Copyright 2024 - CSIM - Asian Institute of Technology

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]



-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-20 Multiple Vulnerabilities in CDE ToolTalk

   Original release date: July 10, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.


Systems Affected

     * Systems running CDE ToolTalk


Overview

   Two  vulnerabilities  have  been  discovered  in  the  Common  Desktop
   Environment   (CDE)   ToolTalk   RPC   database   server.   The  first
   vulnerability  could  be used by a remote attacker to delete arbitrary
   files,  cause  a denial of service, or possibly execute arbitrary code
   or  commands. The second vulnerability could allow a local attacker to
   overwrite arbitrary files with contents of the attacker's choice.


I. Description

   The  Common  Desktop Environment (CDE) is an integrated graphical user
   interface  that runs on UNIX and Linux operating systems. CDE ToolTalk
   is  a  message  brokering  system  that  provides  an architecture for
   applications   to   communicate  with  each  other  across  hosts  and
   platforms.  The ToolTalk RPC database server, rpc.ttdbserverd, manages
   communication  between  ToolTalk  applications.  For  more information
   about CDE, see

          http://www.opengroup.org/cde/

          http://www.opengroup.org/desktop/faq/

   This  advisory  addresses  two new vulnerabilities in the CDE ToolTalk
   RPC  database  server.  These vulnerabilities are summarized below and
   are  described  in  further  detail  in their respective vulnerability
   notes.  A  list  previously  documented  problems  in CDE can be found
   Appendix B.


   VU#975403  -  Common  Desktop  Environment (CDE) ToolTalk RPC database
   server  (rpc.ttdbserverd) does not adequately validate file descriptor
   argument to _TT_ISCLOSE()

          The ToolTalk RPC database server does not validate the range of
          an argument passed to the procedure _TT_ISCLOSE(). As a result,
          certain  locations in memory can be overwritten with zeros. For
          more information, please see VU#975403:

                http://www.kb.cert.org/vuls/id/975403

          This  vulnerability  has  been  assigned  CAN-2002-0677  by the
          Common Vulnerabilities and Exposures (CVE) group.


   VU#299816  -  Common  Desktop  Environment (CDE) ToolTalk RPC database
   server (rpc.ttdbserverd) does not adequately validate file operations

          The  ToolTalk  RPC  database  server  does  not ensure that the
          target  of  a  file  write  operation is a valid file and not a
          symbolic link. For more information, please see VU#299816:

                http://www.kb.cert.org/vuls/id/299816

          This  vulnerability  has  been  assigned  CAN-2002-0678  by the
          Common Vulnerabilities and Exposures (CVE) group.


II. Impact

   VU#975403  -  Common  Desktop  Environment (CDE) ToolTalk RPC database
   server  (rpc.ttdbserverd) does not adequately validate file descriptor
   argument to _TT_ISCLOSE()

          By   issuing   a   specially  crafted  call  to  the  procedure
          _TT_ISCLOSE(),   a  remote  attacker  could  overwrite  certain
          locations   in  memory  with  zeros.  Using  a  combination  of
          techniques   that  include  valid  ToolTalk  RPC  requests,  an
          attacker  could  leverage this vulnerability to delete any file
          that  is  accessible by the ToolTalk RPC database server. Since
          the  server  typically runs with root privileges, any file on a
          vulnerable  system  could  be  deleted.  Overwriting  memory or
          deleting  files could cause a denial of service. It may also be
          possible to execute arbitrary code and commands.

   VU#299816  -  Common  Desktop  Environment (CDE) ToolTalk RPC database
   server (rpc.ttdbserverd) does not adequately validate file operations

          By  referencing  a  specially  crafted symbolic link in certain
          ToolTalk  RPC  requests,  a  local attacker could overwrite any
          file that is accessible by the the ToolTalk RPC database server
          with  contents  of  the  attacker's  choice.  Since  the server
          typically  runs  with root privileges, any file on a vulnerable
          system could be overwritten. Overwriting root-owned files could
          lead  to  lead  to  privilege  escalation  or cause a denial of
          service.

III. Solution

Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   As  vendors report new information to the CERT/CC, we will update this
   section  and note the changes in our revision history. If a particular
   vendor  is  not  listed  below,  we  have not received their comments.
   Please contact your vendor directly.


Disable vulnerable service

   Until  patches  are  available  and  can  be  applied, you may wish to
   disable  the  ToolTalk  RPC  database service. As a best practice, the
   CERT/CC  recommends  disabling  all  services  that are not explicitly
   required.  On  a  typical CDE system, it should be possible to disable
   rpc.ttdbserverd   by   commenting   out   the   relevant   entries  in
   /etc/inetd.conf and if necessary, /etc/rpc, and then by restarting the
   inetd process.

   The  program number for the ToolTalk RPC database server is 100083. If
   references  to  100083 or rpc.ttdbserverd appear in /etc/inetd.conf or
   /etc/rpc  or  in  output from the rpcinfo(1M) and ps(1) commands, then
   the ToolTalk RPC database server may be running.

   The  following  example  was  taken  from  a  system running SunOS 5.8
   (Solaris 8):

   /etc/inetd.conf
   ...
   #
   # Sun ToolTalk Database Server
   #
   100083/1     tli    rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd\
                       rpc.ttdbserverd  (line wrapped)
   ...


   # rpcinfo -p
       program vers proto    port  service
       ...
        100083    1   tcp   32773
       ...


   # ps -ef
        UID   PID  PPID  C    STIME TTY      TIME CMD
       ...
       root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
       ...


   Before deciding to disable the ToolTalk RPC database server or the RPC
   portmapper  service, carefully consider your network configuration and
   service requirements.


Block access to vulnerable service

   Until  patches are available and can be applied, you may wish to block
   access  to  the  ToolTalk  RPC  database  server  and possibly the RPC
   portmapper service from untrusted networks such as the Internet. Use a
   firewall or other packet-filtering technology to block the appropriate
   network  ports.  The ToolTalk RPC database server may be configured to
   use  port  692/tcp  or  another  port  as indicated in output from the
   rpcinfo(1M)  command.  In the example above, the ToolTalk RPC database
   server is configured to use port 32773/tcp. The RPC portmapper service
   typically  runs  on  ports  111/tcp  and  111/udp.  Keep  in mind that
   blocking  ports at a network perimeter does not protect the vulnerable
   service from attacks that originate from the internal network.

   Before  deciding  to  block  or  restrict  access  to the ToolTalk RPC
   database server or the RPC portmapper service, carefully consider your
   network configuration and service requirements.


Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.


Caldera, Inc.

          Caldera   Open  UNIX  and  Caldera  UnixWare  provide  the  CDE
          ttdbserverd daemon, and are vulnerable to these issues. We have
          prepared  fixes  for those two operating systems, and will make
          them available as soon as these issues are made public.

          SCO  OpenServer  and  Caldera OpenLinux do not provide CDE, and
          are therefore not vulnerable.


Compaq Computer Corporation

          SOURCE:  Compaq Computer Corporation, a wholly-owned subsidiary
          of  Hewlett-Packard  Company  and  Hewlett-Packard  Company  HP
          Services Software Security Response Team

          CROSS REFERENCE: SSRT2251

          At  this  time  Compaq does have solutions in final testing and
          will  publish  HP  Tru64 UNIX security bulletin (SSRT2251) with
          patch information as soon as testing has completed and kits are
          available from the support ftp web site.

          A  recommended  workaround however is to disable rpc.ttdbserver
          until  solutions  are  available.  This  should  only  create a
          potential  problem  for  public  software packages applications
          that  use  the  RPC-based  ToolTalk  database server. This step
          should be evaluated against the risks identified, your security
          measures  environment,  and  potential impact of other products
          that may use the ToolTalk database server.

          To disable rpc.ttdbserverd:

          + Comment out the following line in /etc/inetd.conf:
            rpc.ttdbserverd stream tcp swait root
            /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd  (line wrapped)

          + Force  inetd  to  re-read the configuration file by executing
            the inetd -h command.

          Note:  The  internet  daemon  should kill the currently running
          rpc.ttdbserver.    If   not,   manually   kill   any   existing
          rpc.ttdbserverd process.


Cray, Inc.

          Cray,  Inc. does include ToolTalk within the CrayTools product.
          However,  rpc.ttdbserverd  is not turned on or used by any Cray
          provided  application. Since a site may have turned this on for
          their   own   use,   they   can   always   remove   the  binary
          /opt/ctl/bin/rpc.ttdbserverd if they are concerned.


Fujitsu

          Fujitsu's   UXP/V   operating   system   is   affected  by  the
          vulnerability  reported  in  VU#975403  [or  VU#299816] because
          UXP/V does not support any CDE functionalties.


Hewlett-Packard Company

          HP9000  Series  700/800  running  HP-UX  releases 10.10, 10.20,
          11.00, and 11.11 are vulnerable.

          Until  patches  are  available, install the appropriate file to
          replace rpc.ttdbserver.

          Download  rpc.ttdbserver.tar.gz from the ftp site. This file is
          temporary  and  will be deleted when patches are available from
          the standard HP web sites, including itrc.hp.com.

              System: hprc.external.hp.com (192.170.19.51)
               Login: ttdb1
            Password: ttdb1
          FTP Access: ftp://ttdb1:This email address is being protected from spambots. You need JavaScript enabled to view it./
                      ftp://ttdb1:This email address is being protected from spambots. You need JavaScript enabled to view it./
                File: rpc.ttdbserver.tar.gz
                 MD5: da1be3aaf70d0e2393bd9a03feaf4b1d

          An HP security bulletin will be released with more information.


IBM Corporation

          The  CDE desktop product shipped with AIX is vulnerable to both
          the  issues  detailed  above  in the advisory. This affects AIX
          releases  4.3.3  and  5.1.0  An  efix package will be available
          shortly  from  the IBM software ftp site. The efix packages can
          be  downloaded  from  ftp.software.ibm.com/aix/efixes/security.
          This  directory  contains  a  README  file  that  gives further
          details on the efix packages.

          The following APARs will be available in the near future:

                AIX 4.3.3: IY32368

                AIX 5.1.0: IY32370


SGI

          SGI  acknowledges the ToolTalk vulnerabilities reported by CERT
          and  is  currently  investigating.  No  further  information is
          available at this time.

          For the protection of all our customers, SGI does not disclose,
          discuss  or  confirm vulnerabilities until a full investigation
          has occurred and any necessary patch(es) or release streams are
          available  for  all  vulnerable  and  supported  IRIX operating
          systems.  Until SGI has more definitive information to provide,
          customers are encouraged to assume all security vulnerabilities
          as  exploitable  and  take appropriate steps according to local
          site security policies and requirements. As further information
          becomes available, additional advisories will be issued via the
          normal  SGI security information distribution methods including
          the wiretap mailing list on
          http://www.sgi.com/support/security/.


Sun Microsystems, Inc.

          The Solaris RPC-based ToolTalk database server, rpc.ttdbserver,
          is  vulnerable to the two vulnerabilities [VU#975403 VU#299816]
          described  in this advisory in all currently supported versions
          of Solaris:

                Solaris 2.5.1, 2.6, 7, 8, and 9

          Patches  are being generated for all of the above releases. Sun
          will  publish  a Sun Security Bulletin and a Sun Alert for this
          issue. The Sun Alert will be available from:

                http://sunsolve.sun.com

          The patches will be available from:

                http://sunsolve.sun.com/securitypatch

          Sun Security Bulletins are available from:

                http://sunsolve.sun.com/security


Xi Graphics

          Xi  Graphics deXtop CDE v2.1 is vulnerable to this attack. When
          announced, the update and accompanying text file will be:

                ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.\
                gz  (line wrapped)

                ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

          Most  sites  do  not need to use the ToolTalk server daemon. Xi
          Graphics  Security  recommends  that non-essential services are
          never  enabled.  To disable the ToolTalk server on your system,
          edit   /etc/inetd.conf   and   comment   out,  or  remove,  the
          'rpc.ttdbserver'  line.  Then,  either restart inetd, or reboot
          your machine.


Appendix B. - References

     * http://www.opengroup.org/cde/
     * http://www.opengroup.org/desktop/faq/
     * http://www.cert.org/advisories/CA-2002-01.html
     * http://www.cert.org/advisories/CA-2001-31.html
     * http://www.kb.cert.org/vuls/id/172583
     * http://www.cert.org/advisories/CA-2001-27.html
     * http://www.kb.cert.org/vuls/id/595507
     * http://www.kb.cert.org/vuls/id/860296
     * http://www.cert.org/advisories/CA-1999-11.html
     * http://www.cert.org/advisories/CA-1998-11.html
     * http://www.cert.org/advisories/CA-1998-02.html

     _________________________________________________________________

   The  CERT  Coordination  Center  thanks  the  reporters, Iván Arce and
   Ricardo  Quesada  of  CORE SECURITY TECHNOLOGIES, for their assistance
   and cooperation in producing this document.
     _________________________________________________________________


   Author: Art Manion

   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2002-20.html
   ______________________________________________________________________


CERT/CC Contact Information

   Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.


Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.


Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to This email address is being protected from spambots. You need JavaScript enabled to view it.. Please include in the body of your
   message

   subscribe cert-advisory


   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.


Revision History

   July 10, 2002:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPSzfNKCVPMXQI2HJAQGb3AP9Fh4bIxXmwBxxhlcJc+OCvbwWAcOYhO4X
ymhM/lO/3MvlBof2iANKGAgC0+DNGg+NTHuvpFnfCDdyUR6teiPfxBxJZWTLrPGQ
bWmYzgs3A+K1Tl+b0wMbLm0BuizzCyoKegTUQ8Qygt4kWQ26NEMMoeE/XCtID0LX
L5PLJReDnJY=
=sjVU
-----END PGP SIGNATURE-----

Powered by: MHonArc

Login Form

Search

School of Engineering and technologies     Asian Institute of Technology