===========================================================================
              AUSCERT External Security Bulletin Redistribution

                             
          ESB-98.141 -- Network Associates, Inc. SECURITY ADVISORY
                   Stack Overflow in ToolTalk RPC Service
                              4 September 1998

===========================================================================

Network Associates, Inc. has released the following advisory concerning a 
stack overflow in the ToolTalk RPC Service.  This vulnerability may allow a 
remote attacker to run arbitrary code as the superuser on hosts supporting 
the ToolTalk service.

--------------------------BEGIN INCLUDED TEXT--------------------
=======================================================================


                         Network Associates, Inc.
                           SECURITY ADVISORY
                            August 31, 1998
                            NAI Advisory 29
                 Stack Overflow in ToolTalk RPC Service


=======================================================================

SYNOPSIS

An implementation fault in the ToolTalk object database server allows
a remote attacker to run arbitrary code as the superuser on hosts
supporting the ToolTalk service.  The affected program runs on many
popular UNIX operating systems supporting CDE and some Open Windows
installs. This vulnerability is being actively exploited by
attackers on the Internet.


=======================================================================

Confirmed Vulnerable Operating Systems and Third Party Vendors


Sun Microsystems
----------------

SunOS 5.6, 5.6_x86
SunOS 5.5.1, 5.5.1_x86
SunOS 5.5, 5.5_x86
SunOS 5.4, 5.4_x86
SunOS 5.3
SunOS 4.1.
SunOS 4.1.3_U1

Hewlett Packard
---------------

HP-UX release 10.10
HP-UX release 10.20
HP-UX release 10.30
HP-UX release 11.00

SGI
---

IRIX 5.3
IRIX 5.4
IRIX 6.2
IRIX 6.3
IRIX 6.4

IBM
---

AIX 4.1.X
AIX 4.2.X
AIX 4.3.X


TriTeal
-------

TriTeal CDE - TED versions 4.3 and previous.


Xi Graphics
-----------

Xi Graphics Maximum CDE v1.2.3


It should be noted here that this is not an exhaustive list of
vulnerable vendors. These are only the *confirmed vulnerable* vendors.
Also, any OS installation that is not configured to use or start up
the ToolTalk service is not vulnerable to this problem.

To determine whether the ToolTalk database server is running on a
host, use the "rpcinfo" command to print a list of the RPC services
running on it, as:

$ rpcinfo -p <hostname>

Because many operating systems do not include an entry for the
ToolTalk database service in the RPC mapping table ("/etc/rpc" on
most Unix platforms), the vulnerable service may not appear by name
in the listing. The RPC program number for the ToolTalk database
service is 100083. If an entry exists for this program, such as,

        100083          1       tcp     692

then the service is running on the host. Until additional information
is made available from the OS vendor, it should be assumed that the
system is vulnerable to the attack described in this advisory.


========================================================================


DETAILS

The ToolTalk service allows independently developed applications
to communicate with each other by exchanging ToolTalk messages.
Using ToolTalk, applications can create open protocols which allow
different programs to be interchanged, and new programs to be
plugged into the system with minimal reconfiguration.

The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service
which manages objects needed for the operation of the ToolTalk
service. ToolTalk-enabled processes communicate with each other using
RPC calls to this program, which runs on each ToolTalk-enabled host.
This program is a standard component of the ToolTalk system, which
ships as a standard component of many commercial Unix operating
systems. The ToolTalk database server runs as root.

Due to an implementation fault in rpc.ttdbserverd, it is possible for
a malicious remote client to formulate an RPC message that will cause
the server to overflow an automatic variable on the stack. By
overwriting activation records stored on the stack, it is possible to
force a transfer of control into arbitrary instructions provided by
the attacker in the RPC message, and thus gain total control of the
server process.


=======================================================================

TECHNICAL DETAILS

Source code and XDR specifications for the ToolTalk database protocol
and server were not available at the time this advisory was drafted.
What follows is information based on analysis of the rpc.ttdbserverd
binary and a captured attack trace from a network on which an
exploitation script for this problem was run.

The observed attack utilized the ToolTalk Database (TTDB) RPC
procedure number 7, with an XDR-encoded string as its sole argument.
TTDB procedure 7 corresponds to the _tt_iserase_1() function symbol
in the Solaris binary (/usr/openwin/bin/rpc.ttdbserverd). This
function implements an RPC procedure which takes an ASCII string as
an argument, which is treated as a pathname.

The pathname string is passed to the function isopen(), which in
turn passes it to _am_open(), then to _amopen(), _openfcb(),
_isfcb_open(), and finally to _open_datfile(), where it, as the first
argument to the function, is passed directly to a strcpy() to a
pointer on the stack.  If the pathname string is suitably large, the
string overflows the stack buffer and overwrites an activation record,
allowing control to transfer into instructions stored in the pathname
string.
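As an added illustration (not the rpc.ttdbserverd source, which the advisory's authors did not have, and not code from NAI), the following models the two places a bound belongs on the path the procedure-7 string takes: at XDR decode time, and again before the copy into the automatic buffer in _open_datfile(). The function names, both buffer sizes and the test messages are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction for illustration; the real rpc.ttdbserverd
 * source was not available to the advisory's authors and is not shown here.
 * Both sizes below are assumptions, not values taken from the binary. */
#define TTDB_PATH_MAX 1024   /* assumed cap for the procedure-7 pathname */
#define DATFILE_BUF   256    /* assumed size of the stack buffer in _open_datfile */

/* Decode one XDR string (4-byte big-endian length, bytes, padded to a
 * multiple of 4) from a message buffer, refusing any length above maxlen.
 * This is the check xdr_string()'s maxsize argument performs when a .x
 * file declares "string path<1024>" rather than the unbounded "string path<>".
 * Returns 0 and a NUL-terminated copy in out, or -1 on a short/oversized string. */
int xdr_decode_string_bounded(const uint8_t *msg, size_t msglen, size_t maxlen,
                              char *out, size_t outsz) {
    if (msglen < 4) return -1;
    uint32_t len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                   ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];
    if (len > maxlen || len >= outsz) return -1;      /* bound before any copy */
    size_t padded = ((size_t)len + 3u) & ~(size_t)3u;
    if (msglen - 4 < padded) return -1;               /* claimed length exceeds message */
    memcpy(out, msg + 4, len);
    out[len] = '\0';
    return 0;
}

/* The shape the advisory describes: the pathname is strcpy()'d into an
 * automatic array with no length check. Nothing in this block calls it;
 * it is here only as the contrast to the bounded version below. */
void open_datfile_unbounded(const char *pathname) {
    char datfile[DATFILE_BUF];
    strcpy(datfile, pathname);   /* overflows when pathname >= DATFILE_BUF bytes */
    (void)datfile;
}

/* Hardened shape: confirm the name (with its NUL) fits before copying.
 * Returns 0 when it fits, -1 when the copy would have overflowed. */
int open_datfile_bounded(const char *pathname) {
    char datfile[DATFILE_BUF];
    size_t n = 0;
    while (n < DATFILE_BUF && pathname[n] != '\0') n++;
    if (n == DATFILE_BUF) return -1;                  /* no terminator within the buffer */
    memcpy(datfile, pathname, n + 1);
    (void)datfile;
    return 0;
}
```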


=======================================================================

RESOLUTION

This is an implementation problem and can only be resolved completely
by applying patches to or replacing affected software.  As a temporary
workaround, it is possible to eliminate vulnerability to this problem
by disabling the ToolTalk database service. This can be done by
killing the "rpc.ttdbserverd" process and removing it from any OS
startup scripts. It should be noted that this may impair system
functionality.

The following vendors have been confirmed vulnerable, contacted, and
have responded with repair information:

Sun Microsystems
----------------

Sun plans to release patches this week that relate to the ToolTalk
vulnerability for SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and
5.5_x86.

Patches for SunOS 5.4, 5.4_x86, 5.3, 4.1.4 and 4.1.3_U1 will be
released in about 4 weeks.

Sun recommended and security patches (including checksums) are
available from:

        http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

Hewlett Packard
---------------

HP-UX has been confirmed vulnerable in releases 10.XX and 11.00. HP
has made patches available with the following identifications:

       HP-UX release 10.10  HP9000 Series 7/800   PHSS_16150
       HP-UX release 10.20  HP9000 Series 7/800   PHSS_16147
       HP-UX release 10.30  HP9000 Series 7/800   PHSS_16151
       HP-UX release 11.00  HP9000 Series 7/800   PHSS_16148

IBM
---

IBM AIX has been confirmed vulnerable. IBM's response is as follows:

The version of ttdbserver shipped with AIX is vulnerable. We are
currently working on the following fixes which will be available soon:

  APAR 4.1.x: IX81440
  APAR 4.2.x: IX81441
  APAR 4.3.x: IX81442

Until the official APARs are available, a temporary fix can be
downloaded via anonymous ftp from:

  ftp://aix.software.ibm.com/aix/efixes/security/ttdbserver.tar.Z

TriTeal
-------

An official response from TriTeal is as follows:

The ToolTalk vulnerability will be fixed in the TED4.4 release. For
earlier versions of TED, please contact the TriTeal technical support
department at <support@triteal.com> or at
http://www.triteal.com/support.

Xi Graphics
-----------

An official response from Xi Graphics is as follows:

Xi Graphics Maximum CDE v1.2.3 is vulnerable to this attack.  A patch
to correct this problem will be placed on our FTP site by 8/28/1998:

ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.tar.gz
ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.txt

Users of Maximum CDE v1.2.3 are urged to install this update.

Silicon Graphics
----------------

The Security Labs team at Network Associates has confirmed that SGI
IRIX 6.3 is vulnerable to this attack. SGI's security team has been
contacted and informed of the vulnerability. No repair information
has been made available from Silicon Graphics regarding this problem.

Other Vendors
-------------

If any uncertainty exists with regards to whether a given vendor not
listed in this advisory is vulnerable to this attack, we recommend
contacting them via their support/security channels for more
information.


========================================================================


ACKNOWLEDGEMENTS

The NAI Security Labs Team would like to thank the HP & IBM Security
Response Teams, CERT/CC & AUSCERT for their contributions to this
advisory.


=======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most
important research in computer security today. With over 28 security
advisories published in the last 2 years, the Network Associates
security auditing teams have been responsible for the discovery of
many of the Internet's most serious security flaws. This advisory
represents our ongoing commitment to provide critical information to
the security community.

For more information about the Security Labs at Network Associates,
see our website at http://www.nai.com or contact us at
<seclabs@nai.com>.


=======================================================================

--------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

