 9

Patches are being generated for all of the above releases.
Sun will publish a Sun Security Bulletin and a Sun Alert
for this issue. The Sun Alert will be available from:

http://sunsolve.sun.com

The patches will be available from:

http://sunsolve.sun.com/securitypatch

Sun Security Bulletins are available from:

http://sunsolve.sun.com/security

The Open Group

N/A

Xi Graphics

Xi Graphics deXtop CDE v2.1 is vulnerable to this
attack. A update correcting this issue will be available on
our ftp site once this vulnerability has been publically
announced.

When announced, the update and accompanying text file will
be:

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

Most sites do not need to use the ToolTalk server daemon.
Xi Graphics Security recommends that non-essential
services are never enabled. To disable the ToolTalk server
on your system, edit /etc/inetd.conf and comment
out, or remove, the 'rpc.ttdbserver' line. Then,
either restart inetd, or reboot your machine.

Workarounds

If patches are not available from your vendor these
workarounds can be implemented:

  • Disable the vulnerable service
    To do so, it is needed to comment out or remove the
    lines that refer to rpc.ttdbserverd in /etc/inetd.conf
    and restart the inetd daemon.

  • Block connections to the vulnerable service
    Block access from untrusted networks to the ToolTalk
    Database server program.
    The program is identified as RPC program number
    100083 and may service requests on port 629/tcp
    or any other port. Use the rpcinfo program to
    determine on which port ttdbserver is servicing
    requests and block access to that port and the
    portmapper (111/tcp 111/udp) at the perimeter.
    This will not prevent exploitation from trusted
    networks.
    In general it is advisable to block access from
    untrusted networks to ALL RPC services.

Credits:

These vulnerabilities were discovered and researched by Ricardo Quesada
of the CORE IMPACT team at CORE Security Technologies.
We would like to thank CERT for their efforts coordinating the
release of this advisory with CORE and the vendors.

Technical Description - Exploit/Concept Code

1) Overwriting portions of memory with 0L

The _TT_ISCLOSE procedure in ttdbserverd allows a client to close
an open ToolTalk Database. The client needs only to perform a
client call to the mentioned procedure passing a valid file descriptor
as argument.

The server first checks if the authentication credentials passed in
the procedure call (AUTH_UNIX) are valid for the requested operation.
To do so, the server uses the file descriptor received as argument
to index into a statically allocated table of structs of 24 bytes
each named _tt_db_table.
The table has 128 entries and each entry contains an struct with
the following fields (the names given to the fields were chosen
arbitrarly):

struct _tt_db_table_entry {
char * path;
int uid;
int mode;
int isopen;
int isopen2;
int aux;
};

The value in uid specifies the owner of the open database and
a non zero value in the isopen field indicates that the file is
open and in use.
Once the file is closed (or even if the operation fails) the
_TT_ISCLOSE procedure resets the value of the isopen field to 0
to indicate that this entry in the table belongs to a file
that is no longer open and in use.

A failure to perform proper range checks on the file descriptor
used as index into the table allows an attacker to specify arbitrary
portions of memory as table entries.
By abusing this vulnerability an attacker could use the _TT_ISCLOSE
procedure to overwrite portions of memory with a value of 0L.
This attack is restricted to overwritting portions of memory at
24 bytes intervals (since that is the overall size of each
table entry).
As we will see, the ability to do so will provide the means
to perform more sophisticated attacks.

2) Deleting files remotely

The ttdbserverd program provides also a procedure to log
transactions on a ToolTalk Database to a logfile. For this
purpose the _TT_TRANSACTION procedure is used.

_TT_TRANSACTION receives a file descriptor and a list of
records to log to the log file.
The filename for the logfile is kept in a statically allocated
variable _tt_log_file.

Upon failure of a transaction operation, a generic error
handler function is called and the logfile is deleted from
the filesystem using the unlink() function call.

In Solaris 8 ( patch 110286-6 applied) the variable is located
at:
0x0007636c 0x00000401 OBJT GLOB 0 .bss _tt_log_file

The filename for the log file is generated by concatenating the
full pathname for the TT Database and the fixed string 'log_file'.

The variable is populated by the _TT_ISOPEN and _TT_TRANSACTION
procedures, available to any local or remote ttdbserverd client.

A client can create a new TT database using the _TT_ISBUILD
procedure call and subsequently use the _TT_TRANSACTION
procedure to log transations on the newly created database
to the file specified in _tt_log_file.

As described above, _TT_TRANSACTION will populate the
_tt_log_file variable with the filename of the TT Database
concatenated with the string 'log_file'.
Therefore by creating (using _TT_ISBUILD) a TTDB named
"////////etc/passwd012345689ABCDEF/file_table" and subsequently
calling _TT_TRANSACTION with the valid file descriptor
for that DB (received as result of the ISBUILD call)
the _tt_log_file variable will end up as:

_tt_log_file = "////////etc/passwd012345689ABCDEF/log_file"

An attacker can now abuse the vulnerability described in
1) to insert a zero (and null terminate the string) leaving
the _tt_log_file variable as follows:

_tt_log_file = "////////etc/passwd\0\0\0\045689ABCDEF/log_file"

Once this has been done, a call to _TT_TRANSACTION with
an invalid file descriptor as argument (i.e. -2) will
trigger the unlink in the error handler function, effectively
removing the file specified in the _tt_log_file variable
from the file system.

This technique can be used by an attacker to remove any
file or directory on the vulnerable host.

3) Creating / Overwriting any local file

The _TT_TRANSACTION procedure follows symlinks when opening
the log file in order to write the transaction log.
By using a combination of the techniques described above an
attacker can locally overwrite any file with any contents
of her choice since the list of transaction records to log
is passed by the client program.

Conclusion

This advisory describes techniques to abuse two
vulnerabilities found in the CDE ttdbserver program:

  • Improper checks on user suplied RPC arguments that
    lead to memory overwriting.
    BID:5082 CERT: VU#975403 CVE:CAN-2002-0677

    This is the file descriptor range check problem
    described in 1) and later used in 2)

  • Lack of file system checks for file operations that
    lead to local file creation or overwriting.
    This is the symlink problem described in 3)
    BID:5083 CERT: VU#299816 CVE: CAN-2002-0678

The vulnerabilities and techniques described in this
advisory can be abused by an attacker in order to gain
privileged access to a vulnerable system both remotelly
and locally, or in order to perform a denial of service
attack (ie. deletion of ANY file remotely)

It is relevant to mention that vulnerabilities
disclosed very recently (see BID:4639/CVE:NOT-ASSIGNED
and BID:3382 /CVE:CAN-2001-0717) rely on the attacker's ability
to make file system operations to fail in order
to exploit those bugs.

Additionally, the ability to overwrite any portion
of the process memory with a value of 0L may provide
other possible attack scenarios for remote or local
compromise of the vulnerable host.

DISCLAIMER:

The contents of this advisory are copyright (c) 2002 CORE Security
Technologies and may be distributed freely provided that no fee is charged
for this distribution and proper credit is given.

$Id: ttdbserver.txt,v 1.9 2002/07/11 00:27:43 iarce Exp $

Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A

— for a personal reply use: =?iso-8859-1?Q?Iv=E1n_Arce?=
<[email protected]>

Related

coresecurity 1
openvas 2
securityvulns 2
nvd 3
cvelist 3
cve 3
cert 3
coresecurity
coresecurity
Multiple Vulnerabilities in Tooltalk Database Server
2016-05-18 00:00:00
openvas
openvas
CDE ToolTalk RPC Database Server Multiple Vulnerabilities
2011-09-27 00:00:00
CDE ToolTalk RPC Database Server Multiple Vulnerabilities
2011-09-27 00:00:00
securityvulns
securityvulns
Advisory CA-2002-20 Multiple Vulnerabilities in CDE ToolTalk
2002-07-11 00:00:00
ISSalert: ISS Security Advisory: Multi-Vendor Format String Vulnerability in ToolTalk Service
2001-10-02 00:00:00
nvd
nvd
CVE-2001-0717
2001-10-30 05:00:00
CVE-2002-0678
2002-07-23 04:00:00
CVE-2002-0677
2002-07-23 04:00:00
cvelist
cvelist
CVE-2001-0717
2002-03-09 05:00:00
CVE-2002-0678
2003-04-02 05:00:00
CVE-2002-0677
2002-07-12 04:00:00
cve
cve
CVE-2001-0717
2002-03-09 05:00:00
CVE-2002-0678
2003-04-02 05:00:00
CVE-2002-0677
2002-07-23 04:00:00
cert
cert
Common Desktop Environment (CDE) ToolTalk RPC Server rpc.ttdbserverd contains format string vulnerability
2001-10-03 00:00:00
Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file descriptor arguement to _TT_ISCLOSE()
2002-07-11 00:00:00
Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file operations
2002-07-11 00:00:00

0.031 Low

EPSS

Percentile

91.1%

JSON
Related for SECURITYVULNS:DOC:3190
coresecurity1openvas2securityvulns2nvd3cvelist3cve3cert3