Vulnerability Note VU#595507
Common Desktop Environment (CDE) ToolTalk RPC Server rpc.ttdbserverd contains format string vulnerability
A vulnerability exists in CDE ToolTalk that may allow a remote attacker to execute arbitrary code with root privileges.
Internet Security Systems (ISS) X-Force has discovered a format string vulnerability in the Common Desktop Environment (CDE) ToolTalk Remote Procedure Call (RPC) server, rpc.ttdbserverd. The ToolTalk architecture allows custom applications to communicate with each other via RPC calls, and CDE and ToolTalk are installed and enabled by default on many common UNIX platforms. rpc.ttdbserverd manages RPC communication between ToolTalk applications.
rpc.ttdbserverd contains a syslog(3) function call that does not include a format string specifier. As a result, a crafted RPC open request containing user-supplied format string specifiers is interpreted by syslog(), possibly overwriting arbitrary locations in memory. By carefully designing such a request, an attacker may execute arbitrary code with the privileges of rpc.ttdbserverd, typically root.
For more information, see the ISS X-Force advisory at: http://xforce.iss.net/alerts/advise98.php.
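The missing format string specifier described above, as an added example that is not code from rpc.ttdbserverd or from the advisory: the vulnerable call shape appears only in a comment, next to the corrected form that passes request data as an argument to a constant format. The function names, the "open failed" message text and the sample path are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Stand-in for syslog()'s formatting step so the result can be inspected:
 * syslog(3) expands its format argument the way the printf family does. */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Count conversion specifiers a printf-style function would act on
 * ("%%" is a literal percent sign and is skipped). Useful when reviewing
 * request fields that end up near a logging call. */
size_t count_directives(const char *s)
{
    size_t count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* escaped percent, consumes no argument */
        else if (s[1] != '\0')
            count++;
    }
    return count;
}

/* Vulnerable pattern described in the note (shown, never called here):
 *     syslog(LOG_ERR, path);         // request data used as the format
 * Corrected pattern: constant format, request data passed as an argument. */
int log_open_failure(char *out, size_t n, const char *path)
{
    syslog(LOG_ERR, "open failed: %s", path);
    return render(out, n, "open failed: %s", path);
}

int main(void)
{
    char line[128];
    const char *constructed = "/tmp/db_%x_%n";   /* constructed sample input */
    log_open_failure(line, sizeof line, constructed);
    printf("%zu directive(s) in input; logged as: %s\n",
           count_directives(constructed), line);
    return 0;
}
```

Building with gcc or clang and `-Wformat -Wformat-security` flags the commented-out call shape at compile time.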
program vers proto port service
100000 4 tcp 111 rpcbind
104567 5 tcp 112 custom
On MacOS X:
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
200100001 1 udp 745 netinfobind
200100001 1 tcp 748 netinfobind
A remote attacker may send crafted RPC traffic causing the ToolTalk RPC server to crash or allowing the attacker to execute arbitrary code on the vulnerable system.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Compaq Computer Corporation | Affected | 14 Aug 2001 | 08 Oct 2001 |
| Hewlett-Packard Company | Affected | 14 Aug 2001 | 06 Dec 2001 |
| IBM | Affected | 14 Aug 2001 | 31 Oct 2001 |
| Sun Microsystems Inc. | Affected | 14 Aug 2001 | 14 Nov 2001 |
| The Open Group | Affected | 15 Aug 2001 | 31 Oct 2001 |
| The SCO Group (SCO UnixWare) | Affected | 15 Aug 2001 | 13 Sep 2002 |
| Xi Graphics | Affected | 03 Oct 2001 | 09 Oct 2001 |
| Cray Inc. | Not Affected | 20 Aug 2001 | 09 Oct 2001 |
| Data General | Unknown | 15 Aug 2001 | 27 Aug 2001 |
| Fujitsu | Unknown | 15 Aug 2001 | 27 Aug 2001 |
| SGI | Unknown | 14 Aug 2001 | 03 Apr 2002 |
| TriTeal | Unknown | - | 12 Nov 2001 |
This document was written by Art Manion, Shawn V. Hernan, and Jeffrey S. Havrilla.
- CVE IDs: CVE-2001-0717
- CERT Advisory: CA-2001-27
- Date Public: 02 Oct 2001
- Date First Published: 03 Oct 2001
- Date Last Updated: 24 Mar 2004
- Severity Metric: 17.70
- Document Revision: 47