Original release date: July 10, 2002<br>
Last revised: November 7, 2002<br>
Source: CERT/CC<br>

<p>A complete revision history can be found at the end of this file.</p>


<br>
<a name="affected"></a>
<h3>Systems Affected</h3>
<ul>
<li>Systems running CDE ToolTalk</li>
</ul>


<br>
<a name="overview"></a>
<h2>Overview</h2>
<p>
Two vulnerabilities have been discovered in the Common Desktop
Environment (CDE) ToolTalk RPC database server.  The first
vulnerability could be used by a remote attacker to delete arbitrary
files, cause a denial of service, or possibly execute arbitrary code
or commands.  The second vulnerability could allow a local attacker to
overwrite arbitrary files with contents of the attacker's choice.
</p>


<br>
<a name="description"></a>
<h2>I. Description</h2>
<p>
The Common Desktop Environment (CDE) is an integrated graphical user
interface that runs on UNIX and Linux operating systems.  CDE ToolTalk
is a message brokering system that provides an architecture for
applications to communicate with each other across hosts and
platforms.  The ToolTalk RPC database server, <font
face="courier">rpc.ttdbserverd</font>, manages communication between
ToolTalk applications.  For more information about CDE, see
</p>
<dl>
<dd>
<a href="http://www.opengroup.org/cde/">http://www.opengroup.org/cde/</a>
<br>
<br>
<a href="http://www.opengroup.org/desktop/faq/">http://www.opengroup.org/desktop/faq/</a>
</dd>
</dl>
<p>
This advisory addresses two new vulnerabilities in the CDE ToolTalk
RPC database server.  These vulnerabilities are summarized below and
are described in further detail in their respective vulnerability
notes.  A list of previously documented problems in CDE can be found in <a
href="#references">Appendix B</a>.
</p>
<p>
Both of these vulnerabilities were discovered and reported by CORE
SECURITY TECHNOLOGIES and are described in <a href="http://www.corest.com/common/showdoc.php?idx=251&idxseccion=10">CORE-20020528</a>.
</p>

<b><a href="http://www.kb.cert.org/vuls/id/975403">VU#975403</a></b> - Common
Desktop Environment (CDE) ToolTalk RPC database server
(<font face="courier">rpc.ttdbserverd</font>) does not adequately validate file descriptor
argument to _TT_ISCLOSE()
<dl>
<dd>
<p>
The ToolTalk RPC database server does not validate the range of an
argument passed to the procedure _TT_ISCLOSE().  As a result, certain
locations in memory can be overwritten with zeros.  For more
information, please see VU#975403:
</p>
<dl>
<dd>
<a href="http://www.kb.cert.org/vuls/id/975403">http://www.kb.cert.org/vuls/id/975403</a>
</dd>
</dl>
<p>
This vulnerability has been assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0677">CAN-2002-0677</a> by the Common Vulnerabilities and Exposures (<a href="http://cve.mitre.org/">CVE</a>) group.
</p>
</dd>
</dl>

<b><a href="http://www.kb.cert.org/vuls/id/299816">VU#299816</a></b> - Common
Desktop Environment (CDE) ToolTalk RPC database server
(<font face="courier">rpc.ttdbserverd</font>) does not adequately validate file operations
<dl>
<dd>
<p>
The ToolTalk RPC database server does not ensure that the target of a
file write operation is a valid file and not a symbolic link.  For more information,
please see VU#299816:
</p>
<dl>
<dd>
<a href="http://www.kb.cert.org/vuls/id/299816">http://www.kb.cert.org/vuls/id/299816</a>
</dd>
</dl>
<p>
This vulnerability has been assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0678">CAN-2002-0678</a> by the Common Vulnerabilities and Exposures (<a href="http://cve.mitre.org/">CVE</a>) group.
</p>
</dd>
</dl>

<br>
<a name="impact"></a>
<h2>II. Impact</h2>
<b><a href="http://www.kb.cert.org/vuls/id/975403">VU#975403</a></b> - Common
Desktop Environment (CDE) ToolTalk RPC database server
(<font face="courier">rpc.ttdbserverd</font>) does not adequately validate file descriptor
argument to _TT_ISCLOSE()
<dl>
<dd>
<p>
By issuing a specially crafted call to the procedure _TT_ISCLOSE(), a
remote attacker could overwrite certain locations in memory with
zeros.  Using a combination of techniques that include valid ToolTalk
RPC requests, an attacker could leverage this vulnerability to delete
any file that is accessible by the ToolTalk RPC database server.
Since the server typically runs with root privileges, any file on a
vulnerable system could be deleted.  Overwriting memory or deleting
files could cause a denial of service.  It may also be
possible to execute arbitrary code and commands.
</p>
</dd>
</dl>

<b><a href="http://www.kb.cert.org/vuls/id/299816">VU#299816</a></b> - Common
Desktop Environment (CDE) ToolTalk RPC database server
(<font face="courier">rpc.ttdbserverd</font>) does not adequately validate file operations
<dl>
<dd>
<p>
By referencing a specially crafted symbolic link in certain ToolTalk
RPC requests, a local attacker could overwrite any file that is
accessible by the ToolTalk RPC database server with contents of
the attacker's choice.  Since the server typically runs with
root privileges, any file on a vulnerable system could be overwritten.
Overwriting root-owned files could lead to privilege
escalation or cause a denial of service.
</p>
</dd>
</dl>


<br>
<a name="solution"></a>
<h2>III. Solution</h2>

<h4>Apply a patch from your vendor</h4>

<p>
<a href="#vendors">Appendix A</a> contains information provided by
vendors for this advisory.  As vendors report new information to the
CERT/CC, we will update this section and note the changes in our revision
history.  If a particular vendor is not listed below, we have not received
their comments.  Please contact your vendor directly.
</p>

<h4>Disable vulnerable service</h4>
<p>
Until patches are available and can be applied, you may wish to
disable the ToolTalk RPC database service.  As a best practice, the
CERT/CC recommends disabling all services that are not explicitly
required.  On a typical CDE system, it should be possible to disable
<font face="courier">rpc.ttdbserverd</font> by commenting out the
relevant entries in <font face="courier">/etc/inetd.conf</font> and
if necessary, <font face="courier">/etc/rpc</font>, and then by
restarting the <font face="courier">inetd</font> process.
</p>
<p>
The program number for the ToolTalk RPC database server is 100083.  If
references to 100083 or <font face="courier">rpc.ttdbserverd</font>
appear in <font face="courier">/etc/inetd.conf</font> or <font
face="courier">/etc/rpc</font> or in output from the <font
face="courier">rpcinfo(1M)</font> and <font
face="courier">ps(1)</font> commands, then the ToolTalk RPC database
server may be running.
</p>
<p>
The following example was taken from a system running SunOS 5.8 (Solaris 8):
</p>
<pre wrap>
<font face="courier">
/etc/inetd.conf
...
#
# Sun ToolTalk Database Server
#
100083/1     tli   rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
...


# rpcinfo -p
    program vers proto    port  service
    ...
    100083    1   tcp   32773
    ...


# ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
    ...
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
    ...
</font>
</pre>
<p>
Before deciding to disable the ToolTalk RPC database server or the RPC
portmapper service, carefully consider your network configuration and
service requirements.
</p>
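<p>
The following POSIX shell script is an added example, not part of this advisory: it applies the three checks described above (an active <font face="courier">/etc/inetd.conf</font> entry, program 100083 registered with the portmapper, and a running <font face="courier">rpc.ttdbserverd</font> process) so that an administrator can confirm whether the service is still enabled after disabling it.  The function names are ours, the live <font face="courier">ttdb_audit</font> check assumes <font face="courier">rpcinfo -p</font> and <font face="courier">ps -ef</font> produce the column layout shown in the Solaris example, and the sample inputs at the end are constructed.
</p>

```shell
#!/bin/sh
# Added example, not from the CERT advisory: audit a host for an active ToolTalk
# RPC database server using the three indicators the advisory names (an active
# inetd.conf entry, RPC program 100083 registered with the portmapper, and a
# running rpc.ttdbserverd process). Function names are our own.

TTDB_PROG=100083   # RPC program number of rpc.ttdbserverd (from the advisory)

# Print uncommented inetd.conf lines that start rpc.ttdbserverd, whether in the
# Solaris form "100083/1 tli rpc/tcp ..." or the "rpc.ttdbserverd stream tcp ..."
# form. Exit status 0 if at least one such line exists, 1 otherwise.
ttdb_inetd_entries() {
    awk -v prog="$TTDB_PROG" 'NF && $1 !~ /^#/ &&
        ($1 == prog || index($1, prog "/") == 1 || /rpc\.ttdbserverd/)' "$1" | grep .
}

# Read "rpcinfo -p" output on stdin; print "<proto> <port>" for every
# registration of program 100083. Exit 0 if any, 1 if none.
ttdb_rpc_ports() {
    awk -v prog="$TTDB_PROG" '$1 == prog { print $3, $4 }' | grep .
}

# Read "ps -ef" output on stdin; print the PID of each rpc.ttdbserverd process
# (CMD may carry the /usr/dt/bin/ path, and STIME may occupy one or two fields).
ttdb_pids() {
    awk '$2 ~ /^[0-9]+$/ { for (i = 6; i <= NF; i++)
        if ($i ~ /(^|\/)rpc\.ttdbserverd$/) { print $2; break } }' | grep .
}

# Live audit of this host: report each indicator found, exit 1 if any was.
ttdb_audit() {
    found=0
    if out=$(ttdb_inetd_entries /etc/inetd.conf 2>/dev/null); then
        printf 'inetd.conf entry:\n%s\n' "$out"; found=1; fi
    if out=$(rpcinfo -p 2>/dev/null | ttdb_rpc_ports); then
        printf 'registered with portmapper: %s\n' "$out"; found=1; fi
    if out=$(ps -ef 2>/dev/null | ttdb_pids); then
        printf 'running, pid(s): %s\n' "$out"; found=1; fi
    return $found
}

# Constructed sample input, modelled on the advisory's Solaris 8 example.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100083    1   tcp  32773'
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   164     1  0 19:30:02 ?        0:00 /usr/sbin/inetd -s
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd'

printf '%s\n' "$SAMPLE_RPCINFO" | ttdb_rpc_ports   # prints "tcp 32773"
printf '%s\n' "$SAMPLE_PS" | ttdb_pids             # prints "355"
```

Run <font face="courier">ttdb_audit</font> as root on the host in question; a non-zero exit status means at least one indicator is still present.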

<h4>Block access to vulnerable service</h4>
<p>
Until patches are available and can be applied, you may wish to block
access to the ToolTalk RPC database server and possibly the RPC
portmapper service from untrusted networks such as the Internet.  Use
a firewall or other packet-filtering technology to block the
appropriate network ports.  The ToolTalk RPC database server may be
configured to use port 692/tcp or another port as indicated in output
from the <font face="courier">rpcinfo(1M)</font> command.  In the
example above, the ToolTalk RPC database server is configured to use
port 32773/tcp.  The RPC portmapper service typically runs on ports
111/tcp and 111/udp.  Keep in mind that blocking ports at a network
perimeter does not protect the vulnerable service from attacks that
originate from the internal network.
</p>
<p>
Before deciding to block or restrict access to the ToolTalk RPC
database server or the RPC portmapper service, carefully consider your
network configuration and service requirements.
</p>


<br>
<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>

<p>
This appendix contains information provided by vendors for this
advisory.  As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history.  If a
particular vendor is not listed below, we have not received their
comments.
</p>


<a name="caldera"></a>
<h4>Caldera, Inc.</h4>
<dl>
<dd>
<p>
Caldera Open UNIX and Caldera UnixWare provide the CDE ttdbserverd
daemon, and are vulnerable to these issues.  Please see Caldera Security Advisory <a href="ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28/CSSA-2002-SCO.28.txt">CSSA-2002-SCO.28</a> for more information.
</p>
<p>
SCO OpenServer and Caldera OpenLinux do not provide CDE, and are
therefore not vulnerable.
</p>
</dd>
</dl>
<!-- end vendor -->


<a name="compaq"></a>
<h4>Compaq Computer Corporation</h4>
<dl>
<dd>
<p>
SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of
Hewlett-Packard Company and Hewlett-Packard Company HP Services
Software Security Response Team
</p>
<p>
CROSS REFERENCE: SSRT2251
</p>
<p>
[Compaq (Hewlett-Packard) has released a security bulletin (<a href="http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?source=SRB0039W.xml&dt=11">SRB0039W</a>/SSRT2251) that addresses VU#975403, VU#299816, and other vulnerabilities.]
</p>
<p>
A recommended workaround however is to disable <font
face="courier">rpc.ttdbserver</font> until solutions are
available. This should only create a potential problem for public
software packages applications that use the RPC-based ToolTalk
database server. This step should be evaluated against the risks
identified, your security measures environment, and potential impact
of other products that may use the ToolTalk database server.
</p>
<p>
To disable <font face="courier">rpc.ttdbserverd</font>:
</p>
<ul type="disc">
<li>Comment out the following line in <font face="courier">/etc/inetd.conf</font>:
<p>
<font face="courier">
rpc.ttdbserverd  stream tcp swait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
</font>
</p>
</li>
<li>
Force <font face="courier">inetd</font> to re-read the configuration
file by executing the <font face="courier">inetd -h</font> command.
</li>
</ul>
<p> Note: The internet daemon should kill the currently running <font
face="courier">rpc.ttdbserver</font>. If not, manually kill any
existing <font face="courier">rpc.ttdbserverd</font> process.
</p>
</dd>
</dl>
<!-- end vendor -->


<a name="cray"></a>
<h4>Cray, Inc.</h4>
<dl>
<dd>
<p>
Cray, Inc. does include ToolTalk within the CrayTools product.
However, <font face="courier">rpc.ttdbserverd</font> is not turned
on or used by any Cray provided application.  Since a site may have
turned this on for their own use, they can always remove the binary
<font face="courier">/opt/ctl/bin/rpc.ttdbserverd</font> if they are
concerned.
</p>
</dd>
</dl>
<!-- end vendor -->


<a name="fujitsu"></a>
<h4>Fujitsu</h4>
<dl>
<dd>
<p>
Fujitsu's UXP/V operating system is not affected by the vulnerability
reported in VU#975403 [or VU#299816] because UXP/V does not support any CDE
functionalities.
</p>
</dd>
</dl>
<!-- end vendor -->


<a name="hp"></a>
<h4>Hewlett-Packard Company</h4>
<dl>
<dd>
<p>
HP9000 Series 700/800 running HP-UX releases 10.10,
10.20, 11.00, and 11.11 are vulnerable.
</p>
<p>
Until patches are available, install the appropriate file to
replace <font face="courier">rpc.ttdbserver</font>.
</p>
<p>
Download rpc.ttdbserver.tar.gz from the ftp site.
This file is temporary and will be deleted when patches
are available from the standard HP web sites, including
<a href="http://itrc.hp.com/">itrc.hp.com</a>.
</p>
<table>
<tr><td align="right"><font face="arial, geneva, helvetica"><small>System:</small></font></td><td><font face="arial, geneva, helvetica"><small>hprc.external.hp.com (192.170.19.51)</small></font></td></tr>
<tr><td align="right"><font face="arial, geneva, helvetica"><small>Login:</small></font></td><td><font face="arial, geneva, helvetica"><small>ttdb1</small></font></td></tr>
<tr><td align="right"><font face="arial, geneva, helvetica"><small>Password:</small></font></td><td><font face="arial, geneva, helvetica"><small>ttdb1</small></font></td></tr>
<tr><td align="right"><font face="arial, geneva, helvetica"><small>FTP Access:</small></font></td><td><font face="arial, geneva, helvetica"><small><a href="ftp://ttdb1:ttdb1@hprc.external.hp.com/">ftp://ttdb1:ttdb1@hprc.external.hp.com/</a></small></font></td></tr>
<tr><td align="right"><font face="arial, geneva, helvetica"><small></small></font></td><td><font face="arial, geneva, helvetica"><small><a href="ftp://ttdb1:ttdb1@192.170.19.51/">ftp://ttdb1:ttdb1@192.170.19.51/</a></small></font></td></tr>
<tr><td align="right"><font face="arial, geneva, helvetica"><small>File:</small></font></td><td><font face="arial, geneva, helvetica"><small>rpc.ttdbserver.tar.gz</small></font></td></tr>
<tr><td align="right"><font face="arial, geneva, helvetica"><small>MD5:</small></font></td><td><font face="arial, geneva, helvetica"><small>da1be3aaf70d0e2393bd9a03feaf4b1d</small></font></td></tr>
</table>
<p>
Hewlett-Packard has also released HP-UX Security Bulletin HPSBUX0207-199.
</p>
</dd>
</dl>
<!-- end vendor -->


<a name="ibm"></a>
<h4>IBM Corporation</h4>
<dl>
<dd>
<p>
The CDE desktop product shipped with AIX is vulnerable to both the
issues detailed above in the advisory. This affects AIX releases 4.3.3
and 5.1.0.  An efix package will be available shortly from the IBM
software ftp site. The efix packages can be downloaded from <a
href="ftp://ftp.software.ibm.com/aix/efixes/security/">ftp.software.ibm.com/aix/efixes/security</a>.
This directory contains a README file that gives further details on
the efix packages.
</p>
<p>
The following APARs will be available in the near future:
</p>
<dl>
<dd>
<p>
AIX 4.3.3: IY32368
<br><br>
AIX 5.1.0: IY32370
</p>
</dd>
</dl>
</dd>
</dl>
<!-- end vendor -->


<a name="sgi"></a>
<h4>SGI</h4>
<dl>
<dd>
<p>
Please see SGI Security Advisories <a href="ftp://patches.sgi.com/support/free/security/advisories/20021101-01-P">20021101-01-P</a> (CDE ToolTalk) and <a href="ftp://patches.sgi.com/support/free/security/advisories/20021102-01-P">20021102-01-P</a> (IRIX ToolTalk).
</p>
</dd>
</dl>
<!-- end vendor -->


<a name="sun"></a>
<h4>Sun Microsystems, Inc.</h4>
<dl>
<dd>
<p>
The Solaris RPC-based ToolTalk database server, <font
face="courier">rpc.ttdbserver</font>, is vulnerable to the two
vulnerabilities [VU#975403 VU#299816] described in this advisory in
all currently supported versions of Solaris:
</p>
<dl>
<dd>
<p>
Solaris 2.5.1, 2.6, 7, 8, and 9
</p>
</dd>
</dl>
<p>
Patches are being generated for all of the above releases. Sun will publish
a Sun Security Bulletin and a Sun Alert for this issue.  The Sun Alert will
be available from:
</p>
<dl>
<dd>
<p>
<a href="http://sunsolve.sun.com">http://sunsolve.sun.com</a>
</p>
</dd>
</dl>
<p>
The patches will be available from:
</p>
<dl>
<dd>
<p>
<a href="http://sunsolve.sun.com/securitypatch">http://sunsolve.sun.com/securitypatch</a>
</p>
</dd>
</dl>
<p>
Sun Security Bulletins are available from:
</p>
<dl>
<dd>
<p>
<a href="http://sunsolve.sun.com/security">http://sunsolve.sun.com/security</a>
</p>
</dd>
</dl>
</dd>
</dl>
<!-- end vendor -->


<a name="xig"></a>
<h4>Xi Graphics</h4>
<dl>
<dd>
<p>
Xi Graphics deXtop CDE v2.1 is vulnerable to this attack.  When
announced, the update and accompanying text file will be:
</p>
<dl>
<dd>
<p>
<a href="ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz">ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz</a>
<br><br>
<a href="ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt">ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt</a>
</p>
</dd>
</dl>
<p>
Most sites do not need to use the ToolTalk server daemon.  Xi Graphics
Security recommends that non-essential services are never enabled.  To
disable the ToolTalk server on your system, edit <font face="courier">/etc/inetd.conf</font> and
comment out, or remove, the 'rpc.ttdbserver' line.  Then, either
restart <font face="courier">inetd</font>, or reboot your machine.
</p>
</dd>
</dl>
<!-- end vendor -->


<br>
<a name="references"></a>
<h2>Appendix B. - References</h2>
<ul>
<li><a href="http://www.opengroup.org/cde/">http://www.opengroup.org/cde/</a></li>
<li><a href="http://www.opengroup.org/desktop/faq/">http://www.opengroup.org/desktop/faq/</a></li>
<li><a href="http://www.cert.org/advisories/CA-2002-01.html">http://www.cert.org/advisories/CA-2002-01.html</a></li>
<li><a href="http://www.cert.org/advisories/CA-2001-31.html">http://www.cert.org/advisories/CA-2001-31.html</a></li>
<li><a href="http://www.kb.cert.org/vuls/id/172583">http://www.kb.cert.org/vuls/id/172583</a></li>
<li><a href="http://www.cert.org/advisories/CA-2001-27.html">http://www.cert.org/advisories/CA-2001-27.html</a></li>
<li><a href="http://www.kb.cert.org/vuls/id/595507">http://www.kb.cert.org/vuls/id/595507</a></li>
<li><a href="http://www.kb.cert.org/vuls/id/860296">http://www.kb.cert.org/vuls/id/860296</a></li>
<li><a href="http://www.cert.org/advisories/CA-1999-11.html">http://www.cert.org/advisories/CA-1999-11.html</a></li>
<li><a href="http://www.cert.org/advisories/CA-1998-11.html">http://www.cert.org/advisories/CA-1998-11.html</a></li>
<li><a href="http://www.cert.org/advisories/CA-1998-02.html">http://www.cert.org/advisories/CA-1998-02.html</a></li>
<li><a href="http://www.corest.com/common/showdoc.php?idx=251&idxseccion=10">http://www.corest.com/common/showdoc.php?idx=251&idxseccion=10</a></li>
</ul>

<hr noshade>

<p>
The CERT Coordination Center thanks the reporters, Iv&#225;n Arce and
Ricardo Quesada of <a href="http://www.corest.com/">CORE SECURITY
TECHNOLOGIES</a>, for their assistance and cooperation in producing
this document.
</p>


<hr noshade>

<p>Author: <a
href="mailto:cert@cert.org?subject=CA-2002-20%20Feedback%20%5bVU%23975403%5d">Art
Manion</a></p>



<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History</p>
<pre>
July 10, 2002:  Initial release
July 11, 2002:  Fixed formatting, added link to CORE-20020528, updated Caldera statement, corrected Fujitsu statement to read "is not affected"
July 19, 2002:  Updated HP statement
September 9, 2002:  Updated Compaq statement
November 5, 2002:  Updated SGI statement (CDE ToolTalk)
November 7, 2002:  Updated SGI statement (IRIX ToolTalk)
</pre>