CERT/CC Vulnerability Note VU#387387

Overview

The Common Desktop Environment (CDE) ToolTalk RPC database server contains a buffer overflow condition that could let an attacker execute arbitrary code or cause a denial of service on a vulnerable system. The ToolTalk RPC database server typically runs with root privileges.

Description

A buffer overflow vulnerability has been reported in the CDE ToolTalk RPC database server (rpc.ttdbserverd). A component of CDE, the ToolTalk architecture allows applications to communicate with each other via remote procedure calls (RPC) across different hosts and platforms. The ToolTalk RPC database server manages connections between ToolTalk applications. CDE and ToolTalk are installed and enabled by default on many common UNIX platforms.

The ToolTalk RPC database server is vulnerable to a heap buffer overflow via an argument to the procedure _TT_CREATE_FILE(). As noted by the reporter, the non-executable stack feature of some operating systems may not prevent exploitation of this vulnerability if the payload can be located on the heap. An attacker with access to the ToolTalk RPC database service could exploit this vulnerability with a specially crafted RPC message.

Impact

A remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The ToolTalk RPC database server typically runs with root privileges.

Solution

Apply a Patch

Apply the appropriate patch from your vendor as specified in the Systems Affected section below.

Disable rpc.ttdbserverd

Until patches are available and can be applied, you may wish to consider disabling the ToolTalk RPC database service. As a general best practice, the CERT/CC recommends disabling any services that are not explicitly required. The ToolTalk RPC database service may be enabled in /etc/rpc or in /etc/inetd.conf. For example, on a Solaris 8 system, comment out the following entry in /etc/inetd.conf to disable the ToolTalk RPC database service (rpc.ttdbserverd):

#
# Sun ToolTalk Database Server
#
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

The rpcinfo(1M) and ps(1) commands may be useful in determining if you system is running the ToolTalk RPC database server. On a Solaris 8 system, the following examples indicate that the ToolTalk RPC database server is running:

# rpcinfo -p | grep 100083
100083 1 tcp 32773

# ps -ef | grep rpc.ttdbserverd
root 355 164 0 19:31:27 ? 0:00 rpc.ttdbserverd

Block or Restrict Access

Until patches are available and can be applied, block or restrict access to the RPC portmapper service and the ToolTalk RPC database service from untrusted networks such as the Internet. Using a firewall or other packet-filtering technology, block the ports used by the RPC portmapper and ToolTalk RPC services. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. The ToolTalk RPC service may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo command. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. It is important to understand your network configuration and service requirements before deciding what changes are appropriate.

Vendor Information

387387

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Caldera Affected

Hewlett-Packard Company Affected

Notified: July 04, 2002 Updated: September 09, 2002

Status

Affected

Vendor Statement

SOURCE: Hewlett-Packard Company Software Security Response Team (SSRT)

Date: 15 August, 2002
CROSS REFERENCE ID: SSRT2274

HP Tru64 UNIX

At the time of writing this document, Hewlett Packard is currentlyinvestigating the potential impact to HP-UX and HP Tru64 UNIX releasedoperating system software.

HP will provide notice of the availability of any necessary patchesthrough standard security bulletin announcements and be available fromyour normal HP Services support channel.

HP-UX

A preliminary fix for HP-UX is avaiable:

Originally issued: 12 July 2002
Last revision: 14 Aug 2002

ftp://ttdb1:ttdb1@hprc.external.hp.com/
file: rpc.ttdbserver.2.tar.gz

Details can be found in HPSBUX0207-199 at http://itrc.hp.com

NOT IMPACTED:

HP-MPE/ix
HP OpenVMS
HP NonStop Servers

HP Recommended Workaround:

A recommended workaround is to disable rpc.ttdbserverd until solutionsare available. This should only create a potential problem for publicsoftware packages applications that use the RPC-based ToolTalkdatabase server. This step should be evaluated against the risksidentified, your security measures environment, and potential impactof other products that may use the ToolTalk database server.

To disable rpc.ttdbserverd:

HP Tru64 Unix:

Comment out the following line in /etc/inetd.conf:
rpc.ttdbserverd stream tcp swait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
Force inetd to re-read the configuration file by executing the inetd -h command.
Note: The internet daemon should kill the currently running rpc.ttdbserver. If not, manually kill any existing rpc.ttdbserverd process.

HP-UX:

Comment out the following line in /etc/inetd.conf:
rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver [10.20]
or
rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver [11.0/11.11]
Force inetd to re-read the configuration file by executing the inetd -c command.
Note: The internet daemon should kill the currently running rpc.ttdbserver. If not, manually kill any existing rpc.ttdbserverd process.

To report potential security vulnerabilities in HP software, send anE-mail message to: security-alert@hp.com

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Hewlett-Packard has released a security bulletin (SRB0039W/SSRT2274) that addresses VU#387387 and other vulnerabilities.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Affected

Sun Microsystems Inc. Affected

Xi Graphics Affected

Cray Inc. Unknown

Data General Unknown

SGI Unknown

The Open Group Unknown

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT/CC thanks Sinan Eren of the Entercept Ricochet Team for reporting this vulnerability.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2002-0679
Severity Metric:	14.04
Date Public:	2002-08-12
Date First Published:	2002-08-12
Date Last Updated:	2002-09-09 22:15 UTC
Document Revision:	32

Software Engineering Institute

CERT Coordination Center

Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) vulnerable to buffer overflow via _TT_CREATE_FILE()

Vulnerability Note VU#387387

Overview

Description

Impact

Solution

Vendor Information

Caldera Affected

Hewlett-Packard Company Affected

IBM Affected

Sun Microsystems Inc. Affected

Xi Graphics Affected

Cray Inc. Unknown

Data General Unknown

SGI Unknown

The Open Group Unknown

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC