Vulnerability Note VU#595507

Common Desktop Environment (CDE) ToolTalk RPC Server rpc.ttdbserverd contains format string vulnerability

Original Release date: 03 Oct 2001 | Last revised: 24 Mar 2004

Overview

A vulnerability exists in CDE ToolTalk that may allow a remote attacker to execute arbitrary code with root privileges.

Description

Internet Security Systems (ISS) X-Force has discovered a format string vulnerability in the Common Desktop Environment (CDE) ToolTalk Remote Procedure Call (RPC) server, rpc.ttdbserverd. The ToolTalk architecture allows custom applications to communicate with each other via RPC calls, and CDE and ToolTalk are installed and enabled by default on many common UNIX platforms. rpc.ttdbserverd manages RPC communication between ToolTalk applications. rpc.ttdbserverd contains a syslog(3) call that passes data taken from the request as the format argument itself, instead of using a fixed format string (such as "%s") with the request data as an argument. As a result, format specifiers that an attacker places in a crafted RPC open request are interpreted by syslog(): read conversions such as %x disclose the contents of the stack, and %n conversions write to memory at attacker-chosen locations. By carefully designing such a request an attacker may execute arbitrary code with the privileges of rpc.ttdbserverd, typically root.

For more information, see the ISS X-Force advisory at: http://xforce.iss.net/alerts/advise98.php.
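As an added illustration (example code written for this note; it is not taken from the ToolTalk source or from the ISS advisory), the following C program contrasts the vulnerable call pattern with the corrected one. The function names, the ttdb_syslog stand-in for syslog(3) and the sample request path are assumptions for the demonstration only. The crafted path uses the literal "%%" form so that its interpretation is well defined without arguments; a real attack string would carry %x and %n directives, which the count_format_directives check detects.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Priority value used by the logging calls below (the value of LOG_ERR on
 * most systems); defined locally so the example needs no <syslog.h>. */
enum { TTDB_LOG_ERR = 3 };

/* Stand-in for syslog(3): the same (priority, format, ...) calling convention,
 * but the message is rendered into a buffer so it can be inspected instead
 * of being sent to the system logger. */
static void ttdb_syslog(char *out, size_t outlen, int prio, const char *fmt, ...)
{
    va_list ap;
    (void)prio;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern (hypothetical function name, modelled on the bug this
 * note describes): the path from the RPC open request is used as the format
 * argument itself, so every '%' sequence in it is interpreted by the
 * formatter although no corresponding arguments were passed. */
const char *log_open_vulnerable(const char *request_path)
{
    static char out[256];
    ttdb_syslog(out, sizeof out, TTDB_LOG_ERR, request_path);
    return out;
}

/* Hardened pattern: a fixed format string; the request data only ever
 * travels as a %s argument and is copied verbatim into the message. */
const char *log_open_fixed(const char *request_path)
{
    static char out[256];
    ttdb_syslog(out, sizeof out, TTDB_LOG_ERR, "%s", request_path);
    return out;
}

/* Count conversion directives (any '%' that is not part of the literal "%%")
 * in untrusted data. Request data containing any is the signature of a
 * crafted request against this class of bug and is worth logging and
 * rejecting before it reaches any formatting function. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* "%%" is a literal percent sign, not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed request path, not captured traffic. "%%" is used because
     * its interpretation is well defined even with no arguments; a real
     * crafted request would carry %x (to read the stack) and %n (to write
     * memory), which this demonstration deliberately avoids. */
    const char *crafted = "/tmp/%%x%%n";

    printf("vulnerable: %s\n", log_open_vulnerable(crafted));
    printf("fixed:      %s\n", log_open_fixed(crafted));
    printf("directives in a real crafted request: %d\n",
           count_format_directives("%x%x%x%n"));
    return 0;
}
```

In the vulnerable path the "%%" sequences collapse to single percent signs, proving the request data was interpreted as a format; in the fixed path the string comes through unchanged. On systems whose headers declare syslog(3) with a printf-style format attribute, compiling with -Wformat-security flags a call such as syslog(LOG_ERR, buf) for exactly this reason, which is a cheap way to audit a code base for the pattern.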

The rpcinfo command can help you determine whether rpc.ttdbserverd is running on your system. Running rpcinfo -p lists the RPC programs currently registered with the portmapper:

On SunOS:

    % rpcinfo -p
       program vers proto   port  service
        100000    4   tcp    111  rpcbind
        104567    5   tcp    112  custom

On MacOS X:

    % rpcinfo -p
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
     200100001    1   udp    745  netinfobind
     200100001    1   tcp    748  netinfobind

The program number for rpc.ttdbserverd is 100083. If 100083 appears in the rpcinfo output, you are most likely running the rpc.ttdbserverd service (neither example above shows it). The /etc/rpc file, which maps RPC service names to program numbers, can be used to confirm the number on your platform. For example, an rpcinfo line such as the following indicates that rpc.ttdbserverd is registered, and therefore very likely running, on your system:

    100083 1 tcp 692
Systems that are not running rpc.ttdbserverd are not exposed to this vulnerability.
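To make the check above repeatable across hosts, the following C program (an added example, not a CERT/CC or vendor tool) parses rpcinfo -p output and reports whether program 100083 is registered and on which port. The sample output embedded in it is constructed in the shape of the examples above, with ttdbserverd registrations added; to check a real system, feed it the actual output of rpcinfo -p instead.

```c
#include <stdio.h>
#include <string.h>

/* RPC program number registered by rpc.ttdbserverd. */
#define TTDBSERVERD_PROG 100083UL

/* Constructed rpcinfo -p output (not captured from a real host), in the
 * shape of the examples above with ttdbserverd registrations added. */
const char *sample_rpcinfo =
    "   program vers proto   port  service\n"
    "    100000    4   tcp    111  rpcbind\n"
    "    100000    2   udp    111  portmapper\n"
    "    100083    1   tcp    692  ttdbserverd\n"
    "    100083    1   udp    692  ttdbserverd\n";

/* One registration line of rpcinfo -p output. */
struct rpc_reg {
    unsigned long prog;
    unsigned vers;
    char proto[8];
    unsigned port;
};

/* Parse one line. Returns 1 for a registration line, 0 for the header or
 * any line that does not begin with a program number. The trailing service
 * column is optional (some platforms omit it) and is ignored. */
int parse_rpcinfo_line(const char *line, struct rpc_reg *r)
{
    return sscanf(line, " %lu %u %7s %u", &r->prog, &r->vers, r->proto, &r->port) == 4;
}

/* Count registrations of program 100083 in rpcinfo -p output (tcp and udp
 * count separately) and copy the first one into *first if non-NULL. */
int find_ttdbserverd(const char *rpcinfo_output, struct rpc_reg *first)
{
    int found = 0;
    const char *p = rpcinfo_output;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        struct rpc_reg r;

        if (len >= sizeof line)
            len = sizeof line - 1;      /* truncate overlong lines */
        memcpy(line, p, len);
        line[len] = '\0';

        if (parse_rpcinfo_line(line, &r) && r.prog == TTDBSERVERD_PROG) {
            if (found == 0 && first)
                *first = r;
            found++;
        }
        p = nl ? nl + 1 : p + strlen(p);
    }
    return found;
}

/* Convenience wrapper: the port of the first ttdbserverd registration,
 * or -1 if the program is not registered at all. */
int ttdbserverd_port(const char *rpcinfo_output)
{
    struct rpc_reg r;
    return find_ttdbserverd(rpcinfo_output, &r) > 0 ? (int)r.port : -1;
}

int main(void)
{
    struct rpc_reg r;
    int n = find_ttdbserverd(sample_rpcinfo, &r);

    if (n == 0)
        printf("program 100083 not registered: rpc.ttdbserverd not exposed\n");
    else
        printf("program 100083 registered %d time(s); first: vers %u %s port %u\n",
               n, r.vers, r.proto, r.port);
    return 0;
}
```

The port reported for 100083 is the one a perimeter filter must cover, since RPC services are reached on that port directly once an attacker knows it, not through the portmapper.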

Impact

A remote attacker may send crafted RPC traffic causing the ToolTalk RPC server to crash or allowing the attacker to execute arbitrary code on the vulnerable system.

Solution

Apply Patch
Apply the appropriate vendor supplied patch as described in the vendor section below.


Disable Vulnerable Service

Until a patch can be applied, you may wish to consider disabling the ToolTalk service. As a general practice, CERT/CC recommends disabling any services not explicitly required.

Block or Restrict Access

Your router or firewall may be able to block access to the ToolTalk service at your network perimeter. Note that rpc.ttdbserverd typically does not listen on a fixed port: it registers the port it was assigned with the portmapper (port 111), so the filter must cover the port shown for program 100083 in the rpcinfo output and not only port 111, because an attacker who already knows the port can connect to it directly. Additionally, an application-level firewall may be able to filter requests made to the ToolTalk service.

Systems Affected

Vendor                        Status        Date Notified  Date Updated
Compaq Computer Corporation   Affected      14 Aug 2001    08 Oct 2001
Hewlett-Packard Company       Affected      14 Aug 2001    06 Dec 2001
IBM                           Affected      14 Aug 2001    31 Oct 2001
Sun Microsystems Inc.         Affected      14 Aug 2001    14 Nov 2001
The Open Group                Affected      15 Aug 2001    31 Oct 2001
The SCO Group (SCO UnixWare)  Affected      15 Aug 2001    13 Sep 2002
Xi Graphics                   Affected      03 Oct 2001    09 Oct 2001
Cray Inc.                     Not Affected  20 Aug 2001    09 Oct 2001
Data General                  Unknown       15 Aug 2001    27 Aug 2001
Fujitsu                       Unknown       15 Aug 2001    27 Aug 2001
SGI                           Unknown       14 Aug 2001    03 Apr 2002
TriTeal                       Unknown       -              12 Nov 2001

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

The CERT Coordination Center thanks Internet Security Systems (ISS) X-Force and The Open Group for information used in this document.

This document was written by Art Manion, Shawn V. Hernan, and Jeffrey S. Havrilla.

Other Information

  • CVE IDs: CVE-2001-0717
  • CERT Advisory: CA-2001-27
  • Date Public: 02 Oct 2001
  • Date First Published: 03 Oct 2001
  • Date Last Updated: 24 Mar 2004
  • Severity Metric: 17.70
  • Document Revision: 47
