{"vuid":"VU#299816","idnumber":"299816","name":"Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) does not adequately validate file operations","keywords":["CDE","ToolTalk","database server","ttdbserver","rpc","rpc.ttdbserverd","symbolic link","smylink","_TT_TRANSACTION"],"overview":"The Common Desktop Environment (CDE) ToolTalk RPC database server does not adequately validate file operations and follows symbolic links, allowing a local attacker to overwrite any file that is writeable by the server. The ToolTalk RPC database server typically runs with root privileges.","clean_desc":"CORE SECURITY TECHNOLOGIES has reported a vulnerability in the CDE ToolTalk RPC database server (rpc.ttdbserverd). A component of CDE, the ToolTalk architecture allows applications to communicate with each other via remote procedure calls (RPC) across different hosts and platforms. The ToolTalk RPC database server manages connections between ToolTalk applications. CDE and ToolTalk are installed and enabled by default on many common UNIX platforms. Certain ToolTalk RPC database functions, among them _TT_TRANSACTION(), create and write to files that are referenced by user-supplied path and filename arguments. The ToolTalk RPC database server does not check that the file used in a create or write operation is not a symbolic link. By first creating a symbolic link, then issuing a specially crafted RPC call, a local attacker can overwrite the target of the symbolic link with arbitrary contents.","impact":"A local attacker could overwrite any file writeable by the ToolTalk RPC database server. This technique could be used to gain the privileges of the ToolTalk RPC database server, typically root.","resolution":"Apply a Patch When available, apply a patch from your vendor.","workarounds":"Disable rpc.ttdbserverd Until patches are available and can be applied, you may wish to consider disabling the ToolTalk RPC database service. 
As a general best practice, the CERT/CC recommends disabling any services that are not explicitly required. The ToolTalk RPC database service may be enabled in /etc/rpc or in /etc/inetd.conf. On a Solaris 8 system, comment out the following entry in /etc/inetd.conf to disable the ToolTalk RPC database service (rpc.ttdbserverd):\n\n# Sun ToolTalk Database Server\n100083/1        tli     rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd\n\nThe rpcinfo(1M) and ps(1) commands may be useful in determining if your system is running the ToolTalk RPC database server. On a Solaris 8 system, the following examples indicate that the ToolTalk RPC database server is running:\n\n# rpcinfo -p | grep 100083\n    100083    1   tcp   32773\n# ps -ef | grep rpc.ttdbserverd\n    root   355   164  0  19:31:27 ?        0:00 rpc.ttdbserverd\n\nBlock or Restrict Access\nUntil patches are available and can be applied, block or restrict access to the RPC portmapper service and the ToolTalk RPC database service from untrusted networks such as the Internet. Using a firewall or other packet-filtering technology, block the ports used by the RPC portmapper and ToolTalk RPC services. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. The ToolTalk RPC service may be configured to use port 692/tcp or another port as indicated in output from the rpcinfo command. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. 
It is important to understand your network configuration and service requirements before deciding what changes are appropriate.","sysaffected":"","thanks":"The CERT/CC thanks Ricardo Quesada and Iván Arce of \nCORE SECURITY TECHNOLOGIES\n for reporting this vulnerability.","author":"This document was written by Art Manion.","public":["http://www.corest.com/common/showdoc.php?idx=251&idxseccion=10","http://www.securityfocus.com/bid/5083"],"cveids":["CVE-2002-0678"],"certadvisory":"CA-2002-20","uscerttechnicalalert":null,"datecreated":"2002-06-19T18:51:46Z","publicdate":"2002-07-10T00:00:00Z","datefirstpublished":"2002-07-11T06:21:25Z","dateupdated":"2002-08-15T22:38:09Z","revision":11,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"2","cam_exploitation":"0","cam_internetinfrastructure":"8","cam_population":"18","cam_impact":"19","cam_easeofexploitation":"19","cam_attackeraccessrequired":"10","cam_scorecurrent":"12.18375","cam_scorecurrentwidelyknown":"34.1145","cam_scorecurrentwidelyknownexploited":"58.482","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":12.18375,"vulnote":null}