{"vuid":"VU#595507","idnumber":"595507","name":"Common Desktop Environment (CDE) ToolTalk RPC Server rpc.ttdbserverd contains format string vulnerability","keywords":["ToolTalk daemon","format string","rpc","rpc.ttdbserverd","CDE","Common Desktop Environment","APAR #IY23846","HPSBUX0110-168","SSRT0767U"],"overview":"A vulnerability exists in CDE ToolTalk that may allow a remote attacker to execute arbitrary code with root privileges.","clean_desc":"Internet Security Systems (ISS) X-Force has discovered a format string vulnerability in the Common Desktop Environment (CDE) ToolTalk Remote Procedure Call (RPC) server, rpc.ttdbserverd. The ToolTalk architecture allows custom applications to communicate with each other via RPC calls, and CDE and ToolTalk are installed and enabled by default on many common UNIX platforms. rpc.ttdbserverd manages RPC communication between ToolTalk applications. rpc.ttdbserverd contains a syslog(3) function call that does not include a format string specifier. As a result, a crafted RPC open request containing user-supplied format string specifiers is interpreted by syslog(), possibly overwriting arbitrary locations in memory. By carefully designing such a request an attacker may execute arbitrary code with the privileges of rpc.ttdbserverd, typically root. For more information, see the ISS X-Force advisory at:  http://xforce.iss.net/alerts/advise98.php. The rpcinfo command may be able to help you determine if rpc.ttdbserverd is running on your system. On SunOS: % rpcinfo -p\n   program vers proto   port  service\n    100000    4   tcp    111  rpcbind\n    104567    5   tcp    112  custom On MacOS X: % rpcinfo -p\n   program vers proto   port\n    100000    2   tcp    111  portmapper\n    100000    2   udp    111  portmapper\n 200100001    1   udp    745  netinfobind\n 200100001    1   tcp    748  netinfobind\nThe program number for rpc.ttdbserverd is 100083. If 100083 shows up in the rpcinfo output, you may be running the rpc.ttdbserverd service. Additionally, the service may be listed in /etc/rpc. For example, the following entry may indicate rpc.ttdbserverd is running on your system: 100083 1 tcp 692\nSystems that are not running rpc.ttdbserverd are not exposed to this vulnerability.","impact":"A remote attacker may send crafted RPC traffic causing the ToolTalk RPC server to crash or allowing the attacker to execute arbitrary code on the vulnerable system.","resolution":"Apply Patch\nApply the appropriate vendor supplied patch as described in the vendor section below.","workarounds":"Disable Vulnerable Service Until a patch can be applied, you may wish to consider disabling the ToolTalk service. As a general practice, CERT/CC recommends disabling any services not explicitly required. Block or Restrict Access Your router or firewall may be able to block access to the ToolTalk service at your network perimeter. Additionally, an application-level firewall may be able to filter requests made to the ToolTalk service.","sysaffected":"","thanks":"The CERT Coordination Center thanks Internet Security Systems (ISS) \nX-Force\n and \nThe Open Group\n for information used in this document.","author":"This document was written by Art Manion, Shawn V. Hernan, and Jeffrey S. Havrilla.","public":["http://xforce.iss.net/alerts/advise98.php","http://www.securityfocus.com/bid/3382","http://www.securitytracker.com/alerts/2001/Oct/1002479.html","http://www.opengroup.org/desktop/faq/"],"cveids":["CVE-2001-0717"],"certadvisory":"CA-2001-27","uscerttechnicalalert":null,"datecreated":"2001-08-09T12:34:42Z","publicdate":"2001-10-02T00:00:00Z","datefirstpublished":"2001-10-03T15:25:05Z","dateupdated":"2004-03-24T15:01:16Z","revision":47,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"8","cam_population":"18","cam_impact":"19","cam_easeofexploitation":"8","cam_attackeraccessrequired":"15","cam_scorecurrent":"17.6985","cam_scorecurrentwidelyknown":"21.546","cam_scorecurrentwidelyknownexploited":"36.936","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":17.6985,"vulnote":null}