Date: 11 July 2002
References: ESB-2002.335 ESB-2002.346 ESB-2002.347 ESB-2002.350 ESB-2002.438 ESB-2002.439 ESB-2002.523
===========================================================================
A U S C E R T A L E R T
AL-2002.07 -- AUSCERT ALERT
Multiple Vulnerabilities in CDE ToolTalk RPC Database Server
11 July 2002
===========================================================================
PROBLEM:
A component of the Common Desktop Environment (CDE), the ToolTalk
architecture allows independently developed applications to
communicate with each other using remote procedure calls (RPC)
across different hosts. The ToolTalk RPC database server controls
connections between ToolTalk applications and hosts. CDE and
ToolTalk are commonly installed and enabled with root privileges
on many UNIX operating systems.
Two new vulnerabilities have been reported in the ToolTalk
database server (rpc.ttdbserverd). The first involves
inadequate checking of an argument from the client, allowing an
attacker to overwrite sections of memory with zeros. A specially
crafted RPC call may allow an attacker to cause a denial of
service, create or overwrite arbitrary files, delete arbitrary
files, and possibly execute arbitrary code on the ToolTalk server.
The second vulnerability relates to the ToolTalk server not
checking whether the files it creates or writes to are
symbolic links. This may allow a local attacker to overwrite
arbitrary files through the use of symbolically linked files,
possibly gaining the privileges of the ToolTalk server.
PLATFORM:
CERT/CC has contacted all major vendors and is awaiting their
responses. As many common UNIX systems have ToolTalk enabled by
default, administrators are encouraged to determine whether they are
running the ToolTalk RPC database server and take steps to mitigate
their risk until vendor patches are available. Mitigation steps
are detailed in the Mitigation section below.
The rpcinfo command can be used to help determine if a server is
running the ToolTalk RPC database server:
rpcinfo -p <hostname>
The program number for the ToolTalk RPC database service is 100083.
References to this number in the output from rpcinfo or in /etc/rpc
may indicate that the ToolTalk RPC database service is running. Any
system that does not run the ToolTalk RPC database service is not
vulnerable to this problem.
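As an added example (not part of the AusCERT alert), the following POSIX shell script automates the check above: it parses `rpcinfo -p` output for RPC program number 100083 and lists the protocol/port pairs on which the ToolTalk RPC database server is registered, which is also the list an administrator needs when writing filter rules. The sample `rpcinfo -p` output is constructed; the service name `ttdbserver` and port 692/tcp are taken from the alert.

```shell
#!/bin/sh
# Added example, not from the AusCERT alert: find the ToolTalk RPC
# database server (RPC program number 100083) in `rpcinfo -p` output.

TTDB_PROG=100083

# Read `rpcinfo -p` output on stdin and print "proto port" for every
# registration of program 100083.  Columns: program vers proto port [service]
ttdb_ports() {
    awk -v prog="$TTDB_PROG" '$1 == prog { print $3, $4 }' | sort -u
}

# Exit 0 if program 100083 appears in the rpcinfo output on stdin, else 1.
ttdb_registered() {
    [ -n "$(ttdb_ports)" ]
}

# Constructed sample `rpcinfo -p` output for a host with ToolTalk enabled.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100083    1   tcp    692  ttdbserver
    100021    1   udp   2049  nlockmgr'

# Constructed sample for a host without the ToolTalk RPC database service.
SAMPLE_CLEAN='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper'

# Query a live host when a hostname is given and rpcinfo is installed;
# otherwise fall back to the constructed sample so the script runs offline.
check_host() {
    host="$1"
    if [ -n "$host" ] && command -v rpcinfo >/dev/null 2>&1; then
        out=$(rpcinfo -p "$host" 2>/dev/null)
    else
        out="$SAMPLE_RPCINFO"
    fi
    if printf '%s\n' "$out" | ttdb_registered; then
        echo "ToolTalk RPC database server (100083) registered on ${host:-sample}:"
        printf '%s\n' "$out" | ttdb_ports | sed 's/^/  /'
        return 0
    fi
    echo "Program 100083 not registered on ${host:-sample}"
    return 1
}

check_host "$@"
```

Run with a hostname argument to query a real host; the exit status is 0 when the service is registered, so the script can drive an inventory sweep.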
IMPACT:
While the vulnerabilities impact different aspects of the ToolTalk
server, the overall impact summary is that vulnerable systems may
allow a remote attacker to execute arbitrary code with the
privileges of the ToolTalk RPC database server, typically root.
MITIGATION:
Contact your vendor and apply appropriate patches when they become
available.
Until patches are available for your specific operating system, you
may wish to limit or block access to vulnerable servers. This may
be done using a firewall or other packet filtering device to block
the ports used by the RPC portmapper and ToolTalk RPC services.
The RPC portmapper service typically runs on port 111/tcp and 111/udp.
The ToolTalk RPC daemon may be configured to use port 692/tcp or
another port as indicated in output from the rpcinfo command. Keep
in mind that blocking ports at a network perimeter does not protect
the vulnerable service from the internal network. It is important
to understand your network configuration and service requirements
before deciding what changes are appropriate.
AusCERT and CERT/CC are currently monitoring this issue. If and
when patches become available, AusCERT will issue updates and
vendor bulletins.
---------------------------------------------------------------------------
AusCERT would like to thank CERT/CC for its assistance with the production
of this alert.
---------------------------------------------------------------------------
AusCERT issues an alert when a vulnerability poses a risk that requires
notification, even though the vulnerability may not yet have been thoroughly
investigated and a work-around or fix may not yet have been developed.
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================