TUCoPS :: Unix :: General :: unix5528.htm
Tooltalk database server local and remote compromise
11th Jul 2002 [SBWID-5528]
COMMAND
	Tooltalk database server local and remote compromise
SYSTEMS AFFECTED
	 Vulnerable Packages
	
	 Solaris 2.5.1 2.6 7 8 9
	 HP-UX 10.10 10.20 11.00 11.11
	 Tru64 v4.0f, v4.0g, v5.0a, v5.1, v5.1a
	 Xi Graphics deXtop CDE v2.1
	 IBM AIX 4.3.3 and 5.1.0
	 Caldera Open UNIX and Caldera UNIXware
	
	 Not confirmed but suspected vulnerable
	
	 SGI IRIX 5.2-6.5.x
	
	 Not vulnerable
	
	 Fujitsu UXP/V
	 Cray Inc, CrayTools
	 Caldera OpenLinux
	 SCO OpenServer
	
PROBLEM
	These vulnerabilities were discovered and researched by Ricardo Quesada
	of the CORE IMPACT team at CORE Security Technologies. CORE would like
	to thank CERT for their efforts coordinating the release of this
	advisory with CORE and the vendors, [http://www.corest.com] :
	
	The ToolTalk service allows independently developed applications to
	communicate with each other by exchanging ToolTalk messages. Using
	ToolTalk, applications can create open protocols which allow different
	programs to be interchanged, and new programs to be plugged into the
	system with minimal reconfiguration.
	
	The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service
	which manages objects needed for the operation of the ToolTalk service.
	ToolTalk-enabled processes communicate with each other using RPC calls
	to this program, which runs on each ToolTalk-enabled host. This program
	is a standard component of the ToolTalk system, which ships as a
	standard component of many commercial Unix operating systems. The
	ToolTalk database server runs as root.
	
	Several security bugs were discovered in the rpc.ttdbserverd program
	that allow an attacker to:
	
	 - Overwrite 4 bytes of memory in the running process with a zero
	 (0L) value
	 - Remotely delete any file on the vulnerable host
	 - Locally create or overwrite any file on the vulnerable host
	 with arbitrary contents.
	 - Remotely create arbitrary directory entries on the vulnerable
	 host
	
	These vulnerabilities by themselves can lead to remote and local
	compromise of the privileged root account on the vulnerable system.
	Additionally these vulnerabilities may be used to build more reliable
	and effective exploit programs for previously published ToolTalk
	Database server vulnerabilities.
	
	 Technical Description - Exploit/Concept Code
	 ============================================
	
	 1) Overwriting portions of memory with 0L
	
	The _TT_ISCLOSE procedure in ttdbserverd allows a client to close an
	open ToolTalk Database. The client need only call that procedure,
	passing a valid file descriptor as argument.
	
	The server first checks if the authentication credentials passed in the
	procedure call (AUTH_UNIX) are valid for the requested operation. To do
	so, the server uses the file descriptor received as argument to index
	into a statically allocated table of structs of 24 bytes each named
	_tt_db_table. The table has 128 entries and each entry is a struct
	with the following fields (the field names were chosen arbitrarily):
	
	 struct _tt_db_table_entry {
	     char *path;     /* pathname of the open TT database */
	     int   uid;      /* owner of the open database */
	     int   mode;
	     int   isopen;   /* non-zero while in use; _TT_ISCLOSE resets it to 0 */
	     int   isopen2;
	     int   aux;
	 };
	
	The value in uid specifies the owner of the open database and a non
	zero value in the isopen field indicates that the file is open and in
	use. Once the file is closed (or even if the operation fails) the
	_TT_ISCLOSE procedure resets the value of the isopen field to 0 to
	indicate that this entry in the table belongs to a file that is no
	longer open and in use.
	
	A failure to range check the file descriptor used as index into the
	table lets an attacker treat arbitrary portions of memory as table
	entries. By abusing this vulnerability an attacker can use the
	_TT_ISCLOSE procedure to overwrite portions of memory with a value of
	0L. The attack is restricted to writes at 24-byte intervals (the size
	of a table entry), at the position of the isopen field within each
	slot. As we will see, this is enough to build more sophisticated
	attacks.
	
	
	 2) Deleting files remotely
	
	The ttdbserverd program also provides a procedure, _TT_TRANSACTION, to
	log transactions on a ToolTalk Database to a logfile.
	
	_TT_TRANSACTION receives a file descriptor and a list of records to log
	to the log file. The filename for the logfile is kept in a statically
	allocated variable _tt_log_file.
	
	Upon failure of a transaction operation, a generic error handler
	function is called and the logfile is deleted from the filesystem using
	the unlink() function call.
	
	In Solaris 8 (patch 110286-6 applied) the variable is located at:
	
	 0x0007636c 0x00000401 OBJT GLOB 0 .bss _tt_log_file
	
	The filename for the log file is generated by concatenating the
	directory part of the TT Database pathname and the fixed string
	'log_file'.
	
	The variable is populated by the _TT_ISOPEN and _TT_TRANSACTION
	procedures, available to any local or remote ttdbserverd client.
	
	A client can create a new TT database using the _TT_ISBUILD procedure
	call and subsequently use the _TT_TRANSACTION procedure to log
	transactions on the newly created database to the file specified in
	_tt_log_file.
	
	As described above, _TT_TRANSACTION will populate the _tt_log_file
	variable with the directory of the TT Database followed by the string
	'log_file'. Therefore by creating (using _TT_ISBUILD) a TTDB named
	
	 "////////etc/passwd012345689ABCDEF/file_table"
	
	and subsequently calling _TT_TRANSACTION with the valid file descriptor
	for that DB (received as result of the ISBUILD call) the _tt_log_file
	variable will end up as:
	
	 _tt_log_file = "////////etc/passwd012345689ABCDEF/log_file"
	
	An attacker can now abuse the vulnerability described in 1) to write
	four zero bytes over the "0123" that follows "passwd", null
	terminating the string and leaving the _tt_log_file variable as
	follows:
	
	 _tt_log_file = "////////etc/passwd\0\0\0\045689ABCDEF/log_file"
	
	Once this has been done, a call to _TT_TRANSACTION with an *invalid*
	file descriptor as argument (for example -2) will trigger the unlink
	in the error handler, removing the file now named by _tt_log_file
	("////////etc/passwd") from the file system.
	
	This technique can be used by an attacker to remove any file or
	directory on the vulnerable host.
	
	 3) Creating / Overwriting any local file
	
	The _TT_TRANSACTION procedure follows symlinks when opening the log
	file in order to write the transaction log. By using a combination of
	the techniques described above an attacker can locally overwrite any
	file with any contents of her choice since the list of transaction
	records to log is passed by the client program.
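	Added example, not ttdbserverd's source and not a vendor patch: the
	log-file open as the advisory describes it (it follows symlinks) next
	to a hardened variant, exercised against a scratch directory the
	program creates itself. O_NOFOLLOW plus an fstat check is the
	mitigation assumed here; the victim file and the record are
	constructed stand-ins for /etc/passwd and a client-supplied
	transaction record, and nothing outside the scratch directory is
	written.

```c
/*
 * Naive versus hardened log-file append.  The demo builds <tmp>/victim and
 * <tmp>/log_file -> victim, then appends a record through the link both ways.
 * Nothing here is ttdbserverd's actual code and no real system file is touched.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Record the "client" asks to have logged (constructed sample). */
static const char REC[] = "attacker::0:0::/:/bin/sh\n";

/* Naive open: follows a symlink at the log path, so a link named log_file
 * pointing at /etc/passwd receives the client-supplied records as root. */
static int log_append_naive(const char *path, const char *rec)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
    if (fd < 0)
        return -errno;
    int rc = write(fd, rec, strlen(rec)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Hardened open: O_NOFOLLOW makes open() fail with ELOOP on a symlink, and
 * the fstat check refuses anything but a plain, singly-linked regular file
 * owned by the server's own uid.  The directory itself remains a risk; a
 * privileged daemon should not build log paths from client-supplied names. */
static int log_append_safe(const char *path, const char *rec)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -errno;                    /* -ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -EPERM;
    }
    int rc = write(fd, rec, strlen(rec)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Runs both appends through the link and returns how many bytes the victim
 * grew; the two return codes come back through the out-parameters.
 * -1 means the scratch setup itself failed. */
static long symlink_demo(int *naive_rc, int *safe_rc)
{
    const char *tmp = getenv("TMPDIR");
    char dir[512], victim[528], link[528];
    snprintf(dir, sizeof dir, "%s/ttdb-demo.XXXXXX", tmp && *tmp ? tmp : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/log_file", dir);

    FILE *f = fopen(victim, "w");
    if (!f)
        return -1;
    fputs("root:x:0:0::/:/bin/sh\n", f);   /* constructed stand-in for /etc/passwd */
    fclose(f);
    if (symlink(victim, link) < 0)
        return -1;

    struct stat before, after;
    stat(victim, &before);
    *naive_rc = log_append_naive(link, REC);   /* writes through the link */
    *safe_rc  = log_append_safe(link, REC);    /* refused with ELOOP */
    stat(victim, &after);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return (long)(after.st_size - before.st_size);
}

int main(void)
{
    int n = 0, s = 0;
    long grew = symlink_demo(&n, &s);
    printf("naive: rc=%d  safe: rc=%d (%s)  victim grew by %ld bytes\n",
           n, s, s == -ELOOP ? "ELOOP, symlink refused" : strerror(-s), grew);
    return 0;
}
```

	The naive path appends the record to the victim through the link; the
	hardened path returns -ELOOP without opening anything. O_NOFOLLOW only
	covers the final path component, which is why the comment in the code
	points at the directory as the remaining problem.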
	
	 Conclusion
	 ==========
	
	This advisory describes techniques to abuse two vulnerabilities found
	in the CDE ttdbserver program:
	
	 - Improper checks on user supplied RPC arguments that
	 lead to memory overwriting.
	 BID:5082 CERT: VU#975403 CVE:CAN-2002-0677
	
	 This is the file descriptor range check problem described in 1) and
	 later used in 2).
	
	 - Lack of file system checks for file operations that
	 lead to local file creation or overwriting.
	 This is the symlink problem described in 3)
	 BID:5083 CERT: VU#299816 CVE: CAN-2002-0678
	
	The vulnerabilities and techniques described in this advisory can be
	abused by an attacker in order to gain privileged access to a
	vulnerable system both remotely and locally, or in order to perform a
	denial of service attack (i.e. deletion of *ANY* file remotely).
	
	It is relevant to mention that vulnerabilities disclosed very recently
	(see BID:4639/CVE:NOT-ASSIGNED and BID:3382 /CVE:CAN-2001-0717) rely on
	the attacker's ability to make file system operations fail in order
	to exploit those bugs.
	
	Additionally, the ability to overwrite *any* portion of the process
	memory with a value of 0L may provide other possible attack scenarios
	for remote or local compromise of the vulnerable host.
SOLUTION
	If patches are not available from your vendor these workarounds can be
	implemented:
	
	 - Disable the vulnerable service
	
	Comment out or remove the lines that refer to rpc.ttdbserverd in
	/etc/inetd.conf and restart the inetd daemon (or send it SIGHUP so it
	rereads its configuration).
	
	 - Block connections to the vulnerable service
	
	Block access from untrusted networks to the ToolTalk Database server
	program. The program is identified as RPC program number 100083 and may
	service requests on port 629/tcp or any other port. Use the rpcinfo
	program to determine on which port ttdbserver is servicing requests and
	block access to that port and the portmapper (111/tcp 111/udp) at the
	perimeter. This will not prevent exploitation from trusted networks. In
	general it is advisable to block access from untrusted networks to ALL
	RPC services.
	
	 Patch
	 =====
	
	Check the original advisory post for vendor patch information:
	
	http://www.corest.com/common/showdoc.php?idx=251&idxseccion=10
	