SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#595507

Common Desktop Environment (CDE) ToolTalk RPC Server rpc.ttdbserverd contains format string vulnerability

Overview

A vulnerability exists in CDE ToolTalk that may allow a remote attacker to execute arbitrary code with root privileges.

I. Description

Internet Security Systems (ISS) X-Force has discovered a format string vulnerability in the Common Desktop Environment (CDE) ToolTalk Remote Procedure Call (RPC) server, rpc.ttdbserverd. The ToolTalk architecture allows custom applications to communicate with each other via RPC calls, and CDE and ToolTalk are installed and enabled by default on many common UNIX platforms. rpc.ttdbserverd manages RPC communication between ToolTalk applications. rpc.ttdbserverd contains a syslog(3) function call that does not include a format string specifier. As a result, a crafted RPC open request containing user-supplied format string specifiers is interpreted by syslog(), possibly overwriting arbitrary locations in memory. By carefully designing such a request an attacker may execute arbitrary code with the privileges of rpc.ttdbserverd, typically root.

For more information, see the ISS X-Force advisory at: http://xforce.iss.net/alerts/advise98.php.

The rpcinfo command may be able to help you determine if rpc.ttdbserverd is running on your system.

On SunOS:

    % rpcinfo -p
       program vers proto   port  service
        100000    4   tcp    111  rpcbind
        104567    5   tcp    112  custom

On MacOS X:
    % rpcinfo -p
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
     200100001    1   udp    745  netinfobind
     200100001    1   tcp    748  netinfobind
The program number for rpc.ttdbserverd is 100083. If 100083 shows up in the rpcinfo output, you may be running the rpc.ttdbserverd service. Additionally, the service may be listed in /etc/rpc. For example, the following entry may indicate rpc.ttdbserverd is running on your system:
    100083 1 tcp 692
Systems that are not running rpc.ttdbserverd are not exposed to this vulnerability.

II. Impact

A remote attacker may send crafted RPC traffic causing the ToolTalk RPC server to crash or allowing the attacker to execute arbitrary code on the vulnerable system.

III. Solution

Apply Patch

Apply the appropriate vendor supplied patch as described in the vendor section below.

Disable Vulnerable Service

Until a patch can be applied, you may wish to consider disabling the ToolTalk service. As a general practice, CERT/CC recommends disabling any services not explicitly required.

Block or Restrict Access

Your router or firewall may be able to block access to the ToolTalk service at your network perimeter. Additionally, an application-level firewall may be able to filter requests made to the ToolTalk service.

Systems Affected

VendorStatusDate Updated
Compaq Computer CorporationVulnerable8-Oct-2001
Cray Inc.Not Vulnerable9-Oct-2001
Data GeneralUnknown27-Aug-2001
FujitsuUnknown27-Aug-2001
Hewlett-Packard CompanyVulnerable6-Dec-2001
IBMVulnerable31-Oct-2001
SGIUnknown3-Apr-2002
Sun Microsystems Inc.Vulnerable14-Nov-2001
The Open GroupVulnerable31-Oct-2001
The SCO Group (SCO UnixWare)Vulnerable13-Sep-2002
TriTealUnknown12-Nov-2001
Xi GraphicsVulnerable9-Oct-2001

References

http://www.cert.org/advisories/CA-2001-27.html
http://www.cert.org/advisories/CA-1998-11.html
http://xforce.iss.net/alerts/advise98.php
http://www.securityfocus.com/bid/3382
http://www.securitytracker.com/alerts/2001/Oct/1002479.html
http://www.opengroup.org/desktop/faq/

Credit

The CERT Coordination Center thanks Internet Security Systems (ISS) X-Force and The Open Group for information used in this document.

This document was written by Art Manion, Shawn V. Hernan, and Jeffrey S. Havrilla.

Other Information

Date Public10/02/2001
Date First Published10/03/2001 11:25:42 AM
Date Last Updated03/24/2004
CERT AdvisoryCA-2001-27
CVE NameCVE-2001-0717
US-CERT Technical Alerts 
Metric17.70
Document Revision47

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader