__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Common Desktop Environment (CDE) ToolTalk Buffer Overflow [CERT Advisory CA-2002-26] August 12, 2002 20:00 GMT Number M-109 ______________________________________________________________________________ PROBLEM: The CDE ToolTalk database server is vulnerable to a heap buffer overflow through an argument passed to the procedure _TT_CREATE_FILE(). An attacker with access to the ToolTalk RPC database service could exploit this vulnerability with a specially crafted RPC message. PLATFORM: Any UNIX or Linux operating system running CDE ToolTalk. DAMAGE: Using an RPC message containing a specially crafted argument to _TT_CREATE_FILE(), a remote attacker could execute arbitrary code or cause a denial of service. The ToolTalk database server process runs with root privileges on most systems. SOLUTION: Apply available patches, or disable the ToolTalk RPC database service as recommended within CERT's bulletin. (The recommendation by CERT is dependent upon your network configuration and service requirements). ______________________________________________________________________________ VULNERABILITY The risk is HIGH. This is a common service used by most ASSESSMENT: versions of UNIX and Linux operating systems. The vulnerability could allow a remote attacker to execute arbitrary code or cause a denial of service. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-109.shtml ORIGINAL BULLETIN: http://www.cert.org/advisories/CA-2002-26.html PATCHES: NOTE: PLEASE REVIEW CERT'S BULLETIN APPENDIX A FOR VENDOR PRODUCT UPDATES AND REVISIONS. ______________________________________________________________________________ [***** Start CERT Advisory CA-2002-26 *****] CERT Advisory CA-2002-26 Buffer Overflow in CDE ToolTalk Original release date: August 12, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Systems running CDE ToolTalk Overview The Common Desktop Environment (CDE) ToolTalk RPC database server contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code or cause a denial of service. I. Description The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. CDE ToolTalk is a message brokering system that provides an architecture for applications to communicate with each other across hosts and platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages communication between ToolTalk applications. For more information about CDE, see http://www.opengroup.org/cde/ http://www.opengroup.org/desktop/faq/ The CDE ToolTalk database server is vulnerable to a heap buffer overflow via an argument passed to the procedure _TT_CREATE_FILE(). An attacker with access to the ToolTalk RPC database service could exploit this vulnerability with a specially crafted RPC message. Vulnerability Note VU#387387 includes a list of vendors who have been contacted about this vulnerability. This vulnerability was discovered and reported by the Entercept Ricochet Team and is described in the following Entercept Security Alert: http://www.entercept.com/news/uspr/08-12-02.asp This vulnerability has been assigned CAN-2002-0679 by the Common Vulnerabilities and Exposures (CVE) group. A list previously documented problems in CDE can be found in Appendix B. II. Impact Using an RPC message containing a specially crafted argument to _TT_CREATE_FILE(), a remote attacker could execute arbitrary code or cause a denial of service. The ToolTalk database server process runs with root privileges on most systems. Note that the non-executable stack protection provided by some operating systems will not prevent the execution of code located on the heap. III. Solution Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly. Disable vulnerable service Until patches are available and can be applied, you may wish to disable the ToolTalk RPC database service. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. On a typical CDE system, it should be possible to disable rpc.ttdbserverd by commenting out the relevant entries in /etc/inetd.conf and if necessary, /etc/rpc, and then by restarting the inetd process. The program number for the ToolTalk RPC database server is 100083. If references to 100083 or rpc.ttdbserverd appear in /etc/inetd.conf or /etc/rpc or in output from the rpcinfo(1M) and ps(1) commands, then the ToolTalk RPC database server may be running. The following example was taken from a system running SunOS 5.8 (Solaris 8): /etc/inetd.conf ... # # Sun ToolTalk Database Server # 100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbsrverd ... # rpcinfo -p program vers proto port service ... 100083 1 tcp 32773 ... # ps -ef UID PID PPID C STIME TTY TIME CMD ... root 355 164 0 19:31:27 ? 0:00 rpc.ttdbserverd ... Before deciding to disable the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements. Block access to vulnerable service Until patches are available and can be applied, you may wish to block access to the ToolTalk RPC database server and possibly the RPC portmapper service from untrusted networks such as the Internet. Use a firewall or other packet-filtering technology to block the appropriate network ports. The ToolTalk RPC database server may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo(1M) command. In the example above, the ToolTalk RPC database server is configured to use port 32773/tcp. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from attacks that originate from the internal network. Before deciding to block or restrict access to the ToolTalk RPC database server or the RPC portmapper service, carefully consider your network configuration and service requirements. [***** End CERT Advisory CA-2002-26 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of CERT Coordination Center for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-099: Microsoft Cumulative Patch for SQL Server M-100: MS Server Response To SMTP Client EHLO Command M-101: MS Unchecked Buffer in SQL Server 2000 Utilities M-102: MS SQL Server 2000 Resolution Service Buffer Overflow M-103: Multiple Vulnerabilities in OpenSSL M-104: Red Hat Linux Passwork Locking Race Vulnerability M-105: Unchecked Buffer in MDAC Function Vulnerability M-106: Cisco Concentrator RADIUS PAP Authentication Vulnerability M-107: Unchecked Buffer in Content Management Server M-108: Vulnerability in HP Apache Server PHP