SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   ToolTalk (rpc.ttdbserver) Vendors:   Caldera/SCO, Compaq, HPE, IBM, Sun
Common Desktop Environment (CDE) ToolTalk Server Input Validation and Symlink Bugs Let Local and Remote Users Obtain Root Privileges on the System
SecurityTracker Alert ID:  1004740
SecurityTracker URL:  http://securitytracker.com/id/1004740
CVE Reference:   CVE-2002-0677, CVE-2002-0678   (Links to External Site)
Updated:  Sep 8 2004
Original Entry Date:  Jul 11 2002
Impact:   Denial of service via local system, Denial of service via network, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in the Common Desktop Environment (CDE) ToolTalk RPC database server. A remote user could delete arbitrary files, cause denial of service conditions, or execute arbitrary code or commands on the system. A local user could create or overwrite arbitrary files with arbitrary user-supplied contents.

CORE Security Technologies reported that a remote user can also create arbitrary directory entries on the target host.

Several operating systems are affected, including Solaris, HP-UX, Tru64, AIX, and Caldera Open UNIX/UnixWare. Other operating systems may also be affected.

According to the report, Fujitsu UXP/V, Cray's CrayTools, Caldera OpenLinux, and SCO OpenServer are not vulnerable.

According to CORE and CERT (as reported in CERT Advisory CA-2002-20), the ToolTalk RPC database server (rpc.ttdbserverd) does not properly validate a user-supplied file descriptor argument passed to the _TT_ISCLOSE() function. A remote user may be able to overwrite a certain 4 bytes of memory with a zero (0x0L) value.

A remote user could exploit this bug to delete any file on the system that is accessible by the ToolTalk RPC database server. Because the server typically runs with root privileges, any file on the system could be deleted. It may also be possible for the remote user to cause arbitrary code and commands to be executed.

The software also reportedly does not properly validate certain file operations, such as verifying whether a file to be written to is a valid file or a symbolic link. A local user could reference a specially crafted symbolic link in certain ToolTalk RPC requests to overwrite files on the system. Because the server typically runs with root privileges, any file on the system could be overwritten. This could allow the local user to obtain elevated privileges on the system (including root privileges).

Impact:   A remote user could delete arbitrary files, cause denial of service conditions, or execute arbitrary code or commands on the system. A local user could create or overwrite arbitrary files with arbitrary user-supplied contents.
Solution:   Several vendors have issued fixes or are in the process of issuing fixes. The status of some vendor efforts is listed below. Additional vendor-specific bulletins are expected to be released shortly. This alert will be updated accordingly.

The report provides the following general workaround if a patch is not yet available for your system:

- Disable the vulnerable service. To do so, it is needed to comment out or remove the lines that refer to rpc.ttdbserverd in /etc/inetd.conf and restart the inetd daemon.

- Block connections to the vulnerable service. Block access from untrusted networks to the ToolTalk Database server program. The program is identified as RPC program number 100083 and may service requests on port 629/tcp or any other port. Use the rpcinfo program to determine on which port ttdbserver is servicing requests and block access to that port and the portmapper (111/tcp 111/udp) at the perimeter. This will not prevent exploitation from trusted networks. In general it is advisable to block access from untrusted networks to ALL RPC services.

Caldera, Inc.

Caldera has reportedly developed fixes for Caldera Open UNIX and Caldera UnixWare and plans to release them shortly. SCO OpenServer and Caldera OpenLinux do not provide CDE and are therefore not vulnerable.


Compaq Computer Corporation

See SSRT2251 for more information. Compaq has solutions in final testing and will publish a security bulletin when testing has been completed. A workaround (to disable rpc.ttdbserver) is described in the Source Message.


Hewlett-Packard Company

HP does not have patches yet, but has made the following file available to replace rpc.ttdbserver as a workaround. Download rpc.ttdbserver.tar.gz from the ftp site. This file is temporary and will be deleted when patches are available from the standard HP web sites, including itrc.hp.com.

System: hprc.external.hp.com (192.170.19.51)
Login: ttdb1
Password: ttdb1
FTP Access: ftp://ttdb1:ttdb1@hprc.external.hp.com/
ftp://ttdb1:ttdb1@192.170.19.51/
File: rpc.ttdbserver.tar.gz
MD5: da1be3aaf70d0e2393bd9a03feaf4b1d

HP will issue a security bulletin.


IBM Corporation

An efix package will be available shortly from:

ftp.software.ibm.com/aix/efixes/security.

The following APARs will be available in the near future:

AIX 4.3.3: IY32368
AIX 5.1.0: IY32370


Sun Microsystems, Inc.

Sun is generating patches and will publish a Sun Security Bulletin and a Sun Alert. The patches will be available from:

http://sunsolve.sun.com/securitypatch

Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Solaris 2.5.1, 2.6, 7, 8, 9; HP-UX 10.10, 10.20, 11.00, 11.11; Tru64 v4.0f, v4.0g, v5.0a, v5.1, v5.1a; Xi Graphics deXtop CDE v2.1; IBM AIX 4.3.3 and 5.1.0; Caldera Open UNIX and Caldera UNIXware

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Caldera Issues Fix for UnixWare/Open UNIX) Common Desktop Environment (CDE) ToolTalk Server Input Validation and Symlink Bugs Let Local and Remote Users Obtain Root Privileges on the System
Caldera has released a fix for UnixWare/Open UNIX.
(HP Issues Bulletin with Workaround) Common Desktop Environment (CDE) ToolTalk Server Input Validation and Symlink Bugs Let Local and Remote Users Obtain Root Privileges on the System
HP has issued a security bulletin with an interim workaround.
(IBM Issues Fix) Re: Common Desktop Environment (CDE) ToolTalk Server Input Validation and Symlink Bugs Let Local and Remote Users Obtain Root Privileges on the System
IBM has released an APARs for AIX 5.1.0.
(SGI Issues Fix) Re: Common Desktop Environment (CDE) ToolTalk Server Input Validation and Symlink Bugs Let Local and Remote Users Obtain Root Privileges on the System
SGI has issued a fix.
(SGI Issues Fix for IRIX) Re: Common Desktop Environment (CDE) ToolTalk Server Input Validation and Symlink Bugs Let Local and Remote Users Obtain Root Privileges on the System
SGI has issued a fix for IRIX.
Sep 8 2004 (Sun Issues Fix) Common Desktop Environment (CDE) ToolTalk Server Input Validation and Symlink Bugs Let Local and Remote Users Obtain Root Privileges on the System
Sun has issued a fix.



 Source Message Contents

Subject:  [CORE-20020528] Multiple vulnerabilities in ToolTalk Database server



                              CORE SECURITY TECHNOLOGIES
                                      http://www.corest.com

         Multiple vulnerabilities in Tooltalk database server


Date Published: 2002-07-10

Last Update: 2002-07-10

Advisory ID: CORE-20020528

Bugtraq ID: 5082,5083

CVE: CAN-2002-0677, CAN-2002-0678

CERT: VU#975403 VU#299816

Title: Multiple vulnerabilities in Tooltalk database server.

Class: Implementation flaws

Remotely Exploitable: Yes

Locally Exploitable: Yes

Vendors contacted:

 - Sun
   CORE notification: 2002-06-10
   CERT notification: 2002-06-11 4:32pm
   Status:
   .Vulnerable (original bug discovery on Solaris)
   .Acknowledged notification on 2002-06-10
   .Research in progress, no confirmation
    from Sun as of 2002-06-18
   .Official statement forwardr by CERT: 2002-07-10

 - HP
   CORE notification: 2002-06-10
   CERT notification: 2002-06-11
   Status:
   .Acknowledged notification on 2002-06-10
   .Confirmed HP-UX vulnerable on 2002-06-11
    and issued high priority lab fix request
   .Official statement forwarded by CERT: 2002-07-10

 - Compaq Computer Corporation
   CORE notification: 2002-06-10
   CERT notification: 2002-06-11 4:32pm
   Status:
   .Acknowledged notification on 2002-06-10
   .Official statement forwarded by CERT: 2002-07-10

 - SGI
   CORE notification: 2002-06-10
   CERT notification: 2002-06-11
   Status:
   .Acknowledged notification on 2002-06-18

 - Xi Graphics (CDE for Linux)
   CERT notification: 2002-06-12
   Status:
   .Confirmed vulnerable, fixes are available
   at the release date of this advisory
   .Patches available : 2002-06-20

 - IBM
   CORE notification: 2002-06-10
   CERT notification: 2002-06-11 4:32pm EST
   Status:
   .Confirmed vulnerable
   .Official statement forwarded by CERT: 2002-07-10

 - Caldera (SCO)
   CERT notification: 2002-06-12  1:32pm
   Status:
   .Confirmed vulnerable
   .Official statement forwarded by CERT: 2002-07-10

 - Cray Inc.
   CERT notification: 2002-06-12  1:19pm
   Status:
   .Acknoledged notification.
   "Cray Inc. ships ToolTAlk wiht the CrayTools
    product but is not enabled by default or used
    by any Cray provided application"

 - Data General
   CERT notification: 2002-06-12  1:19pm
   Status:
   N/A

 - Fujitsu
   CERT notification: 2002-06-12 1:19pm
   Status:
   .Acknowledged notification.
   "Fujitsu's UXP/V is not vulnerable. Does
    not support any CDE functionalities"

 - The Open Group
   CERT notification: 2002-06-12 1:31pm
   Status:
   N/A

Release Mode: USER RELEASE

*Vulnerability Description:*


 The ToolTalk service allows independently developed applications to
communicate with each other by exchanging ToolTalk messages. Using ToolTalk,
applications can create open protocols which allow different programs to be
interchanged, and new programs to be plugged into the system with minimal
reconfiguration.

 The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service which
manages objects needed for the operation of the ToolTalk service.
ToolTalk-enabled processes communicate with each other using RPC calls to
this program, which runs on each ToolTalk-enabled host. This program is a
standard component of the ToolTalk system, which ships as a standard
component of many commercial Unix operating systems. The ToolTalk database
server runs as root.

 Several security bugs were discovered in the rpc.ttdbserverd program
that allow an attacker to:
 - Overwrite 4 bytes of memory the running process with a zero
   (0x0L) value
 - Remotely delete any file on the vulnerable host
 - Locally create or overwrite any file on the vulnerable host
   with arbitrary contents.
 - Remotely create arbitrary directory entries on the vulnerable
   host

 These vulnerabilities by themselves can lead to remote and local
 compromise of the privilege root account on the vulnerable system.

 Additionally these vulnerabilities may be used to build more reliable
 and effective exploit programs for previously published ToolTalk
 Database server vulnerabilities.

 Exploit modules for the vulnerabilities described in this advisory
 are available inmediately for CORE IMPACT customers through the
 product support channel or as part of CORE IMPACT v1.1 or
 the July 2002 module update pack.


*Vulnerable Packages:*
  Solaris 2.5.1 2.6 7 8 9
  HP-UX 10.10 10.20 11.00 11.11
  Tru64 v4.0f, v4.0g, v5.0a, v5.1, v5.1a
  Xi Graphics deXtop CDE v2.1
  IBM AIX 4.3.3 and 5.1.0
  Caldera Open UNIX and Caldera UNIXware


 Not confirmed but suspected vulnerable
 - SGI IRIX 5.2-6.5.x

 Not vulnerable
 - Fujitsu UXP/V
 - Cray Inc, CrayTools
 - Caldera OpenLinux
 - SCO OpenServer

*Solution/Vendor Information/Workaround*

Caldera, Inc.

  Caldera   Open  UNIX  and  Caldera  UnixWare  provide  the
  CDE ttdbserverd daemon, and are vulnerable to these issues.
  We have prepared  fixes  for those two operating systems,
  and will make them available as soon as these issues are
  made public.

  SCO  OpenServer  and  Caldera OpenLinux do not provide CDE,
  and are therefore not vulnerable.

Compaq Computer Corporation

  CROSS REFERENCE: SSRT2251

  At  this  time  Compaq does have solutions in final testing
  and will  publish  HP  Tru64 UNIX security bulletin
  (SSRT2251) with patch information as soon as testing has
  completed and kits are available from the support ftp web
  site.

  A  recommended  workaround however is to disable
  rpc.ttdbserver until  solutions  are  available.  This
  should  only  create a potential  problem  for  public
  software packages applications that  use  the  RPC-based
  ToolTalk  database server. This step should be evaluated
  against the risks identified, your security measures
  environment,  and  potential impact of other products that
  may use the ToolTalk database server.

  To disable rpc.ttdbserverd:

  + Comment out the following line in /etc/inetd.conf:
    rpc.ttdbserverd stream tcp swait root
    /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
  + Force  inetd  to  re-read the configuration file by
    executing the inetd -hcommand.

  Note:  The  internet  daemon  should kill the currently
  running rpc.ttdbserver. If not, manually kill any
  existing rpc.ttdbserverd process.

Cray, Inc.

 Cray,  Inc. does include ToolTalk within the CrayTools
 product. However,  rpc.ttdbserverd  is not turned on or used
 by any Cray provided  application. Since a site may have
 turned this on for their   own   use,   they   can   always
 remove   the  binary /opt/ctl/bin/rpc.ttdbserverd if they
 are concerned.

Fujitsu

  Fujitsu's   UXP/V   operating   system   is not affected  by
  the vulnerability  reported  in  VU#975403  [or  VU#299816]
  because UXP/V does not support any CDE functionalties.

Hewlett-Packard Company

  HP9000  Series  700/800  running  HP-UX  releases 10.10,
  10.20, 11.00, and 11.11 are vulnerable.

  Until  patches  are  available, install the appropriate file
  to replace rpc.ttdbserver.

  Download  rpc.ttdbserver.tar.gz from the ftp site. This file
  is temporary  and  will be deleted when patches are
  available from the standard HP web sites, including
  itrc.hp.com.

  System: hprc.external.hp.com (192.170.19.51)
  Login: ttdb1
  Password: ttdb1
  FTP Access: ftp://ttdb1:ttdb1@hprc.external.hp.com/
              ftp://ttdb1:ttdb1@192.170.19.51/
  File: rpc.ttdbserver.tar.gz
  MD5: da1be3aaf70d0e2393bd9a03feaf4b1d

  An HP security bulletin will be released with more
  information.

IBM Corporation

  The  CDE desktop product shipped with AIX is vulnerable to
  both the  issues  detailed  above  in the advisory. This
  affects AIX releases  4.3.3  and  5.1.0  An  efix package
  will be available shortly  from  the IBM software ftp site.
  The efix packages can be  downloaded  from
  ftp.software.ibm.com/aix/efixes/security. This  directory
  contains  a  README  file  that  gives further details on
  the efix packages.

  The following APARs will be available in the near future:

    AIX 4.3.3: IY32368
    AIX 5.1.0: IY32370

SGI

  SGI  acknowledges the ToolTalk vulnerabilities reported by
  CERT and  is  currently  investigating.  No  further
  information is available at this time.

  For the protection of all our customers, SGI does not
  disclose, discuss  or  confirm vulnerabilities until a full
  investigation has occurred and any necessary patch(es) or
  release streams are available  for  all  vulnerable  and
  supported  IRIX operating systems.  Until SGI has more
  definitive information to provide, customers are encouraged
  to assume all security vulnerabilities as  exploitable  and
  take appropriate steps according to local site security
  policies and requirements. As further information becomes
  available, additional advisories will be issued via the
  normal  SGI security information distribution methods
  including the wiretap mailing list on
  http://www.sgi.com/support/security/.

Sun Microsystems, Inc.

 The     Solaris    RPC-based    ToolTalk    database
 server, rpc.ttdbserverd,  is  vulnerable  to  the  two
 vulnerabilities [VU#975403   VU#299816]  described  in  this
 advisory  in  all currently supported versions of Solaris:

 Solaris 2.5.1, 2.6, 7, 8, and 9

 Patches  are being generated for all of the above releases.
 Sun will  publish  a Sun Security Bulletin and a Sun Alert
 for this issue. The Sun Alert will be available from:

   http://sunsolve.sun.com

 The patches will be available from:

   http://sunsolve.sun.com/securitypatch

 Sun Security Bulletins are available from:

   http://sunsolve.sun.com/security

The Open Group

  N/A

Xi Graphics

 Xi  Graphics  deXtop  CDE  v2.1 is vulnerable to this
 attack. A update  correcting this issue will be available on
 our ftp site once this vulnerability has been publically
 announced.

 When announced, the update and accompanying text file will
 be:

  ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz
  ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

 Most  sites  do  not need to use the ToolTalk server daemon.
 Xi Graphics  Security  recommends  that non-essential
 services are never  enabled.  To disable the ToolTalk server
 on your system, edit   /etc/inetd.conf   and   comment
 out,  or  remove,  the 'rpc.ttdbserver'  line.  Then,
 either restart inetd, or reboot your machine.

 Workarounds

 If patches are not available from your vendor these
 workarounds can be implemented:

  - Disable the vulnerable service
   To do so, it is needed to comment out or remove the
   lines that refer to rpc.ttdbserverd in /etc/inetd.conf
   and restart the inetd daemon.

  - Block connections to the vulnerable service
   Block access from untrusted networks to the ToolTalk
   Database server program.
   The program is identified as RPC program number
   100083 and may service requests on port 629/tcp
   or any other port. Use the rpcinfo program to
   determine on which port ttdbserver is servicing
   requests and block access to that port and the
   portmapper (111/tcp 111/udp) at the perimeter.
   This will not prevent exploitation from trusted
   networks.
   In general it is advisable to block access from
   untrusted networks to ALL RPC services.


*Credits:*

These vulnerabilities were discovered and researched by Ricardo Quesada
of the CORE IMPACT team at CORE Security Technologies.
We would like to thank CERT for their efforts coordinating the
release of this advisory with CORE and the vendors.

*Technical Description - Exploit/Concept Code*

 1) Overwriting portions of memory with 0L

 The _TT_ISCLOSE procedure in ttdbserverd allows a client to close
 an open ToolTalk Database. The client needs only to perform a
 client call to the mentioned procedure passing a valid file descriptor
 as argument.

 The server first checks if the authentication credentials passed in
 the procedure call (AUTH_UNIX) are valid for the requested operation.
 To do so, the server uses the file descriptor received as argument
 to index into a statically allocated table of structs of 24 bytes
 each named _tt_db_table.
 The table has 128 entries and each entry contains an struct with
 the following fields (the names given to the fields were chosen
 arbitrarly):

 struct _tt_db_table_entry {
        char *    path;
        int       uid;
        int       mode;
        int       isopen;
        int       isopen2;
        int       aux;
 };

 The value in uid specifies the owner of the open database and
 a non zero value in the isopen field indicates that the file is
 open and in use.
 Once the file is closed (or even if the operation fails) the
 _TT_ISCLOSE procedure resets the value of the isopen field to 0
 to indicate that this entry in the table belongs to a file
 that is no longer open and in use.

 A failure to perform proper range checks on the file descriptor
 used as index into the table allows an attacker to specify arbitrary
 portions of memory as table entries.
 By abusing this vulnerability an attacker could use the _TT_ISCLOSE
 procedure to overwrite portions of memory with a value of 0L.
 This attack is restricted to overwritting portions of memory at
 24 bytes intervals (since that is the overall size of each
 table entry).
 As we will see, the ability to do so will provide the means
 to perform more sophisticated attacks.


 2) Deleting files remotely

 The ttdbserverd program provides also a procedure to log
 transactions on a ToolTalk Database to a logfile. For this
 purpose the _TT_TRANSACTION procedure is used.

 _TT_TRANSACTION receives a file descriptor and a list of
 records to log to the log file.
 The filename for the logfile is kept in a statically allocated
 variable _tt_log_file.

 Upon failure of a transaction operation, a generic error
 handler function is called and the logfile is deleted from
 the  filesystem using the unlink() function call.

 In Solaris 8 ( patch 110286-6 applied) the variable is located
 at:
        0x0007636c 0x00000401  OBJT GLOB 0   .bss        _tt_log_file


 The filename for the log file is generated by concatenating the
 full pathname for the TT Database and the fixed string 'log_file'.

 The variable is populated by the _TT_ISOPEN and _TT_TRANSACTION
 procedures, available to any local or remote ttdbserverd client.

 A client can create a new TT database using the _TT_ISBUILD
 procedure call and subsequently use the _TT_TRANSACTION
 procedure to log transations on the newly created database
 to the file specified in _tt_log_file.

 As described above, _TT_TRANSACTION will populate the
 _tt_log_file variable with the filename of the TT Database
 concatenated with the string 'log_file'.
 Therefore by creating (using _TT_ISBUILD) a TTDB named
 "////////etc/passwd012345689ABCDEF/file_table" and subsequently
 calling _TT_TRANSACTION with the valid file descriptor
 for that DB (received as result of the ISBUILD call)
 the _tt_log_file variable will end up as:

 _tt_log_file = "////////etc/passwd012345689ABCDEF/log_file"

 An attacker can now abuse the vulnerability described in
 1) to insert a zero (and null terminate the string) leaving
 the _tt_log_file variable as follows:

 _tt_log_file = "////////etc/passwd\0\0\0\045689ABCDEF/log_file"

 Once this has been done, a call to _TT_TRANSACTION with
 an *invalid* file descriptor as argument (i.e. -2) will
 trigger the unlink in the error handler function, effectively
 removing the file specified in the _tt_log_file variable
 from the file system.

 This technique can be used by an attacker to remove any
 file or directory on the vulnerable host.

 3) Creating / Overwriting any local file

 The _TT_TRANSACTION procedure follows symlinks when opening
 the log file in order to write the transaction log.
 By using a combination of the techniques described above an
 attacker can locally overwrite any file with any contents
 of her choice since the list of transaction records to log
 is passed by the client program.

 Conclusion

 This advisory describes techniques to abuse two
 vulnerabilities found in the CDE ttdbserver program:
 - Improper checks on user suplied RPC arguments that
   lead to memory overwriting.
   BID:5082 CERT: VU#975403 CVE:CAN-2002-0677

   This is the file descriptor range check problem
   described in 1) and later used in 2)

 - Lack of file system checks for file operations that
   lead to local file creation or overwriting.
   This is the symlink problem described in 3)
   BID:5083 CERT: VU#299816 CVE: CAN-2002-0678

 The vulnerabilities and techniques described in this
 advisory can be  abused by an attacker in order to gain
 privileged access to a vulnerable system both remotelly
 and locally, or in order to perform a denial of service
 attack (ie. deletion of *ANY* file remotely)

 It is relevant to mention that vulnerabilities
 disclosed very recently (see BID:4639/CVE:NOT-ASSIGNED
 and BID:3382 /CVE:CAN-2001-0717) rely on the attacker's ability
 to make file system operations to fail in order
 to exploit those bugs.

 Additionally, the ability to overwrite *any* portion
 of the process memory with a value of 0L may provide
 other possible attack scenarios for remote or local
 compromise of the vulnerable host.

*DISCLAIMER:*

The contents of this advisory are copyright (c) 2002 CORE Security
Technologies and may be distributed freely provided that no fee is charged
for this distribution and proper credit is given.

$Id: ttdbserver.txt,v 1.9 2002/07/11 00:27:43 iarce Exp $

---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A



--- for a personal reply use: =?iso-8859-1?Q?Iv=E1n_Arce?= <ivan.arce@corest.com>

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC