AUSCERT External Security Bulletin Redistribution

                 ESB-2001.416 -- CERT Advisory CA-2001-27
                Format String Vulnerability in CDE ToolTalk
                              8 October 2001


        AusCERT Security Bulletin Summary

Product:                ToolTalk RPC service
Operating System:       Linux
Impact:                 Root Compromise
                        Denial of Service
Access Required:        Remote

Ref:                    ESB-2001.409

- --------------------------BEGIN INCLUDED TEXT--------------------


CERT Advisory CA-2001-27 Format String Vulnerability in CDE ToolTalk

   Original release date: October 5, 2001
   Last revised: Thu Oct 5 14:17:55 EDT 2001
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Systems running CDE ToolTalk


   There is a remotely exploitable format string vulnerability in the CDE
   ToolTalk  RPC  database  service.  This vulnerability could be used to
   crash  the  service or execute arbitrary code, potentially allowing an
   intruder  to  gain  root  access.  This vulnerability is documented in

I. Description

   The  Common  Desktop Environment (CDE) is an integrated graphical user
   interface  that runs on Unix and Linux operating systems. CDE ToolTalk
   is  a  message  brokering  system  that  provides  an architecture for
   applications   to   communicate  with  each  other  across  hosts  and
   platforms.  The ToolTalk RPC database server, rpc.ttdbserverd, manages
   communication  between  ToolTalk  applications.  For  more information
   about CDE, see


   There is a remotely exploitable format string vulnerability in the CDE
   ToolTalk  RPC  database  server.  While handling an error condition, a
   syslog(3)  function  call  is  made  without providing a format string
   specifier  argument.  Since  rpc.ttdbserverd does not perform adequate
   input  validation  or  provide the format string specifier argument, a
   crafted  RPC  request  containing  format  string  specifiers  will be
   interpreted  by the vulnerable syslog(3) function call. Such a request
   can  be  designed  to  overwrite  specific  locations  in memory, thus
   executing code with the privileges of rpc.ttdbserverd, typically root.

   The  vulnerability  was  discovered by Internet Security Systems (ISS)
   X-Force. For more information, see


   This  vulnerability has been assigned the identifier CAN-2001-00717 by
   the Common Vulnerabilities and Exposures (CVE) group:


   Many  common UNIX systems ship with CDE ToolTalk installed and enabled
   by  default.  The  rpcinfo  command  may help determine if a system is
   running the ToolTalk RPC database service:

          $ rpcinfo -p hostname

   The  program  number  for the ToolTalk RPC database service is 100083.
   References  to  this  number in the output from rpcinfo or in /etc/rpc
   may  indicate  that  the ToolTalk RPC database service is running. Any
   system  that  does  not  run  the ToolTalk RPC database service is not
   vulnerable to this problem.

II. Impact

   An  attacker  can  execute  arbitrary  code with the privileges of the
   rpc.ttdbserverd process, typically root.

III. Solution

Apply a patch

   Appendix  A  contains  information  from  vendors  who  have  provided
   information  for  this  advisory.  We  will  update the appendix as we
   receive more information. If a vendor's name does not appear, then the
   CERT/CC  did  not  hear  from  that vendor. Please contact your vendor

Block access to vulnerable service

   Until  patches are available and can be applied, you may wish to block
   access to the RPC portmapper service and the ToolTalk RPC service from
   untrusted  networks  such  as  the internet. Using a firewall or other
   packet-filtering   technology,   block  the  ports  used  by  the  RPC
   portmapper  and  ToolTalk  RPC  services.  The  RPC portmapper service
   typically  runs on ports 111/tcp and 111/udp. The ToolTalk RPC service
   may  be configured to use port 692/tcp or another port as indicated in
   output from the rpcinfo command. Keep in mind that blocking ports at a
   network  perimeter  does  not  protect the vulnerable service from the
   internal   network.   It  is  important  to  understand  your  network
   configuration  and  service  requirements before deciding what changes
   are appropriate.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  When  vendors  report  new  information  to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their

Caldera, Inc.

   Caldera  UnixWare  and  Open  Linux  are  vulnerable,  and  a  fix  is

Compaq Computer Corporation

   Compaq Computer Corporation
   Software Security Response Team
   Severity: low
   ToolTalk RPC Server Format String Vulnerability
   This potential security vulnerability has not been
   reproduced for any release of Compaq Tru64 Unix.
   However with the information available, we are providing
   a patch that will further reduce any potential
   A patch has been made available for all supported
   versions of Tru64/ DIGITAL UNIX V4.0f, V4.0g, V5.0a,
   V5.1, and V5.1a.
   *This solution will be included in a future distributed release of
   Compaq's Tru64/ DIGITAL UNIX.
   This patch may be obtained from the following URL address:
   Select BROWSE PATCH TREE and choose the version directory
   The patch names are:
   Note:  Te asterisk in the filename indicates the remainder of the
   tarfile name may change depending on the applicable date.
   This patch can be installed on:
   V4.0f, V4.0g            all patch kits
   V5.0a, V5.1, and V5.1a  all patch kits

Cray Inc.

   UNICOS and UNICOS/mk are not vulnerable to [this] advisory.  For
   further inform ation see Cray SPR 721061.  Cray SPRs are available
   to licensed Cray customers.

Hewlett-Packard Company

   Patches are now available from HP.  See HPSBUX0110-168 for details.

IBM Corporation

   IBM AIX 5.1 and 4.3 are vulnerable.  IBM has released an emergency
   fix (efix) w hich contains patched binaries for both AIX 5.1 and
   AIX 4.3 as well as an advis ory:
   IBM is working on APARs which will not be available until late
   October or Novem ber of 2001.
       AIX 4.3: Pending assignment
       AIX 5.1: APAR #IY23846

The Open Group

   The   Open   Group  maintains  source  code  for  the  Common  Desktop
   Environment  (CDE).  Source  licensees of The Open Group's CDE product
   can  contact  desktop@opengroup.org for advice and a source patch that
   address this issue.


   SGI  acknowledges  the  CDE  vulnerabilities  reported  by CERT and is
   currently  investigating.  No further information is available at this
   time.  For the protection of all our customers, SGI does not disclose,
   discuss  or  confirm  vulnerabilities  until  a full investigation has
   occurred  and any necessary patch(es) or release streams are available
   for all vulnerable and supported IRIX operating systems. Until SGI has
   more  definitive  information  to provide, customers are encouraged to
   assume   all   security   vulnerabilities   as  exploitable  and  take
   appropriate  steps  according  to  local  site  security  policies and
   requirements.  As  further  information  becomes available, additional
   advisories  will  be  issued  via  the normal SGI security information
   distribution methods including the wiretap mailing list.



   Sun  has  reproduced  the  vulnerability and is testing a fix. The Sun
   patches will be made available at the following location:


Xi Graphics

   Xi  Graphics  is  investigating  this  report  and  will  provide more
   information when it is available.

Appendix B. - References

    1. http://www.opengroup.org/cde/
    2. http://www.opengroup.org/desktop/faq/
    3. http://xforce.iss.net/alerts/advise98.php
    4. http://www.kb.cert.org/vuls/id/595507
    5. http://www.cert.org/advisories/CA-1998-11.html

   The  CERT  Coordination  Center thanks Internet Security Systems (ISS)
   X-Force,  who  published an advisory on this issue. We would also like
   to thank The Open Group for technical assistance.

   Authors: Art Manion and Shawn V. Hernan

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from


   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

    Getting security information

   CERT  publications  and  other security information are available from
   our web site


   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History

   October 5, 2001:  initial release

Version: PGP 6.5.8


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key