__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
Common Desktop Environment (CDE) ToolTalk Buffer Overflow
[CERT Advisory CA-2002-26]
August 12, 2002 20:00 GMT Number M-109
______________________________________________________________________________
PROBLEM: The CDE ToolTalk database server is vulnerable to a heap buffer
overflow through an argument passed to the procedure
_TT_CREATE_FILE(). An attacker with access to the ToolTalk RPC
database service could exploit this vulnerability with a
specially crafted RPC message.
PLATFORM: Any UNIX or Linux operating system running CDE ToolTalk.
DAMAGE: Using an RPC message containing a specially crafted argument to
_TT_CREATE_FILE(), a remote attacker could execute arbitrary
code or cause a denial of service. The ToolTalk database server
process runs with root privileges on most systems.
SOLUTION: Apply available patches, or disable the ToolTalk RPC database
service as recommended within CERT's bulletin. (The
recommendation by CERT is dependent upon your network
configuration and service requirements).
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is HIGH. This is a common service used by
most versions of UNIX and Linux operating systems. The vulnerability could
allow a remote attacker to execute arbitrary code or cause a denial of
service.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-109.shtml
ORIGINAL BULLETIN: http://www.cert.org/advisories/CA-2002-26.html
PATCHES: NOTE: PLEASE REVIEW CERT'S BULLETIN APPENDIX A FOR VENDOR PRODUCT UPDATES AND REVISIONS.
______________________________________________________________________________
[***** Start CERT Advisory CA-2002-26 *****]
CERT Advisory CA-2002-26 Buffer Overflow in CDE ToolTalk
Original release date: August 12, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Systems running CDE ToolTalk
Overview
The Common Desktop Environment (CDE) ToolTalk RPC database server
contains a buffer overflow vulnerability that could allow a remote
attacker to execute arbitrary code or cause a denial of service.
I. Description
The Common Desktop Environment (CDE) is an integrated graphical user
interface that runs on UNIX and Linux operating systems. CDE ToolTalk
is a message brokering system that provides an architecture for
applications to communicate with each other across hosts and
platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages
communication between ToolTalk applications. For more information
about CDE, see
http://www.opengroup.org/cde/
http://www.opengroup.org/desktop/faq/
The CDE ToolTalk database server is vulnerable to a heap buffer
overflow via an argument passed to the procedure _TT_CREATE_FILE(). An
attacker with access to the ToolTalk RPC database service could
exploit this vulnerability with a specially crafted RPC message.
Vulnerability Note VU#387387 includes a list of vendors who have been
contacted about this vulnerability.
This vulnerability was discovered and reported by the Entercept
Ricochet Team and is described in the following Entercept Security
Alert:
http://www.entercept.com/news/uspr/08-12-02.asp
This vulnerability has been assigned CAN-2002-0679 by the Common
Vulnerabilities and Exposures (CVE) group.
A list of previously documented problems in CDE can be found in Appendix
B.
II. Impact
Using an RPC message containing a specially crafted argument to
_TT_CREATE_FILE(), a remote attacker could execute arbitrary code or
cause a denial of service. The ToolTalk database server process runs
with root privileges on most systems. Note that the non-executable
stack protection provided by some operating systems will not prevent
the execution of code located on the heap.
III. Solution
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below, we have not received their comments.
Please contact your vendor directly.
Disable vulnerable service
Until patches are available and can be applied, you may wish to
disable the ToolTalk RPC database service. As a best practice, the
CERT/CC recommends disabling all services that are not explicitly
required. On a typical CDE system, it should be possible to disable
rpc.ttdbserverd by commenting out the relevant entries in
/etc/inetd.conf and if necessary, /etc/rpc, and then by restarting the
inetd process.
The program number for the ToolTalk RPC database server is 100083. If
references to 100083 or rpc.ttdbserverd appear in /etc/inetd.conf or
/etc/rpc or in output from the rpcinfo(1M) and ps(1) commands, then
the ToolTalk RPC database server may be running.
The following example was taken from a system running SunOS 5.8
(Solaris 8):
    /etc/inetd.conf
    ...
    #
    # Sun ToolTalk Database Server
    #
    100083/1  tli  rpc/tcp  wait  root  /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
    ...

    # rpcinfo -p
       program vers proto   port  service
    ...
        100083    1   tcp  32773
    ...

    # ps -ef
         UID   PID  PPID  C    STIME TTY      TIME CMD
    ...
        root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
    ...
Before deciding to disable the ToolTalk RPC database server or the RPC
portmapper service, carefully consider your network configuration and
service requirements.
Block access to vulnerable service
Until patches are available and can be applied, you may wish to block
access to the ToolTalk RPC database server and possibly the RPC
portmapper service from untrusted networks such as the Internet. Use a
firewall or other packet-filtering technology to block the appropriate
network ports. The ToolTalk RPC database server may be configured to
use port 692/tcp or another port as indicated in output from the
rpcinfo(1M) command. In the example above, the ToolTalk RPC database
server is configured to use port 32773/tcp. The RPC portmapper service
typically runs on ports 111/tcp and 111/udp. Keep in mind that
blocking ports at a network perimeter does not protect the vulnerable
service from attacks that originate from the internal network.
Before deciding to block or restrict access to the ToolTalk RPC
database server or the RPC portmapper service, carefully consider your
network configuration and service requirements.
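The checks in the "Disable vulnerable service" and "Block access" sections can be scripted against captured copies of /etc/inetd.conf, rpcinfo -p and ps -ef output. The following is an added example and is not part of the CERT or CIAC bulletin; the function names, file names and sample captures are constructed for illustration and mirror the Solaris 8 excerpt above.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether rpc.ttdbserverd
# (RPC program 100083) is enabled in inetd.conf, registered with the
# portmapper or running, and extract the TCP port it registered so the
# listener can be blocked at the network perimeter.
TTDB_PROG=100083
# Print lines of file $1 that enable or show rpc.ttdbserverd; commented-out
# inetd.conf entries are ignored so an already-disabled service is not flagged.
ttdb_findings() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E "(^|[^0-9])${TTDB_PROG}([^0-9]|\$)|rpc\.ttdbserverd"
}
# Exit 0 if any of the given capture files shows the service enabled or running.
ttdb_active() {
    for f in "$@"; do
        ttdb_findings "$f" >/dev/null && return 0
    done
    return 1
}
# Print the TCP port(s) registered for program 100083 in "rpcinfo -p" output.
ttdb_tcp_ports() {
    awk -v p="$TTDB_PROG" '$1 == p && $3 == "tcp" { print $4 }' "$1"
}
# Constructed sample captures from a hypothetical host (not real output).
WORK=$(mktemp -d)
cat > "$WORK/inetd.conf" <<'EOF'
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
EOF
cat > "$WORK/inetd-disabled.conf" <<'EOF'
# Sun ToolTalk Database Server (entry commented out as the advisory suggests)
#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
EOF
cat > "$WORK/rpcinfo.txt" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100083    1   tcp  32773
EOF
cat > "$WORK/ps.txt" <<'EOF'
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
EOF
if ttdb_active "$WORK/inetd.conf" "$WORK/rpcinfo.txt" "$WORK/ps.txt"; then
    echo "rpc.ttdbserverd appears enabled; registered TCP port(s):"
    ttdb_tcp_ports "$WORK/rpcinfo.txt"    # prints 32773 for the sample
fi
```

On a live host, replace the sample files with the real /etc/inetd.conf and the output of rpcinfo -p and ps -ef; the port printed by ttdb_tcp_ports, together with 111/tcp and 111/udp for the portmapper, is what the "Block access" section says to filter.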
[***** End CERT Advisory CA-2002-26 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of CERT Coordination Center for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
M-099: Microsoft Cumulative Patch for SQL Server
M-100: MS Server Response To SMTP Client EHLO Command
M-101: MS Unchecked Buffer in SQL Server 2000 Utilities
M-102: MS SQL Server 2000 Resolution Service Buffer Overflow
M-103: Multiple Vulnerabilities in OpenSSL
M-104: Red Hat Linux Password Locking Race Vulnerability
M-105: Unchecked Buffer in MDAC Function Vulnerability
M-106: Cisco Concentrator RADIUS PAP Authentication Vulnerability
M-107: Unchecked Buffer in Content Management Server
M-108: Vulnerability in HP Apache Server PHP