AUSCERT External Security Bulletin Redistribution

                 ESB-2001.480 -- CERT Advisory CA-2001-31
             Buffer Overflow in CDE Subprocess Control Service
                             13 November 2001


        AusCERT Security Bulletin Summary

Product:                CDE
Operating System:       UNIX
Impact:                 Root Compromise
                        Denial of Service
Access Required:        Remote

Ref:                    ESB-2001.479

- --------------------------BEGIN INCLUDED TEXT--------------------


CERT Advisory CA-2001-31 Buffer Overflow in CDE Subprocess Control Service

   Original release date: November 12, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Systems running CDE


   There  is  a  remotely  exploitable buffer overflow vulnerability in a
   library  function  used  by  the  CDE Subprocess Control Service. This
   vulnerability  could  be  used  to  crash  the  service  or to execute
   arbitrary  code with root privileges. This vulnerability is documented
   in VU#172583.

I. Description

   The  Common  Desktop Environment (CDE) is an integrated graphical user
   interface  that  runs  on  UNIX  and  Linux operating systems. The CDE
   Subprocess  Control  Service (dtspcd) is a network daemon that accepts
   requests  from  clients  to  execute  commands and launch applications
   remotely.  On  systems  running CDE, dtspcd is spawned by the Internet
   services  daemon  (typically  inetd  or  xinetd)  in response to a CDE
   client request. dtspcd is typically configured to run on port 6112/tcp
   with root privileges.

   For more information about CDE, see



   There  is  a  remotely  exploitable buffer overflow vulnerability in a
   shared  library  that  is  used  by dtspcd. During client negotiation,
   dtspcd  accepts  a  length  value  and subsequent data from the client
   without performing adequate input validation. As a result, a malicious
   client can manipulate data sent to dtspcd and cause a buffer overflow,
   potentially executing code with root privileges.

   The  vulnerability  was  first  reported to us in March 1999, and more
   recently   by  Internet  Security  Systems  (ISS)  X-Force.  For  more
   information, see



   This  vulnerability  has been assigned the identifier CAN-2001-0803 by
   the Common Vulnerabilities and Exposures (CVE) group:


   Many  common  UNIX  systems  ship  with  CDE  installed and enabled by
   default.  To  determine  if  your  system is configured to run dtspcd,
   check for the following entries (may be wrapped):


         dtspc 6112/tcp


         dtspc   stream   tcp   nowait   root   /usr/dt/bin/dtspcd

   Any system that does not run the CDE Subprocess Control Service is not
   vulnerable to this problem.

II. Impact

   An attacker can execute arbitrary code with root privileges.

III. Solution

Apply a patch

   Appendix  A  contains  information  from  vendors  who  have  provided
   information  for  this  advisory.  We  will  update the appendix as we
   receive more information. If a vendor's name does not appear, then the
   CERT/CC  did  not  hear  from  that vendor. Please contact your vendor

Limit access to vulnerable service

   Until  patches are available and can be applied, you may wish to limit
   or  block  access  to  the  Subprocess  Control Service from untrusted
   networks   such   as   the   Internet.   Using  a  firewall  or  other
   packet-filtering technology, block or restrict access to the port used
   by the Subprocess Control Service. As noted above, dtspcd is typically
   configured  to  listen on port 6112/tcp. It may be possible to use TCP
   Wrapper or a similar technology to provide improved access control and
   logging  functionality  for  dtspcd  connections.  Keep  in  mind that
   blocking  ports at a network perimeter does not protect the vulnerable
   service  from the internal network. It is important to understand your
   network  configuration  and  service requirements before deciding what
   changes are appropriate. TCP Wrapper is available from


Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  When  vendors  report  new  information  to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their

Caldera, Inc.

   Caldera  Open  Unix  and UnixWare are vulnerable. Caldera has released
   Security Advisory CSSA-2001-SCO.30 (URL wrapped):


Compaq Computer Corporation

   Case ID SSRT0782U
   Compaq  has  not been able to reproduce the problem identified in this
   advisory  for  any Compaq OS. However, with the information available,
   we  are  including  a  code  change  for Compaq's TRU64 UNIX that will
   further reduce any potential overflow vulnerability. This updated code
   will  be  announced when patches are available from the TRU64 UNIX FTP
   site  and will be included in future releases of TRU64 UNIX. The TRU64
   UNIX FTP patch site is at:


   To  subscribe  to automatically receive future NEW Security Advisories
   from the Compaq's Software Security Response Team via electronic mail,
   use your browser select the URL:


   Select  "Security  and  Individual  Notices"  for  immediate  dispatch
   notifications directly to your mailbox.
   To report new Security Vulnerabilities, send mail to:


Cray Inc.

   UNICOS, UNICOS/mk, and CrayTools are not vulnerable.


   Fujitsu's UXP/V operating system is not vulnerable because it does not
   support any CDE components.

Hewlett-Packard Company

   The  version of dtspcd supplied by HP has a buffer overflow. It is not
   clear  whether  this  overflow  can  be  exploited.  To  be safe HP is
   generating  patches  to  fix  this  overflow on the assumption that it
   might be exploitable.

IBM Corporation

   IBM  addressed a buffer overflow in CDE dtspcd in AIX 4.x around April
   1999. See the following APARs for more information (URLs wrapped):
   APAR IY06694:


   APAR IX89419 (AIX 4.3.0):


   APAR IX89893 (AIX 4.2.0):


   APAR IX89806 (AIX V4.1 BOS):


The Open Group

   The   Open   Group  maintains  source  code  for  the  Common  Desktop
   Environment  (CDE).  The  Open  Group is investigating this issue, and
   source   licensees  of  The  Open  Group's  CDE  product  can  contact
   desktop@opengroup.org for advice regarding this issue.


   SGI  acknowledges  the  CDE  vulnerabilities  reported  by CERT and is
   currently  investigating.  No further information is available at this
   time.  For the protection of all our customers, SGI does not disclose,
   discuss  or  confirm  vulnerabilities  until  a full investigation has
   occurred  and any necessary patch(es) or release streams are available
   for all vulnerable and supported IRIX operating systems. Until SGI has
   more  definitive  information  to provide, customers are encouraged to
   assume   all   security   vulnerabilities   as  exploitable  and  take
   appropriate  steps  according  to  local  site  security  policies and
   requirements.  As  further  information  becomes available, additional
   advisories  will  be  issued  via  the normal SGI security information
   distribution methods including the wiretap mailing list.



   The  Sun  dtspcd  daemon is vulnerable to this buffer overflow. Sun is
   generating  patches  to  address  this  issue  for  all  affected  and
   supported  versions  of  Solaris. Sun will be releasing a Sun Security
   Bulletin  once  the  patches  are  officially  released  and  publicly
   available. The patches will be available from:


   Sun Security Bulletins are available from:


Xi Graphics

   We  have  not  been  able to confirm whether we are vulnerable to this
   exploit,  however  the  potential  for a buffer overrun is present. We
   will  provide  a  patch  on our FTP site for DeXtop during the week of
   [November] 12th that addresses this issue.

Appendix B. - References

    1. http://www.kb.cert.org/vuls/id/172583
    2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803
    3. http://xforce.iss.net/alerts/advise101.php
    4. http://www.opengroup.org/cde/
    5. http://www.opengroup.org/desktop/faq/

   The  CERT  Coordination  Center thanks Internet Security Systems (ISS)
   X-Force, who published an advisory on this issue.

   Author: Art Manion

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from


   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

    Getting security information

   CERT  publications  and  other security information are available from
   our web site


   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History
November 12, 2001:  initial release

Version: PGP 6.5.8


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key