PGP SIGNED MESSAGE-----
CA-2001-27 Format String Vulnerability in CDE ToolTalk
release date: October 5, 2001
Last revised: Thu Oct 5 14:17:55 EDT 2001
revision history can be found at the end of this file.
running CDE ToolTalk
is a remotely exploitable format string vulnerability in the CDE
ToolTalk RPC database service. This vulnerability could be used to
crash the service or execute arbitrary code, potentially allowing an
intruder to gain root access. This vulnerability is documented in
Desktop Environment (CDE) is an integrated graphical user
interface that runs on Unix and Linux operating systems. CDE ToolTalk
is a message brokering system that provides an architecture for
applications to communicate with each other across hosts and
platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages
communication between ToolTalk applications. For more information
about CDE, see
is a remotely exploitable format string vulnerability in the CDE
ToolTalk RPC database server. While handling an error condition, a
syslog(3) function call is made without providing a format string
specifier argument. Since rpc.ttdbserverd does not perform adequate
input validation or provide the format string specifier argument, a
crafted RPC request containing format string specifiers will be
interpreted by the vulnerable syslog(3) function call. Such a request
can be designed to overwrite specific locations in memory, thus
executing code with the privileges of rpc.ttdbserverd, typically root.
was discovered by Internet Security Systems (ISS)
X-Force. For more information, see
has been assigned the identifier CAN-2001-00717 by
the Common Vulnerabilities and Exposures (CVE) group:
UNIX systems ship with CDE ToolTalk installed and enabled
by default. The rpcinfo command may help determine if a system is
running the ToolTalk RPC database service:
number for the ToolTalk RPC database service is 100083.
References to this number in the output from rpcinfo or in /etc/rpc
may indicate that the ToolTalk RPC database service is running. Any
system that does not run the ToolTalk RPC database service is not
vulnerable to this problem.
can execute arbitrary code with the privileges of the
rpc.ttdbserverd process, typically root.
A contains information from vendors who have provided
information for this advisory. We will update the appendix as we
receive more information. If a vendor's name does not appear, then the
CERT/CC did not hear from that vendor. Please contact your vendor
to vulnerable service
patches are available and can be applied, you may wish to block
access to the RPC portmapper service and the ToolTalk RPC service from
untrusted networks such as the internet. Using a firewall or other
packet-filtering technology, block the ports used by the RPC
portmapper and ToolTalk RPC services. The RPC portmapper service
typically runs on ports 111/tcp and 111/udp. The ToolTalk RPC service
may be configured to use port 692/tcp or another port as indicated in
output from the rpcinfo command. Keep in mind that blocking ports at
network perimeter does not protect the vulnerable service from the
internal network. It is important to understand your network
configuration and service requirements before deciding what changes
Appendix A. - Vendor Information
contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If
particular vendor is not listed below, we have not received their
UnixWare and Open Linux are vulnerable, and a fix is
Compaq Computer Corporation
Software Security Response Team
ToolTalk RPC Server Format String Vulnerability
This potential security vulnerability has not been
reproduced for any release of Compaq Tru64 Unix.
However with the information available, we are providing
a patch that will further reduce any potential
A patch has been made available for all supported
versions of Tru64/ DIGITAL UNIX V4.0f, V4.0g, V5.0a,
V5.1, and V5.1a.
*This solution will be included in a future distributed release of
Compaq's Tru64/ DIGITAL UNIX.
This patch may be obtained from the following URL address:
Select BROWSE PATCH TREE and choose the version directory
The patch names are:
Note: Te asterisk in the filename indicates the remainder of the
tarfile name may change depending on the applicable date.
This patch can be installed on:
V4.0f, V4.0g all patch kits
V5.0a, V5.1, and V5.1a all patch kits
and UNICOS/mk are not vulnerable to [this] advisory. For
further inform ation see Cray SPR 721061. Cray SPRs are available
to licensed Cray customers.
are now available from HP. See HPSBUX0110-168 for details.
5.1 and 4.3 are vulnerable. IBM has released an emergency
fix (efix) w hich contains patched binaries for both AIX 5.1 and
AIX 4.3 as well as an advis ory:
IBM is working on APARs which will not be available until late
October or Novem ber of 2001.
AIX 4.3: Pending assignment
AIX 5.1: APAR #IY23846
The Open Group
Group maintains source code for the Common Desktop
Environment (CDE). Source licensees of The Open Group's CDE product
can contact firstname.lastname@example.org for advice and a source patch that
address this issue.
the CDE vulnerabilities reported by CERT and is
currently investigating. No further information is available at this
time. For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are available
for all vulnerable and supported IRIX operating systems. Until SGI has
more definitive information to provide, customers are encouraged to
assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and
requirements. As further information becomes available, additional
advisories will be issued via the normal SGI security information
distribution methods including the wiretap mailing list.
reproduced the vulnerability and is testing a fix. The Sun
patches will be made available at the following location:
is investigating this report and will provide more
information when it is available.
Appendix B. - References
Coordination Center thanks Internet Security Systems (ISS)
X-Force, who published an advisory on this issue. We would also like
to thank The Open Group for technical assistance.
Art Manion and Shawn V. Hernan
is available from:
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
prefer to use DES, please call the CERT hotline for more
and other security information are available from
our web site
to the CERT mailing list for advisories and bulletins,
send email to email@example.com. Please include in the body of your
and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
for use, disclaimers, and sponsorship information
2001 Carnegie Mellon University.
5, 2001: initial release
Version: PGP 6.5.8
-----END PGP SIGNATURE-----