-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-26 Buffer Overflow in CDE ToolTalk

Original release date: August 12, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.
Systems Affected

* Systems running CDE ToolTalk

Overview

The Common Desktop Environment (CDE) ToolTalk RPC database server
contains a buffer overflow vulnerability that could allow a remote
attacker to execute arbitrary code or cause a denial of service.
I. Description

The Common Desktop Environment (CDE) is an integrated graphical user
interface that runs on UNIX and Linux operating systems. CDE ToolTalk
is a message brokering system that provides an architecture for
applications to communicate with each other across hosts and
platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages
communication between ToolTalk applications. For more information
about CDE, see

http://www.opengroup.org/cde/
http://www.opengroup.org/desktop/faq/

The CDE ToolTalk database server is vulnerable to a heap buffer
overflow via an argument passed to the procedure _TT_CREATE_FILE().
An attacker with access to the ToolTalk RPC database service could
exploit this vulnerability with a specially crafted RPC message.

Vulnerability Note VU#387387 includes a list of vendors who have been
contacted about this vulnerability.

This vulnerability was discovered and reported by the Entercept
Ricochet Team and is described in the following Entercept Security
Alert:

http://www.entercept.com/news/uspr/08-12-02.asp

This vulnerability has been assigned CAN-2002-0679 by the Common
Vulnerabilities and Exposures (CVE) group.

A list of previously documented problems in CDE can be found in
Appendix B.
II. Impact

Using an RPC message containing a specially crafted argument to
_TT_CREATE_FILE(), a remote attacker could execute arbitrary code or
cause a denial of service. The ToolTalk database server process runs
with root privileges on most systems. Note that the non-executable
stack protection provided by some operating systems will not prevent
the execution of code located on the heap.
III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below, we have not received their comments.
Please contact your vendor directly.

Disable vulnerable service

Until patches are available and can be applied, you may wish to
disable the ToolTalk RPC database service. As a best practice, the
CERT/CC recommends disabling all services that are not explicitly
required. On a typical CDE system, it should be possible to disable
rpc.ttdbserverd by commenting out the relevant entries in
/etc/inetd.conf and, if necessary, /etc/rpc, and then by restarting the
inetd process.

The program number for the ToolTalk RPC database server is 100083. If
references to 100083 or rpc.ttdbserverd appear in /etc/inetd.conf or
/etc/rpc or in output from the rpcinfo(1M) and ps(1) commands, then
the ToolTalk RPC database server may be running.

The following example was taken from a system running SunOS 5.8
(Solaris 8):
/etc/inetd.conf

  ...
  #
  # Sun ToolTalk Database Server
  #
  100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbsrverd
  ...

# rpcinfo -p

  program vers proto   port  service
  ...
  100083    1   tcp  32773
  ...

# ps -ef

  UID   PID  PPID  C    STIME TTY      TIME CMD
  ...
  root  355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
  ...
Before deciding to disable the ToolTalk RPC database server or the RPC
portmapper service, carefully consider your network configuration and
service requirements.

Block access to vulnerable service

Until patches are available and can be applied, you may wish to block
access to the ToolTalk RPC database server and possibly the RPC
portmapper service from untrusted networks such as the Internet. Use a
firewall or other packet-filtering technology to block the appropriate
network ports. The ToolTalk RPC database server may be configured to
use port 692/tcp or another port as indicated in output from the
rpcinfo(1M) command. In the example above, the ToolTalk RPC database
server is configured to use port 32773/tcp. The RPC portmapper service
typically runs on ports 111/tcp and 111/udp. Keep in mind that
blocking ports at a network perimeter does not protect the vulnerable
service from attacks that originate from the internal network.

Before deciding to block or restrict access to the ToolTalk RPC
database server or the RPC portmapper service, carefully consider your
network configuration and service requirements.
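The checks that the two workaround sections above describe (looking for program 100083 or rpc.ttdbserverd in /etc/inetd.conf, in rpcinfo -p output and in the process list, and reading the port to block from rpcinfo -p) can be scripted. The following is an added shell example, not part of the CERT advisory or of any vendor's tooling. It assumes the Solaris-style (program-number keyed) and HP-UX-style (name keyed) inetd.conf formats quoted in this advisory, reads its input from stdin so it can be exercised offline, and ships with constructed sample output modelled on the Solaris 8 excerpt above in place of a live host.

```shell
#!/bin/sh
# Added example, not from the CERT advisory: audit a host for the ToolTalk
# RPC database server using the three signals the advisory names
# (/etc/inetd.conf entries, rpcinfo -p registrations of program 100083, and a
# running rpc.ttdbserverd process) and list the ports a packet filter would
# need to block. On a real host pipe in `cat /etc/inetd.conf`, `rpcinfo -p`
# and `ps -ef` instead of the constructed samples at the bottom.

TT_PROG=100083   # RPC program number of the ToolTalk database server

# Print uncommented inetd.conf lines that would start the server, whether the
# entry is keyed by program number (Solaris style) or by name (HP-UX style).
tt_inetd_entries() {
    awk -v prog="$TT_PROG" '
        /^[[:space:]]*#/ { next }                         # skip comments
        index($0, prog "/") == 1 || /rpc\.ttdbserverd/ { print }
    '
}

# Print "proto/port" for every registration of program 100083 found in
# rpcinfo -p output (columns: program vers proto port service). These are
# the ports to block; the advisory notes a fixed 692/tcp is also possible.
tt_rpc_ports() {
    awk -v prog="$TT_PROG" '$1 == prog { print $3 "/" $4 }' | sort -u
}

# Count rpc.ttdbserverd processes in ps -ef output (prints 0 when none).
tt_running_count() {
    awk '/rpc\.ttdbserverd/ { n++ } END { print n + 0 }'
}

# Combine the three checks. Arguments: inetd.conf text, rpcinfo -p text,
# ps -ef text. Prints findings and returns 0 if the service is configured,
# registered or running, 1 if nothing ToolTalk-related was found.
tt_audit() {
    entries=$(printf '%s\n' "$1" | tt_inetd_entries)
    ports=$(printf '%s\n' "$2" | tt_rpc_ports)
    procs=$(printf '%s\n' "$3" | tt_running_count)
    found=1
    if [ -n "$entries" ]; then
        echo "inetd.conf starts rpc.ttdbserverd:"; echo "$entries"; found=0
    fi
    if [ -n "$ports" ]; then
        echo "program $TT_PROG registered with the portmapper on: $ports"; found=0
    fi
    if [ "$procs" -gt 0 ]; then
        echo "$procs rpc.ttdbserverd process(es) running"; found=0
    fi
    [ $found -eq 0 ] || echo "no ToolTalk database server found"
    return $found
}

# Constructed sample input (not captured from a real host), modelled on the
# Solaris 8 excerpt in the advisory.
SAMPLE_INETD='#
# Sun ToolTalk Database Server
#
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd'
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100083    1   tcp  32773'
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd'
# The same inetd.conf entry commented out, as the advisory recommends.
SAMPLE_INETD_DISABLED='#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd'

tt_audit "$SAMPLE_INETD" "$SAMPLE_RPCINFO" "$SAMPLE_PS"
```

Run against the constructed samples the audit reports the inetd.conf entry, the registration on tcp/32773 and one running process. Because the port is assigned when the server registers with the portmapper, tt_rpc_ports is worth re-running after any restart of the service before relying on a perimeter filter for it, and, as the advisory says, a filter at the perimeter does nothing for hosts on the internal network.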
Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
Caldera, Inc.

Caldera Open UNIX and Caldera UnixWare are vulnerable to this
issue. A fix will be announced and made available as soon as the
CERT advisory is made public.

Cray, Inc.

Cray, Inc. does include ToolTalk within the CrayTools product.
However, rpc.ttdbserverd is not turned on or used by any Cray
provided application. Since a site may have turned this on for
their own use, they can always remove the binary
/opt/ctl/bin/rpc.ttdbserverd if they are concerned.
Hewlett-Packard Company

SOURCE: Hewlett-Packard Company Software Security Response Team
CROSS REFERENCE ID: SSRT2274

HP-UX
HP Tru64 UNIX

At the time of writing this document, Hewlett Packard is currently
investigating the potential impact to HP-UX and HP Tru64 UNIX
released operating system software.

HP will provide notice of the availability of any necessary patches
through standard security bulletin announcements and be available
from your normal HP Services support channel.

NOT IMPACTED:
HP-MPE/ix
HP OpenVMS
HP NonStop Servers

HP Recommended Workaround:

A recommended workaround is to disable rpc.ttdbserverd until
solutions are available. This should only create a potential
problem for public software packages applications that use the
RPC-based ToolTalk database server. This step should be evaluated
against the risks identified, your security measures environment,
and potential impact of other products that may use the ToolTalk
database server.

To disable rpc.ttdbserverd:

Comment out the following line in /etc/inetd.conf:

  rpc.ttdbserverd stream tcp swait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

Force inetd to re-read the configuration file by executing the
inetd -h command.

Note: The internet daemon should kill the currently running
rpc.ttdbserverd. If not, manually kill any existing rpc.ttdbserverd
process.
IBM Corporation

The CDE desktop product shipped with AIX is vulnerable to the issue
detailed above in the advisory. This affects AIX releases 4.3.3 and
5.1.0. The efix package is currently being generated and will soon
be available from the IBM software ftp site.

The efix packages can be downloaded via anonymous ftp from
ftp.software.ibm.com/aix/efixes/security/. This directory contains
a README file that gives further details on the efix packages.

The following APARs will be available in the near future:

AIX 4.3.3: IY32792
AIX 5.1.0: IY32793
SGI

SGI acknowledges the ToolTalk vulnerabilities reported by CERT and
is currently investigating. No further information is available at
this time.

For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are
available for all vulnerable and supported IRIX operating systems.
Until SGI has more definitive information to provide, customers are
encouraged to assume all security vulnerabilities as exploitable
and take appropriate steps according to local site security
policies and requirements. As further information becomes
available, additional advisories will be issued via the normal SGI
security information distribution methods including the wiretap
mailing list on http://www.sgi.com/support/security/.
Sun Microsystems, Inc.

The Solaris RPC-based ToolTalk database server, rpc.ttdbserverd, is
vulnerable to the buffer overflow described in this advisory in all
currently supported versions of Solaris:

Solaris 2.5.1, 2.6, 7, 8, and 9

Patches are being generated for all of the above releases. Sun will
be publishing Sun Alert 46366 for this issue which will be located
here:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46366

The Sun Alert will be updated as more information or patches become
available. The patches will be available from:

http://sunsolve.sun.com/securitypatch

Sun will be publishing a Sun Security Bulletin for this issue once
all of the patches are available which will be located at:

http://sunsolve.sun.com/security
Xi Graphics

Xi Graphics deXtop CDE v2.1 is vulnerable to this attack. The
update and accompanying text file will be:

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

DeXtop version 3.0 already contains this fix.

Most sites do not need to use the ToolTalk server daemon. Xi
Graphics Security recommends that non-essential services are never
enabled. To disable the ToolTalk server on your system, edit
/etc/inetd.conf and comment out, or remove, the 'rpc.ttdbserver'
line. Then, either restart inetd, or reboot your machine.
Appendix B. - References
* http://www.opengroup.org/cde/
* http://www.opengroup.org/desktop/faq/
* http://www.entercept.com/news/uspr/08-12-02.asp
* http://www.cert.org/advisories/CA-2002-20.html
* http://www.kb.cert.org/vuls/id/975403
* http://www.kb.cert.org/vuls/id/299816
* http://www.cert.org/advisories/CA-2002-01.html
* http://www.cert.org/advisories/CA-2001-31.html
* http://www.kb.cert.org/vuls/id/172583
* http://www.cert.org/advisories/CA-2001-27.html
* http://www.kb.cert.org/vuls/id/595507
* http://www.kb.cert.org/vuls/id/860296
* http://www.cert.org/advisories/CA-1999-11.html
* http://www.cert.org/advisories/CA-1998-11.html
* http://www.cert.org/advisories/CA-1998-02.html
_________________________________________________________________

The CERT Coordination Center thanks Sinan Eren of the Entercept
Ricochet Team for reporting this vulnerability.
_________________________________________________________________

Author: Art Manion
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-26.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

  subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

August 12, 2002: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPVfnj6CVPMXQI2HJAQETLwP9HC51o4vnkJ7xuF4om98hl5Cad5zxvQia
YmsXxqnKL5baSF2DZCb8218sxwMusDCXK+n3cQR6qNiShLoL9zsDMWk4tAzFGbJO
BceIVqf3kyLTe8tZcrMkmLmWASADNKbxLZtK/0XjJVAkC/I27pfUgW4keqz7fpBv
a9WjSnTU7kI=
=KED+
-----END PGP SIGNATURE-----