Original release date: January 14, 2002<BR>
Last revised: --<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<LI>Systems running CDE</LI>

<A NAME="overview">

<P>The CERT/CC has received credible reports of scanning and
exploitation of Solaris systems running the CDE Subprocess Control
Service buffer overflow vulnerability identified in <a
and discussed in <a

<A NAME="description">
<H2>I. Description</H2>

<p>Since <a
was originally released last November, the CERT/CC has received
reports of scanning for <FONT FACE="Courier New">dtspcd</FONT> (6112/tcp).  Just recently,
however, we have received credible reports of an exploit for Solaris
systems.  Using network traces provided by <A
HREF="http://project.honeynet.org">The Honeynet Project</A>, we have
confirmed that the <FONT FACE="Courier New">dtspcd</FONT> vulnerability identified in <a
and discussed in <A
HREF="http://www.kb.cert.org/vuls/id/172583">VU#172583</A> is actively
being exploited.</p>

<p>The Common Desktop Environment (CDE) is an integrated graphical
user interface that runs on UNIX and Linux operating systems.  The CDE
Subprocess Control Service (<FONT FACE="Courier New">dtspcd</FONT>) is a network daemon that
accepts requests from clients to execute commands and launch
applications remotely.  On systems running CDE, <FONT FACE="Courier New">dtspcd</FONT> is
spawned by the Internet services daemon (typically <FONT FACE="Courier New">inetd</FONT> or
<FONT FACE="Courier New">xinetd</FONT>) in response to a CDE client request.  <FONT FACE="Courier New">dtspcd</FONT>
is typically configured to run on port 6112/tcp with root privileges.

<P> There is a remotely exploitable buffer overflow vulnerability in a
shared library that is used by <FONT FACE="Courier New">dtspcd</FONT>.  During client
negotiation, <FONT FACE="Courier New">dtspcd</FONT> accepts a length value and subsequent
data from the client without performing adequate input validation.  As
a result, a malicious client can manipulate data sent to
<FONT FACE="Courier New">dtspcd</FONT> and cause a buffer overflow, potentially executing
code with root privileges.  The overflow occurs in a fixed-size 4K
buffer that is exploited by the contents of one of the attack packets.
The signature can be found at bytes 0x3e-0x41 in the following attack
packet from a tcpdump log  (lines may wrap):</p>

<FONT FACE="Courier New" Size=-1>
09:46:04.378306 &gt; P 1:1449(1448) ack 1 win 16060 &lt;nop,nop,timestamp 463986683 4158792&gt; (DF)<BR>
0x0000 &nbsp; 4500 05dc a1ac 4000 3006 241c 0a0a 0a01 &nbsp; &nbsp; &nbsp; &nbsp;E.....@.0.$..... &nbsp; <BR>
0x0010 &nbsp; 0a0a 0a02 0e08 17e0 fee2 c115 5f66 192f &nbsp; &nbsp; &nbsp; &nbsp;...f........_f./<BR>
0x0020 &nbsp; 8018 3ebc e1e9 0000 0101 080a 1ba7 dffb &nbsp; &nbsp; &nbsp; &nbsp;..&gt;.............<BR>
0x0030 &nbsp; 003f 7548 3030 3030 3030 3032 3034 <b>3130</b> &nbsp; &nbsp; &nbsp; &nbsp;.?uH0000000204<b>10</b><BR>
0x0040 &nbsp; <b>3365</b> 3030 3031 2020 3420 0000 0031 3000 &nbsp; &nbsp; &nbsp; &nbsp;<b>3e</b>0001..4....10.<BR>
0x0050 &nbsp; 801c 4011 801c 4011 1080 0101 801c 4011 &nbsp; &nbsp; &nbsp; &nbsp;..@...@.......@.<BR>
0x0060 &nbsp; 801c 4011 801c 4011 801c 4011 801c 4011 &nbsp; &nbsp; &nbsp; &nbsp;..@...@...@...@.<BR>
<p>The value 0x103e in the ASCII (right) column above is interpreted
by the server as the number of bytes in the packet to copy into the
internal 4K (0x1000) buffer.  Since 0x103e is greater than 0x1000, the
last 0x3e bytes of the packet will overwrite memory after the end of
the 4K buffer.  This is the same compromise vector identified in <A

<p>It is important to note that several Internet-enabled games may
also use port 6112/tcp as a legitimate part of their normal operation,
therefore, not all network activity involving this service may be
malicious. Network administrators monitoring this type of activity may
wish to verify whether probes of this type are actually attempts to
exploit <a href="http://www.kb.cert.org/vuls/id/172583">VU#172583</a>.</p>

Many common UNIX systems ship with CDE installed and enabled by
default.  To determine if your system is configured to run
<FONT FACE="Courier New">dtspcd</FONT>, check for the following entries (lines may

in <FONT FACE="Courier New">/etc/services</FONT>
<FONT FACE="Courier New">dtspc  6112/tcp</FONT>
in <FONT FACE="Courier New">/etc/inetd.conf</FONT>
<FONT FACE="Courier New">dtspc  stream  tcp  nowait  root  /usr/dt/bin/dtspcd  /usr/dt/bin/dtspcd</FONT>

<p>Any system that does not run the CDE Subprocess Control Service is
not vulnerable to this problem.</p>

<A NAME="impact">
<H2>II. Impact</H2>

<p>An attacker can execute arbitrary code with root privileges.</p>

<A NAME="solution">
<H2>III. Solution</H2>

<H4>Apply a patch</H4> <A HREF="http://www.kb.cert.org/vuls/id/172583">VU#172583</a> contains
information from vendors who have provided information for this
advisory.  We will update the vulnerability note as we receive more
information. If a vendor's name does not appear, then the CERT/CC did
not hear from that vendor.  Please contact your vendor directly.

<p>Vendor information can be found in the "Systems Affected" section of VU#172583</p> 

<H4>Limit access to vulnerable service</H4>
<p>Until patches are available and can be applied, you may wish to
limit or block access to the Subprocess Control Service from untrusted
networks such as the Internet.  Using a firewall or other
packet-filtering technology, block or restrict access to the port used
by the Subprocess Control Service.  As noted above, <FONT FACE="Courier New">dtspcd</FONT> is
typically configured to listen on port 6112/tcp.  It may be possible
to use <a href="ftp://ftp.porcupine.org/pub/security/index.html">TCP
Wrapper</a> or a similar technology to provide improved access control
and logging functionality for <FONT FACE="Courier New">dtspcd</FONT> connections.  Keep in
mind that blocking ports at a network perimeter does not protect the
vulnerable service from the internal network.  It is important to
understand your network configuration and service requirements before
deciding what changes are appropriate.  </p>

href="ftp://ftp.porcupine.org/pub/security/index.html">TCP Wrapper</a>
is available from


<H4>Disable vulnerable service</H4>

You may wish to consider disabling <FONT FACE="Courier New">dtspcd</FONT> by commenting out
the appropriate entry in <FONT FACE="Courier New">/etc/inetd.conf</FONT>.  As a best
practice, the CERT/CC recommends disabling any services that are not
explicitly required.  As noted above, it is important to consider the
consequences of such a change in your environment.

<A NAME="references"><H2>Appendix A. - References</H2></A>

<li><a href="http://www.kb.cert.org/vuls/id/172583">http://www.kb.cert.org/vuls/id/172583</a><BR>
<li><a href="http://www.cert.org/advisories/CA-2001-31.html">http://www.cert.org/advisories/CA-2001-31.html</a>
<li><A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803</a><br>
<li><a href="http://xforce.iss.net/alerts/advise101.php">http://xforce.iss.net/alerts/advise101.php</a><br>
<li><a href="http://www.opengroup.org/cde/">http://www.opengroup.org/cde/</a><br>
<li><a href="http://www.opengroup.org/desktop/faq/">http://www.opengroup.org/desktop/faq/</a><BR>

<P>The CERT Coordination Center thanks <a
href="http://project.honeynet.org">The Honeynet Project</a> for their
assistance in providing network traces of the exploitation.



<P>Authors: <A
Householder and Art Manion</A>

<!--#include virtual="/include/footer_nocopyright.html" -->

<P>Copyright 2002 Carnegie Mellon University.</P>

<P>Revision History
January 14, 2002:  Initial release