Pakistan Computer Emergency Response Team

The Security Standard


HOME | ABOUT US | SERVICES | ADVISORIES | RESOURCES | DEFACEMENT ARCHIVE | MEMBERS AREA | TRAINING | CONTACT US

Copyright | Disclaimer

 

 

 


 
CA-2001-27 Format String Vulnerability in CDE ToolTalk

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-27 Format String Vulnerability in CDE ToolTalk

Original release date: October 5, 2001
Last revised: Thu Oct 5 14:17:55 EDT 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.


Systems Affected

* Systems running CDE ToolTalk


Overview

There is a remotely exploitable format string vulnerability in the CDE
ToolTalk RPC database service. This vulnerability could be used to
crash the service or execute arbitrary code, potentially allowing an
intruder to gain root access. This vulnerability is documented in
VU#595507.


I. Description

The Common Desktop Environment (CDE) is an integrated graphical user
interface that runs on Unix and Linux operating systems. CDE ToolTalk
is a message brokering system that provides an architecture for
applications to communicate with each other across hosts and
platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages
communication between ToolTalk applications. For more information
about CDE, see

http://www.opengroup.org/cde/
http://www.opengroup.org/desktop/faq/

There is a remotely exploitable format string vulnerability in the CDE
ToolTalk RPC database server. While handling an error condition, a
syslog(3) function call is made without providing a format string
specifier argument. Since rpc.ttdbserverd does not perform adequate
input validation or provide the format string specifier argument, a
crafted RPC request containing format string specifiers will be
interpreted by the vulnerable syslog(3) function call. Such a request
can be designed to overwrite specific locations in memory, thus
executing code with the privileges of rpc.ttdbserverd, typically root.

The vulnerability was discovered by Internet Security Systems (ISS)
X-Force. For more information, see

http://xforce.iss.net/alerts/advise98.php

This vulnerability has been assigned the identifier CAN-2001-00717 by
the Common Vulnerabilities and Exposures (CVE) group:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717

Many common UNIX systems ship with CDE ToolTalk installed and enabled
by default. The rpcinfo command may help determine if a system is
running the ToolTalk RPC database service:

$ rpcinfo -p hostname

The program number for the ToolTalk RPC database service is 100083.
References to this number in the output from rpcinfo or in /etc/rpc
may indicate that the ToolTalk RPC database service is running. Any
system that does not run the ToolTalk RPC database service is not
vulnerable to this problem.


II. Impact

An attacker can execute arbitrary code with the privileges of the
rpc.ttdbserverd process, typically root.


III. Solution

Apply a patch

Appendix A contains information from vendors who have provided
information for this advisory. We will update the appendix as we
receive more information. If a vendor's name does not appear, then the
CERT/CC did not hear from that vendor. Please contact your vendor
directly.

Block access to vulnerable service

Until patches are available and can be applied, you may wish to block
access to the RPC portmapper service and the ToolTalk RPC service from
untrusted networks such as the internet. Using a firewall or other
packet-filtering technology, block the ports used by the RPC
portmapper and ToolTalk RPC services. The RPC portmapper service
typically runs on ports 111/tcp and 111/udp. The ToolTalk RPC service
may be configured to use port 692/tcp or another port as indicated in
output from the rpcinfo command. Keep in mind that blocking ports at a
network perimeter does not protect the vulnerable service from the
internal network. It is important to understand your network
configuration and service requirements before deciding what changes
are appropriate.


Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.


Caldera, Inc.

Caldera UnixWare and Open Linux are vulnerable, and a fix is
forthcoming.


Compaq Computer Corporation

Compaq Computer Corporation
============================
Software Security Response Team

Severity: low

ToolTalk RPC Server Format String Vulnerability

This potential security vulnerability has not been
reproduced for any release of Compaq Tru64 Unix.
However with the information available, we are providing
a patch that will further reduce any potential
vulnerability.

A patch has been made available for all supported
versions of Tru64/ DIGITAL UNIX V4.0f, V4.0g, V5.0a,
V5.1, and V5.1a.

*This solution will be included in a future distributed release of
Compaq's Tru64/ DIGITAL UNIX.

This patch may be obtained from the following URL address:

http://www.support.compaq.com/patches/

Select BROWSE PATCH TREE and choose the version directory
required.

The patch names are:

DUV40F17-C0056200-11703-ER-*.tar
T64V40G17-C0007000-11704-ER-*.tar
T64V50A17-C0015500-11705-ER-*.tar
T64V5117-C0065200-11706-ER-*.tar
T64V51Assb-C0000800-11707-ER-*.tar

Note: Te asterisk in the filename indicates the remainder of the
tarfile name may change depending on the applicable date.

This patch can be installed on:

V4.0f, V4.0g all patch kits
V5.0a, V5.1, and V5.1a all patch kits


Cray Inc.

UNICOS and UNICOS/mk are not vulnerable to [this] advisory. For
further inform ation see Cray SPR 721061. Cray SPRs are available
to licensed Cray customers.


Hewlett-Packard Company

Patches are now available from HP. See HPSBUX0110-168 for details.


IBM Corporation

IBM AIX 5.1 and 4.3 are vulnerable. IBM has released an emergency
fix (efix) w hich contains patched binaries for both AIX 5.1 and
AIX 4.3 as well as an advis ory:

ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z


IBM is working on APARs which will not be available until late
October or Novem ber of 2001.

AIX 4.3: Pending assignment
AIX 5.1: APAR #IY23846


The Open Group

The Open Group maintains source code for the Common Desktop
Environment (CDE). Source licensees of The Open Group's CDE product
can contact desktop@opengroup.org for advice and a source patch that
address this issue.


SGI

SGI acknowledges the CDE vulnerabilities reported by CERT and is
currently investigating. No further information is available at this
time. For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are available
for all vulnerable and supported IRIX operating systems. Until SGI has
more definitive information to provide, customers are encouraged to
assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and
requirements. As further information becomes available, additional
advisories will be issued via the normal SGI security information
distribution methods including the wiretap mailing list.

http://www.sgi.com/support/security/


Sun

Sun has reproduced the vulnerability and is testing a fix. The Sun
patches will be made available at the following location:

http://sunsolve.sun.com/securitypatch/


Xi Graphics

Xi Graphics is investigating this report and will provide more
information when it is available.


Appendix B. - References

1. http://www.opengroup.org/cde/
2. http://www.opengroup.org/desktop/faq/
3. http://xforce.iss.net/alerts/advise98.php
4. http://www.kb.cert.org/vuls/id/595507
5. http://www.cert.org/advisories/CA-1998-11.html
_________________________________________________________________
_________________________________________________________________

The CERT Coordination Center thanks Internet Security Systems (ISS)
X-Force, who published an advisory on this issue. We would also like
to thank The Open Group for technical assistance.
_________________________________________________________________

Authors: Art Manion and Shawn V. Hernan
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-27.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

October 5, 2001: initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBO738iqCVPMXQI2HJAQHZFgP+Pr97BrhjEZKFE+MnpJMrGzy7fyWS9YTb
Q07LB4f/q7RWx/aaj09xh15G7OSrAIS32Nw5Ksdgr1AqObGDsEvkVb4rflb7VcuM
UJ+43zAAuv3uww/BR40itprqCw5aL8GomBvnUyVj/VDzGQHa26Vj8nILFo/dmASt
ouGA2RLQI/s=
=mdjA
-----END PGP SIGNATURE-----

All rights reserved. Copyright© PakCERT 2000-2017