what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CA-99.11.CDE

CA-99.11.CDE
Posted Sep 14, 1999

Multiple vulnerabilities have been identified in some distributions of the Common Desktop Environment (CDE).

tags | vulnerability
SHA-256 | 2d78f97e15faf286dc5325055282ee431d85a0b0d264ec0690e3df1c5ed1be86

CA-99.11.CDE

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-11 Four Vulnerabilities in the Common Desktop Environment

Original release date: September 13, 1999
Last revised: September 13, 1999
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems running the Common Desktop Environment (CDE)

I. Description

Multiple vulnerabilities have been identified in some distributions of
the Common Desktop Environment (CDE). These vulnerabilities are
different from those discussed in CA-98.02. We recommend that you
install appropriate vendor patches as soon as possible (see Section
III below). Until you can do so, we encourage you to disable or
uninstall vulnerable copies of the CDE package. Note that disabling
these programs will severely affect the utility of the CDE
environment.

At this time, the CERT/CC has not received any reports of these
vulnerabilities being exploited by intruders.

Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism

The ToolTalk messaging server ttsession allows independent
applications to communicate without having direct knowledge of each
other. Applications can communicate through an associated ttsession
which delivers messages via RPC calls between interested agents.

On many systems, ttsession uses AUTH_UNIX authentication (a
client-based security option) by default. When messages are received,
ttsession uses certain environment variables supplied by the client
to determine how the message is handled. Because of this, the
ttsession process can be manipulated to execute unauthorized
arbitrary programs with the privileges of the running ttsession.

Vulnerability #2: CDE dtspcd relies on file-system based authentication

The network daemon dtspcd (a CDE desktop subprocess control program)
accepts CDE requests from clients to execute commands and launch
applications remotely.

When a client makes a request, the dtspcd daemon asks the client to
create a file that has a predictable name so that the daemon can
authenticate the request. If a local user can manipulate the files
used for authentication, then that user can craft arbitrary commands
that may run as root.

Vulnerability #3: CDE dtaction buffer overflow

The dtaction utility allows applications or shell scripts that
otherwise are not connected into the CDE development environment, to
request that CDE actions be performed.

A buffer overflow can occur in some implementations of dtaction when a
username argument greater than 1024 bytes is used.

Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION

There is a vulnerability in some implementations of the ToolTalk
shared library which allows the TT_SESSION environment variable buffer
to overflow. A setuid root program using a vulnerable ToolTalk
library, such as dtsession, can be exploited to run arbitrary code as
root.

II. Impact

Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism

A local or remote user may be able to use this vulnerability to run
commands on a vulnerable system with the same privileges of the
attacked ttsession. For this attack to work, a ttsession must be
actively running on the system attacked. The ttsession daemon is
started whenever a user logs in using the CDE desktop, or upon
interaction with CDE at some future point.

Vulnerability #2: CDE dtspcd relies on file-system based authentication

A vulnerable dtspcd may allow a local user to run arbitrary commands
as root.

Vulnerability #3: CDE dtaction buffer overflow

A local user may be able to exploit this vulnerability to execute
arbitrary code with root privileges.

Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION

A local user may be able to exploit this vulnerability to execute
arbitrary code with root privileges.

III. Solution

Install appropriate patches from your vendor

We recommend installing vendor patches as soon as possible and disabling the
vulnerable programs until you can do so (or uninstalling the entire CDE
package if not needed). Note that disabling these programs will severely
affect the utility of the CDE environment.

Appendix A contains information provided by vendors for this advisory. We
will update the appendix as we receive more information. If you do not see
your vendor's name, the CERT/CC did not hear from that vendor. Please
contact your vendor directly.

Appendix A. Vendor Information

Compaq Computer Corporation

Problem #1

CDE ToolTalk session daemon & ToolTalk shared library overflow

This potential security problem has been resolved and a patch
for this problem has been made available for Tru64 UNIX V4.0D,
V4.0E, V4.0F and V5.0.

This patch can be installed on:

V4.0D-F, all patch kits
V5.0, all patch kits

*This solution will be included in a future distributed release
of Compaq's Tru64/ DIGITAL UNIX.

This patch may be obtained from the World Wide Web at the
following FTP address:

http://www.service.digital.com/patches

The patch file name is SSRT0617_ttsession.tar.Z

Problem #2

Compaq's Tru64/DIGITAL UNIX is not vulnerable.

Problem #3

CDE dtaction buffer overflow

This potential security problem has been resolved and a patch
for this problem has been made available for Tru64 UNIX V4.0D,
V4.0E and V4.0F.

This patch can be installed on:

V4.0D Patch kit BL11 or BL12
V4.0E Patch kit BL1 or BL12
V4.0F Patch kit BL1

*This solution will be included in a future distributed release
of Compaq's Tru64/ DIGITAL UNIX.

This patch may be obtained from the World Wide Web at the
following FTP address:

http://www.service.digital.com/patches

The patch file name is SSRT0615U_dtaction.tar.Z

Problem #4

CDE ToolTalk shared library overflow

See solution fix described in in Problem #1.

Fujitsu

Fujitsu's UXP/V operating system is not vulnerable to any of these
vulnerabilities.

Hewlett-Packard Company

HP-9000 Series 700/800 HP-UX releases 10.X and 11.0 systems with CDE
patches previously recommended in HP Security Bulletins are not
vulnerable to vulnerabilities #2, #3, and #4.

All HP-UX 10.X and 11.0 systems running CDE are vulnerable to
vulnerability #1.

Patches are in progress.

IBM Corporation

All releases of AIX version 4 are vulnerable to vulnerabilities #1,
#3, and #4. AIX is not vulnerable to #2. The following APARs
will be available soon:

AIX 4.1.x: IY03125 IY03847
AIX 4.2.x: IY03105 IY03848
AIX 4.3.x: IY02944 IY03849

Customers that do not require the CDE desktop functionality can
disable CDE by restricting access to the CDE daemons and
removing the dt entry from /etc/inittab. Run the following
commands as root to disable CDE:

# /usr/dt/bin/dtconfig -d
# chsubserver -d -v dtspc
# chsubserver -d -v ttdbserver
# chsubserver -d -v cmsd
# chown root.system /usr/dt/bin/*
# chmod 0 /usr/dt/bin/*

For customers that require the CDE desktop functionality, a
temporary fix is available via anonymous ftp from:

ftp://aix.software.ibm.com/aix/efixes/security/cdecert.tar.Z

Filename sum md5
=================================================================
dtaction_4.1 32885 18 82af470bbbd334b240e874ff6745d8ca
dtaction_4.2 52162 18 b10f21abf55afc461882183fbd30e602
dtaction_4.3 56550 19 6bde84b975db2506ab0cbf9906c275ed
libtt.a_4.1 29234 2132 f5d5a59956deb8b1e8b3a14e94507152
libtt.a_4.2 21934 2132 73f32a73873caff06057db17552b8560
libtt.a_4.3 12154 2118 b0d14b9fe4a483333d64d7fd695f084d
ttauth 56348 31 495828ea74ec4c8f012efc2a9e6fa731
ttsession_4.1 19528 337 bfac4a06b90cbccc0cd494a44bd0ebc9
ttsession_4.2 46431 338 05949a483c4e390403055ff6961b0816
ttsession_4.3 54031 339 e1338b3167c7edf899a33520a3adb060

NOTE - This temporary fix has not been fully regression tested.
Use the following steps (as root) to install the temporary fix.

1. Uncompress and extract the fix.

# uncompress < cdecert.tar.Z | tar xf -
# cd cdecert

2. Replace the vulnerable executables with the temporary fix for
your version of AIX.

# (cd /usr/dt/lib && mv libtt.a libtt.a.before_security_fix)
# (cd /usr/dt/bin && mv ttsession ttsession.before_security_fix)
# (cd /usr/dt/bin && mv dtaction dtaction.before_security_fix)
# chown root.system /usr/dt/lib/libtt.a.before_security_fix
# chown root.system /usr/dt/bin/ttsession.before_security_fix
# chown root.system /usr/dt/bin/dtaction.before_security_fix
# chmod 0 /usr/dt/lib/libtt.a.before_security_fix
# chmod 0 /usr/dt/bin/ttsession.before_security_fix
# chmod 0 /usr/dt/bin/dtaction.before_security_fix
# cp ./libtt.a_ /usr/dt/lib/libtt.a
# cp ./ttsession_ /usr/dt/bin/ttsession
# cp ./dtaction_ /usr/dt/bin/dtaction
# cp ./ttauth /usr/dt/bin/ttauth
# chmod 555 /usr/dt/lib/libtt.a
# chmod 555 /usr/dt/bin/ttsession
# chmod 555 /usr/dt/bin/dtaction
# chmod 555 /usr/dt/bin/ttauth

IBM AIX APARs may be ordered using Electronic Fix Distribution
(via the FixDist program), or from the IBM Support Center. For
more information on FixDist, and to obtain fixes via the
Internet, please reference

http://techsupport.services.ibm.com/support/rs6000.support/down
loads

or send electronic mail to "aixserv@austin.ibm.com" with the
word "FixDist" in the "Subject:" line. To facilitate ease of
ordering all security related APARs for each AIX release,
security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last
update and list of individual fixes, send electronic mail to
"aixserv@austin.ibm.com" with the word "subscribe
Security_APARs" in the "Subject:" line.

Santa Cruz Operation, Inc.

SCO is investigating these vulnerabilities on SCO UnixWare 7. Other
SCO products (OpenServer 5.0.x, UnixWare 2.1.x, Open Server /
Open Desktop 3.0 and CMW+) are not vulnerable as CDE is not a
component of these releases.

SCO will make patches and status information available at

http://www.sco.com/security.

Silicon Graphics, Inc.

SGI acknowledges the CDE vulnerabilities reported and is currently
investigating. No further information is available at this
time. As further information becomes available, additional
advisories will be issued via the normal SGI security
information distribution methods including the wiretap mailing
list.

Until SGI has more definitive information to provide, customers
are encouraged to assume all security vulnerabilities as
exploitable and take appropriate steps according to local site
security policies and requirements.

The SGI Security Headquarters Web page is accessible at the URL

http://www.sgi.com/Support/security/security.html

Sun Microsystems, Inc.

Vulnerability #1:

Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and
SunOS 4.1.4 and 4.1.3_U1 are vulnerable if the UNIX
authentication mechanism (default) is used with ttsession.

The use of DES authentication is recommended to resolve this
issue. To set the authentication mechanism to DES, use the
ttsession command with the '-a' option and specify 'des' as
the argument (see ttsession(1) for more information). The use
of DES authentication also requires that the system uses Secure
NFS, NIS+, or keylogin. For more information about Secure NFS,
NIS+, or keylogin, please see the System Administration Guide,
Volume II. Information is also available at:

http://docs.sun.com:80/ab2/coll.47.8/SYSADV2/@Ab2PageView/34908
?DwebQuery=secure+rpc

Vulnerability #2:

The following patches are available:

CDE version SunOS version Patch ID
___________ _____________ _________

1.3 5.7 108221-01
1.3_x86 5.7_x86 108222-01
1.2 5.6 108199-01
1.2_x86 5.6_x86 108200-01
1.0.2 5.5.1, 5.5, 5.4 108205-01
1.0.2_x86 5.5.1_x86, 5.5_x86, 5.4_x86 108206-01
1.0.1 5.5, 5.4 108252-01
1.0.1_x86 5.5_x86, 5.4_x86 108253-01

Vulnerability #3:

The following patches are available:

CDE version SunOS version Patch ID
___________ _____________ _________

1.3 5.7 108219-01
1.3_x86 5.7_x86 108220-01
1.2 5.6 108201-01
1.2_x86 5.6_x86 108202-01

Patches for CDE versions 1.0.2 and 1.0.1 will be available
within two weeks of the release of this advisory.

Vulnerability #4:

Patches will be available within two weeks of the release of
this advisory.

Sun security patches are available at:

http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-li
cense&nav=pubpatches
_________________________________________________________________

The CERT Coordination Center would like to thank Job de Haas for
reporting these vulnerabilities and working with the vendors to effect
fixes. We would also like to thank Network Solutions Atlantic for
their efforts in coordinating vendor solutions.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-11-CDE.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in

http://www.cert.org/legal_stuff.html

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Revision History
Sep 13, 1999: Initial release

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN91iy3VP+x0t4w7BAQGTegQAt9JwYcx3CrpLW2kxYad4K418zsobY/B+
SOHEZcMLSRhD0wS+HaTH18UqUPXcBGKps5t5oL1fhECAkWkQe+6RgJL/2dSiXX4B
63tdackbWYhAkO3Qjb2Ct75JVcbzPSj5S1cvpHSCGSowNhwhSHSsvg4JPzbuuaCL
qYTYEYyAOVQ=
=RvOJ
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close