View Source

Original release date: October 5, 2001<BR>
Last revised:  November 14, 2001<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<ul>
<li>Systems running CDE ToolTalk</li>
</ul>

<A NAME="overview">
<H2>Overview</H2>

<P>
There is a remotely exploitable format string vulnerability in the CDE ToolTalk RPC database service.  This vulnerability could be used to crash the service or execute arbitrary code, potentially allowing an intruder to gain root access.  This vulnerability is documented in <a href="http://www.kb.cert.org/vuls/id/595507">VU#595507</a>.
</P>
<A NAME="description">
<H2>I. Description</H2>
The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on Unix and Linux operating systems.  CDE ToolTalk is a message brokering system that provides an architecture for applications to communicate with each other across hosts and platforms.  The ToolTalk RPC database server, <font face="Courier">rpc.ttdbserverd</font>, manages communication between ToolTalk applications.  For more information about CDE, see
<dl>
<dd>
<a href="http://www.opengroup.org/cde/">http://www.opengroup.org/cde/</a>
<br>
<br>
<a href="http://www.opengroup.org/desktop/faq/">http://www.opengroup.org/desktop/faq/</a>
</p>
</dd>
</dl>
<P> There is a remotely exploitable format string vulnerability in the CDE ToolTalk RPC database server.  While handling an error condition, a <font face="Courier">syslog(3)</font> function call is made without providing a format string specifier argument.  Since <font face="Courier">rpc.ttdbserverd</font> does not perform adequate input validation or provide the format string specifier argument, a crafted RPC request containing format string specifiers will be interpreted by the vulnerable <font face="Courier">syslog(3)</font> function call.  Such a request can be designed to overwrite specific locations in memory, thus executing code with the privileges of <font face="Courier">rpc.ttdbserverd</font>, typically root.</P>

<p>The vulnerability was discovered by Internet Security Systems (ISS) <a href="http://xforce.iss.net/">X-Force</a>.  For more information, see
<dl>
<dd>
<a href="http://xforce.iss.net/alerts/advise98.php">http://xforce.iss.net/alerts/advise98.php</a>
</p>
</dd>
</dl>

<P>This vulnerability has been assigned the identifier CAN-2001-0717
by the Common Vulnerabilities and Exposures (<a href="http://cve.mitre.org/">CVE</a>) group:
 
<dl>
<dd><A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717</a>
</dd>
</dl>
</p>

<p>
Many common UNIX systems ship with CDE ToolTalk installed and enabled by default.  The <font face="Courier">rpcinfo</font> command may help determine if a system is running the ToolTalk RPC database service:
<dl>
<dd>
<font face="Courier">$ rpcinfo -p <i>hostname</i></font>
</p>
</dd>
</dl>
The program number for the ToolTalk RPC database service is 100083.  References to this number in the output from <font face="Courier">rpcinfo</font> or in <font face="Courier">/etc/rpc</font> may indicate that the ToolTalk RPC database service is running.

Any system that does not run the ToolTalk RPC database service is not vulnerable to this problem.


<A NAME="impact">
<H2>II. Impact</H2>

<p>An attacker can execute arbitrary code with the privileges of the <font face="Courier">rpc.ttdbserverd</font> process, typically root.</p>

<A NAME="solution">
<H2>III. Solution</H2>

<p>
<H4>Apply a patch</H4>
<A HREF="#vendors">Appendix A</a> contains information from vendors who have provided information for this advisory.  We will update the appendix as we receive more information. If a vendor's name does not appear, then the CERT/CC did not hear from that vendor.  Please contact your vendor directly.
</P>

<p>
<H4>Block access to vulnerable service</H4>

<p>Until patches are available and can be applied, you may wish to block access to the RPC portmapper service and the ToolTalk RPC service from untrusted networks such as the Internet.  Using a firewall or other packet-filtering technology, block the ports used by the RPC portmapper and ToolTalk RPC services.  The RPC portmapper service typically runs on ports 111/tcp and 111/udp.  The ToolTalk RPC service may be configured to use port 692/tcp or another port as indicated in output from the <font face="Courier">rpcinfo</font> command.  Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network.  It is important to understand your network configuration and service requirements before deciding what changes are appropriate.
</p>

<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this advisory.  When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history.  If a particular vendor is not listed below, we have not received their comments.</P>

<p>
<A NAME="caldera">
<H4>Caldera, Inc.</H4>
<p>Caldera Open Unix and UnixWare are vulnerable.  Caldera has released Security Advisory <a href="ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.28/CSSA-2001-SCO.28.txt">CSSA-2001-SCO.28</a>.
</p>
<!-- end vendor -->


<A NAME="compaq">
<H4>Compaq Computer Corporation</H4>
<p>Compaq has released Advisory SSRT0767U:
<dl>
<dd>
<a href="http://ftp.support.compaq.com/patches/.new/html/SSRT0767U.shtml">http://ftp.support.compaq.com/patches/.new/html/SSRT0767U.shtml</a>
</dd>
</dl>
</p>
<!-- end vendor -->


<A NAME="cray">
<H4>Cray Inc.</H4>
<p> 
UNICOS and UNICOS/mk are not vulnerable to [this] advisory.  Cray, Inc. does include ToolTalk within the CrayTools product.  However, this implementation does not use <font face="Courier">rpc.ttdbserverd</font>.  Therefore, Cray, Inc. is not vulnerable to this advisory.  See Cray SPR 721061 for more details.  Cray SPRs are available to licensed Cray customers.
</p>
<!-- end vendor -->


<A NAME="hp">
<H4>Hewlett-Packard Company</H4>
Patches are now available from HP.  See HPSBUX0110-168 for details.
</p>
<!-- end vendor -->


<A NAME="ibm">
<H4>IBM Corporation</H4>
IBM AIX 5.1 and 4.3 are vulnerable.  IBM has released an emergency fix (efix) which contains patched binaries for both AIX 5.1 and AIX 4.3 as well as an advisory:
<dl>
<dd>
<a href="ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z">ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z</a>
</p>
</dd>
</dl>
IBM is working on APARs which will not be available until late October or November of 2001.
<dl>
<dd>
AIX 4.3:
     Pending assignment<br>
AIX 5.1:
     APAR #IY23846
</p>
</dd>
</dl>
<!-- end vendor -->


<A NAME="opengroup">
<H4>The Open Group</H4>

<p>The Open Group maintains source code for the Common Desktop Environment (CDE).  Source licensees of The Open Group's CDE product can contact <a href="mailto:desktop@opengroup.org">desktop@opengroup.org</a> for advice and a source patch that address this issue.</p>
<!-- end vendor -->

<A NAME="sgi">
<H4>SGI</H4>

<p>SGI acknowledges the CDE vulnerabilities reported by CERT and is currently investigating.  No further information is available at this time.  For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems.  Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements.  As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list.
<dl>
<dd>
<a href="http://www.sgi.com/support/security/">http://www.sgi.com/support/security/</a>
</dd>
</dl>
</p>
<!-- end vendor -->

<A NAME="sun">
<H4>Sun</H4>
<p>Sun has released Security Bulletin #00212 (URL wrapped):
<dl>
<dd>
<a href="http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/212&type=0&nav=sec.sba">http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=<br>secbull/212&type=0&nav=sec.sba</a>
</dd>
</dl>
Sun patches are available at the following location:
<dl>
<dd>
<a href="http://sunsolve.sun.com/securitypatch/">http://sunsolve.sun.com/securitypatch/</a>
</p>
</dd>
</dl>
</p>
<!-- end vendor -->

<A NAME="xig">
<H4>Xi Graphics</H4>
<p>Xi Graphics DeXtop 2.1 is vulnerable.  Further information and a patch are available at the following locations:
<dl>
<dd>
<a href="ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.txt
">ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.txt</a>
<p>
<a href="ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.tar.gz">ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.tar.gz</a>
</a>
</dd>
</dl>
</p>
<!-- end vendor -->

</p>

<A NAME="references"><H2>Appendix B. - References</H2></A>

<ol>
<li><a href="http://www.opengroup.org/cde/">http://www.opengroup.org/cde/</a><br>
<li><a href="http://www.opengroup.org/desktop/faq/">http://www.opengroup.org/desktop/faq/</a><BR>
<li><a href="http://xforce.iss.net/alerts/advise98.php">http://xforce.iss.net/alerts/advise98.php</a><br>
<li><a href="http://www.kb.cert.org/vuls/id/595507">http://www.kb.cert.org/vuls/id/595507</a><BR>
<li><a href="http://www.cert.org/advisories/CA-1998-11.html">http://www.cert.org/advisories/CA-1998-11.html</a><br>
</ol>
	
<HR>

<HR NOSHADE>

<P>The CERT Coordination Center thanks Internet Security Systems (ISS) <a href="http://xforce.iss.net/">X-Force</a>, who published an <a href="http://xforce.iss.net/alerts/advise98.php">advisory</a> on this issue.  We would also like to thank <a href="http://www.opengroup.org/">The Open Group</a> for technical assistance.</P>

<P></P>

<HR NOSHADE>

<P>Authors: <A HREF="mailto:cert@cert.org?subject=CA-2001-27%20Feedback%20VU%23595507">Art Manion and Shawn V. Hernan</A>

<P></P>

<!--#include virtual="/include/footer_nocopyright.html" -->

<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
October  5, 2001:  initial release
October  8, 2001:  updated vendor information for Caldera, Compaq, Cray, fixed Authors and X-Force links
October  9, 2001:  updated vendor information for Cray, Xi Graphics
October 17, 2001:  updated vendor information for Caldera
November 14, 2001:  updated vendor information for Compaq, Sun
</PRE>