search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Common Desktop Environment (CDE) ToolTalk RPC Server rpc.ttdbserverd contains format string vulnerability

Vulnerability Note VU#595507

Original Release Date: 2001-10-03 | Last Revised: 2004-03-24

Overview

A vulnerability exists in CDE ToolTalk that may allow a remote attacker to execute arbitrary code with root privileges.

Description

Internet Security Systems (ISS) X-Force has discovered a format string vulnerability in the Common Desktop Environment (CDE) ToolTalk Remote Procedure Call (RPC) server, rpc.ttdbserverd. The ToolTalk architecture allows custom applications to communicate with each other via RPC calls, and CDE and ToolTalk are installed and enabled by default on many common UNIX platforms. rpc.ttdbserverd manages RPC communication between ToolTalk applications. rpc.ttdbserverd contains a syslog(3) function call that does not include a format string specifier. As a result, a crafted RPC open request containing user-supplied format string specifiers is interpreted by syslog(), possibly overwriting arbitrary locations in memory. By carefully designing such a request an attacker may execute arbitrary code with the privileges of rpc.ttdbserverd, typically root.

For more information, see the ISS X-Force advisory at: http://xforce.iss.net/alerts/advise98.php.

The rpcinfo command may be able to help you determine if rpc.ttdbserverd is running on your system.

On SunOS:

% rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    104567    5   tcp    112  custom

On MacOS X:

% rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
 200100001    1   udp    745  netinfobind
 200100001    1   tcp    748  netinfobind
The program number for rpc.ttdbserverd is 100083. If 100083 shows up in the rpcinfo output, you may be running the rpc.ttdbserverd service. Additionally, the service may be listed in /etc/rpc. For example, the following entry may indicate rpc.ttdbserverd is running on your system:

100083 1 tcp 692
Systems that are not running rpc.ttdbserverd are not exposed to this vulnerability.

Impact

A remote attacker may send crafted RPC traffic causing the ToolTalk RPC server to crash or allowing the attacker to execute arbitrary code on the vulnerable system.

Solution

Apply Patch
Apply the appropriate vendor supplied patch as described in the vendor section below.


Disable Vulnerable Service

Until a patch can be applied, you may wish to consider disabling the ToolTalk service. As a general practice, CERT/CC recommends disabling any services not explicitly required.

Block or Restrict Access

Your router or firewall may be able to block access to the ToolTalk service at your network perimeter. Additionally, an application-level firewall may be able to filter requests made to the ToolTalk service.

Vendor Information

595507
Expand all

Compaq Computer Corporation

Notified:  August 14, 2001 Updated:  October 08, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

    NO RESTRICTION FOR DISTRIBUTION
PROVIDED THE ADVISORY REMAINS INTACT

  TITLE: SSRT0767U Potential rpc.ttdbserverd buffer overflow

  CASE ID: SSRT0767U
 (X-REF: CVE CAN-2001-0717, x-force 02-oct-2001,
         CERT CA-2001-27)

  SOURCE:  Compaq Computer Corporation
          Software Security Response Team
   DATE:  02-Oct-2001

(c) Copyright 2001 Compaq Computer Corporation. All rights reserved.


  "Compaq is broadly distributing this Security Advisory in order
 to bring to the attention of users of Compaq products the
 important security information contained in this Advisory.
 Compaq recommends that all users determine the applicability of
 this information to their individual situations and take
 appropriate action.

  Compaq does not warrant that this information is necessarily
 accurate or complete for all user situations and, consequently,
 Compaq will not be responsible for any damages resulting from
 user's use or disregard of the information provided in this
 Advisory."

  Severity: low

   This potential security vulnerability has not been
  reproduced for any release of Compaq Tru64 Unix.
  However with the information available, we are providing
  a patch that will further reduce any potential
  vulnerability.

   A patch has been made available for all supported
  versions of Tru64/ DIGITAL UNIX V4.0f, V4.0g, V5.0a,
  V5.1, and V5.1a. To obtain a patch for prior versions
  contact your normal Compaq Services support channel.

   *This solution will be included in a future distributed
  release of Compaq's Tru64 / DIGITAL UNIX.


  The patches identified are available from the Compaq FTP site
 http://ftp1.support.compaq.com/public/dunix/ then choose the
 version directory needed and search for the patch by name.

  The patch names are:

     DUV40F17-C0056200-11703-ER-20010928.tar
    T64V40G17-C0007000-11704-ER-20010928.tar
    T64V50A17-C0015500-11705-ER-20010928.tar
    T64V5117-C0065200-11706-ER-20010928.tar
    T64V51Assb-C0000800-11707-ER-20010928.tar


  To subscribe to automatically receive future NEW Security
 Advisories from the Software Security Response Team at
 Compaq via electronic mail,

  Use your browser to get to the
 http://www.support.compaq.com/patches/mailing-list.shtml
 and sign up.   Select "Security and Individual Notices" for
 immediate dispatch notifications.

  To report a potential security vulnerability for Compaq
 products, send email to security-ssrt@compaq.com

  If you need further information, please contact your normal
 Compaq Services support channel.

  Compaq appreciates your cooperation and patience. As always,
 Compaq urges you to periodically review your system management
 and security procedures.  Compaq will continue to review and
 enhance the security features of its products and work
 with customers to maintain and improve the security and
 integrity of their systems.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO78nlDnTu2ckvbFuEQKetQCg4wWYlBghvodt3FcggpMWzoYYQNIAoOBu
59ftYye4zJnazHWnZHQqEPBY
=JKbN
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  August 14, 2001 Updated:  December 06, 2001

Status

  Vulnerable

Vendor Statement

Document ID:  HPSBUX0110-168


    Date Loaded:  20011205
          Title:  Sec. Vulnerability in rpc.ttdbserverd (rev.3)

    ---------------------------------------------------------------
        HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0168,
        Originally issued: 01 October '01
        **Revision 01**: 03 October '01
        **Revision 02**: 19 November '01
        **Revision 03**: 05 December '01
     ---------------------------------------------------------------

    The information in the following Security Bulletin should be acted
    upon as soon as possible.  Hewlett-Packard Company will not be
    liable for any consequences to any customer resulting from customer's
    failure to fully implement instructions in this Security Bulletin as
    soon as possible.

     ---------------------------------------------------------------
    PROBLEM:  Buffer overflow in rpc.ttdbserver

    PLATFORM: HP9000 Series 700/800 running HP-UX releases 10.10,
              10.20, 10.24, 11.00, 11.04, and 11.11.

    DAMAGE:   Unauthorized access, increased privileges.

    SOLUTION: Install the appropriate patch:
                        10.10       PHSS_25136,
                        10.20       PHSS_25137,
                        10.24       PHSS_25419,
                        11.00       PHSS_25138,
                        11.04       PHSS_25420,
                        11.11       PHSS_25139.

    MANUAL ACTIONS: none

    AVAILABILITY:  All listed patches are available now.

    CHANGE SUMMARY:  Rev.01 Updated patch information, deleted old
                            instructions.
                     Rev.02 Updated patch information again.
                     Rev.03 Updated instructions for disabling
                            rpc.ttdbserver
     ---------------------------------------------------------------
     A. Background
         A remotely exploitable buffer overflow in rpc.ttdbserver has
         been reported to HP.

     B. Fixing the problem

         Install the appropriate patch.  An alternative is to disable
         rpc.ttdbserver.  The rpc.ttdbserver process is not needed for
         the programs provided in HP's CDE product.  It may be needed
         by third party applications using ToolTalk.  If you are not
         using ToolTalk applications rpc.ttdbserver may be disabled.

    **Rev.03**

         Edit /etc/inetd.conf and comment out the rpc.ttdbserver
         line as follows:

    #rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver ...

         Restart inetd:

             /usr/sbin/inetd -c

         Kill any instances of rpc.ttdbserver that might be
         running.


     C. Recommended solution
        Install the appropriate patch:
                       10.10   PHSS_25136,
                       10.20   PHSS_25137,
                       10.24   PHSS_25419,
                       11.00   PHSS_25138,
                       11.04   PHSS_25420,
                       11.11   PHSS_25139.

     D. To subscribe to automatically receive future NEW HP Security
        Bulletins from the HP IT Resource Center via electronic
        mail, do the following:

        Use your browser to get to the HP IT Resource Center page
        at:

           http://itrc.hp.com

        Use the 'Login' tab at the left side of the screen to login
        using your ID and password.  Use your existing login or the
        "Register" button at the left to create a login, in order to
        gain access to many areas of the ITRC.  Remember to save the
        User ID assigned to you, and your password.

        In the left most frame select "Maintenance and Support".

        Under the "Notifications" section (near the bottom of
        the page), select "Support Information Digests".

        To -subscribe- to future HP Security Bulletins or other
        Technical Digests, click the check box (in the left column)
        for the appropriate digest and then click the "Update
        Subscriptions" button at the bottom of the page.

        or

        To -review- bulletins already released, select the link
        (in the middle column) for the appropriate digest.

        To -gain access- to the Security Patch Matrix, select
        the link for "The Security Bulletins Archive".  (near the
        bottom of the page)  Once in the archive the third link is
        to the current Security Patch Matrix. Updated daily, this
        matrix categorizes security patches by platform/OS release,
        and by bulletin topic.  Security Patch Check completely
        automates the process of reviewing the patch matrix for
        11.XX systems.

        For information on the Security Patch Check tool, see:
        http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
        displayProductInfo.pl?productNumber=B6834AA"

        The security patch matrix is also available via anonymous
        ftp:

        ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix

        On the "Support Information Digest Main" page:
        click on the "HP Security Bulletin Archive".


     E. To report new security vulnerabilities, send email to

        security-alert@hp.com

        Please encrypt any exploit information using the
        security-alert PGP key, available from your local key
        server, or by sending a message with a -subject- (not body)
        of 'get key' (no quotes) to security-alert@hp.com.

        Permission is granted for copying and circulating this
        Bulletin to Hewlett-Packard (HP) customers (or the Internet
        community) for the purpose of alerting them to problems,
        if and only if, the Bulletin is not edited or changed in
        any way, is attributed to HP, and provided such reproduction
        and/or distribution is performed for non-commercial purposes.

        Any other use of this information is prohibited. HP is not
        liable for any misuse of this information by any third party.
     ________________________________________________________________
    -----End of Document ID:  HPSBUX0110-168--------------------------------------

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  August 14, 2001 Updated:  October 31, 2001

Status

  Vulnerable

Vendor Statement

[from IBM Security Advisory contained in: ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z]

A. Official fix

IBM is working on the following fixes which will be available soon:

AIX 4.3:

    Pending assignment - the Advisory copy in the efix download package will be updated as soon as the assignment is made. Also, the CERT Vulnerability Note will be updated and we will post a note to SecurityFocus BUGTRAQ. IBM's Managed Security Service will also distribute notification of when this happens.
AIX 5.1:
    APAR #IY23846

The APARs for AIX 4.3 and 5.1 will not be available until late October - November 2001.

NOTE: Fix will not be provided for versions prior to 4.3 as these are no longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 at the latest maintenance level, or to 5.1.

B. How to minimize the vulnerability

WORKAROUND

None, other than disabling the CDE Tooltalk RPC database server.

EMERGENCY FIX (efix):

Temporary fixes for AIX 4.3.x and 5.1 systems are available.

The temporary fixes can be downloaded via ftp from:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See also:

Sun Microsystems Inc.

Notified:  August 14, 2001 Updated:  November 14, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

________________________________________________________________________________
Sun Microsystems, Inc. Security Bulletin

Bulletin Number: #00212
Date: November 13, 2001
Cross-Ref: CERT Advisory CA-2001-27
Title: rpc.ttdbserverd
________________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the information
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable law,
void, or unenforceable in any jurisdiction, then such provisions are waived
to the extent necessary for this disclaimer to be otherwise enforceable in
such jurisdiction.
________________________________________________________________________________

1. Bulletins Topics

Sun announces the release of patches for Solaris(tm) 8, 7, 2.6,
2.5.1, and 2.5 (SunOS(tm) 5.8, 5.7, 5.6, 5.5.1, and 5.5) which
relate to a format string vulnerability in rpc.ttdbserverd.

Sun recommends that you install the patches listed in section 4
immediately on systems running the CDE ToolTalk database server,
rpc.ttdbserverd, on SunOS 5.8, 5.7, 5.6, 5.5.1 and 5.5.

2. Who is Affected

Vulnerable: SunOS 5.8, 5.8_x86, 5.7, 5.7_x86, 5.6,
5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and
5.5_x86

3. Understanding the Vulnerability

The RPC-based ToolTalk database server, rpc.ttdbserverd, manages
communication between ToolTalk applications. A format string
vulnerability has been discovered in rpc.ttdbserverd which may be
exploited by a local or a remote attacker to gain root access on the
affected system. Any system that does not run the ToolTalk RPC
database service is not vulnerable to this problem. This issue was
discovered by ISS X-Force who published an advisory at:

http://xforce.iss.net/alerts/advise98.php

CERT Advisory CA-2001-27 is available from:

http://www.cert.org/advisories/CA-2001-27.html

4. List of Patches

The following patches are available in relation to the above issue.

OS Version Patch ID
__________ _________
SunOS 5.8 110286-04
SunOS 5.8_x86 110287-04
SunOS 5.7 107893-15
SunOS 5.7_x86 107894-14
SunOS 5.6 105802-16
SunOS 5.6_x86 105803-18
SunOS 5.5.1 104489-14
SunOS 5.5.1_x86 105496-12
SunOS 5.5 104428-12
SunOS 5.5_x86 105495-10
_______________________________________________________________________________

APPENDICES

A. Patches listed in this bulletin are available to all Sun customers at:

http://sunsolve.sun.com/securitypatch

B. Checksums for the patches listed in this bulletin are available at:

ftp://sunsolve.sun.com/pub/patches/CHECKSUMS

C. Sun security bulletins are available at:

http://sunsolve.sun.com/security

D. Sun Security Coordination Team's PGP key is available at:

http://sunsolve.sun.com/pgpkey.txt

E. To report or inquire about a security problem with Sun software, contact
one or more of the following:

- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to:

security-alert@sun.com

F. To receive information or subscribe to our CWS (Customer Warning System)
mailing list, send email to:

security-alert@sun.com

with a subject line (not body) containing one of the following commands:

Command Information Returned/Action Taken
_______ _________________________________

help An explanation of how to get information

key Sun Security Coordination Team's PGP key

list A list of current security topics

query [topic] The email is treated as an inquiry and is forwarded to
the Security Coordination Team

report [topic] The email is treated as a security report and is
forwarded to the Security Coordination Team. Please
encrypt sensitive mail using Sun Security Coordination
Team's PGP key

send topic A short status summary or bulletin. For example, to
retrieve a Security Bulletin #00138, supply the
following in the subject line (not body):

send #138

subscribe Sender is added to our mailing list. To subscribe,
supply the following in the subject line (not body):

subscribe cws your-email-address

Note that your-email-address should be substituted
by your email address.

unsubscribe Sender is removed from the CWS mailing list.
________________________________________________________________________________

Copyright 2001 Sun Microsystems, Inc. All rights reserved. Sun,
Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks
of Sun Microsystems, Inc. in the United States and other countries. This
Security Bulletin may be reproduced and distributed, provided that this
Security Bulletin is not modified in any way and is attributed to
Sun Microsystems, Inc. and provided that such reproduction and distribution
is performed for non-commercial purposes.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBO/GUHbdzzzOFBFjJAQFqSwP+MIdnt8E9JYPubpxT9qmOiLZ64LuLEnKp
IZD2coi7rpObSoxwdLh3lZ0+7+wn/EBDPRLusiFTW5s0ycxDjsusRI9sRr2eywfs
BRaqZhQXCIAVpE4u+Jem+AJr3jFiXBzQILjRbnchErVpxt1QvsOFdwdK9M6+RjIL
BheyLWWC58E=
=7l7y
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The Open Group

Notified:  August 15, 2001 Updated:  October 31, 2001

Status

  Vulnerable

Vendor Statement

Source licensees of The Open Group's CDE product can contact desktop@opengroup.org for advice and a source patch that address this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO UnixWare)

Notified:  August 15, 2001 Updated:  September 13, 2002

Status

  Vulnerable

Vendor Statement

Caldera Open Unix and UnixWare are vulnerable. Caldera has released Security Advisory CSSA-2001-SCO.28.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xi Graphics

Notified:  October 03, 2001 Updated:  October 09, 2001

Status

  Vulnerable

Vendor Statement

Xi Graphics DeXtop 2.1 is vulnerable. Further information and a patch are available at the following locations:

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.txt

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.tar.gz

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  August 20, 2001 Updated:  October 09, 2001

Status

  Not Vulnerable

Vendor Statement

UNICOS and UNICOS/mk are not vulnerable to either of these two advisories. For further information see Cray SPR 721061. Cray, Inc. does include ToolTalk within the CrayTools product. However, this implementation does not use rpc.ttdbserverd. Therefore, Cray, Inc. is not vulnerable to this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Cray SPRs are available to licensed Cray customers.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  August 15, 2001 Updated:  August 27, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  August 15, 2001 Updated:  August 27, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  August 14, 2001 Updated:  April 03, 2002

Status

  Unknown

Vendor Statement

SGI acknowledges the CDE vulnerabilities reported by CERT and is currently investigating. No further information is available at this time.

For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems.

Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements.

As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has released SGI Security Advisory 20020302-01-A which addresses a number of vulnerabilities in CDE and ToolTalk.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TriTeal

Updated:  November 12, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

TriTeal went bankrupt in December 1999. It is possible that TriTeal Enterprise Desktop (TED) and CDE distributions based on TriTeal code are vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT Coordination Center thanks Internet Security Systems (ISS) X-Force and The Open Group for information used in this document.

This document was written by Art Manion, Shawn V. Hernan, and Jeffrey S. Havrilla.

Other Information

CVE IDs: CVE-2001-0717
CERT Advisory: CA-2001-27
Severity Metric: 17.70
Date Public: 2001-10-02
Date First Published: 2001-10-03
Date Last Updated: 2004-03-24 15:01 UTC
Document Revision: 47

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.