CERT-SEI

Multiple Vulnerabilities in CDE ToolTalk

Original release date: July 10, 2002
Last revised: November 7, 2002
Source: CERT/CC

A complete revision history can be found at the end of this file.


Systems Affected

  • Systems running CDE ToolTalk

Overview

Two vulnerabilities have been discovered in the Common Desktop Environment (CDE) ToolTalk RPC database server. The first vulnerability could be used by a remote attacker to delete arbitrary files, cause a denial of service, or possibly execute arbitrary code or commands. The second vulnerability could allow a local attacker to overwrite arbitrary files with contents of the attacker's choice.


I. Description

The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. CDE ToolTalk is a message brokering system that provides an architecture for applications to communicate with each other across hosts and platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages communication between ToolTalk applications. For more information about CDE, see

http://www.opengroup.org/cde/

http://www.opengroup.org/desktop/faq/



This advisory addresses two new vulnerabilities in the CDE ToolTalk RPC database server. These vulnerabilities are summarized below and are described in further detail in their respective vulnerability notes. A list previously documented problems in CDE can be found in Appendix B.

Both of these vulnerabilities were discovered and reported by CORE SECURITY TECHNOLOGIES and are described in CORE-20020528.

VU#975403 - Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file descriptor argument to _TT_ISCLOSE()

The ToolTalk RPC database server does not validate the range of an argument passed to the procedure _TT_ISCLOSE(). As a result, certain locations in memory can be overwritten with zeros. For more information, please see VU#975403:

http://www.kb.cert.org/vuls/id/975403

This vulnerability has been assigned CAN-2002-0677 by the Common Vulnerabilities and Exposures (CVE) group.

VU#299816 - Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file operations

The ToolTalk RPC database server does not ensure that the target of a file write operation is a valid file and not a symbolic link. For more information, please see VU#299816:

http://www.kb.cert.org/vuls/id/299816


This vulnerability has been assigned CAN-2002-0678 by the Common Vulnerabilities and Exposures (CVE) group.


II. Impact

VU#975403 - Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file descriptor argument to _TT_ISCLOSE()

By issuing a specially crafted call to the procedure _TT_ISCLOSE(), a remote attacker could overwrite certain locations in memory with zeros. Using a combination of techniques that include valid ToolTalk RPC requests, an attacker could leverage this vulnerability to delete any file that is accessible by the ToolTalk RPC database server. Since the server typically runs with root privileges, any file on a vulnerable system could be deleted. Overwriting memory or deleting files could cause a denial of service. It may also be possible to execute arbitrary code and commands.

VU#299816 - Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file operations

By referencing a specially crafted symbolic link in certain ToolTalk RPC requests, a local attacker could overwrite any file that is accessible by the the ToolTalk RPC database server with contents of the attacker's choice. Since the server typically runs with root privileges, any file on a vulnerable system could be overwritten. Overwriting root-owned files could lead to lead to privilege escalation or cause a denial of service.


III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Disable vulnerable service

Until patches are available and can be applied, you may wish to disable the ToolTalk RPC database service. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. On a typical CDE system, it should be possible to disable rpc.ttdbserverd by commenting out the relevant entries in /etc/inetd.conf and if necessary, /etc/rpc, and then by restarting the inetd process.

The program number for the ToolTalk RPC database server is 100083. If references to 100083 or rpc.ttdbserverd appear in /etc/inetd.conf or /etc/rpc or in output from the rpcinfo(1M) and ps(1) commands, then the ToolTalk RPC database server may be running.

The following example was taken from a system running SunOS 5.8 (Solaris 8):


/etc/inetd.conf
...
#
# Sun ToolTalk Database Server
#
100083/1     tli   rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
... 


# rpcinfo -p 
    program vers proto    port  service
    ...
    100083    1   tcp   32773
    ...


# ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
    ...
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd     
    ...


Before deciding to disable the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements.

Block access to vulnerable service

Until patches are available and can be applied, you may wish to block access to the ToolTalk RPC database server and possibly the RPC portmapper service from untrusted networks such as the Internet. Use a firewall or other packet-filtering technology to block the appropriate network ports. The ToolTalk RPC database server may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo(1M) command. In the example above, the ToolTalk RPC database server is configured to use port 32773/tcp. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from attacks that originate from the internal network.

Before deciding to block or restrict access to the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements.


Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Caldera, Inc.

Caldera Open UNIX and Caldera UnixWare provide the CDE ttdbserverd daemon, and are vulnerable to these issues. Please see Caldera Security Advisory CSSA-2002-SCO.28 for more information.

SCO OpenServer and Caldera OpenLinux do not provide CDE, and are therefore not vulnerable.

Compaq Computer Corporation

SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services Software Security Response Team

CROSS REFERENCE: SSRT2251

[Compaq (Hewlett-Packard) has released a security bulletin (SRB0039W/SSRT2251) that addresses VU#975403, VU#299816, and other vulnerabilities.]

A recommended workaround however is to disable rpc.ttdbserver until solutions are available. This should only create a potential problem for public software packages applications that use the RPC-based ToolTalk database server. This step should be evaluated against the risks identified, your security measures environment, and potential impact of other products that may use the ToolTalk database server.

To disable rpc.ttdbserverd:

  • Comment out the following line in /etc/inetd.conf:

    rpc.ttdbserverd stream tcp swait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

  • Force inetd to re-read the configuration file by executing the inetd -h command.


Note: The internet daemon should kill the currently running rpc.ttdbserver. If not, manually kill any existing rpc.ttdbserverd process.

Cray, Inc.

Cray, Inc. does include ToolTalk within the CrayTools product. However, rpc.ttdbserverd is not turned on or used by any Cray provided application. Since a site may have turned this on for their own use, they can always remove the binary /opt/ctl/bin/rpc.ttdbserverd if they are concerned.

Fujitsu

Fujitsu's UXP/V operating system is not affected by the vulnerability reported in VU#975403 [or VU#299816] because UXP/V does not support any CDE functionalties.

Hewlett-Packard Company

HP9000 Series 700/800 running HP-UX releases 10.10, 10.20, 11.00, and 11.11 are vulnerable.

Until patches are available, install the appropriate file to replace rpc.ttdbserver.

Download rpc.ttdbserver.tar.gz from the ftp site. This file is temporary and will be deleted when patches are available from the standard HP web sites, including itrc.hp.com.

System: hprc.external.hp.com (192.170.19.51)
Login: ttdb1
Password: ttdb1
FTP Access: ftp://ttdb1:ttdb1@hprc.external.hp.com/
ftp://ttdb1:ttdb1@192.170.19.51/
File: rpc.ttdbserver.tar.gz
MD5: da1be3aaf70d0e2393bd9a03feaf4b1d

Hewlett-Packard has also released HP-UX Security Bulletin HPSBUX0207-199.



IBM Corporation

The CDE desktop product shipped with AIX is vulnerable to both the issues detailed above in the advisory. This affects AIX releases 4.3.3 and 5.1.0 An efix package will be available shortly from the IBM software ftp site. The efix packages can be downloaded from ftp.software.ibm.com/aix/efixes/security. This directory contains a README file that gives further details on the efix packages.

The following APARs will be available in the near future:

AIX 4.3.3: IY32368

AIX 5.1.0: IY32370



SGI

Please see SGI Security Advisories 20021101-01-P (CDE ToolTalk) and 20021102-01-P (IRIX ToolTalk).

Sun Microsystems, Inc.

The Solaris RPC-based ToolTalk database server, rpc.ttdbserver, is vulnerable to the two vulnerabilities [VU#975403 VU#299816] described in this advisory in all currently supported versions of Solaris:

Solaris 2.5.1, 2.6, 7, 8, and 9

Patches are being generated for all of the above releases. Sun will publish a Sun Security Bulletin and a Sun Alert for this issue. The Sun Alert will be available from:

http://sunsolve.sun.com

The patches will be available from:

http://sunsolve.sun.com/securitypatch

Sun Security Bulletins are available from:

http://sunsolve.sun.com/security



Xi Graphics

Xi Graphics deXtop CDE v2.1 is vulnerable to this attack. When announced, the update and accompanying text file will be:

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

Most sites do not need to use the ToolTalk server daemon. Xi Graphics Security recommends that non-essential services are never enabled. To disable the ToolTalk server on your system, edit /etc/inetd.conf and comment out, or remove, the 'rpc.ttdbserver' line. Then, either restart inetd, or reboot your machine.


Appendix B. - References


The CERT Coordination Center thanks the reporters, Iván Arce and Ricardo Quesada of CORE SECURITY TECHNOLOGIES, for their assistance and cooperation in producing this document.


Author: Art Manion

Copyright 2002 Carnegie Mellon University.

Revision History

July 10, 2002:  Initial release
July 11, 2002:  Fixed formatting, added link to CORE-20020528, updated Caldera statement, corrected Fujitsu statement to read "is not affected"
July 19, 2002:  Updated HP statement
September 9, 2002:  Updated Compaq statement
November 5, 2002:  Updated SGI statement (CDE ToolTalk)
November 7, 2002:  Updated SGI statement (IRIX ToolTalk)