Advisory CA-2002-26 Buffer Overflow in CDE ToolTalk

2002-08-13T00:00:00
ID SECURITYVULNS:DOC:3349
Type securityvulns
Reporter Securityvulns
Modified 2002-08-13T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-26 Buffer Overflow in CDE ToolTalk

Original release date: August 12, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

 * Systems running CDE ToolTalk

Overview

The Common Desktop Environment (CDE) ToolTalk RPC database server contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code or cause a denial of service.

I. Description

The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. CDE ToolTalk is a message brokering system that provides an architecture for applications to communicate with each other across hosts and platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages communication between ToolTalk applications. For more information about CDE, see

 http://www.opengroup.org/cde/

 http://www.opengroup.org/desktop/faq/

The CDE ToolTalk database server is vulnerable to a heap buffer overflow via an argument passed to the procedure _TT_CREATE_FILE(). An attacker with access to the ToolTalk RPC database service could exploit this vulnerability with a specially crafted RPC message.

Vulnerability Note VU#387387 includes a list of vendors who have been contacted about this vulnerability.

This vulnerability was discovered and reported by the Entercept Ricochet Team and is described in the following Entercept Security Alert:

 http://www.entercept.com/news/uspr/08-12-02.asp

This vulnerability has been assigned CAN-2002-0679 by the Common Vulnerabilities and Exposures (CVE) group.

A list of previously documented problems in CDE can be found in Appendix B.

II. Impact

Using an RPC message containing a specially crafted argument to _TT_CREATE_FILE(), a remote attacker could execute arbitrary code or cause a denial of service. The ToolTalk database server process runs with root privileges on most systems, so code executed through this vulnerability would run as root. Note that the non-executable stack protection provided by some operating systems will not prevent the execution of code located on the heap, which is where this overflow occurs.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Disable vulnerable service

Until patches are available and can be applied, you may wish to disable the ToolTalk RPC database service. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. On a typical CDE system, it should be possible to disable rpc.ttdbserverd by commenting out the relevant entries in /etc/inetd.conf and, if necessary, /etc/rpc, and then restarting the inetd process (or signalling it to reread its configuration).

The program number for the ToolTalk RPC database server is 100083. If references to 100083 or rpc.ttdbserverd appear in /etc/inetd.conf or /etc/rpc or in output from the rpcinfo(1M) and ps(1) commands, then the ToolTalk RPC database server may be running.

The following example was taken from a system running SunOS 5.8 (Solaris 8):

/etc/inetd.conf
...
#
# Sun ToolTalk Database Server
#
100083/1     tli   rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
...

rpcinfo -p

program vers proto    port  service
...
100083    1   tcp   32773
...

ps -ef

 UID   PID  PPID  C    STIME TTY      TIME CMD
...
root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
...

Before deciding to disable the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements.

Block access to vulnerable service

Until patches are available and can be applied, you may wish to block access to the ToolTalk RPC database server and possibly the RPC portmapper service from untrusted networks such as the Internet. Use a firewall or other packet-filtering technology to block the appropriate network ports. The ToolTalk RPC database server may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo(1M) command. In the example above, the ToolTalk RPC database server is configured to use port 32773/tcp. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from attacks that originate from the internal network.

Before deciding to block or restrict access to the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements.
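The three checks described above (rpcinfo -p, ps -ef and /etc/inetd.conf) and the inetd.conf edit that disables the server can be scripted. The following helper is an added example written for this page; it is not part of the CERT advisory or of any vendor's tooling. It hardcodes only facts the advisory states (program number 100083, the daemon name rpc.ttdbserverd, the Solaris and HP-UX inetd.conf entry formats); the function names and the sample command output it runs on are constructed for illustration and are modelled on the advisory's Solaris 8 example. The assumption that classic inetd rereads its configuration on SIGHUP is the author's, not the advisory's; follow your vendor's note where it differs.

```shell
#!/bin/sh
# Audit helper for CERT CA-2002-26, written for this page and not part of the
# advisory. It applies the advisory's own checks for the ToolTalk RPC database
# server, rpc.ttdbserverd (RPC program 100083): a registration in rpcinfo -p,
# a process in ps -ef, and an active entry in /etc/inetd.conf. Every function
# reads the command output or file on stdin, so it can be exercised below on
# constructed sample data and on a live host with, e.g., rpcinfo -p | ttdb_ports.

TT_PROG=100083
# inetd.conf names the service either by program number (Solaris: 100083/1 ...)
# or by daemon name (HP-UX: rpc.ttdbserverd stream tcp ...); both forms match.
TT_INETD_RE='^(100083/[0-9]+|rpc[.]ttdbserverd)$'

# rpcinfo -p on stdin -> "proto port" for each registration of program 100083.
# Empty output means the server is not registered with the portmapper.
ttdb_ports() {
    awk -v prog="$TT_PROG" '$1 == prog { print $3, $4 }'
}

# ps -ef on stdin -> PID of each rpc.ttdbserverd process (basename or full path).
ttdb_pids() {
    awk '$NF ~ /(^|\/)rpc[.]ttdbserverd$/ { print $2 }'
}

# inetd.conf on stdin -> the uncommented entries that start the server.
ttdb_inetd_active() {
    awk -v re="$TT_INETD_RE" '!/^[[:space:]]*#/ && $1 ~ re'
}

# inetd.conf on stdin -> the same file with those entries commented out.
# Install the result over /etc/inetd.conf (keep a backup) and make inetd
# reread it (assumed here: kill -HUP <inetd pid>); then confirm with rpcinfo -p.
ttdb_inetd_disable() {
    awk -v re="$TT_INETD_RE" '!/^[[:space:]]*#/ && $1 ~ re { print "#" $0; next } { print }'
}

# Constructed sample data, modelled on the advisory's Solaris 8 example.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100083    1   tcp  32773'
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0 19:30:02 ?        0:01 /etc/init -
    root   164     1  0 19:30:40 ?        0:00 /usr/sbin/inetd -s
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd'
SAMPLE_INETD='#
# Sun ToolTalk Database Server
#
100083/1     tli   rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
100001/2-5   tli   rpc/udp wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd'

echo "ToolTalk RPC db server registrations (proto port):"
printf '%s\n' "$SAMPLE_RPCINFO" | ttdb_ports
echo "Running rpc.ttdbserverd PIDs:"
printf '%s\n' "$SAMPLE_PS" | ttdb_pids
echo "Active inetd.conf entries:"
printf '%s\n' "$SAMPLE_INETD" | ttdb_inetd_active
echo "inetd.conf with the server disabled:"
printf '%s\n' "$SAMPLE_INETD" | ttdb_inetd_disable
```

The port reported by ttdb_ports is also the one to filter at the perimeter, together with 111/tcp and 111/udp for the portmapper, if you choose to block rather than disable the service. Because the server is started on demand by inetd, an empty ps -ef result alone does not mean it is disabled; the inetd.conf and rpcinfo checks are the ones that matter.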

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Caldera, Inc.

 Caldera  Open  UNIX  and  Caldera  UnixWare  are vulnerable to this
 issue.  A  fix  will be announced and made available as soon as the
 CERT advisory is made public.

Cray, Inc.

 Cray,  Inc.  does  include  ToolTalk  within the CrayTools product.
 However,  rpc.ttdbserverd  is  not  turned  on  or used by any Cray
 provided  application.  Since  a  site  may have turned this on for
 their    own    use,    they   can   always   remove   the   binary
 /opt/ctl/bin/rpc.ttdbserverd if they are concerned.

Hewlett-Packard Company

 SOURCE: Hewlett-Packard Company Software Security Response Team

 CROSS REFERENCE ID: SSRT2274

 HP-UX
 HP Tru64 UNIX

 At  the time of writing this document, Hewlett Packard is currently
 investigating  the  potential  impact  to  HP-UX  and HP Tru64 UNIX
 released operating system software.

 HP will provide notice of the availability of any necessary patches
 through  standard  security bulletin announcements and be available
 from your normal HP Services support channel.

 NOT IMPACTED:

 HP-MPE/ix
 HP OpenVMS
 HP NonStop Servers

 HP Recommended Workaround:

 A  recommended  workaround  is  to  disable  rpc.ttdbserverd  until
 solutions  are  available.  This  should  only  create  a potential
 problem  for  public  software  packages  applications that use the
 RPC-based  ToolTalk  database server. This step should be evaluated
 against  the  risks identified, your security measures environment,
 and  potential  impact  of other products that may use the ToolTalk
 database server.

 To disable rpc.ttdbserverd:

 Comment out the following line in /etc/inetd.conf:

 rpc.ttdbserverd  stream  tcp swait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

 Force  inetd  to  re-read  the  configuration file by executing the
 inetd -h command.

 Note:  The  internet  daemon  should  kill  the  currently  running
 rpc.ttdbserver.  If not, manually kill any existing rpc.ttdbserverd
 process.

IBM Corporation

 The CDE desktop product shipped with AIX is vulnerable to the issue
 detailed above in the advisory. This affects AIX releases 4.3.3 and
 5.1.0.  The efix package is currently being generated and will soon
 be available from the IBM software ftp site.

 The  efix  packages  can  be  downloaded  via  anonymous  ftp  from
 ftp.software.ibm.com/aix/efixes/security/.  This directory contains
 a README file that gives further details on the efix packages.

 The following APARs will be available in the near future:

 AIX 4.3.3: IY32792
 AIX 5.1.0: IY32793

SGI

 SGI  acknowledges the ToolTalk vulnerabilities reported by CERT and
 is  currently investigating. No further information is available at
 this time.

 For  the  protection  of  all our customers, SGI does not disclose,
 discuss  or  confirm vulnerabilities until a full investigation has
 occurred  and  any  necessary  patch(es)  or  release  streams  are
 available  for all vulnerable and supported IRIX operating systems.
 Until SGI has more definitive information to provide, customers are
 encouraged  to  assume  all security vulnerabilities as exploitable
 and  take  appropriate  steps  according  to  local  site  security
 policies   and   requirements.   As   further  information  becomes
 available,  additional advisories will be issued via the normal SGI
 security  information  distribution  methods  including the wiretap
 mailing list on http://www.sgi.com/support/security/.

Sun Microsystems, Inc.

 The Solaris RPC-based ToolTalk database server, rpc.ttdbserverd, is
 vulnerable to the buffer overflow described in this advisory in all
 currently supported versions of Solaris:

 Solaris 2.5.1, 2.6, 7, 8, and 9

 Patches are being generated for all of the above releases. Sun will
 be  publishing Sun Alert 46366 for this issue which will be located
 here:

 http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46366

 The Sun Alert will be updated as more information or patches become
 available. The patches will be available from:

 http://sunsolve.sun.com/securitypatch

 Sun  will be publishing a Sun Security Bulletin for this issue once
 all of the patches are available which will be located at:

 http://sunsolve.sun.com/security

Xi Graphics

 Xi  Graphics  deXtop  CDE  v2.1  is  vulnerable to this attack. The
 update and accompanying text file will be:

 ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz
 ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

 DeXtop version 3.0 already contains this fix.

 Most  sites  do  not  need  to  use  the ToolTalk server daemon. Xi
 Graphics  Security recommends that non-essential services are never
 enabled.  To  disable  the  ToolTalk  server  on  your system, edit
 /etc/inetd.conf  and  comment  out, or remove, the 'rpc.ttdbserver'
 line. Then, either restart inetd, or reboot your machine.

Appendix B. - References

 * http://www.opengroup.org/cde/
 * http://www.opengroup.org/desktop/faq/
 * http://www.entercept.com/news/uspr/08-12-02.asp
 * http://www.cert.org/advisories/CA-2002-20.html
 * http://www.kb.cert.org/vuls/id/975403
 * http://www.kb.cert.org/vuls/id/299816
 * http://www.cert.org/advisories/CA-2002-01.html
 * http://www.cert.org/advisories/CA-2001-31.html
 * http://www.kb.cert.org/vuls/id/172583
 * http://www.cert.org/advisories/CA-2001-27.html
 * http://www.kb.cert.org/vuls/id/595507
 * http://www.kb.cert.org/vuls/id/860296
 * http://www.cert.org/advisories/CA-1999-11.html
 * http://www.cert.org/advisories/CA-1998-11.html
 * http://www.cert.org/advisories/CA-1998-02.html
 _________________________________________________________________

The CERT Coordination Center thanks Sinan Eren of the Entercept Ricochet Team for reporting this vulnerability.

Author: Art Manion


This document is available from: http://www.cert.org/advisories/CA-2002-26.html


CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
 CERT Coordination Center
 Software Engineering Institute
 Carnegie Mellon University
 Pittsburgh PA 15213-3890
 U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

  • "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

August 12, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPVfnj6CVPMXQI2HJAQETLwP9HC51o4vnkJ7xuF4om98hl5Cad5zxvQia
YmsXxqnKL5baSF2DZCb8218sxwMusDCXK+n3cQR6qNiShLoL9zsDMWk4tAzFGbJO
BceIVqf3kyLTe8tZcrMkmLmWASADNKbxLZtK/0XjJVAkC/I27pfUgW4keqz7fpBv
a9WjSnTU7kI=
=KED+
-----END PGP SIGNATURE-----