Vulnerability Note VU#299816
Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file operations
The Common Desktop Environment (CDE) ToolTalk RPC database server does not adequately validate file operations and follows symbolic links, allowing a local attacker to overwrite any file that is writeable by the server. The ToolTalk RPC database server typically runs with root privileges.
CORE SECURITY TECHNOLOGIES has reported a vulnerability in the CDE ToolTalk RPC database server (rpc.ttdbserverd). A component of CDE, the ToolTalk architecture allows applications to communicate with each other via remote procedure calls (RPC) across different hosts and platforms. The ToolTalk RPC database server manages connections between ToolTalk applications. CDE and ToolTalk are installed and enabled by default on many common UNIX platforms.
Certain ToolTalk RPC database functions, among them _TT_TRANSACTION(), create and write to files that are referenced by user-supplied path and filename arguments. The ToolTalk RPC database server does not check that the file used in a create or write operation is not a symbolic link. By first creating a symbolic link, then issuing a specially crafted RPC call, a local attacker can overwrite the target of the symbolic link with arbitrary contents.
A local attacker could overwrite any file writeable by the ToolTalk RPC database server. This technique could be used to gain the privileges of the ToolTalk RPC database server, typically root.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Compaq Computer Corporation||Affected||11 Jun 2002||09 Sep 2002|
|Hewlett-Packard Company||Affected||11 Jun 2002||15 Aug 2002|
|IBM||Affected||11 Jun 2002||11 Jul 2002|
|SGI||Affected||11 Jun 2002||07 Nov 2002|
|Sun Microsystems Inc.||Affected||11 Jun 2002||11 Jul 2002|
|The SCO Group (SCO UnixWare)||Affected||12 Jun 2002||13 Sep 2002|
|Xi Graphics||Affected||12 Jun 2002||11 Jul 2002|
|Fujitsu||Not Affected||12 Jun 2002||11 Jul 2002|
|Cray Inc.||Unknown||12 Jun 2002||11 Jul 2002|
|Data General||Unknown||12 Jun 2002||11 Jul 2002|
|The Open Group||Unknown||12 Jun 2002||11 Jul 2002|
|TriTeal||Unknown||-||12 Jul 2002|
CVSS Metrics (Learn More)
The CERT/CC thanks Ricardo Quesada and Iván Arce of CORE SECURITY TECHNOLOGIES for reporting this vulnerability.
This document was written by Art Manion.
- CVE IDs: CAN-2002-0678
- CERT Advisory: CA-2002-20
- Date Public: 10 Jul 2002
- Date First Published: 11 Jul 2002
- Date Last Updated: 15 Aug 2002
- Severity Metric: 12.18
- Document Revision: 11
If you have feedback, comments, or additional information about this vulnerability, please send us email.