Vulnerability Note VU#387387

Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) vulnerable to buffer overflow via _TT_CREATE_FILE()

Original Release date: 12 Aug 2002 | Last revised: 09 Sep 2002

Overview

The Common Desktop Environment (CDE) ToolTalk RPC database server contains a buffer overflow condition that could let an attacker execute arbitrary code or cause a denial of service on a vulnerable system. The ToolTalk RPC database server typically runs with root privileges.

Description

A buffer overflow vulnerability has been reported in the CDE ToolTalk RPC database server (rpc.ttdbserverd). A component of CDE, the ToolTalk architecture allows applications to communicate with each other via remote procedure calls (RPC) across different hosts and platforms. The ToolTalk RPC database server manages connections between ToolTalk applications. CDE and ToolTalk are installed and enabled by default on many common UNIX platforms.

The ToolTalk RPC database server is vulnerable to a heap buffer overflow via an argument to the procedure _TT_CREATE_FILE(). As noted by the reporter, the non-executable stack feature of some operating systems may not prevent exploitation of this vulnerability if the payload can be located on the heap. An attacker with access to the ToolTalk RPC database service could exploit this vulnerability with a specially crafted RPC message.

Impact

A remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The ToolTalk RPC database server typically runs with root privileges.

Solution

Apply a Patch

Apply the appropriate patch from your vendor as specified in the Systems Affected section below.

Disable rpc.ttdbserverd

Until patches are available and can be applied, you may wish to consider disabling the ToolTalk RPC database service. As a general best practice, the CERT/CC recommends disabling any services that are not explicitly required. On most systems the ToolTalk RPC database server is started on demand by inetd from an entry in /etc/inetd.conf; /etc/rpc only maps the service name to RPC program number 100083 and does not by itself enable anything. For example, on a Solaris 8 system, comment out the following entry in /etc/inetd.conf to disable the ToolTalk RPC database service (rpc.ttdbserverd), then send inetd a SIGHUP (for example, pkill -HUP inetd) so that it re-reads its configuration, and confirm with rpcinfo -p that program 100083 is no longer registered:

#
# Sun ToolTalk Database Server
#
100083/1        tli     rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

The rpcinfo(1M) and ps(1) commands may be useful in determining whether your system is running the ToolTalk RPC database server. Note that rpcinfo reports what is registered with the portmapper: a service started on demand by inetd is registered, and reachable by an attacker, even when no rpc.ttdbserverd process exists yet, so the absence of a process in ps output does not mean the service is unavailable. Note also that a ps | grep pipeline lists the grep command itself. On a Solaris 8 system, the following examples indicate that the ToolTalk RPC database server is running:

# rpcinfo -p | grep 100083
    100083    1   tcp   32773

# ps -ef | grep rpc.ttdbserverd
    root   355   164  0  19:31:27 ?        0:00 rpc.ttdbserverd

Block or Restrict Access

Until patches are available and can be applied, block or restrict access to the RPC portmapper service and the ToolTalk RPC database service from untrusted networks such as the Internet. Using a firewall or other packet-filtering technology, block the ports used by the RPC portmapper and ToolTalk RPC services. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. The ToolTalk RPC service may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo command. Because that port is normally assigned at registration time and can change across reboots, blocking the portmapper alone is not sufficient: an attacker who already knows the port, or who scans for it, can reach the service without a portmapper lookup, so re-check rpcinfo output after reboots and filter the ToolTalk port as well. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. It is important to understand your network configuration and service requirements before deciding what changes are appropriate.
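The checks described in the two preceding subsections (the rpcinfo, ps and inetd.conf checks, and the port list a perimeter filter has to cover), as an added example that is not part of the CERT/CC note. It assumes Solaris-style rpcinfo -p and ps -ef output and an inetd.conf entry like the one shown above; each function reads command output as text on stdin so it can also be run against output captured from another host, and the sample text embedded below is constructed, not captured from a real system. The pkill -HUP inetd in the comment is the Solaris way of making inetd re-read its configuration.

```shell
#!/bin/sh
# Added example, not part of the CERT/CC note: audit a host for the ToolTalk
# RPC database server using the signals the note describes (program number
# 100083 registered with the portmapper, an rpc.ttdbserverd process, a live
# entry in /etc/inetd.conf) and derive the ports a perimeter filter must cover.
# Every function reads command output as text on stdin.

TTDB_PROG=100083            # RPC program number of rpc.ttdbserverd
PORTMAP_PORT=111            # rpcbind / portmapper

# Constructed sample data (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100083    1   tcp  32773
    100021    4   tcp   4045  nlockmgr'

SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   355   164  0 19:31:27 ?        0:00 rpc.ttdbserverd
    root   401   399  0 19:40:02 pts/1    0:00 grep rpc.ttdbserverd'

SAMPLE_INETD='#
# Sun ToolTalk Database Server
#
100083/1        tli     rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd'

# ttdb_ports: "proto port" for every registration of program 100083 in
# rpcinfo -p output on stdin.  Empty output means the portmapper does not
# know about the service.
ttdb_ports() {
    awk -v prog="$TTDB_PROG" '$1 == prog { print $3, $4 }' | sort -u
}

# ttdb_pids: PIDs of running rpc.ttdbserverd processes from ps -ef output on
# stdin, ignoring the "grep rpc.ttdbserverd" line a ps|grep pipeline reports
# about itself.  An inetd-started service is registered and exposed with no
# process present until the first connection, so an empty result here does
# not mean the host is safe; the other two checks decide.
ttdb_pids() {
    awk '$NF ~ /rpc\.ttdbserverd$/ && $0 !~ /grep/ { print $2 }'
}

# inetd_enabled: exit 0 when inetd.conf text on stdin has an uncommented
# line that starts rpc.ttdbserverd, 1 otherwise.
inetd_enabled() {
    grep -v '^[[:space:]]*#' | grep -q 'rpc\.ttdbserverd'
}

# disable_in_inetd: echo inetd.conf text from stdin with every live
# rpc.ttdbserverd line commented out.  On a real Solaris host:
#   disable_in_inetd < /etc/inetd.conf > /etc/inetd.conf.new &&
#     mv /etc/inetd.conf.new /etc/inetd.conf && pkill -HUP inetd
# (inetd only re-reads its configuration on SIGHUP).
disable_in_inetd() {
    sed -e '/^[[:space:]]*#/b' -e '/rpc\.ttdbserverd/s/^/#/'
}

# filter_ports: "proto port" pairs a perimeter filter should block for this
# host: the portmapper on 111/tcp and 111/udp plus whatever port(s) 100083
# currently occupies.  The ToolTalk port is assigned at registration time and
# can change across reboots, so regenerate this list instead of hard-coding it.
filter_ports() {
    { printf 'tcp %s\nudp %s\n' "$PORTMAP_PORT" "$PORTMAP_PORT"; ttdb_ports; } | sort -u
}

# audit: one verdict line per check; $1, $2, $3 are rpcinfo -p, ps -ef and
# inetd.conf text.  Returns 0 when nothing indicates the service, 1 otherwise.
audit() {
    exposed=0
    ports=$(printf '%s\n' "$1" | ttdb_ports)
    if [ -n "$ports" ]; then
        echo "portmapper: 100083 registered on $(echo "$ports" | tr '\n' ' ')"; exposed=1
    else
        echo "portmapper: 100083 not registered"
    fi
    pids=$(printf '%s\n' "$2" | ttdb_pids)
    if [ -n "$pids" ]; then
        echo "process:    rpc.ttdbserverd running, pid(s) $(echo "$pids" | tr '\n' ' ')"; exposed=1
    else
        echo "process:    no rpc.ttdbserverd process (may still start on demand)"
    fi
    if printf '%s\n' "$3" | inetd_enabled; then
        echo "inetd.conf: live rpc.ttdbserverd entry"; exposed=1
    else
        echo "inetd.conf: entry absent or commented out"
    fi
    return $exposed
}

# Live host:  audit "$(rpcinfo -p)" "$(ps -ef)" "$(cat /etc/inetd.conf)"
# Samples:    audit "$SAMPLE_RPCINFO" "$SAMPLE_PS" "$SAMPLE_INETD"   (all three fire)
```

Running audit against the samples prints three positive verdicts and exits 1; after piping the inetd.conf text through disable_in_inetd and dropping the 100083 registration it exits 0. filter_ports on the sample rpcinfo output yields 111/tcp, 111/udp and 32773/tcp, which is the list the filtering subsection asks you to derive from rpcinfo rather than assume.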

Systems Affected

Vendor                    Status    Date Notified   Date Updated
Caldera                   Affected  04 Jul 2002     20 Aug 2002
Hewlett-Packard Company   Affected  04 Jul 2002     09 Sep 2002
IBM                       Affected  04 Jul 2002     13 Aug 2002
Sun Microsystems Inc.     Affected  04 Jul 2002     09 Aug 2002
Xi Graphics               Affected  04 Jul 2002     09 Aug 2002
Cray Inc.                 Unknown   04 Jul 2002     09 Aug 2002
Data General              Unknown   04 Jul 2002     05 Jul 2002
SGI                       Unknown   04 Jul 2002     09 Aug 2002
The Open Group            Unknown   04 Jul 2002     05 Jul 2002

CVSS Metrics

Group          Score  Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

The CERT/CC thanks Sinan Eren of the Entercept Ricochet Team for reporting this vulnerability.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2002-0679 (candidate number at the time of publication; now CVE-2002-0679)
  • Date Public: 12 Aug 2002
  • Date First Published: 12 Aug 2002
  • Date Last Updated: 09 Sep 2002
  • Severity Metric: 14.04
  • Document Revision: 32
