-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-98.11
Original issue date: September 3, 1998

Topic: Vulnerability in ToolTalk RPC Service
- -----------------------------------------------------------------------------

The text of this advisory was originally released on August 31, 1998, as
NAI-29, developed by Network Associates, Inc. (NAI). To more widely
broadcast this information, we are reprinting the NAI advisory here with
their permission.

As we receive additional information it will be placed in an "Updates"
section at the end of this advisory.

- -----------------------------------------------------------------------------

Stack Overflow in ToolTalk RPC Service

                                                            NAI Advisory 29
                                                   Network Associates, Inc.
                                                          SECURITY ADVISORY
                                                            August 31, 1998
SYNOPSIS

An implementation fault in the ToolTalk object database server allows a
remote attacker to run arbitrary code as the superuser on hosts supporting
the ToolTalk service. The affected program runs on many popular UNIX
operating systems supporting CDE and some Open Windows installs. This
vulnerability is being actively exploited by attackers on the Internet.

Confirmed Vulnerable Operating Systems and Third Party Vendors

Sun Microsystems

     SunOS 5.6, 5.6_x86
     SunOS 5.5.1, 5.5.1_x86
     SunOS 5.5, 5.5_x86
     SunOS 5.4, 5.4_x86
     SunOS 5.3
     SunOS 4.1.4
     SunOS 4.1.3_U1

Hewlett Packard

     HP-UX release 10.10
     HP-UX release 10.20
     HP-UX release 10.30
     HP-UX release 11.00

SGI

     IRIX 5.3
     IRIX 5.4
     IRIX 6.2
     IRIX 6.3
     IRIX 6.4

IBM

     AIX 4.1.X
     AIX 4.2.X
     AIX 4.3.X

TriTeal

     TriTeal CDE - TED versions 4.3 and previous.

Xi Graphics

     Xi Graphics Maximum CDE v1.2.3

It should be noted here that this is not an exhaustive list of vulnerable
vendors. These are only the *confirmed vulnerable* vendors. Also, any OS
installation that is not configured to use or start up the ToolTalk service
is not vulnerable to this problem. To determine whether the ToolTalk
database server is running on a host, use the "rpcinfo" command to print a
list of the RPC services running on it, as:

     $ rpcinfo -p hostname

Because many operating systems do not include an entry for the ToolTalk
database service in the RPC mapping table ("/etc/rpc" on most Unix
platforms), the vulnerable service may not appear by name in the listing.
The RPC program number for the ToolTalk database service is 100083. If an
entry exists for this program, such as,

     100083 1 tcp 692

then the service is running on the host. Until additional information is
made available from the OS vendor, it should be assumed that the system is
vulnerable to the attack described in this advisory.
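The check above can be automated. What follows is an added example, not part of the NAI or CERT advisory, that scans the text of an "rpcinfo -p" listing for the program number 100083 rather than for a service name, because on many systems the name column for this program is empty. The listing embedded in the program is constructed for illustration and is not a capture from any real host.

```c
/* Added example: decide from the text of "rpcinfo -p host" whether the
 * ToolTalk database server (RPC program 100083) is registered with the
 * portmapper.  Matching is by program number only; the trailing name
 * column is ignored because /etc/rpc often has no entry for 100083. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TTDB_PROG 100083UL

/* One registration line: "program vers proto port [name]".  Returns 1 and
 * fills proto/port when the line registers TTDB_PROG, 0 otherwise.  The
 * header line ("program vers proto port") fails the numeric parse and is
 * skipped the same way as a blank line. */
static int line_registers_ttdb(const char *line, char *proto, size_t plen,
                               unsigned *port)
{
    unsigned long prog;
    unsigned vers, po;
    char pr[16];

    if (sscanf(line, "%lu %u %15s %u", &prog, &vers, pr, &po) != 4)
        return 0;
    if (prog != TTDB_PROG)
        return 0;
    snprintf(proto, plen, "%s", pr);
    *port = po;
    return 1;
}

/* Walk a whole listing line by line.  Returns the number of registrations
 * of program 100083 found (tcp and udp count separately). */
int count_ttdb_registrations(const char *listing)
{
    int found = 0;
    const char *p = listing;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        char proto[16];
        unsigned port;

        if (len >= sizeof line)
            len = sizeof line - 1;          /* truncate absurdly long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        if (line_registers_ttdb(line, proto, sizeof proto, &port)) {
            printf("TTDB (100083) registered on %s port %u\n", proto, port);
            found++;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return found;
}

/* Constructed sample listing.  The name column for 100083 is left empty on
 * purpose, as it is on hosts whose /etc/rpc does not list ToolTalk. */
const char *SAMPLE_LISTING =
    "   program vers proto   port\n"
    "    100000    2   tcp    111  portmapper\n"
    "    100000    2   udp    111  portmapper\n"
    "    100083    1   tcp    692\n"
    "    100005    1   udp    862  mountd\n";

int main(void)
{
    int n = count_ttdb_registrations(SAMPLE_LISTING);
    printf("%d TTDB registration(s): %s\n", n,
           n ? "assume vulnerable until the vendor says otherwise"
             : "ToolTalk database service not registered");
    return 0;
}
```

In practice the listing comes from "rpcinfo -p hostname" run against each host; feeding that output to count_ttdb_registrations() gives the same answer as reading the listing by eye, without depending on the name column.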

DETAILS

The ToolTalk service allows independently developed applications to
communicate with each other by exchanging ToolTalk messages. Using
ToolTalk, applications can create open protocols which allow different
programs to be interchanged, and new programs to be plugged into the system
with minimal reconfiguration.

The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service which
manages objects needed for the operation of the ToolTalk service.
ToolTalk-enabled processes communicate with each other using RPC calls to
this program, which runs on each ToolTalk-enabled host. This program is a
standard component of the ToolTalk system, which ships as a standard
component of many commercial Unix operating systems. The ToolTalk database
server runs as root.

Due to an implementation fault in rpc.ttdbserverd, it is possible for a
malicious remote client to formulate an RPC message that will cause the
server to overflow an automatic variable on the stack. By overwriting
activation records stored on the stack, it is possible to force a transfer
of control into arbitrary instructions provided by the attacker in the RPC
message, and thus gain total control of the server process.

TECHNICAL DETAILS

Source code and XDR specifications for the ToolTalk database protocol and
server were not available at the time this advisory was drafted. What
follows is information based on analysis of the rpc.ttdbserverd binary and
a captured attack trace from a network on which an exploitation script for
this problem was run.

The observed attack utilized the ToolTalk Database (TTDB) RPC procedure
number 7, with an XDR-encoded string as its sole argument. TTDB procedure 7
corresponds to the _tt_iserase_1() function symbol in the Solaris binary
(/usr/openwin/bin/rpc.ttdbserverd). This function implements an RPC
procedure which takes an ASCII string as an argument, which is treated as a
pathname.
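The observed message has a fixed layout that a packet capture or an IDS can decode. The following is an added example, not code from the advisory or from ToolTalk, that parses the header of an ONC RPC CALL message as laid out in RFC 1831 and, for calls to program 100083 procedure 7, reads the declared length of the XDR string argument and flags values far larger than any real pathname. The sample messages are constructed inside the program, not taken from the captured attack trace; PATH_MAX_SANE is an assumed threshold, and the AUTH_NULL credentials are an assumption about what a client sends.

```c
/* Added example: decode an ONC RPC CALL header (RFC 1831 layout) and report
 * the declared XDR string length of the argument to TTDB proc 7.  The
 * record-marking header used over TCP is assumed to be stripped already. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TTDB_PROG       100083u
#define TTDB_ERASE_PROC 7u
#define PATH_MAX_SANE   1024u   /* assumption: no legitimate TTDB path is longer */

struct rpc_call {
    uint32_t xid, prog, vers, proc;
    uint32_t arg_len;           /* declared XDR string length of the argument */
    int is_ttdb_proc7;
    int oversized;
};

static int get32(const uint8_t *b, size_t len, size_t *off, uint32_t *out)
{
    if (*off + 4 > len) return 0;
    *out = ((uint32_t)b[*off] << 24) | ((uint32_t)b[*off + 1] << 16) |
           ((uint32_t)b[*off + 2] << 8) | (uint32_t)b[*off + 3];
    *off += 4;
    return 1;
}

/* opaque_auth: flavor, body length, body padded to a 4-byte boundary. */
static int skip_auth(const uint8_t *b, size_t len, size_t *off)
{
    uint32_t flavor, blen;
    if (!get32(b, len, off, &flavor) || !get32(b, len, off, &blen)) return 0;
    if (blen > 400) return 0;               /* RFC 1831 caps auth bodies at 400 bytes */
    size_t padded = ((size_t)blen + 3) & ~(size_t)3;
    if (*off + padded > len) return 0;
    *off += padded;
    return 1;
}

/* Returns 1 when the buffer holds a well-formed CALL header.  The string
 * length is taken from the XDR header, so an oversized argument is still
 * flagged when the capture was cut short before the string bytes. */
int parse_rpc_call(const uint8_t *b, size_t len, struct rpc_call *c)
{
    size_t off = 0;
    uint32_t mtype, rpcvers;
    memset(c, 0, sizeof *c);
    if (!get32(b, len, &off, &c->xid)) return 0;
    if (!get32(b, len, &off, &mtype) || mtype != 0) return 0;     /* 0 = CALL */
    if (!get32(b, len, &off, &rpcvers) || rpcvers != 2) return 0;
    if (!get32(b, len, &off, &c->prog) || !get32(b, len, &off, &c->vers) ||
        !get32(b, len, &off, &c->proc)) return 0;
    if (!skip_auth(b, len, &off) || !skip_auth(b, len, &off)) return 0;
    c->is_ttdb_proc7 = (c->prog == TTDB_PROG && c->proc == TTDB_ERASE_PROC);
    if (c->is_ttdb_proc7) {
        if (!get32(b, len, &off, &c->arg_len)) return 0;
        c->oversized = c->arg_len > PATH_MAX_SANE;
    }
    return 1;
}

static size_t put32(uint8_t *o, size_t off, uint32_t v)
{
    o[off] = (uint8_t)(v >> 24); o[off + 1] = (uint8_t)(v >> 16);
    o[off + 2] = (uint8_t)(v >> 8); o[off + 3] = (uint8_t)v;
    return off + 4;
}

/* Constructed TTDB proc 7 call with AUTH_NULL cred and verf.  `declared` is
 * the length written into the XDR string header; only `body` bytes of the
 * string follow, mimicking a capture truncated by the snap length. */
size_t build_ttdb_call(uint8_t *o, uint32_t declared, size_t body)
{
    size_t off = 0;
    off = put32(o, off, 0x12345678u);               /* xid */
    off = put32(o, off, 0);                         /* msg_type CALL */
    off = put32(o, off, 2);                         /* RPC version 2 */
    off = put32(o, off, TTDB_PROG);
    off = put32(o, off, 1);                         /* program version 1 */
    off = put32(o, off, TTDB_ERASE_PROC);
    off = put32(o, off, 0); off = put32(o, off, 0); /* cred: AUTH_NULL, 0 bytes */
    off = put32(o, off, 0); off = put32(o, off, 0); /* verf: AUTH_NULL, 0 bytes */
    off = put32(o, off, declared);
    memset(o + off, 'A', body);
    return off + body;
}

/* -1: header does not parse, 0: proc 7 with a plausible path length,
 *  1: proc 7 with an oversized argument (the signature of this attack). */
int classify_sample(uint32_t declared, size_t body)
{
    uint8_t pkt[2048];
    struct rpc_call c;
    size_t n = build_ttdb_call(pkt, declared, body);
    if (!parse_rpc_call(pkt, n, &c)) return -1;
    return c.oversized ? 1 : 0;
}

int main(void)
{
    printf("12-byte path   -> %d (0 = plausible)\n", classify_sample(12, 12));
    printf("3000-byte path -> %d (1 = oversized, alert)\n", classify_sample(3000, 64));
    return 0;
}
```

Keying an alert on program 100083, procedure 7 and a declared string length in the thousands catches the attack as it was observed without needing the server's XDR specification, which the advisory notes was not available.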

The pathname string is passed to the function isopen(), which in turn
passes it to _am_open(), then to _amopen(), _openfcb(), _isfcb_open(), and
finally to _open_datfile(), where it, as the first argument to the
function, is used directly as the source of a strcpy() whose destination is
a fixed-size buffer on the stack, with no length check along the way. If
the pathname string is suitably large, the copy overflows the stack buffer
and overwrites an activation record, allowing control to transfer into
instructions stored in the pathname string.
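The shape of the fault, and the check that removes it, can be shown in a few lines. The following is an added example and is not ToolTalk source: it places an unbounded strcpy() of an RPC-supplied pathname into a stack buffer next to a version that measures the string and refuses anything that does not fit. The buffer size DATFILE_BUF and the function names are illustrative assumptions.

```c
/* Added example: the vulnerable copy pattern described in the advisory
 * beside a bounded replacement.  Not ToolTalk code; sizes are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DATFILE_BUF 256   /* assumed size of the on-stack pathname buffer */

/* Vulnerable shape: the wire string goes straight into a fixed buffer.
 * When strlen(pathname) >= DATFILE_BUF the copy runs past `datfile` into
 * the saved state of this activation record, which is the control
 * transfer the advisory describes.  Kept here to be read; it is only ever
 * called below with a short constant string. */
int open_datfile_vulnerable(const char *pathname)
{
    char datfile[DATFILE_BUF];
    strcpy(datfile, pathname);
    return (int)strlen(datfile);
}

/* Hardened shape: measure first, refuse what does not fit, then copy a
 * known number of bytes.  Returning an error to the RPC client is the
 * right outcome; no ToolTalk object lives at a multi-kilobyte path. */
int open_datfile_checked(const char *pathname)
{
    char datfile[DATFILE_BUF];
    size_t n = strlen(pathname);
    if (n >= sizeof datfile)
        return -1;                  /* no room for the string plus its NUL */
    memcpy(datfile, pathname, n + 1);
    return (int)n;
}

/* Would a pathname of n bytes overrun the buffer?  The boundary is
 * n == DATFILE_BUF - 1: that string fits, one byte longer does not. */
int would_overflow(size_t n)
{
    return n >= DATFILE_BUF;
}

/* Drive the checked path with a synthetic pathname of n 'A' bytes. */
int checked_with_length(size_t n)
{
    char *p = malloc(n + 1);
    if (!p)
        return -2;
    memset(p, 'A', n);
    p[n] = '\0';
    int r = open_datfile_checked(p);
    free(p);
    return r;
}

int main(void)
{
    printf("short path     -> %d\n", open_datfile_checked("/var/tt/x.db"));
    printf("255-byte path  -> %d\n", checked_with_length(255));
    printf("256-byte path  -> %d (rejected)\n", checked_with_length(256));
    printf("3000-byte path -> %d (rejected)\n", checked_with_length(3000));
    return 0;
}
```

The difference between the two functions is the single comparison against the buffer size; every frame in the isopen() chain above passes the string down without making it.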

RESOLUTION

This is an implementation problem and can only be resolved completely by
applying vendor patches to, or replacing, the affected software. As a
temporary workaround, exposure to this problem can be eliminated by
disabling the ToolTalk database service: kill the running
"rpc.ttdbserverd" process, remove it from any OS startup scripts, and
confirm with "rpcinfo -p" that program 100083 is no longer registered. It
should be noted that this may impair system functionality, since
ToolTalk-enabled applications depend on the service.

The following vendors have been confirmed vulnerable, contacted, and have
responded with repair information:

Sun Microsystems

Sun plans to release patches this week that relate to the ToolTalk
vulnerability for SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and 5.5_x86.

Patches for SunOS 5.4, 5.4_x86, 5.3, 4.1.4 and 4.1.3_U1 will be released in
about 4 weeks.

Sun recommended security patches (including checksums) are
available from: http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

Hewlett Packard

HP-UX has been confirmed vulnerable in releases 10.XX and 11.00. HP has
made patches available with the following identifications:

     HP-UX release 10.10 HP9000 Series 7/800 PHSS_16150
     HP-UX release 10.20 HP9000 Series 7/800 PHSS_16147
     HP-UX release 10.30 HP9000 Series 7/800 PHSS_16151
     HP-UX release 11.00 HP9000 Series 7/800 PHSS_16148

IBM

IBM AIX has been confirmed vulnerable. IBM's response is as follows:

The version of ttdbserver shipped with AIX is vulnerable. We are currently
working on the following fixes which will be available soon:

 APAR 4.1.x: IX81440
 APAR 4.2.x: IX81441
 APAR 4.3.x: IX81442

Until the official APARs are available, a temporary fix can be downloaded
via anonymous ftp from:

     ftp://aix.software.ibm.com/aix/efixes/security/ttdbserver.tar.Z

TriTeal

An official response from TriTeal is as follows:
The ToolTalk vulnerability will be fixed in the TED4.4 release. For earlier
versions of TED, please contact the TriTeal technical support department
by email (email address obscured in this archive copy) or at http://www.triteal.com/support.

Xi Graphics

An official response from Xi Graphics is as follows:
Xi Graphics Maximum CDE v1.2.3 is vulnerable to this attack. A patch to
correct this problem will be placed on our FTP site by 8/28/1998:

   * ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.tar.gz
   * ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.txt

Users of Maximum CDE v1.2.3 are urged to install this update.

Silicon Graphics

The Security Labs team at Network Associates has confirmed that SGI IRIX
6.3 is vulnerable to this attack. SGI's security team has been contacted
and informed of the vulnerability. No repair information has been made
available from Silicon Graphics regarding this problem.

Other Vendors

If any uncertainty exists with regards to whether a given vendor not listed
in this advisory is vulnerable to this attack, we recommend contacting them
via their support/security channels for more information.

ACKNOWLEDGEMENTS

The NAI Security Labs Team would like to thank the HP & IBM Security
Response Teams, CERT/CC & AUSCERT for their contributions to this advisory.

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most important
research in computer security today. With over 28 security advisories
published in the last 2 years, the Network Associates security auditing
teams have been responsible for the discovery of many of the Internet's
most serious security flaws. This advisory represents our ongoing
commitment to provide critical information to the security community.

For more information about the Security Labs at Network Associates, see our
website at http://www.nai.com or contact us by email (email address obscured in this archive copy).

- -----------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information
- ---------------------------
Email	(email address obscured in this archive copy)

Phone	+1 412-268-7090 (24-hour hotline)
	        CERT personnel answer 8:30 a.m. to 5:00 p.m. EST(GMT-5) / EDT(GMT-4)
		and are on call for emergencies during other hours.

Fax	+1 412-268-6989

Postal address:
	CERT Coordination Center
	Software Engineering Institute
	Carnegie Mellon University
	Pittsburgh PA 15213-3890
	USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
	ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
	http://www.cert.org/
	ftp://ftp.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
	comp.security.announce

   To be added to our mailing list for advisories and bulletins, send email to
	(email address obscured in this archive copy)
   In the subject line, type
	SUBSCRIBE your-email-address

- -----------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff/legal_stuff.html and
ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to the CERT/CC (email address obscured in this archive copy) with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

NO WARRANTY
ANY MATERIAL FURNISHED BY CARNEGIE MELLON UNIVERSITY AND THE SOFTWARE
ENGINEERING INSTITUTE IS FURNISHED ON AN "AS IS" BASIS. CARNEGIE
MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR
IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF
FITNESS FOR A PARTICULAR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY OR
RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY
DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

- ------------------------------------------------------------------------

This file: ftp://ftp.cert.org/pub/cert_advisories/CA-98.11.tooltalk
	    http://www.cert.org/advisories/CA-98.11.tooltalk.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNe8MJHVP+x0t4w7BAQGCqgP/ViH/pUX3F4XV5eyZ7xZxmSSVtUMaPIpg
W0ooz0+Cygxi7R9Qyif6WnZWEMFX19jfAkMIgAOxliGXKS4urRC8TLWk69Xf595r
7gxOmoXkUlWsl4IBoGlTj9vQL3Jd9MBm/GgKdCxAjyPksdvMh2175DPE2MUEPzAZ
L78D/qZYqzI=
=OMbx
-----END PGP SIGNATURE-----

