Dear List,


I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.


Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

ToolTalk rpc.ttdbserverd database parser vulnerability
CVE-2010-0083
CPVDT-2010-0651



INTRODUCTION

There exists a vulnerability within a function of the ToolTalk database server
(rpc.ttdbserverd), which when properly exploited can lead to compromise of the
vulnerable system.
This vulnerability was confirmed in the following versions of operating systems,
other operating systems and versions may be also affected.  There are working
exploits to be shared with interested parts.

IBM AIX all versions up to today.
Sun Solaris all versions up to today. (Sparc and x86)
HP HP-UX all versions up to today.


Patches and workarounds are available for all the vendors.   Disable the service if unsure.

To determine whether the ToolTalk database server is running on a host, use the
"rpcinfo" command to print a list of the RPC services running on it, as:

$ rpcinfo -p hostname

The remote program number for the ToolTalk database server is 100083. If an
entry exists for this program, then the ToolTalk database server is running on
the system.

    100083    1   tcp  32768  ttdbserver

DETAILS

This vulnerability can be triggered by creating a fake database (.rec file) on
the system and calling remote procedure 7 of ToolTalk database server pointing
to this database, leading to a heap overflow.
Remote command execution can be achieved if you can place files on the host via
FTP or HTTP servers for example.
Four byte overwrite is possible as showed above (Solaris 9 Sparc).


#0  0xff0c766c in t_delete () from /usr/lib/libc.so.1
(gdb) x/i $pc
0xff0c766c <t_delete+52>:       st  %o0, [ %o1 + 8 ]
(gdb) i r $o0
o0             0x61626364       1633837924
(gdb) i r $o1
o1             0x41424344       1094861636
(gdb) bt
#0  0xff0c766c in t_delete () from /usr/lib/libc.so.1
#1  0xff0c72b0 in realfree () from /usr/lib/libc.so.1
#2  0xff0c7b50 in cleanfree () from /usr/lib/libc.so.1
#3  0xff0c6c8c in _malloc_unlocked () from /usr/lib/libc.so.1
#4  0xff0c6b6c in malloc () from /usr/lib/libc.so.1
#5  0xff31a814 in __0oN_Tt_allocatednwUiT () from /usr/dt/lib/libtt.so.2
#6  0xff31a970 in __0oK_Tt_stringctPCc () from /usr/dt/lib/libtt.so.2
#7  0xff31dc98 in __0FL_tt_vsyslogP6EFILEiPCcPv () from /usr/dt/lib/libtt.so.2
#8  0xff319f40 in __0FK_tt_syslogP6EFILEiPCce () from /usr/dt/lib/libtt.so.2
#9  0x0002a094 in __0FN_tt_iserase_1PPcP6J__svcxprt ()
#10 0x00026584 in __0FT_tt_dbserver_prog_1P6Hsvc_reqP6J__svcxprt ()
#11 0x00026584 in __0FT_tt_dbserver_prog_1P6Hsvc_reqP6J__svcxprt ()


CREDITS

This vulnerability was discovered and exploited by Rodrigo Rubira Branco from
Check Point Vulnerability Discovery Team (VDT).




Best Regards,

Rodrigo.

--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies