Title: Vulnerability in ToolTalk RPC Service
Released by: CERT
Date: 3rd September 1998
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-98.11

   Original issue date: Sept. 3, 1998
   Last Revised: July 22, 1999   Added link IN-99-04 to the "Updates"
   section.
     _________________________________________________________________

Topic: Vulnerability in ToolTalk RPC Service
     _________________________________________________________________

   The text of this advisory was originally released on August 31, 1998,
   as NAI-29, developed by Network Associates, Inc. (NAI). To more widely
   broadcast this information, we are reprinting the NAI advisory here
   with their permission.

   As we receive additional information it will be placed in an "Updates"
   section at the end of this advisory.
     _________________________________________________________________

Stack Overflow in ToolTalk RPC Service

                                                          NAI Advisory 29
                                                 Network Associates, Inc.
                                                        SECURITY ADVISORY
                                                          August 31, 1998

   SYNOPSIS

   An implementation fault in the ToolTalk object database server allows
   a remote attacker to run arbitrary code as the superuser on hosts
   supporting the ToolTalk service. The affected program runs on many
   popular UNIX operating systems supporting CDE and some Open Windows
   installs. This vulnerability is being actively exploited by attackers
   on the Internet.

   Confirmed Vulnerable Operating Systems and Third Party Vendors

   Sun Microsystems
       SunOS 5.6, 5.6_x86
       SunOS 5.5.1, 5.5.1_x86
       SunOS 5.5, 5.5_x86
       SunOS 5.4, 5.4_x86
       SunOS 5.3
       SunOS 4.1.4
       SunOS 4.1.3_U1

   Hewlett Packard
       HP-UX release 10.10
       HP-UX release 10.20
       HP-UX release 10.30
       HP-UX release 11.00

   SGI
       IRIX 5.3
       IRIX 5.4
       IRIX 6.2
       IRIX 6.3
       IRIX 6.4

   IBM
       AIX 4.1.X
       AIX 4.2.X
       AIX 4.3.X

   TriTeal
       TriTeal CDE - TED versions 4.3 and previous.

   Xi Graphics
       Xi Graphics Maximum CDE v1.2.3

   It should be noted here that this is not an exhaustive list of
   vulnerable vendors. These are only the *confirmed vulnerable* vendors.
   Also, any OS installation that is not configured to use or start up
   the ToolTalk service is not vulnerable to this problem. To determine
   whether the ToolTalk database server is running on a host, use the
   "rpcinfo" command to print a list of the RPC services running on it,
   as:

$ rpcinfo -p hostname

   Because many operating systems do not include an entry for the
   ToolTalk database service in the RPC mapping table ("/etc/rpc" on most
   Unix platforms), the vulnerable service may not appear by name in the
   listing. The RPC program number for the ToolTalk database service is
   100083. If an entry exists for this program, such as,

100083 1 tcp 692

   then the service is running on the host. Until additional information
   is made available from the OS vendor, it should be assumed that the
   system is vulnerable to the attack described in this advisory.
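As an added example (not part of the advisory), the following C routine applies the check above to the text of `rpcinfo -p`: it scans each line for an RPC program number and reports whether program 100083 is registered, which works whether or not `/etc/rpc` maps that number to a name. The sample listing embedded below is constructed; a real check would feed the routine the captured output of `rpcinfo -p hostname`.

```c
#include <stdio.h>
#include <string.h>

/* RPC program number of the ToolTalk database service (from the advisory). */
#define TTDB_PROG 100083UL

/* Constructed sample of "rpcinfo -p" output. The 100083 line has no name
 * column because /etc/rpc on many systems carries no entry for it. */
static const char *SAMPLE_RPCINFO =
    "   program vers proto   port\n"
    "    100000    2   tcp    111  portmapper\n"
    "    100000    2   udp    111  portmapper\n"
    "    100083    1   tcp    692\n";

/* Return 1 if any line of the rpcinfo -p output registers TTDB_PROG, else 0.
 * Each data line is "program vers proto port [name]"; the header line does
 * not begin with a number, so the sscanf() match fails and it is skipped. */
int ttdb_registered(const char *rpcinfo_output)
{
    const char *line = rpcinfo_output;

    while (line != NULL && *line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[128];
        unsigned long prog, vers, port;
        char proto[16];

        /* Copy one line into a bounded buffer so sscanf() cannot read into
         * the next line when a field is missing. */
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (sscanf(buf, "%lu %lu %15s %lu", &prog, &vers, proto, &port) == 4
            && prog == TTDB_PROG)
            return 1;

        if (end == NULL)
            break;
        line = end + 1;
    }
    return 0;
}

int main(void)
{
    if (ttdb_registered(SAMPLE_RPCINFO))
        puts("program 100083 is registered: treat the host as vulnerable until patched");
    else
        puts("program 100083 not registered: ToolTalk database service is not running");
    return 0;
}
```

The routine keys on the program number rather than the name column, since the advisory notes that the name is often absent; a positive result is the trigger for applying the vendor patch or the workaround in the RESOLUTION section.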

   

   DETAILS

   The ToolTalk service allows independently developed applications to
   communicate with each other by exchanging ToolTalk messages. Using
   ToolTalk, applications can create open protocols which allow different
   programs to be interchanged, and new programs to be plugged into the
   system with minimal reconfiguration.

   The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service
   which manages objects needed for the operation of the ToolTalk
   service. ToolTalk-enabled processes communicate with each other using
   RPC calls to this program, which runs on each ToolTalk-enabled host.
   This program is a standard component of the ToolTalk system, which
   ships as a standard component of many commercial Unix operating
   systems. The ToolTalk database server runs as root.

   Due to an implementation fault in rpc.ttdbserverd, it is possible for
   a malicious remote client to formulate an RPC message that will cause
   the server to overflow an automatic variable on the stack. By
   overwriting activation records stored on the stack, it is possible to
   force a transfer of control into arbitrary instructions provided by
   the attacker in the RPC message, and thus gain total control of the
   server process.

   

   TECHNICAL DETAILS

   Source code and XDR specifications for the ToolTalk database protocol
   and server were not available at the time this advisory was drafted.
   What follows is information based on analysis of the rpc.ttdbserverd
   binary and a captured attack trace from a network on which an
   exploitation script for this problem was run.

   The observed attack utilized the ToolTalk Database (TTDB) RPC
   procedure number 7, with an XDR-encoded string as its sole argument.
   TTDB procedure 7 corresponds to the _tt_iserase_1() function symbol in
   the Solaris binary (/usr/openwin/bin/rpc.ttdbserverd). This function
   implements an RPC procedure which takes an ASCII string as an
   argument, which is treated as a pathname.

   The pathname string is passed to the function isopen(), which in turn
   passes it to _am_open(), then to _amopen(), _openfcb(), _isfcb_open(),
   and finally to _open_datfile(), where it, as the first argument to the
   function, is passed directly to a strcpy() to a pointer on the stack.
   If the pathname string is suitably large, the string overflows the
   stack buffer and overwrites an activation record, allowing control to
   transfer into instructions stored in the pathname string.
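The fault described above is an unbounded `strcpy()` of a caller-controlled pathname into a fixed-size stack buffer. The following C is an added illustration of that pattern beside a bounded replacement, written for this page; it is not the `_open_datfile()` source (which the advisory authors did not have), and the buffer size, the function names and the sample pathname are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define DATFILE_MAX 64   /* assumed size of the stack buffer; the real value is unknown */

/* The pattern the advisory describes: the pathname supplied by the RPC
 * client is copied into a fixed automatic buffer with no length check.
 * A name of DATFILE_MAX bytes or more runs past the buffer and into the
 * activation record, which is the condition the advisory reports. */
int open_datfile_unchecked(const char *name)
{
    char path[DATFILE_MAX];

    strcpy(path, name);               /* no bound on strlen(name) */
    return (int)strlen(path);         /* stand-in for the real open() */
}

/* Hardened form: refuse any name that does not fit, then copy with an
 * explicit bound so the buffer can never be overrun. Returns the length
 * of the path built, or -1 if the input was rejected. */
int open_datfile_checked(const char *name)
{
    char path[DATFILE_MAX];
    size_t n;

    if (name == NULL)
        return -1;
    n = strlen(name);
    if (n == 0 || n >= sizeof path)   /* must leave room for the NUL */
        return -1;
    memcpy(path, name, n + 1);        /* bounded: n + 1 <= sizeof path */
    return (int)strlen(path);
}

int main(void)
{
    char longname[DATFILE_MAX * 4];

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short name: checked=%d\n", open_datfile_checked("/var/tt/db"));
    printf("long  name: checked=%d (rejected)\n", open_datfile_checked(longname));
    /* open_datfile_unchecked(longname) would smash the stack; it is not called. */
    return 0;
}
```

The hardened version rejects oversized input before any copy takes place rather than truncating it, so a server built this way returns an error to the client instead of corrupting its own stack; a length check at the RPC entry point, before the string is handed down the call chain, gives the same protection for every function below it.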

   

   RESOLUTION

   This is an implementation problem and can only be resolved completely
   by applying patches to or replacing affected software. As a temporary
   workaround, it is possible to eliminate vulnerability to this problem
   by disabling the ToolTalk database service. This can be done by
   killing the "rpc.ttdbserverd" process and removing it from any OS
   startup scripts. It should be noted that this may impair system
   functionality.

   

   The following vendors have been confirmed vulnerable, contacted, and
   have responded with repair information:

   Sun Microsystems

   Sun plans to release patches this week that relate to the ToolTalk
   vulnerability for SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and
   5.5_x86.

   Patches for SunOS 5.4, 5.4_x86, 5.3, 4.1.4 and 4.1.3_U1 will be
   released in about 4 weeks.

   Sun recommended security patches (including checksums) are available
   from: http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

   Hewlett Packard

   HP-UX has been confirmed vulnerable in releases 10.XX and 11.00. HP
   has made patches available with the following identifications:

       HP-UX release 10.10 HP9000 Series 7/800 PHSS_16150
       HP-UX release 10.20 HP9000 Series 7/800 PHSS_16147
       HP-UX release 10.24 HP9000 Series 7/800 PHSS_16197
       HP-UX release 10.30 HP9000 Series 7/800 PHSS_16151
       HP-UX release 11.00 HP9000 Series 7/800 PHSS_16148

   IBM

   IBM AIX has been confirmed vulnerable. IBM's response is as follows:

   The version of ttdbserver shipped with AIX is vulnerable. We are
   currently working on the following fixes which will be available soon:

       APAR 4.1.x: IX81440
       APAR 4.2.x: IX81441
       APAR 4.3.x: IX81442

   Until the official APARs are available, a temporary fix can be
   downloaded via anonymous ftp from:
   http://aix.software.ibm.com/aix/efixes/security/ttdbserver.tar.Z

   TriTeal

   An official response from TriTeal is as follows:

   The ToolTalk vulnerability will be fixed in the TED4.4 release. For
   earlier versions of TED, please contact the TriTeal technical support
   department at support@triteal.com or at
   http://www.triteal.com/support.

   Xi Graphics

   An official response from Xi Graphics is as follows:

   Xi Graphics Maximum CDE v1.2.3 is vulnerable to this attack. A patch
   to correct this problem will be placed on our FTP site by 8/28/1998:

     * http://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.tar.gz
     * http://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.txt

   Users of Maximum CDE v1.2.3 are urged to install this update.

   Silicon Graphics

   Please refer to Silicon Graphics Inc. Security Advisory,
   "Vulnerability in ToolTalk RPC Service," Number: 19981101-01-A,
   distributed November 19, 1998 for additional information relating to
   this vulnerability.

   The primary SGI anonymous FTP site for security information and
   patches is sgigate.sgi.com (204.94.209.1). Security information and
   patches are located under the directories ~ftp/security and
   ~ftp/patches, respectively. The Silicon Graphics Security Headquarters
   Web page is accessible at the URL
   http://www.sgi.com/Support/security/security.html.

   Other Vendors

   If any uncertainty exists with regards to whether a given vendor not
   listed in this advisory is vulnerable to this attack, we recommend
   contacting them via their support/security channels for more
   information.

   

   ACKNOWLEDGEMENTS

   The NAI Security Labs Team would like to thank the HP & IBM Security
   Response Teams, CERT/CC & AUSCERT for their contributions to this
   advisory.

   ABOUT THE NETWORK ASSOCIATES SECURITY LABS

   The Security Labs at Network Associates hosts some of the most
   important research in computer security today. With over 28 security
   advisories published in the last 2 years, the Network Associates
   security auditing teams have been responsible for the discovery of
   many of the Internet's most serious security flaws. This advisory
   represents our ongoing commitment to provide critical information to
   the security community.

   For more information about the Security Labs at Network Associates,
   see our website at http://www.nai.com or contact us at
   seclabs@nai.com.

   UPDATES

   For more information about attacks using various RPC Services please
   see CERT Incident Note IN-99-04
   http://www.cert.org/incident_notes/IN-99-04.html

   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-98.11.tooltalk.html.
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site http://www.cert.org/.

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in http://www.cert.org/legal_stuff.html.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Revision History

   July 22, 1999  Added link IN-99-04 to the "Updates" section.
   Dec.  9, 1998  Updated RESOLUTION information for Silicon Graphics.
   Sept. 4, 1998  Updated RESOLUTION information for Hewlett Packard.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBCTOFr9kb5qlZHQEQKMNQCgw9Nwgn4dLhNFu7RHJ5rMGPtKSioAoNKz
KI/oGROUdG9rsye1Zcud51vp
=tAw3
-----END PGP SIGNATURE-----
