[UNIX] Multiple Vulnerabilities in ToolTalk Database Server
From: support@securiteam.com To: list@securiteam.com Date: Thu, 11 Jul 2002 06:48:16 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in ToolTalk Database Server
------------------------------------------------------------------------
SUMMARY
The ToolTalk service allows independently developed applications to
communicate with each other by exchanging ToolTalk messages. Using
ToolTalk, applications can create open protocols that allow different
programs to be interchanged, and new programs to be plugged into the
system with minimal reconfiguration.
The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service that
manages objects needed for the operation of the ToolTalk service.
ToolTalk-enabled processes communicate with each other using RPC calls to
this program, which runs on each ToolTalk-enabled host. This program is a
standard component of the ToolTalk system, which ships as a standard
component of many commercial UNIX operating systems. The ToolTalk database
server runs as root.
Several security bugs were discovered in the rpc.ttdbserverd program that
allow an attacker to:
- Overwrite 4 bytes of memory in the running process with a zero (0L)
value
- Remotely delete any file on the vulnerable host
- Locally create or overwrite any file on the vulnerable host with
arbitrary contents.
- Remotely create arbitrary directory entries on the vulnerable host
These vulnerabilities by themselves can lead to remote and local
compromise of the privileged root account on the vulnerable system.
Additionally these vulnerabilities may be used to build more reliable and
effective exploit programs for previously published ToolTalk Database
server vulnerabilities.
DETAILS
Vulnerable systems:
* Solaris 2.5.1, 2.6, 7, 8, 9
* HP-UX 10.10, 10.20, 11.00, 11.11
* Tru64 v4.0f, v4.0g, v5.0a, v5.1, v5.1a
* Xi Graphics deXtop CDE v2.1
* IBM AIX 4.3.3 and 5.1.0
* Caldera Open UNIX and Caldera UnixWare
Immune systems:
* Fujitsu UXP/V
* Cray Inc, CrayTools
* Caldera OpenLinux
* SCO OpenServer
Solution/Vendor Information/Workaround:
Caldera, Inc.
Caldera Open UNIX and Caldera UnixWare provide the CDE ttdbserverd daemon,
and are vulnerable to these issues. We have prepared fixes for those two
operating systems, and will make them available as soon as these issues
are made public.
SCO OpenServer and Caldera OpenLinux do not provide CDE, and are therefore
not vulnerable.
Compaq Computer Corporation
CROSS REFERENCE: SSRT2251
At this time Compaq does have solutions in final testing and will publish
HP Tru64 UNIX security bulletin (SSRT2251) with patch information as soon
as testing has completed and kits are available from the support ftp web
site.
A recommended workaround however is to disable rpc.ttdbserver until
solutions are available. This should only create a potential problem for
public software packages or applications that use the RPC-based ToolTalk
database server. This step should be evaluated against the risks
identified, your security environment, and the potential impact on
other products that may use the ToolTalk database server.
To disable rpc.ttdbserverd:
+ Comment out the following line in /etc/inetd.conf:
rpc.ttdbserverd stream tcp swait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
+ Force inetd to re-read the configuration file by executing the
"inetd -h" command.
Note: The Internet daemon should kill the currently running
rpc.ttdbserver. If not, manually kill any existing rpc.ttdbserverd
process.
Cray, Inc.
Cray, Inc. does include ToolTalk within the CrayTools product. However,
rpc.ttdbserverd is not turned on or used by any Cray provided application.
Since a site may have turned this on for their own use, they can always
remove the binary /opt/ctl/bin/rpc.ttdbserverd if they are concerned.
Fujitsu
Fujitsu's UXP/V operating system is not affected by the vulnerabilities
because UXP/V does not support any CDE functionalities.
Hewlett-Packard Company
HP9000 Series 700/800 running HP-UX releases 10.10, 10.20, 11.00, and
11.11 are vulnerable.
Until patches are available, install the appropriate file to replace
rpc.ttdbserver.
Download rpc.ttdbserver.tar.gz from the ftp site. This file is temporary
and will be deleted when patches are available from the standard HP web
sites, including itrc.hp.com.
System: hprc.external.hp.com (192.170.19.51)
Login: ttdb1
Password: ttdb1
FTP Access: ftp://ttdb1:ttdb1@hprc.external.hp.com/
ftp://ttdb1:ttdb1@192.170.19.51/
File: rpc.ttdbserver.tar.gz
MD5: da1be3aaf70d0e2393bd9a03feaf4b1d
An HP security bulletin will be released with more information.
IBM Corporation
The CDE desktop product shipped with AIX is vulnerable to both the issues
detailed above in the advisory. This affects AIX releases 4.3.3 and 5.1.0.
An efix package will be available shortly from the IBM software ftp site.
The efix packages can be downloaded from
ftp://ftp.software.ibm.com/aix/efixes/security. This directory contains a
README file that gives further details on the efix packages.
The following APARs will be available in the near future:
AIX 4.3.3: IY32368
AIX 5.1.0: IY32370
SGI
SGI acknowledges the ToolTalk vulnerabilities reported by CERT and is
currently investigating. No further information is available at this time.
For the protection of all our customers, SGI does not disclose, discuss or
confirm vulnerabilities until a full investigation has occurred and any
necessary patch(es) or release streams are available for all vulnerable
and supported IRIX operating systems. Until SGI has more definitive
information to provide, customers are encouraged to assume all security
vulnerabilities as exploitable and take appropriate steps according to
local site security policies and requirements. As further information
becomes available, additional advisories will be issued via the normal SGI
security information distribution methods including the wiretap mailing
list on http://www.sgi.com/support/security/.
Sun Microsystems, Inc.
The Solaris RPC-based ToolTalk database server, rpc.ttdbserverd, is
vulnerable to the two vulnerabilities described in this advisory in all
currently supported versions of Solaris:
Solaris 2.5.1, 2.6, 7, 8, and 9
Patches are being generated for all of the above releases. Sun will
publish a Sun Security Bulletin and a Sun Alert for this issue. The Sun
Alert will be available from: http://sunsolve.sun.com
The patches will be available from: http://sunsolve.sun.com/securitypatch
Sun Security Bulletins are available from: http://sunsolve.sun.com/security
The Open Group
N/A
Xi Graphics
Xi Graphics deXtop CDE v2.1 is vulnerable to this attack. An update
correcting this issue will be available on our ftp site once this
vulnerability has been publicly announced.
When announced, the update and accompanying text file will be:
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt
Most sites do not need to use the ToolTalk server daemon. Xi Graphics
Security recommends that non-essential services never be enabled. To
disable the ToolTalk server on your system, edit /etc/inetd.conf and
comment out, or remove, the 'rpc.ttdbserver' line. Then, either restart
inetd, or reboot your machine.
Workarounds:
If patches are not available from your vendor, these workarounds can be
implemented:
- Disable the vulnerable service
To do so, comment out or remove the lines that refer to rpc.ttdbserverd
in /etc/inetd.conf and restart the inetd daemon.
- Block connections to the vulnerable service
Block access from untrusted networks to the ToolTalk Database server
program. The program is identified as RPC program number 100083 and may
service requests on port 629/tcp or on any other port. Use the rpcinfo
program to determine on which port ttdbserver is servicing requests and
block access to that port and to the portmapper (111/tcp and 111/udp) at
the perimeter. This will not prevent exploitation from trusted networks. In
general, it is advisable to block access from untrusted networks to ALL
RPC services.
Vendors contacted:
- Sun
CORE notification: 2002-06-10
CERT notification: 2002-06-11 4:32pm
Status:
.Vulnerable (original bug discovery on Solaris)
.Acknowledged notification on 2002-06-10
.Research in progress, no confirmation from Sun as of 2002-06-18
.Official statement forwarded by CERT: 2002-07-10
- HP
CORE notification: 2002-06-10
CERT notification: 2002-06-11
Status:
.Acknowledged notification on 2002-06-10
.Confirmed HP-UX vulnerable on 2002-06-11 and issued high priority lab
fix request
.Official statement forwarded by CERT: 2002-07-10
- Compaq Computer Corporation
CORE notification: 2002-06-10
CERT notification: 2002-06-11 4:32pm
Status:
.Acknowledged notification on 2002-06-10
.Official statement forwarded by CERT: 2002-07-10
- SGI
CORE notification: 2002-06-10
CERT notification: 2002-06-11
Status:
.Acknowledged notification on 2002-06-18
- Xi Graphics (CDE for Linux)
CERT notification: 2002-06-12
Status:
.Confirmed vulnerable, fixes are available at the release date of this
advisory
.Patches available : 2002-06-20
- IBM
CORE notification: 2002-06-10
CERT notification: 2002-06-11 4:32pm EST
Status:
.Confirmed vulnerable
.Official statement forwarded by CERT: 2002-07-10
- Caldera (SCO)
CERT notification: 2002-06-12 1:32pm
Status:
.Confirmed vulnerable
.Official statement forwarded by CERT: 2002-07-10
- Cray Inc.
CERT notification: 2002-06-12 1:19pm
Status:
.Acknowledged notification.
"Cray Inc. ships ToolTalk with the CrayTools product but is not enabled
by default or used by any Cray provided application"
- Data General
CERT notification: 2002-06-12 1:19pm
Status:
N/A
- Fujitsu
CERT notification: 2002-06-12 1:19pm
Status:
.Acknowledged notification.
"Fujitsu's UXP/V is not vulnerable. Does not support any CDE
functionalities"
- The Open Group
CERT notification: 2002-06-12 1:31pm
Status:
N/A
Technical Description - Exploit/Concept Code:
1) Overwriting portions of memory with 0L
The _TT_ISCLOSE procedure in ttdbserverd allows a client to close an open
ToolTalk Database. The client needs only to perform a client call to the
mentioned procedure passing a valid file descriptor as argument.
The server first checks if the authentication credentials passed in the
procedure call (AUTH_UNIX) are valid for the requested operation. To do
so, the server uses the file descriptor received as argument to index into
a statically allocated table named _tt_db_table. The table has 128 entries
of 24 bytes each, and each entry is a struct with the following fields
(the names given to the fields were chosen arbitrarily):
struct _tt_db_table_entry {
char * path;
int uid;
int mode;
int isopen;
int isopen2;
int aux;
};
The value in the uid field specifies the owner of the open database and a
non-zero value in the isopen field indicates that the file is open and in
use. Once the file is closed (or even if the operation fails), the
_TT_ISCLOSE procedure resets the value of the isopen field to 0 to
indicate that this entry in the table belongs to a file that is no longer
open and in use.
A failure to perform proper range checks on the file descriptor used as
index into the table allows an attacker to address arbitrary portions of
memory as table entries. By abusing this vulnerability, an attacker can
use the _TT_ISCLOSE procedure to overwrite 4 bytes of memory with the
value 0L. The attack is restricted to addresses at 24-byte intervals from
the table (since that is the size of each table entry), at the offset of
the isopen field within the entry.
As shown below, this primitive provides the means to perform more
sophisticated attacks.
2) Deleting files remotely
The ttdbserverd program also provides a procedure to log transactions on a
ToolTalk Database to a logfile: the _TT_TRANSACTION procedure.
_TT_TRANSACTION receives a file descriptor and a list of records to log to
the log file. The filename for the logfile is kept in a statically
allocated variable _tt_log_file.
Upon failure of a transaction operation, a generic error handler function
is called and the logfile is deleted from the filesystem using the
unlink() function call.
In Solaris 8 ( patch 110286-6 applied) the variable is located at:
0x0007636c 0x00000401 OBJT GLOB 0 .bss _tt_log_file
The filename for the log file is generated by concatenating the full
pathname for the TT Database and the fixed string 'log_file'.
The variable is populated by the _TT_ISOPEN and _TT_TRANSACTION
procedures, available to any local or remote ttdbserverd client.
A client can create a new TT database using the _TT_ISBUILD procedure call
and subsequently use the _TT_TRANSACTION procedure to log transactions on
the newly created database to the file specified in _tt_log_file.
As described above, _TT_TRANSACTION will populate the _tt_log_file
variable with the filename of the TT Database concatenated with the string
'log_file'. Therefore by creating (using _TT_ISBUILD) a TTDB named
"////////etc/passwd012345689ABCDEF/file_table" and subsequently calling
_TT_TRANSACTION with the valid file descriptor for that DB (received as
result of the ISBUILD call) the _tt_log_file variable will end up as:
_tt_log_file = "////////etc/passwd012345689ABCDEF/log_file"
An attacker can now abuse the vulnerability described in 1) to write a
zero into the string (null-terminating it early), leaving the _tt_log_file
variable as follows:
_tt_log_file = "////////etc/passwd\0\0\0\045689ABCDEF/log_file"
Once this has been done, a call to _TT_TRANSACTION with an *invalid* file
descriptor as argument (e.g. -2) will trigger the unlink in the error
handler function, effectively removing the file named by the
_tt_log_file variable from the file system.
This technique can be used by an attacker to remove any file or directory
on the vulnerable host.
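The two primitives above, the unchecked table index in _TT_ISCLOSE (section 1) and the error-path unlink in _TT_TRANSACTION (section 2), chained together as an added model written for this page; it is not code from the advisory or from rpc.ttdbserverd. The model lays the 128-entry, 24-byte-stride table and a stand-in for _tt_log_file out in one flat byte arena so the index arithmetic is host-independent. The placement offset TT_LOG_OFF, the function names, and recording the unlink instead of performing it are assumptions of the model (the real variable sits at 0x7636c in the Solaris 8 binary and the 24-byte stride is that of the 32-bit build). It derives the log name as the text describes, computes which out-of-range descriptor null-terminates the string at byte 18, and places a bounds-checked close beside the unchecked one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout constants from the advisory: 128 entries of 24 bytes, isopen 12
 * bytes into each entry (after path, uid, mode). */
#define TT_DB_ENTRIES   128
#define TT_ENTRY_SIZE   24
#define TT_ISOPEN_OFF   12
#define TT_TABLE_BYTES  (TT_DB_ENTRIES * TT_ENTRY_SIZE)

/* Assumed placement of _tt_log_file just past the table, chosen so that
 * byte 18 of the string ("////////etc/passwd" is 18 chars) lies on an
 * isopen slot: (TT_LOG_OFF + 18 - TT_ISOPEN_OFF) % TT_ENTRY_SIZE == 0. */
#define TT_LOG_OFF      (TT_TABLE_BYTES + 2 * TT_ENTRY_SIZE - 6)
#define TT_LOG_MAX      128

static unsigned char arena[TT_LOG_OFF + TT_LOG_MAX];  /* table + log name */
static char last_unlinked[TT_LOG_MAX];                /* stand-in for unlink() */

char *tt_log_file(void) { return (char *)arena + TT_LOG_OFF; }

/* Log name = directory part of the database path + "log_file". */
int tt_build_log_file_name(const char *db_path, char *out, size_t n)
{
    const char *slash = strrchr(db_path, '/');
    size_t dirlen = slash ? (size_t)(slash - db_path) + 1 : 0;
    if (dirlen + sizeof "log_file" > n)
        return -1;
    memcpy(out, db_path, dirlen);
    memcpy(out + dirlen, "log_file", sizeof "log_file");
    return 0;
}

/* Vulnerable _TT_ISCLOSE: fd indexes the table with no range check, so the
 * 4-byte zero store lands at arena + fd*24 + 12 wherever that is.  A
 * negative fd would write before the arena, just as it would in the real
 * process.  Returns the byte offset written. */
long tt_isclose_unchecked(int fd)
{
    uint32_t zero = 0;
    long off = (long)fd * TT_ENTRY_SIZE + TT_ISOPEN_OFF;
    memcpy(arena + off, &zero, sizeof zero);
    return off;
}

/* Hardened variant: refuse anything outside [0, TT_DB_ENTRIES). */
int tt_isclose_checked(int fd)
{
    if (fd < 0 || fd >= TT_DB_ENTRIES)
        return -1;
    tt_isclose_unchecked(fd);
    return 0;
}

/* Which fd reaches arena byte 'target', or -1 if the stride cannot hit it. */
int tt_fd_for_offset(long target)
{
    long rel = target - TT_ISOPEN_OFF;
    if (rel < 0 || rel % TT_ENTRY_SIZE)
        return -1;
    return (int)(rel / TT_ENTRY_SIZE);
}

/* _TT_TRANSACTION as described: an invalid fd takes the error path, whose
 * generic handler unlink()s whatever _tt_log_file holds.  Recorded here. */
int tt_transaction(int fd)
{
    if (fd < 0 || fd >= TT_DB_ENTRIES) {
        strncpy(last_unlinked, tt_log_file(), TT_LOG_MAX - 1);
        last_unlinked[TT_LOG_MAX - 1] = '\0';
        return -1;
    }
    return 0;
}

/* The chain from the advisory run against the model; returns the path the
 * error handler would have unlinked. */
const char *tt_run_chain(void)
{
    const char *db = "////////etc/passwd012345689ABCDEF/file_table";
    int fd;

    /* ISBUILD + TRANSACTION leave the derived name in _tt_log_file */
    tt_build_log_file_name(db, tt_log_file(), TT_LOG_MAX);
    /* pick the out-of-range fd whose isopen slot overlays string byte 18 */
    fd = tt_fd_for_offset(TT_LOG_OFF + 18);
    if (fd < 0)
        return NULL;
    tt_isclose_unchecked(fd);  /* "////////etc/passwd\0\0\0\045689ABCDEF/log_file" */
    tt_transaction(-2);        /* error path "unlinks" the truncated name */
    return last_unlinked;
}
```

In the model the reaching descriptor is 130, two entries past the end of the table; against the real binary the attacker solves the same congruence with the true table and variable addresses, and the 4-byte granularity means the name is padded (here with "0123") so that the intended terminator falls on a reachable slot.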
3) Creating / Overwriting any local file
The _TT_TRANSACTION procedure follows symlinks when opening the log file
in order to write the transaction log. By using a combination of the
techniques described above, an attacker can locally overwrite any file
with contents of her choice, since the list of transaction records to log
is supplied by the client program.
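An added example for the symlink-following issue in 3), not code from the advisory or from the daemon: a log open done the way the text describes beside a hardened variant that passes O_NOFOLLOW and verifies the opened object with fstat(). The function names, the -errno return convention and the scratch directory under /tmp are assumptions of this example. The demo plants a symlink named log_file pointing at a victim file and returns 1 when the following open reaches the victim while the hardened open refuses the link with ELOOP and still accepts the plain file.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The open as the advisory describes it: whatever "log_file" resolves to
 * is opened for writing, so a symlink planted by a local user sends the
 * client-supplied transaction records into any file root can write. */
int open_log_following(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened variant (hypothetical, not the vendor fix): O_NOFOLLOW makes a
 * symlink at the final component fail with ELOOP, and fstat() on the
 * descriptor confirms we hold a regular, single-link file owned by the
 * effective uid rather than something swapped in between calls.
 * Returns the fd, or -errno on refusal. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -errno;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -EPERM;
    }
    return fd;
}

/* Constructed scenario: a scratch directory holding a victim file and a
 * "log_file" symlink pointing at it.  Returns 1 when the following open
 * reaches the victim, the hardened open refuses the link with ELOOP, and
 * the hardened open still accepts the plain file; 0 or -1 otherwise. */
int symlink_demo(void)
{
    char dir[] = "/tmp/ttlogXXXXXX";
    char victim[64], link[64];
    int ok = 0, fvictim, ffollow, fnofollow, fplain;

    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/log_file", dir);

    fvictim = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fvictim < 0)
        goto out;
    close(fvictim);
    if (symlink(victim, link) < 0)
        goto out;

    ffollow = open_log_following(link);   /* succeeds: fd refers to victim */
    fnofollow = open_log_nofollow(link);  /* -ELOOP: symlink rejected */
    fplain = open_log_nofollow(victim);   /* a real regular file is accepted */

    ok = (ffollow >= 0 && fnofollow == -ELOOP && fplain >= 0);
    if (ffollow >= 0)
        close(ffollow);
    if (fplain >= 0)
        close(fplain);
out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return ok;
}
```

O_NOFOLLOW only covers the last path component; a daemon that must write under a directory other users can modify also needs the directory itself to be non-writable by them, or should open the directory first and use openat() relative to it.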
ADDITIONAL INFORMATION
The information has been provided by Iván Arce of Core Security
Technologies (core.lists.bugtraq@core-sdi.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.