Bugtraq mailing list archives

ENTERCEPT RICOCHET ADVISORY: Multi-Vendor CDE ToolTalk Database Server Remote Buffer Overflow Vulnerability


From: <Ricochet () entercept com>
Date: 12 Aug 2002 13:40:04 -0000



*******ENTERCEPT RICOCHET ADVISORY*******
Date: Monday, August 12, 2002

Issue: Multi-Vendor CDE ToolTalk Database Server Remote Buffer Overflow 
Vulnerability


 
DETAILS:
The ToolTalk component allows applications to communicate with each other 
via remote procedure calls (RPC) across different hosts and platforms.  
The ToolTalk RPC database server manages connections between ToolTalk 
applications. Most Unix environments include CDE and ToolTalk in their 
default installations. 
 
The _TT_CREATE_FILE procedure in the ToolTalk RPC database server is 
vulnerable to a buffer overflow. In most environments, this translates to 
a heap buffer overflow, so current non-executable stack protection 
mechanisms are useless against it and can be bypassed. 
 
A successful attack exploiting this buffer overflow vulnerability would 
enable the attacker to run code with the privileges of the ToolTalk RPC 
database server, which typically runs as root. Unsuccessful exploitation 
can still cause a denial of service on a vulnerable system.
 
VENDORS AFFECTED:
 - Caldera
 - Compaq Computer Corporation 
 - Cray Inc.
 - Data General
 - Fujitsu
 - Hewlett Packard
 - IBM
 - SGI
 - Sun Microsystems Inc.
 - The Open Group
 - Xi Graphics
 
Entercept worked directly with CERT (Computer Emergency Response Team) to 
ensure that the vendors had the technical details necessary to develop 
their patches and issue security advisories. The CERT advisory will be 
available at: http://www.cert.org/advisories/CA-2002-26.html
 
 
ACKNOWLEDGEMENTS/INFORMATION RESOURCES:
This vulnerability was discovered and researched by Sinan Eren of the 
Entercept Ricochet Team. 
 
ABOUT ENTERCEPT RICOCHET:
Entercept’s Ricochet team is a specialized group of security researchers 
dedicated to identifying, assessing, and evaluating intelligence regarding 
server threats. The Ricochet team researches current and future avenues of 
attack and builds this knowledge into Entercept’s intrusion prevention 
solution. Ricochet is dedicated to providing critical, viable security 
content via security advisories and technical briefs. This content is 
designed to educate organizations and security professionals about the 
nature and severity of Internet security threats, vulnerabilities and 
exploits. 

Copyright Entercept Security Technologies. All rights reserved. Entercept 
and the Entercept logo are trademarks of Entercept Security Technologies. 
All other trademarks, trade names or service marks are the property of 
their respective owners. 

DISCLAIMER STATEMENT: 
The information in this bulletin is provided by Entercept Security 
Technologies, Inc. ("Entercept") and is intended to provide information on 
a particular security issue or incident. Given that each exploitation 
technique is unique, Entercept makes no claim to prevent any specific 
exploit related to the vulnerability discussed in this bulletin. Entercept 
expressly disclaims any and all warranties with respect to the information 
provided in this bulletin, express or implied or otherwise, including, but 
not limited to, warranty of fitness for a particular purpose. Under no 
circumstances may this information be used to exploit vulnerabilities in 
any other environment.
http://www.entercept.com/news/uspr/08-12-02.asp
###
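
An exposure check for the ToolTalk RPC database server described under DETAILS, added here as an example and not part of the Entercept advisory. It assumes the daemon (commonly installed as rpc.ttdbserverd) registers with the portmapper as ONC RPC program number 100083; the function names and the sample `rpcinfo -p` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory.
# Assumption: the ToolTalk database server registers with the portmapper
# as ONC RPC program number 100083.
TTDB_PROG=100083

# Read `rpcinfo -p` output on stdin; print one "vers proto port" line per
# registration of the ToolTalk database server. Exit 0 if any were found.
ttdb_registrations() {
    awk -v prog="$TTDB_PROG" '
        $1 == prog && $2 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            print $2, $3, $4
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Summarise one host's portmapper dump (on stdin) as a single verdict line.
ttdb_verdict() {
    host=$1
    if regs=$(ttdb_registrations); then
        printf '%s: EXPOSED ttdbserverd registered (%s)\n' "$host" \
            "$(printf '%s' "$regs" | tr '\n' ';')"
    else
        printf '%s: ok, program %s not registered\n' "$host" "$TTDB_PROG"
    fi
}

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100083    1   tcp  32773  ttdbserverd
    100068    5   udp  32775  cmsd
EOF
}

# Demo on the constructed sample. Live use on a host you administer:
#   rpcinfo -p "$host" | ttdb_verdict "$host"
sample_rpcinfo | ttdb_verdict constructed-host
```

A host reported as EXPOSED should have the vendor patch applied, or the service disabled or filtered at the network boundary until it is patched.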
 

