CVE-2002-0677
CVSS7.5
Published: 2002-07-23 00:00:00
Revised: 2016-10-17 22:21:16

[Original] CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.


[CNNVD] Multiple Vendor CDE ToolTalk Database Server Remote NULL Write Vulnerability (CNNVD-200207-082)

Common Desktop Environment (CDE) is an integrated graphical user interface that runs on a variety of UNIX and Linux operating systems. The CDE ToolTalk service lets independently developed applications communicate with each other by exchanging ToolTalk messages across hosts and platforms. Using the ToolTalk service, applications can establish open protocols that allow programs of all kinds to exchange information and let new programs be plugged into the system with as little reconfiguration as possible. The ToolTalk RPC database server, rpc.ttdbserverd, manages ToolTalk application communication.
A ToolTalk client closes a ToolTalk database by sending an RPC request to the database server. During this process the _TT_ISCLOSE() procedure is invoked. The _TT_ISCLOSE() RPC takes from the client a file descriptor argument that references the in-memory structure holding the requested ToolTalk database information, and sets a memory location in that structure to 0 (0L) to mark the requested database closed. ToolTalk does not check the range of the file descriptor when invoking this procedure, so a descriptor that references other memory containing valid database information can be passed as the argument, and a malicious RPC call can cause a chosen memory location in the ToolTalk database server's process space to be set to 0.
An attacker can combine this vulnerability with other techniques to remotely delete arbitrary files and remotely create arbitrary directories, or to carry out a denial-of-service attack against the ToolTalk database service.
Note that this RPC request requires the client to supply AUTH_UNIX authentication information; however, AUTH_UNIX credentials can easily be forged by an attacker.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:sgi:irix:6.5  SGI IRIX 6.5
cpe:/o:sgi:irix:6.0.1  SGI IRIX 6.0.1
cpe:/o:sgi:irix:6.1  SGI IRIX 6.1
cpe:/o:sgi:irix:5.2  SGI IRIX 5.2
cpe:/o:sgi:irix:6.4  SGI IRIX 6.4
cpe:/a:xi_graphics:dextop:2.1
cpe:/o:sgi:irix:6.2  SGI IRIX 6.2
cpe:/o:sgi:irix:6.5.15  SGI IRIX 6.5.15
cpe:/o:compaq:tru64:4.0f  Compaq Tru64 4.0f
cpe:/a:caldera:unixware:7
cpe:/o:compaq:tru64:4.0g  Compaq Tru64 4.0g
cpe:/o:sgi:irix:6.0  SGI IRIX 6.0
cpe:/o:sgi:irix:5.3  SGI IRIX 5.3
cpe:/o:sgi:irix:6.3  SGI IRIX 6.3
cpe:/o:ibm:aix:5.1  IBM AIX 5.1
cpe:/o:sun:solaris:7.0
cpe:/o:compaq:tru64:5.1a  Compaq Tru64 5.1a
cpe:/a:caldera:unixware:7.1_.0
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:8.0
cpe:/o:hp:hp-ux:11.11  HP-UX 11.11
cpe:/o:hp:hp-ux:10.20  HP HP-UX 10.20
cpe:/o:hp:hp-ux:10.24  HP HP-UX 10.24
cpe:/o:sun:solaris:2.5.1
cpe:/o:sgi:irix:6.5.2  SGI IRIX 6.5.2
cpe:/o:sgi:irix:6.5.7  SGI IRIX 6.5.7
cpe:/o:sgi:irix:6.5.8  SGI IRIX 6.5.8
cpe:/o:sgi:irix:6.5.5  SGI IRIX 6.5.5
cpe:/o:compaq:tru64:5.1  Compaq Tru64 5.1
cpe:/o:sgi:irix:6.5.3  SGI IRIX 6.5.3
cpe:/o:sgi:irix:6.5.4  SGI IRIX 6.5.4
cpe:/o:sgi:irix:6.5.1  SGI IRIX 6.5.1
cpe:/o:sgi:irix:6.5.11  SGI IRIX 6.5.11
cpe:/o:sgi:irix:6.5.16  SGI IRIX 6.5.16
cpe:/o:caldera:openunix:8.0
cpe:/a:caldera:unixware:7.1.1
cpe:/o:sgi:irix:6.5.14  SGI IRIX 6.5.14
cpe:/o:sgi:irix:6.5.6  SGI IRIX 6.5.6
cpe:/o:sgi:irix:6.5.12  SGI IRIX 6.5.12
cpe:/o:sgi:irix:6.5.13  SGI IRIX 6.5.13
cpe:/o:compaq:tru64:5.0a  Compaq Tru64 5.0a
cpe:/o:sgi:irix:6.5.10  SGI IRIX 6.5.10
cpe:/o:sgi:irix:6.5.9  SGI IRIX 6.5.9
cpe:/o:hp:hp-ux:10.10  HP HP-UX 10.10
cpe:/o:hp:hp-ux:11.00  HP-UX 11.00
cpe:/o:ibm:aix:4.3.3  IBM AIX 4.3.3

- OVAL (technical details for detection)

oval:org.mitre.oval:def:91  Solaris 7 CDE ToolTalk Database Null Write Vulnerability
oval:org.mitre.oval:def:15  Solaris 8 CDE ToolTalk Database Null Write Vulnerability
oval:org.mitre.oval:def:1099  Solaris 9 CDE ToolTalk Database Null Write Vulnerability
*OVAL describes in detail how this vulnerability can be detected; the related OVAL definitions contain further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0677
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0677
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-082
(Official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28/CSSA-2002-SCO.28.txt
(UNKNOWN)  CALDERA  CSSA-2002-SCO.28
ftp://patches.sgi.com/support/free/security/advisories/20021102-02-P
(UNKNOWN)  SGI  20021102-02-P
http://marc.info/?l=bugtraq&m=102635906423617&w=2
(UNKNOWN)  BUGTRAQ  20020710 [CORE-20020528] Multiple vulnerabilities in ToolTalk Database server
http://www.cert.org/advisories/CA-2002-20.html
(VENDOR_ADVISORY)  CERT  CA-2002-20
http://www.kb.cert.org/vuls/id/975403
(VENDOR_ADVISORY)  CERT-VN  VU#975403

- Vulnerability information

Multiple Vendor CDE ToolTalk Database Server Remote NULL Write Vulnerability
High  Input validation
2002-07-23 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Disable the ToolTalk RPC database server daemon.
Edit /etc/inetd.conf and comment out or delete the configuration line for 'rpc.ttdbserver', then restart the inetd daemon.
* Use access controls to restrict access to the RPC service ports.
Vendor patches:
Caldera
-------
Caldera has released a security advisory (CSSA-2002-SCO.28) and a corresponding patch:
CSSA-2002-SCO.28: UnixWare 7.1.1 Open UNIX 8.0.0 : rpc.ttdbserverd file creation and deletion vulnerabilities
Link: ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.28
Patch download:
ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28
Patch installation:
# uncompress /var/spool/pkg/erg712073.pkg.Z
# pkgadd -d /var/spool/pkg/erg712073.pkg
HP
--
HP has released a security advisory (HPSBUX0207-199) and a corresponding update:
HPSBUX0207-199: Sec. Vulnerability in rpc.ttdbserver (Rev.1)
Link:
Updated program download:
ftp://ttdb1:ttdb1@192.170.19.51/rpc.ttdbserver.tar.gz
Update installation:
Extract rpc.ttdbserver.tar.gz into a temporary directory, change into that directory and run:
./install_rpc.ttdbserver rpc.ttdbserver.1020

- Vulnerability information

4507
CDE ToolTalk _TT_ISCLOSE Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-07-10 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor CDE ToolTalk Database Server Null Write Vulnerability
Input Validation Error 5082
Yes No
2002-07-11 12:00:00 2009-07-11 01:56:00
Discovered by Ricardo Quesada of CORE Security Technologies.

- Affected program versions

Xi Graphics DeXtop 2.1
Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.17
SGI IRIX 6.5.16 m
SGI IRIX 6.5.16 f
SGI IRIX 6.5.16
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.15
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f
SGI IRIX 6.5.14
SGI IRIX 6.5.13 m
SGI IRIX 6.5.13 f
SGI IRIX 6.5.13
SGI IRIX 6.5.12 m
SGI IRIX 6.5.12 f
SGI IRIX 6.5.12
SGI IRIX 6.5.11 m
SGI IRIX 6.5.11 f
SGI IRIX 6.5.11
SGI IRIX 6.5.10 m
SGI IRIX 6.5.10 f
SGI IRIX 6.5.10
SGI IRIX 6.5.9 m
SGI IRIX 6.5.9 f
SGI IRIX 6.5.9
SGI IRIX 6.5.8 m
SGI IRIX 6.5.8 f
SGI IRIX 6.5.8
SGI IRIX 6.5.7 m
SGI IRIX 6.5.7 f
SGI IRIX 6.5.7
SGI IRIX 6.5.6 m
SGI IRIX 6.5.6 f
SGI IRIX 6.5.6
SGI IRIX 6.5.5 m
SGI IRIX 6.5.5 f
SGI IRIX 6.5.5
SGI IRIX 6.5.4 m
SGI IRIX 6.5.4 f
SGI IRIX 6.5.4
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.3
SGI IRIX 6.5.2 m
SGI IRIX 6.5.2 f
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
SGI IRIX 6.1
SGI IRIX 6.0.1
SGI IRIX 6.0
SGI IRIX 5.3
SGI IRIX 5.2
IBM AIX 4.3.3
IBM AIX 5.1
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX 10.24
HP HP-UX 10.20
HP HP-UX 10.10
Compaq Tru64 5.1 a
Compaq Tru64 5.1
Compaq Tru64 5.0 a
Compaq Tru64 4.0 g
Compaq Tru64 4.0 f
Caldera UnixWare 7.1.1
Caldera UnixWare 7.1 .0
Caldera UnixWare 7
Caldera OpenUnix 8.0
SCO Open Server 5.0.6 a
SCO Open Server 5.0.6
SCO Open Server 5.0.5
SCO Open Server 5.0.4
SCO Open Server 5.0.3
SCO Open Server 5.0.2
SCO Open Server 5.0.1
SCO Open Server 5.0
Fujitsu UXP/V V10L20
Fujitsu UXP/V V10L10
Caldera OpenLinux 3.1 -IA64
Caldera OpenLinux 2.4
Caldera OpenLinux 2.3
Caldera OpenLinux 2.2
Caldera OpenLinux 1.3

- Unaffected program versions

SCO Open Server 5.0.6 a
SCO Open Server 5.0.6
SCO Open Server 5.0.5
SCO Open Server 5.0.4
SCO Open Server 5.0.3
SCO Open Server 5.0.2
SCO Open Server 5.0.1
SCO Open Server 5.0
Fujitsu UXP/V V10L20
Fujitsu UXP/V V10L10
Caldera OpenLinux 3.1 -IA64
Caldera OpenLinux 2.4
Caldera OpenLinux 2.3
Caldera OpenLinux 2.2
Caldera OpenLinux 1.3

- Vulnerability discussion

CDE ships with a daemon called the ToolTalk database server. The ToolTalk database server allows for programs designed for use in CDE to communicate with each other. It is enabled by default on most systems shipped with CDE.

The ToolTalk database server is vulnerable to a condition that may allow for NULL words to be written to arbitrary locations in memory. The vulnerability is due to an input validation error in the _TT_ISCLOSE procedure, used by ToolTalk clients to close open ToolTalk databases.

The _TT_ISCLOSE RPC accepts as a parameter a file descriptor. This integer value is used as an index for writing to structures in server memory. There are no checks to restrict the range of the index value. Consequently, malicious file descriptor values supplied by remote clients may cause writes to occur far beyond the table in memory. The only value written is a NULL word, limiting the consequences.

Unfortunately there are several other conditions which may allow for complex attacks, potentially resulting in remote deletion/creation of files and code/command execution.

It should be noted that the only authentication required is client-supplied AUTH_UNIX credentials. AUTH_UNIX credentials may be trivially spoofed by attackers.
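As an added illustration, not ToolTalk's or any vendor's code: a simplified C model of the defect described above, in which the descriptor taken from the request is used directly as a table index for a zero write, placed beside a form that range-checks the index, refuses to close a slot that is not open, and checks that the slot belongs to the requesting connection. The memory layout, the `owner` table, the connection ids and the error codes are constructed for this example.

```c
#include <stddef.h>

#define MAX_OPEN_DBS 8      /* logical size of the open-database table */
#define TRAILING_WORDS 4    /* unrelated server state that follows the table */

/* Constructed model of the server's memory: the first MAX_OPEN_DBS words are
 * the open-database table; the words after it stand in for whatever else the
 * process keeps nearby. A handle of 0L means "closed". */
typedef struct {
    long words[MAX_OPEN_DBS + TRAILING_WORDS];
    int owner[MAX_OPEN_DBS];   /* hypothetical: connection id that opened each slot */
} server_mem_t;

enum { TT_OK = 0, TT_ERR_BADFD = -1, TT_ERR_NOTOPEN = -2, TT_ERR_NOTOWNER = -3 };

void server_init(server_mem_t *m) {
    for (int i = 0; i < MAX_OPEN_DBS; i++) {
        m->words[i] = 0x1000L + i;   /* constructed handles for open databases */
        m->owner[i] = i % 2;         /* constructed: slots alternate between conn 0 and 1 */
    }
    for (int i = 0; i < TRAILING_WORDS; i++)
        m->words[MAX_OPEN_DBS + i] = 0xC0DEL;   /* constructed neighbouring state */
}

/* Vulnerable shape: the descriptor from the RPC request is used as a table
 * index with no range check, so an out-of-range value plants a zero word
 * wherever the index lands (here, in the trailing state). */
int isclose_unchecked(server_mem_t *m, int fd) {
    m->words[fd] = 0L;
    return TT_OK;
}

/* Hardened shape: validate the index against the table bounds, reject a
 * double close, and require that the slot belongs to the requesting
 * connection. AUTH_UNIX credentials are asserted by the client, so none of
 * these checks may be delegated to them. */
int isclose_checked(server_mem_t *m, int conn, int fd) {
    if (fd < 0 || fd >= MAX_OPEN_DBS) return TT_ERR_BADFD;
    if (m->words[fd] == 0L)          return TT_ERR_NOTOPEN;
    if (m->owner[fd] != conn)        return TT_ERR_NOTOWNER;
    m->words[fd] = 0L;
    return TT_OK;
}

/* Accessor for the trailing state, to observe what an overlong index hit. */
long trailing_word(const server_mem_t *m, int i) {
    return m->words[MAX_OPEN_DBS + i];
}
```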

- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

HP has stated that HP-MPE/ix, HP OpenVMS and HP NonStop Servers are not vulnerable to this issue. HP has also revised an advisory with fix information. Users running HP-UX 10.10 are advised to contact security-alert@hp.com for fix information.

Compaq Computer Corporation

CROSS REFERENCE: SSRT2251

At this time Compaq does have solutions in final testing and will publish HP Tru64 UNIX security bulletin (SSRT2251) with patch information as soon as testing has completed and kits are available from the support ftp web site.

Cray, Inc.

Cray, Inc. does include ToolTalk within the CrayTools product. However, rpc.ttdbserverd is not turned on or used by any Cray provided application. Since a site may have turned this on for their own use, they can always remove the binary /opt/ctl/bin/rpc.ttdbserverd if they are concerned.

IBM Corporation

The CDE desktop product shipped with AIX is vulnerable to both the issues detailed above in the advisory. Fixes have been made available.

Sun Microsystems, Inc.

The Solaris RPC-based ToolTalk database server, rpc.ttdbserverd, is vulnerable to the two vulnerabilities [VU#975403 VU#299816] described in this advisory in all currently supported versions of Solaris:

Solaris 2.5.1, 2.6, 7, 8, and 9

Patches are being generated for all of the above releases. Sun will publish a Sun Security Bulletin and a Sun Alert for this issue. The Sun Alert will be available from:

http://sunsolve.sun.com

The patches will be available from:

http://sunsolve.sun.com/securitypatch

Sun Security Bulletins are available from:

http://sunsolve.sun.com/security

Xi Graphics

Xi Graphics deXtop CDE v2.1 is vulnerable to this attack. An update correcting this issue will be available on our ftp site once this vulnerability has been publicly announced.

When announced, the update and accompanying text file will be:

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

SGI has released a new advisory. A new patch, 4669, is available for IRIX 6.5.13 to 6.5.17.

Sun has released Sun Alert ID: 46022 dealing with this and other issues. Please see the referenced advisory for more information.


Sun Solaris 8_sparc
IBM AIX 5.1
Sun Solaris 2.6
Sun Solaris 2.6_x86
Sun Solaris 7.0
Sun Solaris 9
Sun Solaris 7.0_x86
Sun Solaris 8_x86
HP HP-UX 10.10
  • HP rpc.ttdbserver
    FTP login credentials are required in order to access this fix. Username and password are ttdb1/ttdb1. Proper patches are forthcoming.
    ftp://hprc.external.hp.com
HP HP-UX 10.20
HP HP-UX 10.24
HP HP-UX 11.0
HP HP-UX 11.11
IBM AIX 4.3.3
SGI IRIX 6.5
SGI IRIX 6.5.1
SGI IRIX 6.5.10
SGI IRIX 6.5.10 m
SGI IRIX 6.5.10 f
SGI IRIX 6.5.11
SGI IRIX 6.5.11 m
SGI IRIX 6.5.11 f
SGI IRIX 6.5.12 f
SGI IRIX 6.5.12 m
SGI IRIX 6.5.12
SGI IRIX 6.5.13 f
SGI IRIX 6.5.13 m
SGI IRIX 6.5.13
SGI IRIX 6.5.14 f
SGI IRIX 6.5.14
SGI IRIX 6.5.14 m
SGI IRIX 6.5.15
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.16 f
SGI IRIX 6.5.16
SGI IRIX 6.5.16 m
SGI IRIX 6.5.17
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.2 m
SGI IRIX 6.5.2 f
SGI IRIX 6.5.2
SGI IRIX 6.5.3 f
SGI IRIX 6.5.3
SGI IRIX 6.5.3 m
SGI IRIX 6.5.4 m
SGI IRIX 6.5.4
SGI IRIX 6.5.4 f
SGI IRIX 6.5.5
SGI IRIX 6.5.5 f
SGI IRIX 6.5.5 m
SGI IRIX 6.5.6
SGI IRIX 6.5.6 m
SGI IRIX 6.5.6 f
SGI IRIX 6.5.7 m
SGI IRIX 6.5.7
SGI IRIX 6.5.7 f
SGI IRIX 6.5.8 m
SGI IRIX 6.5.8
SGI IRIX 6.5.8 f
SGI IRIX 6.5.9 f
SGI IRIX 6.5.9 m
SGI IRIX 6.5.9
Caldera UnixWare 7.1.1
Caldera OpenUnix 8.0

- Related references
