||Home : Advisories : Vulnerability in ToolTalk RPC Service|
||Vulnerability in ToolTalk RPC Service
||3rd September 1998
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-98.11
Original issue date: Sept. 3, 1998
Last Revised: July 22, 1999 Added link IN-99-04 to the "Updates"
Topic: Vulnerability in ToolTalk RPC Service
The text of this advisory was originally released on August 31, 1998,
as NAI-29, developed by Network Associates, Inc. (NAI). To more widely
broadcast this information, we are reprinting the NAI advisory here
with their permission.
As we receive additional information it will be placed in an "Updates"
section at the end of this advisory.
Stack Overflow in ToolTalk RPC Service
NAI Advisory 29
Network Associates, Inc.
August 31, 1998
An implementation fault in the ToolTalk object database server allows
a remote attacker to run arbitrary code as the superuser on hosts
supporting the ToolTalk service. The affected program runs on many
popular UNIX operating systems supporting CDE and some Open Windows
installs. This vulnerability is being actively exploited by attackers
on the Internet.
Confirmed Vulnerable Operating Systems and Third Party Vendors
SunOS 5.6, 5.6_x86
SunOS 5.5.1, 5.5.1_x86
SunOS 5.5, 5.5_x86
SunOS 5.4, 5.4_x86
HP-UX release 10.10
HP-UX release 10.20
HP-UX release 10.30
HP-UX release 11.00
TriTeal CDE - TED versions 4.3 and previous.
Xi Graphics Maximum CDE v1.2.3
It should be noted here that this not an exhaustive list of vulnerable
vendors. These are only the *confirmed vulnerable* vendors. Also, any
OS installation that is not configured to use or start up the ToolTalk
service is not vulnerable to this problem. To determine whether the
ToolTalk database server is running on a host, use the "rpcinfo"
command to print a list of the RPC services running on it, as:
$ rpcinfo -p hostname
Because many operating systems do not include an entry for the
ToolTalk database service in the RPC mapping table ("/etc/rpc" on most
Unix platforms), the vulnerable service may not appear by name in the
listing. The RPC program number for the ToolTalk database service is
100083. If an entry exists for this program, such as,
100083 1 tcp 692
then the service is running on the host. Until additional information
is made available from the OS vendor, it should be assumed that the
system is vulnerable to the attack described in this advisory.
The ToolTalk service allows independently developed applications to
communicate with each other by exchanging ToolTalk messages. Using
ToolTalk, applications can create open protocols which allow different
programs to be interchanged, and new programs to be plugged into the
system with minimal reconfiguration.
The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service
which manages objects needed for the operation of the ToolTalk
service. ToolTalk-enabled processes communicate with each other using
RPC calls to this program, which runs on each ToolTalk-enabled host.
This program is a standard component of the ToolTalk system, which
ships as a standard component of many commercial Unix operating
systems. The ToolTalk database server runs as root.
Due to an implementation fault in rpc.ttdbserverd, it is possible for
a malicious remote client to formulate an RPC message that will cause
the server to overflow an automatic variable on the stack. By
overwriting activation records stored on the stack, it is possible to
force a transfer of control into arbitrary instructions provided by
the attacker in the RPC message, and thus gain total control of the
Source code and XDR specifications for the ToolTalk database protocol
and server were not available at the time this advisory was drafted.
What follows is information based on analysis of the rpc.ttdbserverd
binary and a captured attack trace from a network on which an
exploitation script for this problem was run.
The observed attack utilized the ToolTalk Database (TTDB) RPC
procedure number 7, with an XDR-encoded string as its sole argument.
TTDB procedure 7 corresponds to the _tt_iserase_1() function symbol in
the Solaris binary (/usr/openwin/bin/rpc.ttdbserverd). This function
implements an RPC procedure which takes an ASCII string as an
argument, which is treated as a pathname.
The pathname string is passed to the function isopen(), which in turn
passes it to _am_open(), then to _amopen(), _openfcb(), _isfcb_open(),
and finally to _open_datfile(), where it, as the first argument to the
function, is passed directly to a strcpy() to a pointer on the stack.
If the pathname string is suitably large, the string overflows the
stack buffer and overwrites an activation record, allowing control to
transfer into instructions stored in the pathname string.
This is an implementation problem and can only be resolved completely
by applying patches to or replacing affected software. As a temporary
workaround, it is possible to eliminate vulnerability to this problem
by disabling the ToolTalk database service. This can be done by
killing the "rpc.ttdbserverd" process and removing it from any OS
startup scripts. It should be noted that this may impair system
The following vendors have been confirmed vulnerable, contacted, and
have responded with repair information:
Sun plans to release patches this week that relate to the ToolTalk
vulnerability for SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and
Patches for SunOS 5.4, 5.4_x86, 5.3, 4.1.4 and 4.1.3_U1 will be
released in about 4 weeks.
Sun recommended security patches (including checksums) are available
HP-UX has been confirmed vulnerable in releases 10.XX and 11.00. HP
has made patches available with the following identifications:
HP-UX release 10.10 HP9000 Series 7/800 PHSS_16150
HP-UX release 10.20 HP9000 Series 7/800 PHSS_16147
HP-UX release 10.24 HP9000 Series 7/800 PHSS_16197
HP-UX release 10.30 HP9000 Series 7/800 PHSS_16151
HP-UX release 11.00 HP9000 Series 7/800 PHSS_16148
IBM AIX has been confirmed vulnerable. IBM's response is as follows:
The version of ttdbserver shipped with AIX is vulnerable. We are
currently working on the following fixes which will be available soon:
APAR 4.1.x: IX81440
APAR 4.2.x: IX81441
APAR 4.3.x: IX81442
Until the official APARs are available, a temporary fix can be
downloaded via anonymous ftp from:
An official response from TriTeal is as follows:
The ToolTalk vulnerability will be fixed in the TED4.4 release. For
earlier versions of TED, please contact the TriTeal technical support
department at firstname.lastname@example.org or at
An official response from Xi Graphics is as follows:
Xi Graphics Maximum CDE v1.2.3 is vulnerable to this attack. A patch
to correct this problem will be placed on our FTP site by 8/28/1998:
Users of Maximum CDE v1.2.3 are urged to install this update.
Please refer to Silicon Graphics Inc. Security Advisory,
"Vulnerability in ToolTalk RPC Service," Number: 19981101-01-A,
distributed November 19, 1998 for additional information relating to
The primary SGI anonymous FTP site for security information and
patches is sgigate.sgi.com (184.108.40.206). Security information and
patches are located under the directories ~ftp/security and
~ftp/patches, respectively. The Silicon Graphics Security Headquarters
Web page is accessible at the URL
If any uncertainty exists with regards to whether a given vendor not
listed in this advisory is vulnerable to this attack, we recommend
contacting them via their support/security channels for more
The NAI Security Labs Team would like to thank the HP & IBM Security
Response Teams, CERT/CC & AUSCERT for their contributions to this
ABOUT THE NETWORK ASSOCIATES SECURITY LABS
The Security Labs at Network Associates hosts some of the most
important research in computer security today. With over 28 published
security advisories published in the last 2 years, the Network
Associates security auditing teams have been responsible for the
discovery of many of the Internet's most serious security flaws. This
advisory represents our ongoing commitment to provide critical
information to the security community.
For more information about the Security Labs at Network Associates,
see our website at http://www.nai.com or contact us at
For more information about attacks using various RPC Services please
see CERT Incident Note IN-99-04
This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available from
our web site http://www.cert.org/.
To be added to our mailing list for advisories and bulletins, send
email to email@example.com and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
July 22, 1999 Added link IN-99-04 to the "Updates" section.
Dec. 9, 1998 Updated RESOLUTION information for Silicon Graphics.
Sept. 4, 1998 Updated RESOLUTION information for Hewlett Packard.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
-----END PGP SIGNATURE-----