SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   ToolTalk (rpc.ttdbserver)
Vendors:   Caldera/SCO, Compaq, Cray, Data General, Fujitsu Siemens Computers, HPE, IBM, SGI (Silicon Graphics), Sun
CDE ToolTalk Database Server Buffer Overflow in _TT_CREATE_FILE Procedure May Let Remote Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1005023
SecurityTracker URL:  http://securitytracker.com/id/1005023
CVE Reference:   CVE-2002-0679
Date:  Aug 12 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Vendor Confirmed:  Yes  

Description:   A buffer overflow vulnerability was reported in the CDE ToolTalk database server. A remote user may be able to execute arbitrary code on the system, possibly with root level privileges.

Entercept Ricochet issued a security advisory warning of a buffer overflow in the _TT_CREATE_FILE procedure. According to the report, this results in a heap buffer overflow in most environments, allowing a remote user to execute arbitrary code with the privileges of the ToolTalk RPC database server or to cause a denial of service condition on the server. It is reported that the server process typically runs as root.

The following vendors are reported to be affected:

- Caldera
- Compaq Computer Corporation
- Cray Inc.
- Data General
- Fujitsu
- Hewlett Packard
- IBM
- SGI
- Sun Microsystems Inc.
- The Open Group
- Xi Graphics

CERT has issued an advisory on the topic, available at:

http://www.cert.org/advisories/CA-2002-26.html

CERT has also issued a Vulnerability Note, available at:

http://www.kb.cert.org/vuls/id/387387

Impact:   A remote user may be able to execute arbitrary code on the system with the privileges of the server, which may be root privileges on some systems. A remote user can also cause denial of service conditions on the server.
Solution:   Individual vendors will be releasing patches [see the Message History for alerts covering vendor-specific patches.]

As a workaround, you can disable rpc.ttdbserverd. Alternatively, you can block or restrict access to the RPC portmapper service and the ToolTalk RPC database service from untrusted networks.
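
One way to apply the first workaround on systems that start the daemon from inetd, as an added example that is not part of the advisory or any vendor's fix. The sample file is constructed, the function names are hypothetical, and the matching assumes the entry names the daemon or its RPC program number, 100083 (a value not stated on this page).

```shell
#!/bin/sh
# Added example (not vendor code): find and disable ToolTalk database
# server entries in an inetd.conf-style file. Sample data is constructed.

# Write a constructed sample config to the path given as $1.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, Solaris-style entries
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
EOF
}

# Print active (uncommented) entries that name the daemon or its
# RPC program number, 100083 (assumption: one of the two appears).
ttdb_active_entries() {
    awk '!/^[ \t]*#/ && (/ttdbserver/ || /100083/)' "$1"
}

# Count those entries.
ttdb_count_active() {
    ttdb_active_entries "$1" | wc -l | tr -d ' '
}

# Emit the file on stdout with every active ToolTalk entry commented out;
# all other lines pass through unchanged.
ttdb_disable() {
    awk '!/^[ \t]*#/ && (/ttdbserver/ || /100083/) { print "#" $0; next }
         { print }' "$1"
}

# Demo on the constructed sample.
conf=$(mktemp) && fixed=$(mktemp)
write_sample_inetd_conf "$conf"
echo "active before: $(ttdb_count_active "$conf")"
ttdb_disable "$conf" > "$fixed"
echo "active after:  $(ttdb_count_active "$fixed")"
rm -f "$conf" "$fixed"
```

After the edited file replaces the live one, inetd has to re-read its configuration (typically on SIGHUP), and `rpcinfo -p` should then no longer list program 100083.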

Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(IBM Issues Fix for AIX) Re: CDE ToolTalk Database Server Buffer Overflow in _TT_CREATE_FILE Procedure May Let Remote Users Execute Arbitrary Code With Root Privileges
IBM has released a fix for CDE Tooltalk on AIX.
(Caldera Issues Fix for Open UNIX/UnixWare) CDE ToolTalk Database Server Buffer Overflow in _TT_CREATE_FILE Procedure May Let Remote Users Execute Arbitrary Code With Root Privileges
Caldera has released a fix for Open UNIX.



 Source Message Contents

Subject:  ENTERCEPT RICOCHET ADVISORY: Multi-Vendor CDE ToolTalk Database




*******ENTERCEPT RICOCHET ADVISORY*******
Date: Monday, August 12, 2002

Issue: Multi-Vendor CDE ToolTalk Database Server Remote Buffer Overflow 
Vulnerability


 
DETAILS:
The ToolTalk component allows applications to communicate with each other 
via remote procedure calls (RPC) across different hosts and platforms.  
The ToolTalk RPC database server manages connections between ToolTalk 
applications. Most Unix environments include CDE and ToolTalk in their 
default installations. 
 
_TT_CREATE_FILE procedure in the ToolTalk RPC database server is 
vulnerable to a buffer overflow. In most environments, this translates to 
a heap buffer overflow vulnerability that renders current non-executable 
stack protection mechanisms useless and can be bypassed. 
 
A successful attack exploiting this buffer overflow vulnerability would 
enable the attacker to run code with the privileges of the ToolTalk RPC 
database server that typically runs as root. Unsuccessful exploitation can 
still cause a denial of service on a vulnerable system.
 
VENDORS AFFECTED:
 - Caldera
 - Compaq Computer Corporation 
 - Cray Inc.
 - Data General
 - Fujitsu
 - Hewlett Packard
 - IBM
 - SGI
 - Sun Microsystems Inc.
 - The Open Group
 - Xi Graphics
 
Entercept worked directly with CERT (Computer Emergency Response Team), to 
ensure that the vendors had the technical details necessary to develop 
their patches and issue security advisories. The CERT advisory will be 
available at: http://www.cert.org/advisories/CA-2002-26.html
 
 
ACKNOWLEDGEMENTS/INFORMATION RESOURCES:
This vulnerability was discovered and researched by Sinan Eren of the 
Entercept Ricochet Team. 
 
ABOUT ENTERCEPT RICOCHET:
dedicated to identifying, assessing, and evaluating intelligence regarding 
server threats. The Ricochet team researches current and future avenues of 
solution. Ricochet is dedicated to providing critical, viable security 
content via security advisories and technical briefs. This content is 
designed to educate organizations and security professionals about the 
nature and severity of Internet security threats, vulnerabilities and 
exploits. 

Copyright Entercept Security Technologies. All rights reserved. Entercept 
and the Entercept logo are trademarks of Entercept Security Technologies. 
All other trademarks, trade names or service marks are the property of 
their respective owners. 

DISCLAIMER STATEMENT: 
The information in this bulletin is provided by Entercept Security 
Technologies, Inc. ("Entercept") and is intended to provide information on 
a particular security issue or incident. Given that each exploitation 
technique is unique, Entercept makes no claim to prevent any specific 
exploit related to the vulnerability discussed in this bulletin. Entercept 
expressly disclaims any and all warranties with respect to the information 
provided in this bulletin, express or implied or otherwise, including, but 
not limited to, warranty of fitness for a particular purpose. Under no 
circumstances may this information be used to exploit vulnerabilities in 
any other environment.
http://www.entercept.com/news/uspr/08-12-02.asp
###
 


 
 



Copyright 2020, SecurityGlobal.net LLC