CERT Advisory CA-2001-27 Format String Vulnerability in CDE ToolTalk
Original release date: October 5, 2001
Last revised: Thu Oct 5 14:17:55 EDT 2001
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Systems running CDE ToolTalk
Overview
There is a remotely exploitable format string vulnerability in the CDE
ToolTalk RPC database service. This vulnerability could be used to
crash the service or execute arbitrary code, potentially allowing an
intruder to gain root access. This vulnerability is documented in
VU#595507.
I. Description
The Common Desktop Environment (CDE) is an integrated graphical user
interface that runs on Unix and Linux operating systems. CDE ToolTalk
is a message brokering system that provides an architecture for
applications to communicate with each other across hosts and
platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages
communication between ToolTalk applications. For more information
about CDE, see
http://www.opengroup.org/cde/
http://www.opengroup.org/desktop/faq/
There is a remotely exploitable format string vulnerability in the CDE
ToolTalk RPC database server. While handling an error condition, a
syslog(3) function call is made without providing a format string
specifier argument. Since rpc.ttdbserverd does not perform adequate
input validation or provide the format string specifier argument, a
crafted RPC request containing format string specifiers will be
interpreted by the vulnerable syslog(3) function call. Such a request
can be designed to overwrite specific locations in memory, thus
executing code with the privileges of rpc.ttdbserverd, typically root.
The vulnerability was discovered by Internet Security Systems (ISS)
X-Force. For more information, see
http://xforce.iss.net/alerts/advise98.php
This vulnerability has been assigned the identifier CAN-2001-00717 by
the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717
Many common UNIX systems ship with CDE ToolTalk installed and enabled
by default. The rpcinfo command may help determine if a system is
running the ToolTalk RPC database service:
$ rpcinfo -p hostname
The program number for the ToolTalk RPC database service is 100083.
References to this number in the output from rpcinfo or in /etc/rpc
may indicate that the ToolTalk RPC database service is running. Any
system that does not run the ToolTalk RPC database service is not
vulnerable to this problem.
II. Impact
An attacker can execute arbitrary code with the privileges of the
rpc.ttdbserverd process, typically root.
III. Solution
Apply a patch
Appendix A contains information from vendors who have provided
information for this advisory. We will update the appendix as we
receive more information. If a vendor's name does not appear, then the
CERT/CC did not hear from that vendor. Please contact your vendor
directly.
Block access to vulnerable service
Until patches are available and can be applied, you may wish to block
access to the RPC portmapper service and the ToolTalk RPC service from
untrusted networks such as the internet. Using a firewall or other
packet-filtering technology, block the ports used by the RPC
portmapper and ToolTalk RPC services. The RPC portmapper service
typically runs on ports 111/tcp and 111/udp. The ToolTalk RPC service
may be configured to use port 692/tcp or another port as indicated in
output from the rpcinfo command. Keep in mind that blocking ports at a
network perimeter does not protect the vulnerable service from the
internal network. It is important to understand your network
configuration and service requirements before deciding what changes
are appropriate.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
Caldera, Inc.
Caldera UnixWare and Open Linux are vulnerable, and a fix is
forthcoming.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 14:59:52 EDT