RISE-2009001
ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow Vulnerability

http://risesecurity.org/advisories/RISE-2009001.txt
Published: June 19, 2009
Updated: June 19, 2009

INTRODUCTION

There exists a vulnerability within a function of the ToolTalk database server
(rpc.ttdbserverd), which when properly exploited can lead to remote compromise
of the vulnerable system.
This vulnerability was confirmed by us in the following versions of operating
systems, other operating systems and versions may be also affected.

IBM AIX Version 6.1.3
IBM AIX Version 6.1.2
IBM AIX Version 6.1.1
IBM AIX Version 6.1.0
IBM AIX Version 5.3.10
IBM AIX Version 5.3.9
IBM AIX Version 5.3.8
IBM AIX Version 5.3.7
IBM AIX Version 5.3.0
IBM AIX Version 5.2.0
IBM AIX Version 5.1.0

To determine whether the ToolTalk database server is running on a host, use the
"rpcinfo" command to print a list of the RPC services running on it, as:

$ rpcinfo -p hostname

The remote program number for the ToolTalk database server is 100083. If an
entry exists for this program, then the ToolTalk database server is running on
the system.

    100083    1   tcp  32768  ttdbserver

DETAILS

As computer users increasingly demand that independently developed applications
work together, inter-operability is becoming an important theme for software
developers. By cooperatively using each other's facilities, inter-operating
applications offer users capabilities that would be difficult to provide in a
single application. The ToolTalk service is designed to facilitate the
development of inter-operating applications that serve individuals and work
groups.

The following ToolTalk service components work together to provide
inter-application communication and object information management:

  * ttsession is the ToolTalk communication process.

    This process joins together senders and receivers that are either using the
    same X server or interested in the same file. One ttsession communicates
    with other ttsessions when a message needs to be delivered to an application
    in another session.

  * rpc.ttdbserverd is the ToolTalk database server process.

    One rpc.ttdbserverd is installed on each machine which contains a disk
    partition that stores files of interest to ToolTalk clients or files that
    contain ToolTalk objects.

    File and ToolTalk object information is stored in a records database managed
    by rpc.ttdbserverd.

  * libtt is the ToolTalk application programming interface (API) library.

    Applications include the API library in their program and call the ToolTalk
    functions in the library.

The ToolTalk service uses the Remote Procedure Call (RPC) to communicate between
these ToolTalk components.

Applications provide the ToolTalk service with process and object type
information. This information is stored in an XDR format file, which is referred
to as the ToolTalk Types Database in this manual.

The vulnerable function _tt_internal_realpath() does not validate user supplied
data when copying it to a stack-based buffer using strcpy(), resulting in a
stack-based buffer overflow. The exploitation of this vulnerability is trivial
and results in remote compromise of the vulnerable system.

This vulnerability can be triggered by calling remote procedure 15 of ToolTalk
database server with a large XDR-encoded ASCII string as its argument.


Breakpoint 1, 0xd37b2200 in _tt_internal_realpath () from
/usr/lib/libtt.a(shr.o)
(gdb) where
#0  0xd37b2200 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#1  0xd37af9f0 in _tt_get_realpath__FPcT1 () from /usr/lib/libtt.a(shr.o)
#2  0xd37b00b4 in _tt_realpath () from /usr/lib/libtt.a(shr.o)
#3  0xd37b287c in _Tt_file_system::bestMatchToPath () from
/usr/lib/libtt.a(shr.o)
#4  0x1001ca50 in ?? ()
...
(gdb) stepi
0xd37b2240 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
(gdb) x/i $pc
0xd37b2240:     bl      0xd3793080
(gdb) x/s $r4
0x200aa4a8:      "/hom\e/root/", 'A' <repeats 189 times>...
(gdb) stepi   
0xd3793080 in strcpy () from /usr/lib/libtt.a(shr.o)
(gdb) step 
Single stepping until exit from function strcpy, 
which has no line number information.
0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
(gdb) where
#0  0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#1  0xaabbccdd in ?? ()
(gdb) 


A proof of concept code for this vulnerability can be downloaded from our
website at http://risesecurity.org/.

VENDOR

IBM has released advisory and fixes for this vulnerability:
http://aix.software.ibm.com/aix/efixes/security/libtt_advisory.asc
http://aix.software.ibm.com/aix/efixes/security/libtt_fix.tar

CREDITS

This vulnerability was discovered by Adriano Lima <adriano@risesecurity.org> and
Ramon de Carvalho Valle <ramon@risesecurity.org>.

DISCLAIMER

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any information
provided, including any kind of information which is incomplete or incorrect,
will therefore be rejected.