Original release date: September 13, 1999<BR>
Last revised: March 02, 2000 <BR>
Updated vendor information for Sun Microsystems, Inc.<br>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>

<UL>
<LI>Systems running the Common Desktop Environment (CDE)
</UL>

<H2>I. Description</H2>

<P>

Multiple vulnerabilities have been identified in some distributions of
the Common Desktop Environment (CDE). These vulnerabilities are
different from those discussed in <A
HREF=http://www.cert.org/advisories/CA-98.02.CDE.html>CA-98.02</A>. We
recommend that you install appropriate vendor patches as soon as
possible (see <A HREF="#Solution">Section III</A> below). Until you
can do so, we encourage you to disable or uninstall vulnerable copies
of the CDE package. Note that disabling these programs will severely
affect the utility of the CDE environment.

<P>
At this time, the CERT/CC has not received any reports of these
vulnerabilities being exploited by intruders.

<P>
<H4>
Vulnerability #1: ToolTalk <i>ttsession</i> uses weak RPC authentication mechanism
</H4>
<P>

The ToolTalk messaging server <I>ttsession</I> allows independent
applications to communicate without having direct knowledge of each
other. Applications can communicate through an associated
<I>ttsession</I> which delivers messages via RPC calls between
interested agents.

<P> 

On many systems, <i>ttsession</I> uses AUTH_UNIX authentication (a
client-based security option) by default.  When messages are received,
<i>ttsession</i> uses certain environment variables supplied by the
client to determine how the message is handled.  Because of this, the
<i>ttsession</i> process can be manipulated to execute unauthorized
arbitrary programs with the privileges of the running ttsession.

<P>

<H4>Vulnerability #2: CDE <i>dtspcd</i> relies on file-system based authentication</H4>

<P>

The network daemon <i>dtspcd</i> (a CDE desktop subprocess control
program) accepts CDE requests from clients to execute commands and
launch applications remotely.

<P>

When a client makes a request, the <i>dtspcd</i> daemon asks the
client to create a file that has a predictable name so that the daemon
can authenticate the request. If a local user can manipulate the files
used for authentication, then that user can craft arbitrary commands
that may run as root.
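<P>
As an added illustration (not dtspcd's code), the following C shows the checks a daemon should apply before treating a client-created file as proof of identity: open it without following symlinks, then examine the already-open descriptor so the file cannot be swapped between check and use, and require a regular file owned by the claimed uid that nobody else can write. The file names and demo scenarios are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Decide whether a client-created authentication file can be trusted as proof
 * that claimed_uid made the request. Opened without following symlinks, then
 * checked on the open descriptor so the file cannot be swapped after the check.
 * Returns 0 if trustworthy, -1 otherwise. */
int auth_file_trustworthy(const char *path, uid_t claimed_uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    close(fd);
    if (!S_ISREG(st.st_mode)) return -1;               /* FIFO, device, directory */
    if (st.st_uid != claimed_uid) return -1;           /* created by someone else */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;   /* others could rewrite it */
    if (st.st_nlink != 1) return -1;                   /* hard link to another file */
    return 0;
}

/* Constructed scenarios (not from the advisory): a private 0600 file owned by
 * this process should pass; the same file made world-writable should fail. */
static int verdict_for_mode(mode_t mode)
{
    char path[] = "/tmp/dtspc_auth_XXXXXX";   /* hypothetical name */
    int fd = mkstemp(path);                  /* created 0600, owned by us */
    if (fd < 0) return -2;
    if (fchmod(fd, mode) != 0) { close(fd); unlink(path); return -2; }
    close(fd);
    int r = auth_file_trustworthy(path, getuid());
    unlink(path);
    return r;
}
int demo_private_file_accepted(void)   { return verdict_for_mode(0600); }
int demo_world_writable_rejected(void) { return verdict_for_mode(0666); }

/* A symbolic link sitting at the expected name is refused by O_NOFOLLOW
 * before anything is read, so a redirected predictable name cannot pass. */
int demo_symlink_rejected(void)
{
    char path[] = "/tmp/dtspc_auth_XXXXXX", lnk[] = "/tmp/dtspc_lnk_XXXXXX";
    int fd = mkstemp(path), lfd = mkstemp(lnk);
    if (fd < 0 || lfd < 0) return -2;
    close(fd); close(lfd); unlink(lnk);            /* reuse lnk's unique name */
    int r = symlink(path, lnk) == 0 ? auth_file_trustworthy(lnk, getuid()) : -2;
    unlink(lnk); unlink(path);
    return r;
}
```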

<P>

<H4>Vulnerability #3: CDE <i>dtaction</I> buffer overflow</H4>

<P>

The <i>dtaction</I> utility allows applications or shell scripts that
are not otherwise connected to the CDE development environment to
request that CDE actions be performed.

<P>

A buffer overflow can occur in some implementations of <i>dtaction</I> when a
username argument greater than 1024 bytes is used.

<P>

<H4>Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION</H4>

<P>

There is a vulnerability in some implementations of the ToolTalk
shared library which allows the TT_SESSION environment variable buffer
to overflow. A setuid root program using a vulnerable ToolTalk
library, such as <i>dtsession</i>, can be exploited to run arbitrary code as
root.
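<P>
Vulnerabilities #3 and #4 share one defect: an untrusted string (a username argument, the TT_SESSION environment variable) is copied into a fixed-size buffer without a length check. The C below is an added example, not code from CDE or ToolTalk, showing the bounded handling that prevents both; the 1024-byte username limit comes from the advisory, while the 32-byte TT_SESSION buffer, the username character allowlist and the sample values are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#define NAME_MAX_LEN 1024   /* limit the advisory states for dtaction's username */
#define SESSION_MAX_LEN 32  /* hypothetical; the page does not give libtt's buffer size */

/* The unsafe pattern behind both overflows is  char buf[1024]; strcpy(buf, untrusted);
 * copy_bounded() replaces it: copy only if src fits with its NUL, otherwise leave
 * dst empty and return -1. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);
    if (n >= dstsz) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Accept a username argument only if it is at most NAME_MAX_LEN bytes and uses
 * portable username characters (the allowlist is this example's own choice). */
int check_username_arg(const char *arg)
{
    char buf[NAME_MAX_LEN + 1];
    if (copy_bounded(buf, sizeof buf, arg) != 0) return -1;
    for (const char *p = buf; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-' && *p != '.')
            return -1;
    return 0;
}

/* Constructed input for exercising the limit: a username of len 'a' characters. */
int check_username_of_length(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL) return -1;
    memset(s, 'a', len);
    s[len] = '\0';
    int r = check_username_arg(s);
    free(s);
    return r;
}

/* Fixed buffer for TT_SESSION; load_tt_session() refuses an oversize value
 * instead of letting it overrun the buffer (0 = copied or unset, -1 = too long). */
char tt_session[SESSION_MAX_LEN];
int load_tt_session(void)
{
    const char *v = getenv("TT_SESSION");
    if (v == NULL) { tt_session[0] = '\0'; return 0; }
    return copy_bounded(tt_session, sizeof tt_session, v);
}
```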

<P>

<H2>II. Impact</H2>

<P>

<H4>Vulnerability #1: ToolTalk <i>ttsession</I> uses weak RPC authentication mechanism</H4>

<P>

A local or remote user may be able to use this vulnerability to run
commands on a vulnerable system with the same privileges as the
attacked <i>ttsession</i>. For this attack to work, a <i>ttsession</i>
must be actively running on the system attacked. The <i>ttsession</i>
daemon is started whenever a user logs in using the CDE desktop, or
upon interaction with CDE at some future point.

<P>

<H4>Vulnerability #2: CDE <i>dtspcd</i> relies on file-system based authentication</H4>

<P>

A vulnerable <i>dtspcd</i> may allow a local user to run arbitrary commands
as root.

<P>

<H4>Vulnerability #3: CDE <i>dtaction</i> buffer overflow</H4>

<P>

A local user may be able to exploit this vulnerability to execute
arbitrary code with root privileges.

<P>

<H4>Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION</H4>

<P>

A local user may be able to exploit this vulnerability to execute
arbitrary code with root privileges.

<H2><A NAME="Solution"></A>III. Solution</H2>

<P><B>Install appropriate patches from your vendor</B>

<P>

We recommend installing vendor patches as soon as possible and
disabling the vulnerable programs until you can do so (or uninstalling
the entire CDE package if not needed). Note that disabling these
programs will severely affect the utility of the CDE environment.

<P>

Appendix A contains information provided by vendors for this
advisory. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact your vendor directly.

<P>

<H2><A NAME="Appendix A - Vendor"></A>Appendix A. Vendor Information</H2>

<p>

<B><U>Compaq Computer Corporation</U></B><BR>
<DL><DD>

<p>
<U>Problem #1</U>

<p>
 CDE ToolTalk session daemon & ToolTalk shared library overflow
<P>
 This potential security problem has been resolved and a patch
 for this problem has been made available for 
 Tru64 UNIX V4.0D, V4.0E, V4.0F and V5.0.
<P>
 This patch can be installed on:

<PRE>
 V4.0D-F, all patch kits
 V5.0, all patch kits
</PRE>
<p>
 *This solution will be included in a future distributed
 release of Compaq's Tru64/DIGITAL UNIX.


<P>
 This patch may be obtained from the World Wide Web at the following FTP
 address:

<p>
<A HREF=http://www.service.digital.com/patches>http://www.service.digital.com/patches</A>

<P>
The patch file name is <b>SSRT0617_ttsession.tar.Z</b>

<P> 
<U>Problem #2</U>

<P>
Compaq's Tru64/DIGITAL UNIX is not vulnerable.


<P>
<U>Problem #3</U>

<P>
CDE dtaction buffer overflow
<P>
This potential security problem has been resolved and a patch for this
problem has been made available for  Tru64 UNIX V4.0D, V4.0E and V4.0F.
<P>
This patch can be installed on:
<PRE>
V4.0D Patch kit BL11 or BL12
V4.0E Patch kit BL1 or BL12
V4.0F Patch kit BL1
</PRE>
<p>
*This solution will be included in a future distributed release of Compaq's
Tru64/DIGITAL UNIX.

<p>
This patch may be obtained from the World Wide Web at the following FTP
address:

<p>
<A HREF=http://www.service.digital.com/patches>http://www.service.digital.com/patches</A>

<p>
The patch file name is <b>SSRT0615U_dtaction.tar.Z</b>

<p>
<U>Problem #4</U>

<P>
CDE ToolTalk shared library overflow

<P><B>See the solution fix described in Problem #1.</b>

</DL>

<B><U>Data General</U></B><BR>
<DL><DD>
DG/UX is not subject to any of these vulnerabilities.
</DL>

<B><U>Fujitsu</U></B><BR>
<DL><DD>
Fujitsu's UXP/V operating system is not vulnerable to any of these vulnerabilities.
</DL>

<B><U>Hewlett-Packard Company</U></B><BR>
<DL><DD>

<P>

HP-9000 Series 700/800 HP-UX releases 10.X and 11.0 systems with CDE
patches previously recommended in HP Security Bulletins are not
vulnerable to vulnerabilities #2, #3, and #4.

<P>
All HP-UX 10.X and 11.0 systems running CDE are vulnerable to
vulnerability #1.

<P>
Patches are in progress.

</DL>

<B><U>IBM Corporation</U></B><BR>
<DL><DD>
<P>
   All releases of AIX version 4 are vulnerable to vulnerabilities #1,
   #3, and #4.  AIX is not vulnerable to #2.  The following APARs will
   be available soon:

<pre>
      AIX 4.1.x:  IY03125  IY03847
      AIX 4.2.x:  IY03105  IY03848
      AIX 4.3.x:  IY02944  IY03849
</pre>

<p>
   Customers that do not require the CDE desktop functionality can
   disable CDE by restricting access to the CDE daemons and removing the
   <b>dt</b> entry from /etc/inittab.  Run the following commands as root to
   disable CDE:
</p>

<FONT FACE="monospace">
<pre>
      # /usr/dt/bin/dtconfig -d
      # chsubserver -d -v dtspc
      # chsubserver -d -v ttdbserver
      # chsubserver -d -v cmsd
      # chown root.system /usr/dt/bin/*
      # chmod 0 /usr/dt/bin/*
</pre>
</FONT><FONT FACE="Verdana">

<p>
   For customers that require the CDE desktop functionality, a temporary
   fix is available via anonymous ftp from:

<P>
<A HREF="ftp://aix.software.ibm.com/aix/efixes/security/cdecert.tar.Z">
ftp://aix.software.ibm.com/aix/efixes/security/cdecert.tar.Z</A>

</FONT><FONT FACE="monospace">
<pre>
   Filename        sum             md5
   =================================================================
   dtaction_4.1    32885    18     82af470bbbd334b240e874ff6745d8ca
   dtaction_4.2    52162    18     b10f21abf55afc461882183fbd30e602
   dtaction_4.3    56550    19     6bde84b975db2506ab0cbf9906c275ed
   libtt.a_4.1     29234  2132     f5d5a59956deb8b1e8b3a14e94507152
   libtt.a_4.2     21934  2132     73f32a73873caff06057db17552b8560
   libtt.a_4.3     12154  2118     b0d14b9fe4a483333d64d7fd695f084d
   ttauth          56348    31     495828ea74ec4c8f012efc2a9e6fa731
   ttsession_4.1   19528   337     bfac4a06b90cbccc0cd494a44bd0ebc9
   ttsession_4.2   46431   338     05949a483c4e390403055ff6961b0816
   ttsession_4.3   54031   339     e1338b3167c7edf899a33520a3adb060
</pre>
</FONT><FONT FACE="Verdana">

<P>

<b>   NOTE - This temporary fix has not been fully regression tested.  Use
   the following steps (as root) to install the temporary fix.
</b>

</FONT><FONT FACE="monospace">
<pre>
   1. Uncompress and extract the fix.

      # uncompress < cdecert.tar.Z | tar xf -
      # cd cdecert

   2. Replace the vulnerable executables with the temporary fix for
      your version of AIX.

      # (cd /usr/dt/lib && mv libtt.a libtt.a.before_security_fix)
      # (cd /usr/dt/bin && mv ttsession ttsession.before_security_fix)
      # (cd /usr/dt/bin && mv dtaction dtaction.before_security_fix)
      # chown root.system /usr/dt/lib/libtt.a.before_security_fix
      # chown root.system /usr/dt/bin/ttsession.before_security_fix
      # chown root.system /usr/dt/bin/dtaction.before_security_fix
      # chmod 0 /usr/dt/lib/libtt.a.before_security_fix
      # chmod 0 /usr/dt/bin/ttsession.before_security_fix
      # chmod 0 /usr/dt/bin/dtaction.before_security_fix
      # cp ./libtt.a_<your AIX version> /usr/dt/lib/libtt.a
      # cp ./ttsession_<your AIX version> /usr/dt/bin/ttsession
      # cp ./dtaction_<your AIX version> /usr/dt/bin/dtaction
      # cp ./ttauth /usr/dt/bin/ttauth
      # chmod 555 /usr/dt/lib/libtt.a
      # chmod 555 /usr/dt/bin/ttsession
      # chmod 555 /usr/dt/bin/dtaction
      # chmod 555 /usr/dt/bin/ttauth
</pre>
</FONT>

<p>
   IBM AIX APARs may be ordered using Electronic Fix Distribution (via
   the FixDist program), or from the IBM Support Center.  For more
   information on FixDist, and to obtain fixes via the Internet, please
   reference

<P>
      <a href=http://techsupport.services.ibm.com/support/rs6000.support/downloads>
http://techsupport.services.ibm.com/support/rs6000.support/downloads</a>

<p>
   or send electronic mail to "aixserv@austin.ibm.com" with the word
   "FixDist" in the "Subject:" line.  To facilitate ease of ordering all
   security related APARs for each AIX release, security fixes are
   periodically bundled into a cumulative APAR.  For more information on
   these cumulative APARs including last update and list of individual
   fixes, send electronic mail to "aixserv@austin.ibm.com" with the word
   "subscribe Security_APARs" in the "Subject:" line.

</DL>

<B><U>Santa Cruz Operation, Inc.</U></B><BR>
<DL><DD>

<P>

SCO is investigating these vulnerabilities on SCO UnixWare 7. Other
SCO products (OpenServer 5.0.x, UnixWare 2.1.x, Open Server / Open
Desktop 3.0 and CMW+) are not vulnerable as CDE is not a component of
these releases.

<P>

SCO will make patches and status information available at
<P>

<A HREF="http://www.sco.com/security">http://www.sco.com/security</A>.

</DL>

<B><U>Silicon Graphics, Inc.</U></B><BR>
<DL><DD>

<p>
SGI acknowledges the CDE vulnerabilities reported and is currently
investigating. No further information is available at this time.
As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods 
including the wiretap mailing list.

<p>
Until SGI has more definitive information to provide, customers 
are encouraged to assume all security vulnerabilities as exploitable 
and take appropriate steps according to local site security policies 
and requirements.

<p>
The SGI Security Headquarters Web page is accessible at 
the URL 
<p>
<A HREF=http://www.sgi.com/Support/security/security.html>http://www.sgi.com/Support/security/security.html</a> 

</DL>

<A NAME="sun"></A>
<B><U>Sun Microsystems, Inc.</U></B><BR>
<DL><DD>

<p>Please see Sun Security Bulletin #00192: CDE and OpenWindows at
<BR>

<P>

<a href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192&type=0&nav=sec.sba">http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192&type=0&nav=sec.sba</a>

     
</DL>

<HR NOSHADE>

<P>The CERT Coordination Center would like to thank Job de Haas for
reporting these vulnerabilities and working with the vendors to effect
fixes. We would also like to thank Solutions Atlantic for their
efforts in coordinating vendor solutions.


<p>Copyright 1999 Carnegie Mellon University.</p>



<HR>

Revision History
<PRE>
Mar  02, 2000:  Updated vendor information for Sun Microsystems, Inc.
Oct  04, 1999:  Updated vendor information for Sun Microsystems, Inc.
Oct  01, 1999:  Added vendor information for Data General
Sep  13, 1999:  Initial release
</PRE>