CERT Advisory CA-2001-27

From: CERT Advisory (cert-advisory@cert.org)
Date: 10/05/01

Date: Fri, 5 Oct 2001 14:51:11 -0400 (EDT)
Message-Id: <CA-2001-27.1@cert.org>
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2001-27


CERT Advisory CA-2001-27 Format String Vulnerability in CDE ToolTalk

   Original release date: October 5, 2001
   Last revised: Thu Oct 5 14:17:55 EDT 2001
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Systems running CDE ToolTalk


   There is a remotely exploitable format string vulnerability in the CDE
   ToolTalk RPC database service. This vulnerability could be used to
   crash the service or execute arbitrary code, potentially allowing an
   intruder to gain root access. This vulnerability is documented in

I. Description

   The Common Desktop Environment (CDE) is an integrated graphical user
   interface that runs on Unix and Linux operating systems. CDE ToolTalk
   is a message brokering system that provides an architecture for
   applications to communicate with each other across hosts and
   platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages
   communication between ToolTalk applications. For more information
   about CDE, see


   There is a remotely exploitable format string vulnerability in the CDE
   ToolTalk RPC database server. While handling an error condition, a
   syslog(3) function call is made without providing a format string
   specifier argument. Since rpc.ttdbserverd does not perform adequate
   input validation or provide the format string specifier argument, a
   crafted RPC request containing format string specifiers will be
   interpreted by the vulnerable syslog(3) function call. Such a request
   can be designed to overwrite specific locations in memory, thus
   executing code with the privileges of rpc.ttdbserverd, typically root.

   The vulnerability was discovered by Internet Security Systems (ISS)
   X-Force. For more information, see


   This vulnerability has been assigned the identifier CAN-2001-00717 by
   the Common Vulnerabilities and Exposures (CVE) group:


   Many common UNIX systems ship with CDE ToolTalk installed and enabled
   by default. The rpcinfo command may help determine if a system is
   running the ToolTalk RPC database service:

          $ rpcinfo -p hostname

   The program number for the ToolTalk RPC database service is 100083.
   References to this number in the output from rpcinfo or in /etc/rpc
   may indicate that the ToolTalk RPC database service is running. Any
   system that does not run the ToolTalk RPC database service is not
   vulnerable to this problem.

II. Impact

   An attacker can execute arbitrary code with the privileges of the
   rpc.ttdbserverd process, typically root.

III. Solution

Apply a patch

   Appendix A contains information from vendors who have provided
   information for this advisory. We will update the appendix as we
   receive more information. If a vendor's name does not appear, then the
   CERT/CC did not hear from that vendor. Please contact your vendor

Block access to vulnerable service

   Until patches are available and can be applied, you may wish to block
   access to the RPC portmapper service and the ToolTalk RPC service from
   untrusted networks such as the internet. Using a firewall or other
   packet-filtering technology, block the ports used by the RPC
   portmapper and ToolTalk RPC services. The RPC portmapper service
   typically runs on ports 111/tcp and 111/udp. The ToolTalk RPC service
   may be configured to use port 692/tcp or another port as indicated in
   output from the rpcinfo command. Keep in mind that blocking ports at a
   network perimeter does not protect the vulnerable service from the
   internal network. It is important to understand your network
   configuration and service requirements before deciding what changes
   are appropriate.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. When vendors report new information to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their

Caldera, Inc.

   Caldera UnixWare and Open Linux are vulnerable, and a fix is

Compaq Computer Corporation

   Compaq Computer Corporation
   Software Security Response Team
   Severity: low
   ToolTalk RPC Server Format String Vulnerability
   This potential security vulnerability has not been
   reproduced for any release of Compaq Tru64 Unix.
   However with the information available, we are providing
   a patch that will further reduce any potential
   A patch has been made available for all supported
   versions of Tru64/ DIGITAL UNIX V4.0f, V4.0g, V5.0a,
   V5.1, and V5.1a.
   *This solution will be included in a future distributed release of
   Compaq's Tru64/ DIGITAL UNIX.
   This patch may be obtained from the following URL address:
   Select BROWSE PATCH TREE and choose the version directory
   The patch names are:
   Note: Te asterisk in the filename indicates the remainder of the
   tarfile name may change depending on the applicable date.
   This patch can be installed on:
   V4.0f, V4.0g all patch kits
   V5.0a, V5.1, and V5.1a all patch kits

Cray Inc.

   UNICOS and UNICOS/mk are not vulnerable to [this] advisory. For
   further inform ation see Cray SPR 721061. Cray SPRs are available
   to licensed Cray customers.

Hewlett-Packard Company

   Patches are now available from HP. See HPSBUX0110-168 for details.

IBM Corporation

   IBM AIX 5.1 and 4.3 are vulnerable. IBM has released an emergency
   fix (efix) w hich contains patched binaries for both AIX 5.1 and
   AIX 4.3 as well as an advis ory:
   IBM is working on APARs which will not be available until late
   October or Novem ber of 2001.
       AIX 4.3: Pending assignment
       AIX 5.1: APAR #IY23846

The Open Group

   The Open Group maintains source code for the Common Desktop
   Environment (CDE). Source licensees of The Open Group's CDE product
   can contact desktop@opengroup.org for advice and a source patch that
   address this issue.


   SGI acknowledges the CDE vulnerabilities reported by CERT and is
   currently investigating. No further information is available at this
   time. For the protection of all our customers, SGI does not disclose,
   discuss or confirm vulnerabilities until a full investigation has
   occurred and any necessary patch(es) or release streams are available
   for all vulnerable and supported IRIX operating systems. Until SGI has
   more definitive information to provide, customers are encouraged to
   assume all security vulnerabilities as exploitable and take
   appropriate steps according to local site security policies and
   requirements. As further information becomes available, additional
   advisories will be issued via the normal SGI security information
   distribution methods including the wiretap mailing list.



   Sun has reproduced the vulnerability and is testing a fix. The Sun
   patches will be made available at the following location:


Xi Graphics

   Xi Graphics is investigating this report and will provide more
   information when it is available.

Appendix B. - References

    1. http://www.opengroup.org/cde/
    2. http://www.opengroup.org/desktop/faq/
    3. http://xforce.iss.net/alerts/advise98.php
    4. http://www.kb.cert.org/vuls/id/595507
    5. http://www.cert.org/advisories/CA-1998-11.html

   The CERT Coordination Center thanks Internet Security Systems (ISS)
   X-Force, who published an advisory on this issue. We would also like
   to thank The Open Group for technical assistance.

   Authors: Art Manion and Shawn V. Hernan

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from


   If you prefer to use DES, please call the CERT hotline for more

    Getting security information

   CERT publications and other security information are available from
   our web site


   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History

   October 5, 2001: initial release

Version: PGP 6.5.8