COMMAND

	Tooltalk database server local and remote compromise

SYSTEMS AFFECTED

	 Vulnerable Packages

	

	  Solaris 2.5.1 2.6 7 8 9

	  HP-UX 10.10 10.20 11.00 11.11

	  Tru64 v4.0f, v4.0g, v5.0a, v5.1, v5.1a

	  Xi Graphics deXtop CDE v2.1

	  IBM AIX 4.3.3 and 5.1.0

	  Caldera Open UNIX and Caldera UNIXware

	

	 Not confirmed but suspected vulnerable

	

	  SGI IRIX 5.2-6.5.x

	

	 Not vulnerable

	

	  Fujitsu UXP/V

	  Cray Inc, CrayTools

	  Caldera OpenLinux

	  SCO OpenServer

	

PROBLEM

	These vulnerabilities were discovered and researched by Ricardo  Quesada
	of the CORE IMPACT team at CORE Security Technologies. CORE  would  like
	to thank CERT  for  their  efforts  coordinating  the  release  of  this
	advisory with CORE and the vendors, [http://www.corest.com] :
	

	The ToolTalk service  allows  independently  developed  applications  to
	communicate with each  other  by  exchanging  ToolTalk  messages.  Using
	ToolTalk, applications can create open protocols which  allow  different
	programs to be interchanged, and new programs to  be  plugged  into  the
	system with minimal reconfiguration.
	

	The ToolTalk database server (rpc.ttdbserverd) is  an  ONC  RPC  service
	which manages objects needed for the operation of the ToolTalk  service.
	ToolTalk-enabled processes communicate with each other using  RPC  calls
	to this program, which runs on each ToolTalk-enabled host. This  program
	is a standard component  of  the  ToolTalk  system,  which  ships  as  a
	standard component  of  many  commercial  Unix  operating  systems.  The
	ToolTalk database server runs as root.
	

	Several security bugs were discovered  in  the  rpc.ttdbserverd  program
	that allow an attacker to:
	

	 - Overwrite 4 bytes of memory the running process with a zero

	   (0x0L) value

	 - Remotely delete any file on the vulnerable host

	 - Locally create or overwrite any file on the vulnerable host

	   with arbitrary contents.

	 - Remotely create arbitrary directory entries on the vulnerable

	   host

	

	These vulnerabilities  by  themselves  can  lead  to  remote  and  local
	compromise of the privilege  root  account  on  the  vulnerable  system.
	Additionally these vulnerabilities may be used to  build  more  reliable
	and  effective  exploit  programs  for  previously  published   ToolTalk
	Database server vulnerabilities.
	

	 Technical Description - Exploit/Concept Code

	 ============================================

	

	 1) Overwriting portions of memory with 0L

	

	The _TT_ISCLOSE procedure in ttdbserverd allows a  client  to  close  an
	open ToolTalk Database. The client needs only to perform a  client  call
	to the mentioned procedure passing a valid file descriptor as argument.
	

	The server first checks if the authentication credentials passed in  the
	procedure call (AUTH_UNIX) are valid for the requested operation. To  do
	so, the server uses the file descriptor received as  argument  to  index
	into a statically allocated table of structs  of  24  bytes  each  named
	_tt_db_table. The table has 128  entries  and  each  entry  contains  an
	struct with the following fields (the names given  to  the  fields  were
	chosen arbitrarly):
	

	 struct _tt_db_table_entry {

	        char *    path;

	        int       uid;

	        int       mode;

	        int       isopen;

	        int       isopen2;

	        int       aux;

	 };

	

	The value in uid specifies the owner of the  open  database  and  a  non
	zero value in the isopen field indicates that the file is  open  and  in
	use. Once the file is closed  (or  even  if  the  operation  fails)  the
	_TT_ISCLOSE procedure resets the value of  the  isopen  field  to  0  to
	indicate that this entry in the table belongs  to  a  file  that  is  no
	longer open and in use.
	

	A failure to perform proper range checks on the file descriptor used  as
	index into the table allows an attacker to  specify  arbitrary  portions
	of memory as table entries. By abusing this  vulnerability  an  attacker
	could use the _TT_ISCLOSE procedure  to  overwrite  portions  of  memory
	with a value of 0L. This attack is restricted to  overwritting  portions
	of memory at 24 bytes intervals (since that is the overall size of  each
	table entry). As we will see, the ability to  do  so  will  provide  the
	means to perform more sophisticated attacks.
	

	

	 2) Deleting files remotely

	

	The ttdbserverd program provides also a procedure  to  log  transactions
	on  a  ToolTalk  Database  to  a   logfile.   For   this   purpose   the
	_TT_TRANSACTION procedure is used.
	

	_TT_TRANSACTION receives a file descriptor and a list of records to  log
	to the log file. The filename for the logfile is kept  in  a  statically
	allocated variable _tt_log_file.
	

	Upon failure  of  a  transaction  operation,  a  generic  error  handler
	function is called and the logfile is deleted from the filesystem  using
	the unlink() function call.
	

	In Solaris 8 ( patch 110286-6 applied) the variable is located at:
	

	        0x0007636c 0x00000401  OBJT GLOB 0   .bss        _tt_log_file

	

	The filename for the log file is generated  by  concatenating  the  full
	pathname for the TT Database and the fixed string \'log_file\'.
	

	The  variable  is  populated  by  the  _TT_ISOPEN  and   _TT_TRANSACTION
	procedures, available to any local or remote ttdbserverd client.
	

	A client can create a new TT database using  the  _TT_ISBUILD  procedure
	call  and  subsequently  use  the  _TT_TRANSACTION  procedure   to   log
	transations on the newly created  database  to  the  file  specified  in
	_tt_log_file.
	

	As described  above,  _TT_TRANSACTION  will  populate  the  _tt_log_file
	variable with the filename of the  TT  Database  concatenated  with  the
	string \'log_file\'. Therefore by creating (using  _TT_ISBUILD)  a  TTDB
	named
	

	 \"////////etc/passwd012345689ABCDEF/file_table\" 

	

	and subsequently calling _TT_TRANSACTION with the valid file  descriptor
	for that DB (received as result of the ISBUILD  call)  the  _tt_log_file
	variable will end up as:
	

	 _tt_log_file = \"////////etc/passwd012345689ABCDEF/log_file\"

	

	An attacker can now abuse the vulnerability described in 1) to insert  a
	zero (and null terminate the string) leaving the  _tt_log_file  variable
	as follows:
	

	 _tt_log_file = \"////////etc/passwd\\0\\0\\0\\045689ABCDEF/log_file\"

	

	Once this has been done, a call to  _TT_TRANSACTION  with  an  *invalid*
	file descriptor as argument (i.e. -2) will trigger  the  unlink  in  the
	error handler function, effectively removing the file specified  in  the
	_tt_log_file variable from the file system.
	

	This technique can be  used  by  an  attacker  to  remove  any  file  or
	directory on the vulnerable host.
	

	 3) Creating / Overwriting any local file

	

	The _TT_TRANSACTION procedure follows  symlinks  when  opening  the  log
	file in order to write the transaction log. By using  a  combination  of
	the techniques described above an attacker  can  locally  overwrite  any
	file with any contents of her  choice  since  the  list  of  transaction
	records to log is passed by the client program.
	

	 Conclusion

	 ==========

	

	This advisory describes techniques to abuse  two  vulnerabilities  found
	in the CDE ttdbserver program:
	

	 - Improper checks on user suplied RPC arguments that

	   lead to memory overwriting.

	   BID:5082 CERT: VU#975403 CVE:CAN-2002-0677

	

	This is the file descriptor range check  problem  described  in  1)  and
	later used in 2)
	

	 - Lack of file system checks for file operations that

	   lead to local file creation or overwriting.

	   This is the symlink problem described in 3)

	   BID:5083 CERT: VU#299816 CVE: CAN-2002-0678

	

	The vulnerabilities and techniques described in  this  advisory  can  be
	abused  by  an  attacker  in  order  to  gain  privileged  access  to  a
	vulnerable system both remotelly and locally, or in order to  perform  a
	denial of service attack (ie. deletion of *ANY* file remotely)
	

	It is relevant to mention that vulnerabilities disclosed  very  recently
	(see BID:4639/CVE:NOT-ASSIGNED and BID:3382 /CVE:CAN-2001-0717) rely  on
	the attacker\'s ability to make file system operations to fail in  order
	to exploit those bugs.
	

	Additionally, the ability to overwrite  *any*  portion  of  the  process
	memory with a value of 0L may provide other  possible  attack  scenarios
	for remote or local compromise of the vulnerable host.

SOLUTION

	If patches are not available from your vendor these workarounds  can  be
	implemented:
	

	 - Disable the vulnerable service

	

	To do so, it is needed to comment out or remove the lines that refer  to
	rpc.ttdbserverd in /etc/inetd.conf and restart the inetd daemon.
	

	 - Block connections to the vulnerable service

	

	Block access from untrusted networks to  the  ToolTalk  Database  server
	program. The program is identified as RPC program number 100083 and  may
	service requests on port 629/tcp or any  other  port.  Use  the  rpcinfo
	program to determine on which port ttdbserver is servicing requests  and
	block access to that port and the portmapper (111/tcp  111/udp)  at  the
	perimeter. This will not prevent exploitation from trusted networks.  In
	general it is advisable to block access from untrusted networks  to  ALL
	RPC services.
	

	 Pacth

	 =====

	

	Check the original advisory post and see your vendor information :
	

	http://www.corest.com/common/showdoc.php?idx=251&idxseccion=10