A complete revision history can be found at the end of this file.
Two vulnerabilities have been discovered in the Common Desktop Environment (CDE) ToolTalk RPC database server. The first vulnerability could be used by a remote attacker to delete arbitrary files, cause a denial of service, or possibly execute arbitrary code or commands. The second vulnerability could allow a local attacker to overwrite arbitrary files with contents of the attacker's choice.
The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. CDE ToolTalk is a message brokering system that provides an architecture for applications to communicate with each other across hosts and platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages communication between ToolTalk applications. For more information about CDE, see
This advisory addresses two new vulnerabilities in the CDE ToolTalk RPC database server. These vulnerabilities are summarized below and are described in further detail in their respective vulnerability notes. A list of previously documented problems in CDE can be found in Appendix B.
Both of these vulnerabilities were discovered and reported by CORE SECURITY TECHNOLOGIES and are described in CORE-20020528.
VU#975403 - Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file descriptor argument to _TT_ISCLOSE()
The ToolTalk RPC database server does not validate the range of an argument passed to the procedure _TT_ISCLOSE(). As a result, certain locations in memory can be overwritten with zeros. For more information, please see VU#975403:
This vulnerability has been assigned CAN-2002-0677 by the Common Vulnerabilities and Exposures (CVE) group.
The ToolTalk RPC database server does not ensure that the target of a file write operation is a valid file and not a symbolic link. For more information, please see VU#299816:
This vulnerability has been assigned CAN-2002-0678 by the Common Vulnerabilities and Exposures (CVE) group.
By issuing a specially crafted call to the procedure _TT_ISCLOSE(), a remote attacker could overwrite certain locations in memory with zeros. Using a combination of techniques that include valid ToolTalk RPC requests, an attacker could leverage this vulnerability to delete any file that is accessible by the ToolTalk RPC database server. Since the server typically runs with root privileges, any file on a vulnerable system could be deleted. Overwriting memory or deleting files could cause a denial of service. It may also be possible to execute arbitrary code and commands.
By referencing a specially crafted symbolic link in certain ToolTalk RPC requests, a local attacker could overwrite any file that is accessible by the ToolTalk RPC database server with contents of the attacker's choice. Since the server typically runs with root privileges, any file on a vulnerable system could be overwritten. Overwriting root-owned files could lead to privilege escalation or cause a denial of service.
Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.
Until patches are available and can be applied, you may wish to disable the ToolTalk RPC database service. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. On a typical CDE system, it should be possible to disable rpc.ttdbserverd by commenting out the relevant entries in /etc/inetd.conf and, if necessary, /etc/rpc, and then by restarting the inetd process.
The program number for the ToolTalk RPC database server is 100083. If references to 100083 or rpc.ttdbserverd appear in /etc/inetd.conf or /etc/rpc, or in output from the rpcinfo(1M) and ps(1) commands, then the ToolTalk RPC database server may be running.
The following example was taken from a system running SunOS 5.8 (Solaris 8):
    /etc/inetd.conf
    ...
    #
    # Sun ToolTalk Database Server
    #
    100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
    ...

    # rpcinfo -p
       program vers proto   port  service
    ...
        100083    1   tcp  32773
    ...

    # ps -ef
         UID   PID  PPID  C    STIME TTY      TIME CMD
    ...
        root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
    ...
Before deciding to disable the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements.
Until patches are available and can be applied, you may wish to block access to the ToolTalk RPC database server and possibly the RPC portmapper service from untrusted networks such as the Internet. Use a firewall or other packet-filtering technology to block the appropriate network ports. The ToolTalk RPC database server may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo(1M) command. In the example above, the ToolTalk RPC database server is configured to use port 32773/tcp. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from attacks that originate from the internal network.
Before deciding to block or restrict access to the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements.
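The checks described above (an active /etc/inetd.conf entry, program 100083 in rpcinfo -p output, and an rpc.ttdbserverd process) together with the port lookup needed before filtering at the perimeter, as an added example that is not part of the advisory or any vendor's tooling. It runs over constructed samples modelled on the Solaris 8 output quoted above; the function names are assumptions, and the commented-out inetd.conf is emitted as a copy for review rather than written to the live file.

```shell
#!/bin/sh
# Added example, not from the advisory: the indicators it names for an enabled
# ToolTalk RPC database server, checked over constructed samples (see bottom).
# True if an uncommented inetd.conf line (stdin) names program 100083 or rpc.ttdbserverd.
ttdb_inetd_enabled() {
    grep -v '^[[:space:]]*#' | grep -Eq '^100083/|rpc\.ttdbserverd'
}
# Print the TCP port that rpcinfo -p output (stdin) shows for program 100083;
# this is the port to filter at the perimeter (692/tcp on some systems, dynamic on others).
ttdb_rpcinfo_port() {
    awk '$1 == "100083" && $3 == "tcp" { print $4; exit }'
}
# True if ps -ef output (stdin) lists an rpc.ttdbserverd process.
ttdb_process_running() {
    awk '$NF == "rpc.ttdbserverd" { found = 1 } END { exit !found }'
}
# Emit inetd.conf (stdin) with the ToolTalk entries commented out: the disable step
# from the advisory, written as a copy for review rather than edited in place.
ttdb_comment_out() {
    awk '/^[[:space:]]*#/ { print; next }
         /^100083\/|rpc\.ttdbserverd/ { print "#" $0; next }
         { print }'
}
# Report each indicator found; returns 0 only when none is present.
ttdb_report() {
    status=0
    printf '%s\n' "$1" | ttdb_inetd_enabled && { echo "inetd.conf: ToolTalk entry active"; status=1; }
    port=$(printf '%s\n' "$2" | ttdb_rpcinfo_port)
    [ -n "$port" ] && { echo "rpcinfo: program 100083 registered on port $port/tcp"; status=1; }
    printf '%s\n' "$3" | ttdb_process_running && { echo "ps: rpc.ttdbserverd is running"; status=1; }
    return $status
}
# Constructed samples modelled on the Solaris 8 output quoted in the advisory.
INETD_SAMPLE='# Sun ToolTalk Database Server
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd'
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100083    1   tcp  32773'
PS_SAMPLE='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd'
if ttdb_report "$INETD_SAMPLE" "$RPCINFO_SAMPLE" "$PS_SAMPLE"; then
    echo "No ToolTalk RPC database server indicators found."
else
    echo "Proposed /etc/inetd.conf (restart inetd after installing it):"
    printf '%s\n' "$INETD_SAMPLE" | ttdb_comment_out
fi
```

On a real host, feed the functions with `cat /etc/inetd.conf`, `rpcinfo -p` and `ps -ef` instead of the samples; a non-zero return from the report means at least one indicator is present.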
Caldera Open UNIX and Caldera UnixWare provide the CDE ttdbserverd daemon, and are vulnerable to these issues. Please see Caldera Security Advisory CSSA-2002-SCO.28 for more information.
SCO OpenServer and Caldera OpenLinux do not provide CDE, and are therefore not vulnerable.
SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company, and Hewlett-Packard Company HP Services Software Security Response Team
CROSS REFERENCE: SSRT2251
[Compaq (Hewlett-Packard) has released a security bulletin (SRB0039W/SSRT2251) that addresses VU#975403, VU#299816, and other vulnerabilities.]
A recommended workaround, however, is to disable rpc.ttdbserver until solutions are available. This should only create a potential problem for public software package applications that use the RPC-based ToolTalk database server. This step should be evaluated against the risks identified, your security measures environment, and potential impact of other products that may use the ToolTalk database server.
To disable rpc.ttdbserverd:
    rpc.ttdbserverd stream tcp swait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
Note: The internet daemon should kill the currently running rpc.ttdbserver. If not, manually kill any existing
Cray, Inc. does include ToolTalk within the CrayTools product. However, rpc.ttdbserverd is not turned on or used by any Cray provided application. Since a site may have turned this on for their own use, they can always remove the binary /opt/ctl/bin/rpc.ttdbserverd if they are concerned.
Fujitsu's UXP/V operating system is not affected by the vulnerability reported in VU#975403 [or VU#299816] because UXP/V does not support any CDE functionalities.
HP9000 Series 700/800 running HP-UX releases 10.10, 10.20, 11.00, and 11.11 are vulnerable.
Until patches are available, install the appropriate file to replace
Download rpc.ttdbserver.tar.gz from the ftp site. This file is temporary and will be deleted when patches are available from the standard HP web sites, including itrc.hp.com.
    System:      hprc.external.hp.com (192.170.19.51)
    Login:       ttdb1
    Password:    ttdb1
    FTP Access:  ftp://ttdb1:ttdb1@hprc.external.hp.com/
                 ftp://ttdb1:ttdb1@192.170.19.51/
    File:        rpc.ttdbserver.tar.gz
    MD5:         da1be3aaf70d0e2393bd9a03feaf4b1d
Hewlett-Packard has also released HP-UX Security Bulletin HPSBUX0207-199.
The CDE desktop product shipped with AIX is vulnerable to both the issues detailed above in the advisory. This affects AIX releases 4.3.3 and 5.1.0. An efix package will be available shortly from the IBM software ftp site. The efix packages can be downloaded from ftp.software.ibm.com/aix/efixes/security. This directory contains a README file that gives further details on the efix packages.
The following APARs will be available in the near future:
AIX 4.3.3: IY32368
AIX 5.1.0: IY32370
Please see SGI Security Advisories 20021101-01-P (CDE ToolTalk) and 20021102-01-P (IRIX ToolTalk).
The Solaris RPC-based ToolTalk database server, rpc.ttdbserver, is vulnerable to the two vulnerabilities [VU#975403 VU#299816] described in this advisory in all currently supported versions of Solaris:
Solaris 2.5.1, 2.6, 7, 8, and 9
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt
Most sites do not need to use the ToolTalk server daemon. Xi Graphics Security recommends that non-essential services are never enabled. To disable the ToolTalk server on your system, edit /etc/inetd.conf and comment out, or remove, the 'rpc.ttdbserver' line. Then, either restart inetd, or reboot your machine.
The CERT Coordination Center thanks the reporters, Iván Arce and Ricardo Quesada of CORE SECURITY TECHNOLOGIES, for their assistance and cooperation in producing this document.
Author: Art Manion
Copyright 2002 Carnegie Mellon University.
Revision History
July 10, 2002: Initial release
July 11, 2002: Fixed formatting, added link to CORE-20020528, updated Caldera statement, corrected Fujitsu statement to read "is not affected"
July 19, 2002: Updated HP statement
September 9, 2002: Updated Compaq statement
November 5, 2002: Updated SGI statement (CDE ToolTalk)
November 7, 2002: Updated SGI statement (IRIX ToolTalk)