SecurityTracker.com Archives - (Caldera Issues Fix for UnixWare and Open UNIX) Re: ToolTalk Database Server Format String Flaw Lets Remote Users Gain Root Level Privileges on Several UNIX Operating System Platforms

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

About the Archives

Want to learn about the SecurityTracker archives? We've got answers to frequently asked questions right here

Category: Application (Generic) > ToolTalk (rpc.ttdbserver)

Vendors: [Multiple Authors/Vendors]

(Caldera Issues Fix for UnixWare and Open UNIX) Re: ToolTalk Database Server Format String Flaw Lets Remote Users Gain Root Level Privileges on Several UNIX Operating System Platforms

Date: Oct 17 2001

Impact: Execution of arbitrary code via network, Root access via network

Fix Available: Yes Vendor Confirmed: Yes

Advisory: Internet Security Systems (X-Force)

Version(s): HP-UX 10.10, 10.20, 11.00, 11.11; AIX 4.3, 5.1; IRIX 5.2-6.4; Tru64 DIGITAL UNIX v4.0f, v4.0g, v5.0a, v5.1, v5.1a; Solaris 1.1-1.2, 2.0-2.7, 7, 8

Description: Internet Security Systems warned of a format string vulnerability in several vendors' implementations of the ToolTalk RPC database server (rpc.ttdbserver) that could allow remote users to crash the service or obtain root level privileges on the server.

ToolTalk reportedly contains a syslog() call that accepts unfiltered user-supplied input and will interpret user-supplied formatting arguments, allowing a remote user to supply a specially crafted protocol message to execute arbitrary code via the syslog() call.

ISS notes that the rpc.ttdbserverd is enabled by default on many popular Unix operating systems, even when it is not required.

Impact: A remote user can cause arbitrary code to be executed with root level privileges, yielding root level access on the server.

Solution: Caldera has released fixed binaries for UnixWare 7 and Open UNIX 8.0.0. The binaries are available at:

ftp://stage.caldera.com/pub/security/openunix/CSSA-2001- SCO.28/

The md5 verification checksum is:

b15a904dd742eb1263429b00fb1a1c20 erg711831.Z

Upgrade the affected binaries with the following commands:

# uncompress /tmp/erg711831.Z
# pkgadd -d /tmp/erg711831

Cause: Input validation error

Underlying OS: UNIX (SCO)

Underlying OS Comments: Other operating systems may be affected

Reported By: sco-security@caldera.com

Message History: This archive entry is a follow-up to the message listed below.

Oct 3 2001

ToolTalk Database Server Format String Flaw Lets Remote Users Gain Root Level Privileges on Several UNIX Operating System Platforms

Source Message Contents

Date: Tue, 16 Oct 2001 16:15:06 -0700
From: sco-security@caldera.com
Subject: Security Update: [CSSA-2001-SCO.28] Open UNIX, UnixWare 7: rpc.ttdbserverd format string vulnerability

 

--h31gzZEtNLTqOjlF
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 8bit            

To: bugtraq@securityfocus.com security-announce@lists.securityportal.com announce@lists.caldera.com s
coannmod@xenitec.on.ca


Do not reply to this mail. This security advisory is being sent from a
nonexistent address in order to avoid spam problems.  Caldera's
contact address for UNIX security issues is security-alert@caldera.com.


___________________________________________________________________________

	    Caldera International, Inc. Security Advisory

Subject:		Open UNIX, UnixWare 7: rpc.ttdbserverd format string vulnerability
Advisory number: 	CSSA-2001-SCO.28
Issue date: 		2001 October 16
Cross reference:
___________________________________________________________________________


1. Problem Description
 
	The rpc.ttdbserverd command is vulnerable to a format string
	attack.  This could be used by an unauthorized user to gain
	privilege.


2. Vulnerable Versions

	Operating System	Version		Affected Files
	------------------------------------------------------------------
	UnixWare 7		All		/usr/dt/bin/rpc.ttdbserverd
	Open UNIX		8.0.0		/usr/dt/bin/rpc.ttdbserverd


3. Workaround

	None.


4. UnixWare 7, Open UNIX 8

  4.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.28/


  4.2 Verification

	md5 checksums:
 
	b15a904dd742eb1263429b00fb1a1c20	erg711831.Z


	md5 is available for download from

		ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	# uncompress /tmp/erg711831.Z
	# pkgadd -d /tmp/erg711831


5. References

	http://www.securityfocus.com/archive/1/217901
	http://www.securityfocus.com/advisories/3583

	This and other advisories are located at
		http://stage.caldera.com/support/security

	This advisory addresses Caldera Security internal incidents
	sr851392, fz518746 and erg711831.


6. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on our website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera International products.


7. Acknowledgements

	This vulnerability was discovered and researched by Mark Dowd
	of the ISS X-Force.

	 
___________________________________________________________________________

--h31gzZEtNLTqOjlF
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjvMv3oACgkQaqoBO7ipriGaEgCcD3yctUtbaf8mjyWhkFepTxNG
CcsAn0QtFQjEAdBSCriF1LRRTrRRwF+W
=znXN
-----END PGP SIGNATURE-----

--h31gzZEtNLTqOjlF--

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2001, SecurityGlobal.net LLC