Vulnerability Note VU#975403
Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file descriptor arguement to _TT_ISCLOSE()
The Common Desktop Environment (CDE) ToolTalk RPC database server does not adequately validate a client-supplied argument, allowing attackers to overwrite certain locations in memory with zeros. This vulnerability could be exploited in a number of ways, potentially allowing attackers to: cause a denial of service, remotely delete arbitrary files, remotely create arbitrary directories, and potentially execute arbitrary code or commands.
CORE SECURITY TECHNOLOGIES has reported a vulnerability in the CDE ToolTalk RPC database server (rpc.ttdbserverd). A component of CDE, the ToolTalk architecture allows applications to communicate with each other via remote procedure calls (RPC) across different hosts and platforms. The ToolTalk RPC database server manages connections between ToolTalk applications. CDE and ToolTalk are installed and enabled by default on many common UNIX platforms.
ToolTalk clients can close a ToolTalk database by issuing an RPC request to the database server. During this process, a call is made to the procedure _TT_ISCLOSE(), and a file descriptor argument supplied by the client is used to reference a memory structure that contains information about the requested ToolTalk database. A memory location within the structure is set to zero (0L), ostensibly closing the requested database. The ToolTalk database server does not check the range of the file descriptor, so it is possible to reference a location in memory that is outside the region that contains valid database information. As a result, a specially crafted RPC call can cause specific memory locations in the ToolTalk database server process space to be set to zero. By issuing such a call, and also by controlling the contents of memory through other means, attackers could exploit this vulnerability in a number of different ways.
The CORE SECURITY TECHNOLOGIES report describes several different attacks including remotely deleting arbitrary files and remotely creating arbitrary directory entries. In addition, attackers might be able to crash the ToolTalk RPC database server, denying service to legitimate users. It could be possible for attackers to execute arbitrary code and commands, although this has not yet been demonstrated. The ToolTalk RPC database server typically runs with root privileges.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Compaq Computer Corporation||Affected||11 Jun 2002||09 Sep 2002|
|Hewlett-Packard Company||Affected||11 Jun 2002||15 Aug 2002|
|IBM||Affected||11 Jun 2002||11 Jul 2002|
|SGI||Affected||11 Jun 2002||07 Nov 2002|
|Sun Microsystems Inc.||Affected||11 Jun 2002||10 Jul 2002|
|The SCO Group (SCO UnixWare)||Affected||12 Jun 2002||13 Sep 2002|
|Xi Graphics||Affected||12 Jun 2002||13 Jun 2002|
|Fujitsu||Not Affected||12 Jun 2002||11 Jul 2002|
|Cray Inc.||Unknown||12 Jun 2002||24 Jun 2002|
|Data General||Unknown||12 Jun 2002||13 Jun 2002|
|The Open Group||Unknown||12 Jun 2002||11 Jul 2002|
|TriTeal||Unknown||-||12 Jul 2002|
CVSS Metrics (Learn More)
The CERT/CC thanks Ricardo Quesada and Iván Arce of CORE SECURITY TECHNOLOGIES for reporting this vulnerability.
This document was written by Art Manion
- CVE IDs: CAN-2002-0677
- CERT Advisory: CA-2002-20
- Date Public: 10 Jul 2002
- Date First Published: 11 Jul 2002
- Date Last Updated: 19 Jul 2002
- Severity Metric: 9.47
- Document Revision: 41