Vulnerability Note VU#172583

Common Desktop Environment (CDE) Subprocess Control Service dtspcd contains buffer overflow

Original Release date: 12 Nov 2001 | Last revised: 11 Aug 2003

Overview

A remotely exploitable buffer overflow exists in the Common Desktop Environment (CDE) Subprocess Control Service (dtspcd). An attacker who successfully exploits this vulnerability can execute arbitrary code as root.

Description

Internet Security Systems (ISS) X-Force has reported a remotely exploitable buffer overflow in the Common Desktop Environment (CDE) Subprocess Control Service (dtspcd). CDE is an integrated graphical user interface that runs on Unix and Linux operating systems. dtspcd is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On systems running CDE, dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response to a CDE client request. dtspcd is typically configured to run on port 6112/tcp with root privileges. dtspcd makes a function call to a shared library, libDTSvc.so.1, that contains a buffer overflow condition in the client connection routine. The buffer overflow can be exploited by a specially crafted CDE client request. Although the buffer overflow occurs in a shared library, the CERT/CC is not aware of any other CDE applications that use the vulnerable function.

Impact

A successful attacker can execute arbitrary code remotely with root privileges.

Solution

Apply Patch

Apply the appropriate vendor-supplied patch as described in the vendor section below.


Disable Vulnerable Service

Until a patch can be applied, you may wish to consider disabling dtspcd. Typically, this may be achieved by commenting out the appropriate entry in /etc/inetd.conf. As a general practice, CERT/CC recommends disabling any services that are not explicitly required. It is important to carefully consider the consequences of disabling dtspcd in your environment.

/etc/inetd.conf

    dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd

Block or Restrict Access

Monitor or block external access to 6112/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to dtspcd.
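
For the Disable Vulnerable Service step above, the following shell functions, added here as an example and not part of the original note, list active dtspcd entries in an inetd.conf-style file and comment them out, keeping a backup. The function names and the sample file are constructed for illustration; xinetd configurations use a different format and are not covered.

```shell
#!/bin/sh
# Added example: find and comment out active dtspcd entries in an
# inetd.conf-style file. Function names are hypothetical.

# awk condition: an uncommented line whose service name is "dtspc", or whose
# server program (field 6) or first argument (field 7, e.g. behind tcpd)
# is a path ending in "dtspcd".
DTSPC_MATCH='!/^[ \t]*#/ && NF >= 6 &&
  ($1 == "dtspc" || $6 ~ /(^|\/)dtspcd$/ || $7 ~ /(^|\/)dtspcd$/)'

# Print every active entry that would start dtspcd.
dtspc_active_entries() {
    awk "$DTSPC_MATCH" "$1"
}

# Comment out active entries in place, saving the original as "<file>.bak".
# Returns 0 if entries were disabled, 1 if none were active, 2 on copy failure.
disable_dtspc() {
    conf=$1
    [ -n "$(dtspc_active_entries "$conf")" ] || return 1
    cp -p "$conf" "$conf.bak" || return 2
    # Rewrite from the backup so ownership and mode of the file are kept.
    awk "$DTSPC_MATCH"' { print "#" $0; next } { print }' "$conf.bak" > "$conf"
}

# Constructed sample input, not taken from a real host.
sample_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
EOF
}

# Demo on a temporary copy of the sample; no system file is touched.
demo_dir=$(mktemp -d)
sample_conf > "$demo_dir/inetd.conf"
disable_dtspc "$demo_dir/inetd.conf" && cat "$demo_dir/inetd.conf"
rm -rf "$demo_dir"
```

On a real host, inetd must re-read its configuration (typically on SIGHUP) before the change takes effect.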

Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Compaq Computer Corporation | Affected | 29 Oct 2001 | 30 May 2002 |
| Hewlett-Packard Company | Affected | 29 Oct 2001 | 08 Mar 2002 |
| IBM | Affected | 29 Oct 2001 | 11 Aug 2003 |
| SGI | Affected | 29 Oct 2001 | 03 Apr 2002 |
| Sun Microsystems Inc. | Affected | 29 Oct 2001 | 10 Jan 2002 |
| The Open Group | Affected | 29 Oct 2001 | 12 Nov 2001 |
| The SCO Group (SCO UnixWare) | Affected | 29 Oct 2001 | 13 Sep 2002 |
| Xi Graphics | Affected | 29 Oct 2001 | 15 Nov 2001 |
| Cray Inc. | Not Affected | 29 Oct 2001 | 31 Oct 2001 |
| Fujitsu | Not Affected | 29 Oct 2001 | 31 Oct 2001 |
| Data General | Unknown | 29 Oct 2001 | 31 Oct 2001 |
| TriTeal | Unknown | - | 12 Nov 2001 |

If you are a vendor and your product is affected, let us know.

CVSS Metrics

| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |

Credit

This vulnerability was reported to the CERT Coordination Center by Internet Security Systems (ISS) X-Force.

This document was written by Art Manion.

Other Information

  • CVE IDs: CVE-2001-0803
  • CERT Advisory: CA-2001-31
  • Date Public: 07 Nov 2001
  • Date First Published: 12 Nov 2001
  • Date Last Updated: 11 Aug 2003
  • Severity Metric: 16.30
  • Document Revision: 45
