From seclabs@NAI.COM Mon Aug 31 20:16:47 1998
From: Security Research Labs <seclabs@NAI.COM>
To: BUGTRAQ@netspace.org
Date: Mon, 31 Aug 1998 18:19:00 -0700
Subject: ToolTalk Advisory

    [The following text is in the "iso-8859-1" character set]
    [Your display is set for the "US-ASCII" character set]
    [Some characters may be displayed incorrectly]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=======================================================================


                         Network Associates, Inc.
                           SECURITY ADVISORY
                            August 31, 1998
                            NAI Advisory 29
                 Stack Overflow in ToolTalk RPC Service


=======================================================================

SYNOPSIS

An implementation fault in the ToolTalk object database server allows
a remote attacker to run arbitrary code as the superuser on hosts
supporting the ToolTalk service.  The affected program runs on many
popular UNIX operating systems supporting CDE and some Open Windows
installs. This vulnerability is being actively exploited by
attackers on the Internet.


=======================================================================

Confirmed Vulnerable Operating Systems and Third Party Vendors


Sun Microsystems
- ---------------------------

SunOS 5.6, 5.6_x86
SunOS 5.5.1, 5.5.1_x86
SunOS 5.5, 5.5_x86
SunOS 5.4, 5.4_x86
SunOS 5.3
SunOS 4.1.
SunOS 4.1.3_U1

Hewlett Packard
- ------------------------

HP-UX release 10.10
HP-UX release 10.20
HP-UX release 10.30
HP-UX release 11.00

SGI
- -----

IRIX 5.3
IRIX 5.4
IRIX 6.2
IRIX 6.3
IRIX 6.4

IBM
- ------

AIX 4.1.X
AIX 4.2.X
AIX 4.3.X


TriTeal
- ---------

TriTeal CDE - TED versions 4.3 and previous.


Xi Graphics
- -----------------

Xi Graphics Maximum CDE v1.2.3


It should be noted here that this not an exhaustive list of vulnerable
vendors. These are only the *confirmed vulnerable* vendors. Also, any
OS installation that is not configured to use or start up the ToolTalk
service is not vulnerable to this problem.

To determine whether the ToolTalk database server is running on a
host, use the "rpcinfo" command to print a list of the RPC services
running on it, as:

$ rpcinfo -p <hostname>

Because many operating systems do not include an entry for the
ToolTalk
database service in the RPC mapping table ("/etc/rpc" on most Unix
platforms), the vulnerable service may not appear by name in the
listing.
The RPC program number for the ToolTalk database service is 100083. If

an entry exists for this program, such as,

        100083          1       tcp     692

then the service is running on the host. Until additional information
is made available from the OS vendor, it should be assumed that the
system is vulnerable to the attack described in this advisory.


========================================================================


DETAILS

The ToolTalk service allows independently developed applications
to communicate with each other by exchanging ToolTalk messages.
Using ToolTalk, applications can create open protocols which allow
different programs to be interchanged, and new programs to be
plugged into the system with minimal reconfiguration.

The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service
which manages objects needed for the operation of the ToolTalk
service.
ToolTalk-enabled processes communicate with each other using RPC calls
to this program, which runs on each ToolTalk-enabled host. This
program
is a standard component of the ToolTalk system, which ships as a
standard component of many commercial Unix operating systems. The
ToolTalk database server runs as root.

Due to an implementation fault in rpc.ttdbserverd, it is possible for
a malicious remote client to formulate an RPC message that will cause
the server to overflow an automatic variable on the stack. By
overwriting activation records stored on the stack, it is possible to
force a transfer of control into arbitrary instructions provided by
the attacker in the RPC message, and thus gain total control of the
server process.


=======================================================================

TECHNICAL DETAILS

Source code and XDR specifications for the ToolTalk database protocol
and server were not available at the time this advisory was drafted.
What follows is information based on analysis of the rpc.ttdbserverd
binary and a captured attack trace from a network on which an
exploitation script for this problem was run.

The observed attack utilized the ToolTalk Database (TTDB) RPC
procedure number 7, with an XDR-encoded string as its sole argument.
TTDB procedure 7 corresponds to the _tt_iserase_1() function symbol
in the Solaris binary (/usr/openwin/bin/rpc.ttdbserverd). This
function implements an RPC procedure which takes an ASCII string as
an argument, which is treated as a pathname.

The pathname string is passed to the function isopen(), which in
turn passes it to _am_open(), then to _amopen(), _openfcb(),
_isfcb_open(), and finally to _open_datfile(), where it, as the first
argument to the function, is passed directly to a strcpy() to a
pointer on the stack.  If the pathname string is suitably large, the
string overflows the stack buffer and overwrites an activation record,
allowing control to transfer into instructions stored in the pathname
string.


=======================================================================

RESOLUTION

This is an implementation problem and can only be resolved completely
by applying patches to or replacing affected software.  As a temporary
workaround, it is possible to eliminate vulnerability to this problem
by disabling the ToolTalk database service. This can be done by
killing
the "rpc.ttdbserverd" process and removing it from any OS startup
scripts. It should be noted that this may impair system functionality.

The following vendors have been confirmed vulnerable, contacted, and
have responded with repair information:

Sun Microsystems
- ----------------

Sun plans to release patches this week that relate to the ToolTalk
vulnerability for SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and
5.5_x86.

Patches for SunOS 5.4, 5.4_x86, 5.3, 4.1.4 and 4.1.3_U1 will be
released
in about 4 weeks.

Sun recommended and security patches (including checksums) are
available from:

        http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

Hewlett Packard
- ---------------

HP-UX has been confirmed vulnerable in releases 10.XX and 11.00. HP
has made patches available with the following identifications:

       HP-UX release 10.10  HP9000 Series 7/800   PHSS_16150
       HP-UX release 10.20  HP9000 Series 7/800   PHSS_16147
       HP-UX release 10.30  HP9000 Series 7/800   PHSS_16151
       HP-UX release 11.00  HP9000 Series 7/800   PHSS_16148

IBM
- ---

IBM AIX has been confirmed vulnerable. IBM's response is as follows:

The version of ttdbserver shipped with AIX is vulnerable. We are
currently working on the following fixes which will be available soon:

  APAR 4.1.x: IX81440
  APAR 4.2.x: IX81441
  APAR 4.3.x: IX81442

Until the official APARs are available, a temporary fix can be
downloaded via anonymous ftp from:

  ftp://aix.software.ibm.com/aix/efixes/security/ttdbserver.tar.Z

TriTeal
- -------

An official response from TriTeal is as follows:

The ToolTalk vulnerability will be fixed in the TED4.4 release. For
earlier versions of TED, please contact the TriTeal technical support
department at <support@triteal.com> or at
http://www.triteal.com/support.

Xi Graphics
- -----------

An official response from Xi Graphics is as follows:

Xi Graphics Maximum CDE v1.2.3 is vulnerable to this attack.  A patch
to correct this problem will be placed on our FTP site by 8/28/1998:

ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.tar.gz
ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.txt

        Users of Maximum CDE v1.2.3 are urged to install this update.

Silicon Graphics
- ----------------

The Security Labs team at Network Associates has confirmed that SGI
IRIX 6.3 is vulnerable to this attack. SGI's security team has been
contacted and informed of the vulnerability. No repair information
has been made available from Silicon Graphics regarding this problem.

Other Vendors
- ---------------------

If any uncertainty exists with regards to whether a given vendor not
listed in this advisory is vulnerable to this attack, we recommend
contacting them via their support/security channels for more
information.


========================================================================


ACKNOWLEDGEMENTS

The NAI Security Labs Team would like to thank the HP & IBM Security
Response
Teams, CERT/CC & AUSCERT for their contributions to this advisory.


=======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most
important
research in computer security today. With over 28 published security
advisories published in the last 2 years, the Network Associates
security
auditing teams have been responsible for the discovery of many of the
Internet's most serious security flaws. This advisory represents our
ongoing commitment to provide critical information to the security
community.

For more information about the Security Labs at Network Associates,
see our website at http://www.nai.com or contact us at
<seclabs@nai.com>.


=======================================================================

NETWORK ASSOCIATES SECURITY LABS PGP KEY

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 5.5.5

mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc
fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB
Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp
OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P
bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx
Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu
BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB
c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC
AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W
vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC
8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh
01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB
qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst
jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn
CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky
CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA
vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG
NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl
U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p
2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4
QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V
gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ
=L3C6
- -----END PGP PUBLIC KEY BLOCK-----



-----BEGIN PGP SIGNATURE-----
Version: PGP 5.5.5

iQA/AwUBNfh4hqF4LLqP1YESEQKzwQCgoORfM/2beZWFmyUVHbUd0M5i/zkAoOdT
iH94z1lVHNjuRHXI+EgEw7Re
=3/ck
-----END PGP SIGNATURE-----