SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   ToolTalk (rpc.ttdbserver) Vendors:   Caldera/SCO
(Caldera Issues Fix for UnixWare/Open UNIX) Common Desktop Environment (CDE) ToolTalk Server Input Validation and Symlink Bugs Let Local and Remote Users Obtain Root Privileges on the System
SecurityTracker Alert ID:  1004752
SecurityTracker URL:  http://securitytracker.com/id/1004752
CVE Reference:   CVE-2002-0677, CVE-2002-0678   (Links to External Site)
Date:  Jul 12 2002
Impact:   Denial of service via local system, Denial of service via network, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in the Common Desktop Environment (CDE) ToolTalk RPC database server. A remote user could delete arbitrary files, cause denial of service conditions, or execute arbitrary code or commands on the system. A local user could create or overwrite arbitrary files with arbitrary user-supplied contents.

CORE Security Technologies reported that a remote user can also create arbitrary directory entries on the target host.

Several operating systems are affected, including Solaris, HP-UX, Tru64, AIX, and Caldera Open UNIX/UnixWare. Other operating systems may also be affected.

According to the report, Fujitsu UXP/V, Cray's CrayTools, Caldera OpenLinux, and SCO OpenServer are not vulnerable.

According to CORE and CERT (as reported in CERT Advisory CA-2002-20), the ToolTalk RPC database server (rpc.ttdbserverd) does not properly validate a user-supplied file descriptor argument passed to the _TT_ISCLOSE() function. A remote user may be able to overwrite a certain 4 bytes of memory with a zero (0x0L) value.

A remote user could exploit this bug to delete any file on the system that is accessible by the ToolTalk RPC database server. Because the server typically runs with root privileges, any file on the system could be deleted. It may also be possible for the remote user to cause arbitrary code and commands to be executed.

The software also reportedly does not properly validate certain file operations, such as verifying whether a file to be written to is a valid file or a symbolic link. A local user could reference a specially crafted symbolic link in certain ToolTalk RPC requests to overwrite files on the system. Because the server typically runs with root privileges, any file on the system could be overwritten. This could allow the local user to obtain elevated privileges on the system (including root privileges).

Impact:   A remote user could delete arbitrary files, cause denial of service conditions, or execute arbitrary code or commands on the system. A local user could create or overwrite arbitrary files with arbitrary user-supplied contents.
Solution:   Caldera has released a fix for UnixWare/Open UNIX.

For UnixWare 7.1.1:

Location of Fixed Binaries

ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28


Verification

MD5 (erg712073.pkg.Z) = 9b7f2f606d658ed51d590737daf9e117

md5 is available for download from
ftp://ftp.caldera.com/pub/security/tools


Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

Download erg712073.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712073.pkg.Z
# pkgadd -d /var/spool/pkg/erg712073.pkg


For Open UNIX 8.0.0:

Location of Fixed Binaries

ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28


Verification

MD5 (erg712073.pkg.Z) = 9b7f2f606d658ed51d590737daf9e117

md5 is available for download from
ftp://ftp.caldera.com/pub/security/tools


Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

Download erg712073.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712073.pkg.Z
# pkgadd -d /var/spool/pkg/erg712073.pkg

Vendor URL:  www.caldera.com/support/security/index.html (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  UnixWare 7.1.1, Open UNIX 8.0.0

Message History:   This archive entry is a follow-up to the message listed below.
Jul 11 2002 Common Desktop Environment (CDE) ToolTalk Server Input Validation and Symlink Bugs Let Local and Remote Users Obtain Root Privileges on the System



 Source Message Contents

Subject:  Security Update: [CSSA-2002-SCO.28] UnixWare 7.1.1 Open UNIX 8.0.0 : rpc.ttdbserverd file creation and deletion vulnerabilities


--St7VIuEGZ6dlpu13
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca

______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		UnixWare 7.1.1 Open UNIX 8.0.0 : rpc.ttdbserverd file creation and deletion vulnerabilities
Advisory number: 	CSSA-2002-SCO.28
Issue date: 		2002 July 11
Cross reference:
______________________________________________________________________________


1. Problem Description

	Several security bugs were discovered in the rpc.ttdbserverd
	program that allow an attacker to overwrite memory in the
	program as well as force the program to create and delete
	arbitrary files on the system. Some of these vulnerabilities
	are remotely exploitable.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	UnixWare 7.1.1 			/usr/dt/bin/rpc.ttdbserverd
	Open UNIX 8.0.0 		/usr/dt/bin/rpc.ttdbserverd


3. Solution

	The proper solution is to install the latest packages.


4. UnixWare 7.1.1

	4.1 Location of Fixed Binaries

	ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28


	4.2 Verification

	MD5 (erg712073.pkg.Z) = 9b7f2f606d658ed51d590737daf9e117

	md5 is available for download from
		ftp://ftp.caldera.com/pub/security/tools


	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download erg712073.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg712073.pkg.Z
	# pkgadd -d /var/spool/pkg/erg712073.pkg


5. Open UNIX 8.0.0

	5.1 Location of Fixed Binaries

	ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28


	5.2 Verification

	MD5 (erg712073.pkg.Z) = 9b7f2f606d658ed51d590737daf9e117

	md5 is available for download from
		ftp://ftp.caldera.com/pub/security/tools


	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download erg712073.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg712073.pkg.Z
	# pkgadd -d /var/spool/pkg/erg712073.pkg


6. References

	Specific references for this advisory:
		CORE ST advisory CORE-20020528
		http://www.cert.org/advisories/CA-2002-20.html

	Caldera security resources:
		http://www.caldera.com/support/security/index.html

	This security fix closes Caldera incidents sr865685, fz521202,
	erg712073.


7. Disclaimer

	Caldera International, Inc. is not responsible for the
	misuse of any of the information we provide on this website
	and/or through our security advisories. Our advisories are
	a service to our customers intended to promote secure
	installation and use of Caldera products.


8. Acknowledgements

	The vulnerabilities were discovered and researched by Ricardo
	Quesada of the CORE IMPACT team at CORE Security Technologies.

______________________________________________________________________________

--St7VIuEGZ6dlpu13
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj0twbMACgkQaqoBO7ipriF+DQCePEA8PVCDV3nK0mQsfBfOEOg2
W/0AoIDX42hiIEVMNnvPLm1vRgXjY5y4
=Q/c2
-----END PGP SIGNATURE-----

--St7VIuEGZ6dlpu13--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC