Original issue date: September 3, 1998<BR>
Last revised: July 22, 1999<BR>
Added link IN-99-04 to the "Updates" section.<BR>

<P>A complete revision history is at the end of this file.

<P>The text of this advisory was originally released on August 31, 1998,
as NAI-29, developed by Network Associates, Inc. (NAI). To more widely
broadcast this information, we are reprinting the NAI advisory here with
their permission.

<P>As we receive additional information it will be placed in an
"Updates" section at the end of this advisory.

<P><HR>
<H3>Stack Overflow in ToolTalk RPC Service</H3>

<DIV ALIGN=right><B>NAI Advisory 29</B></DIV>

<DIV ALIGN=right>Network Associates, Inc.</DIV>

<DIV ALIGN=right>SECURITY ADVISORY</DIV>

<DIV ALIGN=right>August 31, 1998</DIV>
<B>SYNOPSIS</B>

<P>An implementation fault in the ToolTalk object database server allows
a remote attacker to run arbitrary code as the superuser on hosts supporting
the ToolTalk service. The affected program runs on many popular UNIX operating
systems supporting CDE and some Open Windows installs. This vulnerability
is being actively exploited by attackers on the Internet.

<P>Confirmed Vulnerable Operating Systems and Third Party Vendors

<P><B>Sun Microsystems</B>
<UL>
<LI>SunOS 5.6, 5.6_x86
<LI>SunOS 5.5.1, 5.5.1_x86
<LI>SunOS 5.5, 5.5_x86
<LI>SunOS 5.4, 5.4_x86
<LI>SunOS 5.3
<LI>SunOS 4.1.
<LI>SunOS 4.1.3_U1
</UL>
<B>Hewlett Packard</B>
<UL>
<LI>HP-UX release 10.10
<LI>HP-UX release 10.20
<LI>HP-UX release 10.30
<LI>HP-UX release 11.00
</UL>
<B>SGI</B>
<UL>
<LI>IRIX 5.3
<LI>IRIX 5.4
<LI>IRIX 6.2
<LI>IRIX 6.3
<LI>IRIX 6.4
</UL>
<B>IBM</B>
<UL>
<LI>AIX 4.1.X
<LI>AIX 4.2.X
<LI>AIX 4.3.X
</UL>
<B>TriTeal</B>
<UL>
<LI>TriTeal CDE - TED versions 4.3 and previous.
</UL>
<B>Xi Graphics</B>
<UL>
<LI>Xi Graphics Maximum CDE v1.2.3
</UL>
It should be noted here that this is not an exhaustive list of vulnerable
vendors. These are only the *confirmed vulnerable* vendors. Also, any OS
installation that is not configured to use or start up the ToolTalk service
is not vulnerable to this problem. To determine whether the ToolTalk database
server is running on a host, use the "rpcinfo" command to print a list
of the RPC services registered on it, as:
<UL>
<PRE>$ rpcinfo -p <I>hostname</I></PRE>
</UL>
Because many operating systems do not include an entry for the ToolTalk
database service in the RPC mapping table ("/etc/rpc" on most Unix platforms),
the vulnerable service may not appear by name in the listing. The RPC program
number for the ToolTalk database service is 100083. If an entry exists
for this program, such as,
<UL>
<PRE>100083 1 tcp 692</PRE>
</UL>
then the service is running on the host. Until additional information is
made available from the OS vendor, it should be assumed that the system
is vulnerable to the attack described in this advisory.
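<P>As an added example (not part of the NAI advisory or of any vendor's tooling), the C function below applies the check just described to the text of "rpcinfo -p": it looks for program number 100083 on each line and returns the port it is bound to, tolerating the missing service-name column. The sample rpcinfo output is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* RPC program number of the ToolTalk database server, from the advisory. */
#define TTDB_PROG 100083U

/* Scan the text output of "rpcinfo -p host" and return the first port on
 * which program 100083 is registered, or 0 if it is not registered.
 * Only the first four columns (program, version, proto, port) are parsed,
 * because the service-name column is absent when /etc/rpc has no entry
 * for ttdbserver.  If proto is non-NULL it receives the transport
 * ("tcp" or "udp") of the matching registration. */
unsigned ttdb_port(const char *rpcinfo_output, char *proto, size_t proto_len)
{
    const char *p = rpcinfo_output;
    while (*p) {
        /* Copy one line out so sscanf cannot run on into the next line. */
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        unsigned prog = 0, vers = 0, port = 0;
        char tr[8];                      /* %7s keeps this in bounds */
        if (sscanf(line, "%u %u %7s %u", &prog, &vers, tr, &port) == 4
            && prog == TTDB_PROG) {
            if (proto)
                snprintf(proto, proto_len, "%s", tr);
            return port;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Constructed sample of rpcinfo -p output (not a real capture); note that
 * 100083 appears with no name column, as the advisory describes. */
static const char SAMPLE_RPCINFO[] =
    "   program vers proto   port\n"
    "    100000    2   tcp    111  portmapper\n"
    "    100000    2   udp    111  portmapper\n"
    "    100083    1   tcp    692\n"
    "    100021    1   udp   4045  nlockmgr\n";
```

A non-zero return means the host is running the service and, per the advisory, should be treated as vulnerable until the vendor says otherwise.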

<P><B>DETAILS</B>

<P>The ToolTalk service allows independently developed applications to
communicate with each other by exchanging ToolTalk messages. Using ToolTalk,
applications can create open protocols which allow different programs to
be interchanged, and new programs to be plugged into the system with minimal
reconfiguration.

<P>The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service
which manages objects needed for the operation of the ToolTalk service.
ToolTalk-enabled processes communicate with each other using RPC calls
to this program, which runs on each ToolTalk-enabled host. This program
is a standard component of the ToolTalk system, which ships as a standard
component of many commercial Unix operating systems. The ToolTalk database
server runs as root.

<P>Due to an implementation fault in rpc.ttdbserverd, it is possible for
a malicious remote client to formulate an RPC message that will cause the
server to overflow an automatic variable on the stack. By overwriting activation
records stored on the stack, it is possible to force a transfer of control
into arbitrary instructions provided by the attacker in the RPC message,
and thus gain total control of the server process.

<P><B>TECHNICAL DETAILS</B>

<P>Source code and XDR specifications for the ToolTalk database protocol
and server were not available at the time this advisory was drafted. What
follows is information based on analysis of the rpc.ttdbserverd binary
and a captured attack trace from a network on which an exploitation script
for this problem was run.

<P>The observed attack utilized the ToolTalk Database (TTDB) RPC procedure
number 7, with an XDR-encoded string as its sole argument. TTDB procedure
7 corresponds to the _tt_iserase_1() function symbol in the Solaris binary
(/usr/openwin/bin/rpc.ttdbserverd). This function implements an RPC procedure
which takes an ASCII string as an argument, which is treated as a pathname.

<P>The pathname string is passed to the function isopen(), which in turn
passes it to _am_open(), then to _amopen(), _openfcb(), _isfcb_open(),
and finally to _open_datfile(), where it, as the first argument to the
function, is passed directly to a strcpy() to a pointer on the stack. If
the pathname string is suitably large, the string overflows the stack buffer
and overwrites an activation record, allowing control to transfer into
instructions stored in the pathname string.
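<P>The defect described above and a bounded replacement for it, as an added illustration rather than code from the ToolTalk sources (which were not available to the advisory's authors); the buffer size DATFILE_PATH_MAX and the function names are hypothetical:

```c
#include <string.h>
#include <errno.h>

/* Size of the on-stack pathname buffer.  Hypothetical: the advisory does
 * not give the real buffer size used in _open_datfile(). */
#define DATFILE_PATH_MAX 256

/* Pattern described in the advisory: the caller-supplied pathname reaches
 * _open_datfile() and is strcpy()'d into a fixed-size automatic array, so a
 * pathname longer than the array overwrites the activation record above it:
 *
 *     char path[DATFILE_PATH_MAX];
 *     strcpy(path, name);           // unbounded; the client controls length
 *
 * Hardened replacement: look for the terminator within the buffer size
 * first, reject the pathname if there is none, and only then copy with an
 * explicit bound.  Returns 0 on success, -1 with errno set on rejection. */
int copy_pathname_checked(const char *name, char *dst, size_t dst_len)
{
    if (name == NULL || dst == NULL || dst_len == 0) {
        errno = EINVAL;
        return -1;
    }
    /* memchr never reads past dst_len bytes, however long the input is. */
    const char *end = memchr(name, '\0', dst_len);
    if (end == NULL) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, name, (size_t)(end - name) + 1);   /* <= dst_len bytes */
    return 0;
}

/* Same shape as the original: an automatic buffer on the stack, but it is
 * only ever filled through the checked copy.  The real function would go on
 * to open() the file; here it just reports whether the name was accepted. */
int open_datfile(const char *name)
{
    char path[DATFILE_PATH_MAX];
    if (copy_pathname_checked(name, path, sizeof path) != 0)
        return -1;
    return 0;
}
```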

<P><B>RESOLUTION</B>

<P>This is an implementation problem and can only be resolved completely
by applying patches to or replacing affected software. As a temporary workaround,
it is possible to eliminate vulnerability to this problem by disabling
the ToolTalk database service. This can be done by killing the "rpc.ttdbserverd"
process and removing it from any OS startup scripts. It should be noted
that this may impair system functionality.

<P>The following vendors have been confirmed vulnerable, contacted, and
have responded with repair information:

<P><B>Sun Microsystems</B>

<P>Sun plans to release patches this week that relate to the ToolTalk vulnerability
for SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and 5.5_x86.

<P>Patches for SunOS 5.4, 5.4_x86, 5.3, 4.1.4 and 4.1.3_U1 will be released
in about 4 weeks.

<P>Sun recommended security patches (including checksums) are available
from: <A HREF="http://sunsolve.sun.com/sunsolve/pubpatches/patches.html">http://sunsolve.sun.com/sunsolve/pubpatches/patches.html</A>

<P><B>Hewlett Packard</B>

<P>HP-UX has been confirmed vulnerable in releases 10.XX and 11.00. HP
has made patches available with the following identifications:
<PRE>HP-UX release 10.10  HP9000 Series 7/800   PHSS_16150
HP-UX release 10.20  HP9000 Series 7/800   PHSS_16147
HP-UX release 10.24  HP9000 Series 7/800   PHSS_16197
HP-UX release 10.30  HP9000 Series 7/800   PHSS_16151
HP-UX release 11.00  HP9000 Series 7/800   PHSS_16148</PRE>

<B>IBM</B>

<P>IBM AIX has been confirmed vulnerable. IBM's response is as follows:

<P>The version of ttdbserver shipped with AIX is vulnerable. We are currently
working on the following fixes which will be available soon:
<PRE> APAR 4.1.x: IX81440
 APAR 4.2.x: IX81441
 APAR 4.3.x: IX81442</PRE>
Until the official APARs are available, a temporary fix can be downloaded
via anonymous ftp from:
<UL><A HREF="ftp://aix.software.ibm.com/aix/efixes/security/ttdbserver.tar.Z">ftp://aix.software.ibm.com/aix/efixes/security/ttdbserver.tar.Z</A></UL>
<B>TriTeal</B>

<P>An official response from TriTeal is as follows:
<BR>The ToolTalk vulnerability will be fixed in the TED4.4 release. For
earlier versions of TED, please contact the TriTeal technical support department
at <A HREF="mailto:support@triteal.com">support@triteal.com</A> or at <A HREF="http://www.triteal.com/support">http://www.triteal.com/support</A>.

<P><B>Xi Graphics</B>

<P>An official response from Xi Graphics is as follows:
<BR>Xi Graphics Maximum CDE v1.2.3 is vulnerable to this attack. A patch
to correct this problem will be placed on our FTP site by 8/28/1998:
<UL>
<LI><A HREF="ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.tar.gz">
ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.tar.gz</A>
<LI><A HREF="ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.txt">
ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.txt</A>
</UL>
Users of Maximum CDE v1.2.3 are urged to install this update.

<P><B>Silicon Graphics</B>

<P>Please refer to Silicon Graphics Inc. Security Advisory, "Vulnerability in
ToolTalk RPC Service," Number: 19981101-01-A, distributed November 19, 1998
for additional information relating to this vulnerability.

<P>The primary SGI anonymous FTP site for security information and patches is
sgigate.sgi.com (204.94.209.1). Security information and patches are located
under the directories ~ftp/security and ~ftp/patches, respectively. The
Silicon Graphics Security Headquarters Web page is accessible at the URL
<UL><A HREF="http://www.sgi.com/Support/security/security.html">http://www.sgi.com/Support/security/security.html</A>.</UL>

<P><B>Other Vendors</B>

<P>If any uncertainty exists with regards to whether a given vendor not
listed in this advisory is vulnerable to this attack, we recommend contacting
them via their support/security channels for more information.

<P><B>ACKNOWLEDGEMENTS</B>

<P>The NAI Security Labs Team would like to thank the HP &amp; IBM Security
Response Teams, CERT/CC &amp; AUSCERT for their contributions to this advisory.

<P><B>ABOUT THE NETWORK ASSOCIATES SECURITY LABS</B>

<P>The Security Labs at Network Associates hosts some of the most important
research in computer security today. With over 28 published security advisories
published in the last 2 years, the Network Associates security auditing
teams have been responsible for the discovery of many of the Internet's
most serious security flaws. This advisory represents our ongoing commitment
to provide critical information to the security community.

<P>For more information about the Security Labs at Network Associates,
see our website at <A HREF="http://www.nai.com">http://www.nai.com</A> or contact us at <A
HREF="mailto:seclabs@nai.com">seclabs@nai.com</A>.

<P><B>UPDATES</B>

<P>For more information about attacks using various RPC services,
please see CERT&reg; Incident Note IN-99-04:
<A HREF="http://www.cert.org/incident_notes/IN-99-04.html">
http://www.cert.org/incident_notes/IN-99-04.html</A>


<p>Copyright 1998, 1999 Carnegie Mellon University.</p>



<HR>

Revision History
<PRE>
July 22, 1999  Added link IN-99-04 to the "Updates" section.
Dec.  9, 1998  Updated RESOLUTION information for Silicon Graphics.
Sept. 4, 1998  Updated RESOLUTION information for Hewlett Packard.
</PRE>