SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   libDtSvc.a (CDE DtSvc Library) Vendors:   IBM
(Sun Issues Workaround) Re: Common Desktop Environment (CDE) DtSvc Library Buffer Overflow May Let Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1002914
SecurityTracker URL:  http://securitytracker.com/id/1002914
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 6 2001
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   IBM reported a buffer overflow vulnerability in the CDE DtSvc library (libDtSvc.a) on IBM's AIX operating system. A local user can execute arbitrary code and gain elevated privileges on the host, potentially including root privileges.

It is reported that a buffer overflow vulnerability has been found in the Common Desktop Environment (CDE) libDtSvc.a library. The overflow can be triggered when a local user passes a specially crafted string to any of the "dt" commands (e.g., dtprintinfo, dtterm) via the "-session" option.

Impact:   A local user can execute arbitrary code with root level privileges, gaining root level access on the host.
Solution:   Sun's alert (reproduced below) covers the same library flaw as reached through the CDE Subprocess Control Service daemon (dtspcd), which inetd starts as root and which listens on 6112/tcp. Sun has issued the following workaround:

1) Disable the "dtspc" service in the /etc/inetd.conf file by commenting out the following line (put a "#" at the beginning of the line):

dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd

Tell the inetd(1M) process to reread the newly modified /etc/inetd.conf file by sending it a hangup signal, SIGHUP:

$ ps -ef | grep inetd
$ kill -HUP <PID of "inetd" from above "ps" output>

By disabling "dtspcd", the system no longer executes remote CDE actions. To execute remote CDE actions on the system, login to the remote system and execute the commands. If you want to remotely execute X/Motif-based applications, set the DISPLAY variable to the appropriate value.

2) Use tcp-wrappers to protect access to the "dtspcd" daemon if it is not convenient to disable it. This is available in the tcpd-7.6 package at:

http://www.sun.com/solaris/freeware.html

3) Block access to network port 6112/tcp (dtspc) at all appropriate network perimeters.

Sun notes that a final solution is pending completion.
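The three workaround steps above (and the identical Relief/Workaround section of the Sun alert reproduced below) as a script. This is an added example, not part of the SecurityTracker entry or of Sun Alert 41764: each step is a shell function that takes a file path, so the procedure can be rehearsed offline on a constructed copy of /etc/inetd.conf and /etc/hosts.deny before being pointed at the live files as root. It assumes POSIX sh with sed, grep and awk that accept [[:space:]]; the function names, the tcpd install path /usr/local/bin/tcpd and the sample inetd.conf contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from SecurityTracker or Sun Alert 41764: the dtspcd
# workarounds as functions over file paths, rehearsed on constructed copies.
# Assumes POSIX sh plus sed/grep/awk that accept [[:space:]]; helper names,
# the tcpd path and the sample inetd.conf are assumptions of this example.

# Is an uncommented dtspc entry present?  Exit 0 = yes (service enabled).
dtspc_enabled() {
    grep -q '^[[:space:]]*dtspc[[:space:]]' "$1"
}

# Workaround 1: comment out every active dtspc line.  Prints how many were
# disabled (0 when the file is already clean); other entries are untouched.
disable_dtspc() {
    conf="$1"
    n=$(grep -c '^[[:space:]]*dtspc[[:space:]]' "$conf" || true)
    sed -e 's/^\([[:space:]]*dtspc[[:space:]]\)/#\1/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    echo "$n"
}

# Workaround 2a: keep dtspcd but start it through tcpd so that hosts.allow
# and hosts.deny apply.  Only the server-path field (6th) changes; the daemon
# remains the argument, which is how tcp_wrappers is wired into inetd.conf.
wrap_dtspcd() {
    conf="$1"; tcpd="${2:-/usr/local/bin/tcpd}"   # install path is assumed
    awk -v tcpd="$tcpd" \
        '$1 == "dtspc" && $6 == "/usr/dt/bin/dtspcd" { $6 = tcpd } { print }' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Workaround 2b: deny dtspcd to everyone in hosts.deny (hosts that really
# need remote CDE actions then get explicit hosts.allow entries).
# Idempotent: a second call does not duplicate the rule.
deny_dtspcd() {
    hosts_deny="$1"
    grep -q '^dtspcd:' "$hosts_deny" 2>/dev/null || echo 'dtspcd: ALL' >> "$hosts_deny"
}

# After editing the real /etc/inetd.conf: make inetd re-read it (root only).
reload_inetd() {
    pid=$(ps -ef | awk '$8 ~ /(^|\/)inetd$/ { print $2 }' | head -n 1)
    [ -n "$pid" ] && kill -HUP "$pid"
}

# Workaround 3 check: is anything still listening on 6112/tcp on this host?
# Matches both Solaris ("*.6112") and Linux ("0.0.0.0:6112") netstat output.
dtspc_listening() {
    netstat -an 2>/dev/null | grep '[.:]6112[[:space:]]' | grep -q LISTEN
}

# Constructed sample inetd.conf for the dry run (not copied from any host).
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample
ftp    stream tcp nowait root /usr/sbin/in.ftpd   in.ftpd
dtspc  stream tcp nowait root /usr/dt/bin/dtspcd  /usr/dt/bin/dtspcd
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
EOF
}

# Dry run in a scratch directory; nothing under /etc is touched.
demo_dir=$(mktemp -d)
make_sample_inetd_conf "$demo_dir/inetd.conf"
wrap_dtspcd "$demo_dir/inetd.conf"
deny_dtspcd "$demo_dir/hosts.deny"
echo "--- dtspcd wrapped through tcpd:"
cat "$demo_dir/inetd.conf" "$demo_dir/hosts.deny"
echo "--- disabled $(disable_dtspc "$demo_dir/inetd.conf") dtspc entry(ies):"
cat "$demo_dir/inetd.conf"
rm -rf "$demo_dir"
```

On a live Solaris host the same functions would be called on /etc/inetd.conf and /etc/hosts.deny, followed by reload_inetd and dtspc_listening; note that the hosts.deny rule only has effect once the inetd.conf entry actually runs dtspcd through tcpd, which is why wrap_dtspcd and deny_dtspcd go together.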

Vendor URL:  www.ibm.com/
Cause:   Boundary error
Underlying OS:  UNIX (AIX), UNIX (Any)
Underlying OS Comments:  SPARC and Intel: CDE 1.0.1 on Solaris 2.4, 2.5; CDE 1.0.2 on Solaris 2.4, 2.5, 2.5.1; Solaris 2.6, 7, and 8

Message History:   This archive entry is a follow-up to the message listed below.
Oct 30 2001 Common Desktop Environment (CDE) DtSvc Library Buffer Overflow May Let Local Users Obtain Root Privileges



 Source Message Contents

Subject:  Buffer Overflow in CDE Subprocess Control Service Daemon


Sun(sm) Alert Notification 

     Sun Alert ID: 41764 
     Synopsis: Buffer Overflow in CDE Subprocess Control Service Daemon
(dtspcd) 
     Category: Security 
     Product: Solaris 
     BugIDs: 4527363 
     Avoidance: Workaround 
     State: Engineering Completed 
     Date Released: 03-Dec-2001 
     Date Closed: 
     Date Modified: 

1. Impact 

A library that the CDE Subprocess Control Service (dtspcd) daemon uses
contains a buffer overflow vulnerability that could allow a remote user
to gain root access to the affected system. 

This issue is described in the CERT Vulnerability VU#172583 (see
http://www.kb.cert.org/vuls/id/172583) which is referenced in CA-2001-31
(see http://www.cert.org/advisories/CA-2001-31.html). 


2. Contributing Factors 

This issue can occur in the following releases: 

SPARC 

     CDE 1.0.1 on Solaris 2.4, 2.5 
     CDE 1.0.2 on Solaris 2.4, 2.5, 2.5.1 
     Solaris 2.6 
     Solaris 7 
     Solaris 8 

Intel 

     CDE 1.0.1 on Solaris 2.4, 2.5 
     CDE 1.0.2 on Solaris 2.4, 2.5, 2.5.1 
     Solaris 2.6 
     Solaris 7 
     Solaris 8 

3. Symptoms 

There are no reliable symptoms that would show the described issue has
been exploited to gain unauthorized root access to a host. 



4. Relief/Workaround 

1) Disable the "dtspc" service in the /etc/inetd.conf file by commenting
out the following line (put a "#" at the beginning of the line): 

        dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd

Tell the inetd(1M) process to reread the newly modified /etc/inetd.conf
file by sending it a hangup signal, SIGHUP: 

        $ ps -ef | grep inetd
        $ kill -HUP <PID of "inetd" from above "ps" output>

By disabling "dtspcd", the system no longer executes remote CDE actions.
To execute remote CDE actions on the system, login to the remote system
and execute the commands. If you want to remotely execute X/Motif-based
applications, set the DISPLAY variable to the appropriate value. 

2) Use tcp-wrappers to protect access to the "dtspcd" daemon if it is
not convenient to disable it. This is available in the tcpd-7.6 package
at: 

        http://www.sun.com/solaris/freeware.html                  

3) Block access to network port 6112/tcp (dtspc) at all appropriate
network perimeters. 

5. Resolution 

A final solution is pending completion. 

The issue described in this Sun(sm) Alert document may or may not be
experienced by your particular system(s). The information in this
Sun(sm) Alert document may be based upon information received from
third-parties. It is being provided to you "AS IS", for informational
purposes only. Sun does not make any representations, warranties, or
guaranties as to the quality, suitability, truth, accuracy or
completeness of any of the information. Sun shall not be liable for any
losses or damages suffered as a result of Customer's use or non-use of
the information.

Copyright 2020, SecurityGlobal.net LLC