CERT^® Advisory CA-1998-11 Vulnerability in ToolTalk RPC Service

A complete revision history is at the end of this file.

The text of this advisory was originally released on August 31, 1998, as NAI-29, developed by Network Associates, Inc. (NAI). To more widely broadcast this information, we are reprinting the NAI advisory here with their permission.

As we receive additional information it will be placed in an "Updates" section at the end of this advisory.

Stack Overflow in ToolTalk RPC Service

An implementation fault in the ToolTalk object database server allows a remote attacker to run arbitrary code as the superuser on hosts supporting the ToolTalk service. The affected program runs on many popular UNIX operating systems supporting CDE and some Open Windows installs. This vulnerability is being actively exploited by attackers on the Internet.

Confirmed Vulnerable Operating Systems and Third Party Vendors

Sun Microsystems

SunOS 5.6, 5.6_x86
SunOS 5.5.1, 5.5.1_x86
SunOS 5.5, 5.5_x86
SunOS 5.4, 5.4_x86
SunOS 5.3
SunOS 4.1.
SunOS 4.1.3_U1

HP-UX release 10.10
HP-UX release 10.20
HP-UX release 10.30
HP-UX release 11.00

IRIX 5.3
IRIX 5.4
IRIX 6.2
IRIX 6.3
IRIX 6.4

AIX 4.1.X
AIX 4.2.X
AIX 4.3.X

TriTeal CDE - TED versions 4.3 and previous.

Xi Graphics Maximum CDE v1.2.3

$ rpcinfo -p hostname

100083 1 tcp 692

DETAILS

The ToolTalk service allows independently developed applications to communicate with each other by exchanging ToolTalk messages. Using ToolTalk, applications can create open protocols which allow different programs to be interchanged, and new programs to be plugged into the system with minimal reconfiguration.

The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service which manages objects needed for the operation of the ToolTalk service. ToolTalk-enabled processes communicate with each other using RPC calls to this program, which runs on each ToolTalk-enabled host. This program is a standard component of the ToolTalk system, which ships as a standard component of many commercial Unix operating systems. The ToolTalk database server runs as root.

Due to an implementation fault in rpc.ttdbserverd, it is possible for a malicious remote client to formulate an RPC message that will cause the server to overflow an automatic variable on the stack. By overwriting activation records stored on the stack, it is possible to force a transfer of control into arbitrary instructions provided by the attacker in the RPC message, and thus gain total control of the server process.

TECHNICAL DETAILS

Source code and XDR specifications for the ToolTalk database protocol and server were not available at the time this advisory was drafted. What follows is information based on analysis of the rpc.ttdbserverd binary and a captured attack trace from a network on which an exploitation script for this problem was run.

The observed attack utilized the ToolTalk Database (TTDB) RPC procedure number 7, with an XDR-encoded string as its sole argument. TTDB procedure 7 corresponds to the _tt_iserase_1() function symbol in the Solaris binary (/usr/openwin/bin/rpc.ttdbserverd). This function implements an RPC procedure which takes an ASCII string as an argument, which is treated as a pathname.

The pathname string is passed to the function isopen(), which in turn passes it to _am_open(), then to _amopen(), _openfcb(), _isfcb_open(), and finally to _open_datfile(), where it, as the first argument to the function, is passed directly to a strcpy() to a pointer on the stack. If the pathname string is suitably large, the string overflows the stack buffer and overwrites an activation record, allowing control to transfer into instructions stored in the pathname string.

RESOLUTION

This is an implementation problem and can only be resolved completely by applying patches to or replacing affected software. As a temporary workaround, it is possible to eliminate vulnerability to this problem by disabling the ToolTalk database service. This can be done by killing the "rpc.ttdbserverd" process and removing it from any OS startup scripts. It should be noted that this may impair system functionality.

The following vendors have been confirmed vulnerable, contacted, and have responded with repair information:

Sun Microsystems

Sun plans to release patches this week that relate to the ToolTalk vulnerability for SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and 5.5_x86.

Patches for SunOS 5.4, 5.4_x86, 5.3, 4.1.4 and 4.1.3_U1 will be released in about 4 weeks.

Sun recommended security patches (including checksums) are available from: http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

Hewlett Packard

HP-UX has been confirmed vulnerable in releases 10.XX and 11.00. HP has made patches available with the following identifications:

HP-UX release 10.10 HP9000 Series 7/800 PHSS_16150
HP-UX release 10.20 HP9000 Series 7/800 PHSS_16147
HP-UX release 10.24 HP9000 Series 7/800 PHSS_16197
HP-UX release 10.30 HP9000 Series 7/800 PHSS_16151
HP-UX release 11.00 HP9000 Series 7/800 PHSS_16148

IBM AIX has been confirmed vulnerable. IBM's response is as follows:

The version of ttdbserver shipped with AIX is vulnerable. We are currently working on the following fixes which will be available soon:

 APAR 4.1.x: IX81440
 APAR 4.2.x: IX81441
 APAR 4.3.x: IX81442

ftp://aix.software.ibm.com/aix/efixes/security/ttdbserver.tar.Z

An official response from TriTeal is as follows:
The ToolTalk vulnerability will be fixed in the TED4.4 release. For earlier versions of TED, please contact the TriTeal technical support department at support@triteal.com or at http://www.triteal.com/support.

Xi Graphics

An official response from Xi Graphics is as follows:
Xi Graphics Maximum CDE v1.2.3 is vulnerable to this attack. A patch to correct this problem will be placed on our FTP site by 8/28/1998:

• ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.tar.gz
• ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.txt

Silicon Graphics

Please refer to Silicon Graphics Inc. Security Advisory, "Vulnerability in ToolTalk RPC Service," Number: 19981101-01-A, distributed November 19, 1998 for additional information relating to this vulnerability.

The primary SGI anonymous FTP site for security information and patches is sgigate.sgi.com (204.94.209.1). Security information and patches are located under the directories ~ftp/security and ~ftp/patches, respectively. The Silicon Graphics Security Headquarters Web page is accessible at the URL

http://www.sgi.com/Support/security/security.html.

Other Vendors

If any uncertainty exists with regards to whether a given vendor not listed in this advisory is vulnerable to this attack, we recommend contacting them via their support/security channels for more information.

ACKNOWLEDGEMENTS

The NAI Security Labs Team would like to thank the HP & IBM Security Response Teams, CERT/CC & AUSCERT for their contributions to this advisory.

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most important research in computer security today. With over 28 published security advisories published in the last 2 years, the Network Associates security auditing teams have been responsible for the discovery of many of the Internet's most serious security flaws. This advisory represents our ongoing commitment to provide critical information to the security community.

For more information about the Security Labs at Network Associates, see our website at http://www.nai.com or contact us at seclabs@nai.com.

UPDATES

For more information about attacks using various RPC Services please see CERT® Incident Note IN-99-04 http://www.cert.org/incident_notes/IN-99-04.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 1998, 1999 Carnegie Mellon University.

July 22, 1999  Added link IN-99-04 to the "Updates" section.
Dec.  9, 1998  Updated RESOLUTION information for Silicon Graphics.
Sept. 4, 1998  Updated RESOLUTION information for Hewlett Packard.