
From ciac@rumpole.llnl.gov Sat Oct 16 13:59:57 1999
From: CIAC Mail User <ciac@rumpole.llnl.gov>
Resent-From: mea culpa <jericho@dimensional.com>
To: ciac-bulletin@rumpole.llnl.gov
Resent-To: jericho@attrition.org
Date: Mon, 11 Oct 1999 14:33:10 -0700 (PDT)
Subject: CIAC Bulletin K-001: Four Vulnerabilities in the Common Desktop Environment 

[  For Public Release  ]

            ________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             Four Vulnerabilities in the Common Desktop Environment
                       Updates to CERT Advisory CA-99-11

October 7, 1999 20:00 GMT                                         Number K-001
______________________________________________________________________________
PROBLEM:       Multiple vulnerabilities exist in some distributions of the 
               Common Desktop Environment (CDE). 
PLATFORM:      Any system running the Common Desktop Environment (CDE). 
DAMAGE:        Each vulnerability may allow arbitrary code on a vulnerable  
               system to be run as root by a local user.  The ToolTalk 
               ttsession vulnerability may also allow arbitrary code to be run   
               as root by a remote user.
SOLUTION:      Apply available vendor patches. 
______________________________________________________________________________
VULNERABILITY  Risk is high. These vulnerabilities have been published on the 
ASSESSMENT:    internet.  Each vulnerability, independent of the others, can
               lead to a total system compromise. 
______________________________________________________________________________

[Start CERT Advisory]

CERT Advisory CA-99-11 Four Vulnerabilities in the Common Desktop Environment

   Original release date: September 13, 1999
   Last revised: October 04, 1999 Updated vendor information for Sun
     Microsystems, Inc.
   Source: CERT/CC

   A complete revision history is at the end of this file.
   
Systems Affected

   *  Systems running the Common Desktop Environment (CDE)

I. Description
   Multiple vulnerabilities have been identified in some distributions of the
   Common Desktop Environment (CDE). These vulnerabilities are different from
   those discussed in CA-98.02. We recommend that you install appropriate 
   vendor patches as soon as possible (see Section III below). Until you can 
   do so, we encourage you to disable or uninstall vulnerable copies of the 
   CDE package. Note that disabling these programs will severely affect the 
   utility of the CDE environment. 

   At this time, the CERT/CC has not received any reports of these 
   vulnerabilities being exploited by intruders. 

Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism 

   The ToolTalk messaging server ttsession allows independent applications to 
   communicate without having direct knowledge of each other. Applications can  
   communicate through an associated ttsession which delivers messages via RPC 
   calls between interested agents. 

   On many systems, ttsession uses AUTH_UNIX authentication (a client-based 
   security option) by default. When messages are received, ttsession uses 
   certain environment variables supplied by the client to determine how the 
   message is handled. Because of this, the ttsession process can be 
   manipulated to execute unauthorized arbitrary programs with the privileges 
   of the running ttsession. 

Vulnerability #2: CDE dtspcd relies on file-system based authentication

   The network daemon dtspcd (a CDE desktop subprocess control program) 
   accepts CDE requests from clients to execute commands and launch   
   applications remotely. 

   When a client makes a request, the dtspcd daemon asks the client to create 
   a file that has a predictable name so that the daemon can authenticate the 
   request. If a local user can manipulate the files used for authentication, 
   then that user can craft arbitrary commands that may run as root. 

Vulnerability #3: CDE dtaction buffer overflow

   The dtaction utility allows applications or shell scripts that otherwise 
   are not connected into the CDE development environment, to request that CDE 
   actions be performed. 

   A buffer overflow can occur in some implementations of dtaction when a    
   username argument greater than 1024 bytes is used. 

Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION

   There is a vulnerability in some implementations of the ToolTalk shared 
   library which allows the TT_SESSION environment variable buffer to 
   overflow. A setuid root program using a vulnerable ToolTalk library, such  
   as dtsession, can be exploited to run arbitrary code as root. 

II. Impact

Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism

   A local or remote user may be able to use this vulnerability to run 
   commands on a vulnerable system with the same privileges of the attacked 
   ttsession. For this attack to work, a ttsession must be actively running on 
   the system attacked. The ttsession daemon is started whenever a user logs 
   in using the CDE desktop, or upon interaction with CDE at some future 
   point. 

Vulnerability #2: CDE dtspcd relies on file-system based authentication

   A vulnerable dtspcd may allow a local user to run arbitrary commands as  
   root. 

Vulnerability #3: CDE dtaction buffer overflow

   A local user may be able to exploit this vulnerability to execute arbitrary 
   code with root privileges. 

Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION

   A local user may be able to exploit this vulnerability to execute arbitrary 
   code with root privileges. 

III. Solution

Install appropriate patches from your vendor 

We recommend installing vendor patches as soon as possible and disabling the 
vulnerable programs until you can do so (or uninstalling the entire CDE 
package if not needed). Note that disabling these programs will severely 
affect the utility of the CDE environment. 

Appendix A contains information provided by vendors for this advisory. We will 
update the appendix as we receive more information. If you do not see your 
vendor's name, the CERT/CC did not hear from that vendor. Please contact your 
vendor directly. 

Appendix A. Vendor Information

Compaq Computer Corporation

Problem #1 

CDE ToolTalk session daemon & ToolTalk shared library overflow 
This potential security problem has been resolved and a patch for this 
problem has been made available for Tru64 UNIX V4.0D, V4.0E, V4.0F and 
V5.0. 

This patch can be installed on: 

 V4.0D-F, all patch kits
 V5.0, all patch kits

*This solution will be included in a future distributed release of Compaq's 
Tru64/ DIGITAL UNIX. 

This patch may be obtained from the World Wide Web at the following FTP 
address: 

http://www.service.digital.com/patches 

The patch file name is SSRT0617_ttsession.tar.Z 

Problem #2 

Compaq's Tru64/DIGITAL UNIX is not vulnerable. 

Problem #3 

CDE dtaction buffer overflow 

This potential security problem has been resolved and a patch for this 
problem has been made available for Tru64 UNIX V4.0D, V4.0E and V4.0F. 

This patch can be installed on: 

V4.0D Patch kit BL11 or BL12
V4.0E Patch kit BL1 or BL12
V4.0F Patch kit BL1

*This solution will be included in a future distributed release of Compaq's 
Tru64/ DIGITAL UNIX. 

This patch may be obtained from the World Wide Web at the following FTP 
address: 

http://www.service.digital.com/patches 

The patch file name is SSRT0615U_dtaction.tar.Z 

Problem #4 

CDE ToolTalk shared library overflow 

See solution fix described in Problem #1. 

Data General

DG/UX is not subject to any of these vulnerabilities. 

Fujitsu

Fujitsu's UXP/V operating system is not vulnerable to any of these 
vulnerabilities. 

Hewlett-Packard Company

HP-9000 Series 700/800 HP-UX releases 10.X and 11.0 systems with CDE 
patches previously recommended in HP Security Bulletins are not vulnerable 
to vulnerabilities #2, #3, and #4. 

All HP-UX 10.X and 11.0 systems running CDE are vulnerable to vulnerability 
#1. 

[Start Hewlett-Packard Company Update]

HP Support Information Digests

==============================================================================
o  HP Electronic Support Center World Wide Web Service
   ---------------------------------------------------

   If you subscribed through the HP Electronic Support Center and would
   like to be REMOVED from this mailing list, access the
   HP Electronic Support Center on the World Wide Web at:

     http://us-support.external.hp.com

   Login using your HP Electronic Support Center User ID and Password.
   Then select Support Information Digests.  You may then unsubscribe from the
   appropriate digest.
==============================================================================

Digest Name:  Daily Security Bulletins Digest
    Created:  Mon Sep 20  3:00:03 PDT 1999

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX9909-103   Security Vulnerability in CDE ttsession (Rev.01)

The documents are listed below.
------------------------------------------------------------------------------

Document ID:  HPSBUX9909-103
Date Loaded:  19990919
      Title:  Security Vulnerability in CDE ttsession (Rev.01)

-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00103, 14 Sep. 99
Last Revised: 20 Sep. 99
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:  ttsession uses weak RPC authentication mechanism

PLATFORM: HP-9000 Series 700/800 HP-UX releases 10.X & 11.00 running CDE.

DAMAGE:   Allows remote and local users to execute programs with the
          privileges of the running ttsession.

SOLUTION: **REVISED 01**
          Install the applicable patch.

AVAILABILITY: The patches for 10.2X and 11.00 are available now.
          NOTE: This bulletin will be revised when other patches
                are available.
CHANGE SUMMARY: This revision affects only HP-UX release 10.24.
-------------------------------------------------------------------------
I.
   A. Background
      This problem has been reported in CERT Advisory CA-99-11.

      The advisory reports four vulnerabilities:

        #1: ToolTalk ttsession uses weak RPC authentication mechanism
        #2: CDE dtspcd relies on file-system based authentication
        #3: CDE dtaction buffer overflow
        #4: CDE ToolTalk shared library buffer overflow in TT_SESSION

      With the patches recommended in previous security bulletins
      HP-UX releases 10.X and 11.00 are not vulnerable to #2, #3, nor #4.

      To avoid vulnerability #1 install the applicable patch below.

   B. Fixing the problem - Install the applicable patch:
              HP-UX release 10.10      In progress;
              HP-UX release 10.20      PHSS_19747;
------->>>>   HP-UX release 10.24      PHSS_19819;
              HP-UX release 11.00      PHSS_19748.

      Note:  HP-UX release 10.30 was a development release prior to
             the availability of HP-UX release 11.00.  HP-UX release
             10.30 will not be patched.

   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP Electronic Support Center via electronic
      mail, do the following:

      Use your browser to get to the HP Electronic Support Center page
      at:

        http://us-support.external.hp.com
               (for US, Canada, Asia-Pacific, & Latin-America)
        http://europe-support.external.hp.com     (for Europe)

      Login with your user ID and password (or register for one).
      Remember to save the User ID assigned to you, and your password.
      Once you are in the Main Menu:
      To -subscribe- to future HP Security Bulletins,
        click on "Support Information Digests".
      To -review- bulletins already released from the main Menu,
        click on the "Search Technical Knowledge Database."

      Near the bottom of the next page, click on "Browse the HP
      Security Bulletin Archive".
      Once in the archive there is another link to our current Security
      Patch Matrix.  Updated daily, this matrix categorizes security
      patches by platform/OS release, and by bulletin topic.

      The security patch matrix is also available via anonymous ftp:

      us-ffs.external.hp.com
      ~ftp/export/patches/hp-ux_patch_matrix

   D. To report new security vulnerabilities, send email to

       security-alert@hp.com

      Please encrypt any exploit information using the security-alert
      PGP key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.

     Permission is granted for copying and circulating this Bulletin to
     Hewlett-Packard (HP) customers (or the Internet community) for the
     purpose of alerting them to problems, if and only if, the Bulletin
     is not edited or changed in any way, is attributed to HP, and
     provided such reproduction and/or distribution is performed for
     non-commercial purposes.

     Any other use of this information is prohibited. HP is not liable
     for any misuse of this information by any third party.
________________________________________________________________________

-----End of Document ID:  HPSBUX9909-103--------------------------------------

[End Hewlett-Packard Company Update]

IBM Corporation

All releases of AIX version 4 are vulnerable to vulnerabilities #1, #3, and 
#4. AIX is not vulnerable to #2. The following APARs will be available 
soon: 

      AIX 4.1.x:  IY03125  IY03847
      AIX 4.2.x:  IY03105  IY03848
      AIX 4.3.x:  IY02944  IY03849

Customers that do not require the CDE desktop functionality can disable CDE 
by restricting access to the CDE daemons and removing the dt entry from 
/etc/inittab. Run the following commands as root to disable CDE: 

      # /usr/dt/bin/dtconfig -d
      # chsubserver -d -v dtspc
      # chsubserver -d -v ttdbserver
      # chsubserver -d -v cmsd
      # chown root.system /usr/dt/bin/*
      # chmod 0 /usr/dt/bin/*

For customers that require the CDE desktop functionality, a temporary fix 
is available via anonymous ftp from: 

ftp://aix.software.ibm.com/aix/efixes/security/cdecert.tar.Z 

   Filename        sum             md5
   =================================================================
   dtaction_4.1    32885    18     82af470bbbd334b240e874ff6745d8ca
   dtaction_4.2    52162    18     b10f21abf55afc461882183fbd30e602
   dtaction_4.3    56550    19     6bde84b975db2506ab0cbf9906c275ed
   libtt.a_4.1     29234  2132     f5d5a59956deb8b1e8b3a14e94507152
   libtt.a_4.2     21934  2132     73f32a73873caff06057db17552b8560
   libtt.a_4.3     12154  2118     b0d14b9fe4a483333d64d7fd695f084d
   ttauth          56348    31     495828ea74ec4c8f012efc2a9e6fa731
   ttsession_4.1   19528   337     bfac4a06b90cbccc0cd494a44bd0ebc9
   ttsession_4.2   46431   338     05949a483c4e390403055ff6961b0816
   ttsession_4.3   54031   339     e1338b3167c7edf899a33520a3adb060

NOTE - This temporary fix has not been fully regression tested. Use the 
following steps (as root) to install the temporary fix. 

   1. Uncompress and extract the fix.

      # uncompress < cdecert.tar.Z | tar xf -
      # cd cdecert

   2. Replace the vulnerable executables with the temporary fix for
      your version of AIX.

      # (cd /usr/dt/lib && mv libtt.a libtt.a.before_security_fix)
      # (cd /usr/dt/bin && mv ttsession ttsession.before_security_fix)
      # (cd /usr/dt/bin && mv dtaction dtaction.before_security_fix)
      # chown root.system /usr/dt/lib/libtt.a.before_security_fix
      # chown root.system /usr/dt/bin/ttsession.before_security_fix
      # chown root.system /usr/dt/bin/dtaction.before_security_fix
      # chmod 0 /usr/dt/lib/libtt.a.before_security_fix
      # chmod 0 /usr/dt/bin/ttsession.before_security_fix
      # chmod 0 /usr/dt/bin/dtaction.before_security_fix
      # cp ./libtt.a_ /usr/dt/lib/libtt.a
      # cp ./ttsession_ /usr/dt/bin/ttsession
      # cp ./dtaction_ /usr/dt/bin/dtaction
      # cp ./ttauth /usr/dt/bin/ttauth
      # chmod 555 /usr/dt/lib/libtt.a
      # chmod 555 /usr/dt/bin/ttsession
      # chmod 555 /usr/dt/bin/dtaction
      # chmod 555 /usr/dt/bin/ttauth
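
The steps above copy the replacement files into place as root without using the checksum table. As an added example (not part of the advisory and not IBM's code), the script below checks the four files for one AIX level against the md5 column before any cp is run. It assumes an md5sum utility is available; the function names and the script name are illustrative.

```sh
#!/bin/sh
# Added example, not IBM's or CERT's code. Checks the extracted cdecert files
# for one AIX level against the md5 column of the advisory's table.
# Assumption: an md5sum(1) utility is on PATH; substitute another MD5 tool in
# md5_of() where it is not.

# "Filename md5" pairs copied from the advisory's table.
ADVISORY_MD5='dtaction_4.1 82af470bbbd334b240e874ff6745d8ca
dtaction_4.2 b10f21abf55afc461882183fbd30e602
dtaction_4.3 6bde84b975db2506ab0cbf9906c275ed
libtt.a_4.1 f5d5a59956deb8b1e8b3a14e94507152
libtt.a_4.2 73f32a73873caff06057db17552b8560
libtt.a_4.3 b0d14b9fe4a483333d64d7fd695f084d
ttauth 495828ea74ec4c8f012efc2a9e6fa731
ttsession_4.1 bfac4a06b90cbccc0cd494a44bd0ebc9
ttsession_4.2 05949a483c4e390403055ff6961b0816
ttsession_4.3 e1338b3167c7edf899a33520a3adb060'

# md5_of FILE: print only the hex digest of FILE.
md5_of() {
    md5sum "$1" | awk '{ print $1 }'
}

# expected_md5 MANIFEST NAME: print the digest listed for NAME.
# Returns non-zero when NAME does not appear in MANIFEST.
expected_md5() {
    printf '%s\n' "$1" |
        awk -v n="$2" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# verify_efix DIR LEVEL [MANIFEST]
# DIR is the extracted cdecert directory, LEVEL is 4.1, 4.2 or 4.3.
# Every file the install step copies must be listed, present and matching;
# anything else makes the function return 1 so the caller can stop.
verify_efix() {
    dir=$1
    level=$2
    manifest=${3:-$ADVISORY_MD5}
    rc=0
    for name in "libtt.a_$level" "ttsession_$level" "dtaction_$level" ttauth; do
        if ! want=$(expected_md5 "$manifest" "$name"); then
            echo "UNLISTED $name (no digest published for it)" >&2
            rc=1
            continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            rc=1
            continue
        fi
        got=$(md5_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got, want $want)" >&2
            rc=1
        fi
    done
    return $rc
}

# Hypothetical invocation: sh verify_cdecert.sh ./cdecert 4.3
if [ "$#" -eq 2 ]; then
    verify_efix "$1" "$2"
fi
```

Run it after step 1 and continue to step 2 only when it exits with status 0.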

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the 
FixDist program), or from the IBM Support Center. For more information on 
FixDist, and to obtain fixes via the Internet, please reference 

http://techsupport.services.ibm.com/support/rs6000.support/downloads 

or send electronic mail to "aixserv@austin.ibm.com" with the word "FixDist" 
in the "Subject:" line. To facilitate ease of ordering all security related 
APARs for each AIX release, security fixes are periodically bundled into a 
cumulative APAR. For more information on these cumulative APARs including 
last update and list of individual fixes, send electronic mail to 
"aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in the 
"Subject:" line. 

Santa Cruz Operation, Inc.

SCO is investigating these vulnerabilities on SCO UnixWare 7. Other SCO 
products (OpenServer 5.0.x, UnixWare 2.1.x, Open Server / Open Desktop 3.0 
and CMW+) are not vulnerable as CDE is not a component of these releases. 

SCO will make patches and status information available at 

http://www.sco.com/security. 

Silicon Graphics, Inc.

SGI acknowledges the CDE vulnerabilities reported and is currently 
investigating. No further information is available at this time. As further 
information becomes available, additional advisories will be issued via the 
normal SGI security information distribution methods including the wiretap 
mailing list. 
Until SGI has more definitive information to provide, customers are 
encouraged to assume all security vulnerabilities as exploitable and take 
appropriate steps according to local site security policies and 
requirements. 

The SGI Security Headquarters Web page is accessible at the URL 

http://www.sgi.com/Support/security/security.html 

Sun Microsystems, Inc.

Vulnerability #1: 

Systems running Solaris 7, 2.6, and systems running Solaris 2.5.1, 2.5, and 
2.4 installed with CDE are vulnerable if the UNIX authentication mechanism 
(default) is used. Sun recommends that sites using CDE use DES as the 
authentication mechanism. To set the authentication mechanism to DES, use 
the ttsession command with the '-a' option and specify 'des' as the 
argument (see ttsession(1) for more information). The use of DES 
authentication also requires that the system uses Secure NFS, NIS+, or 
keylogin. For more information about Secure NFS, NIS+, or keylogin, please 
see the System Administration Guide, Volume II. Information is also 
available at: 

http://docs.sun.com:80/ab2/coll.47.8/SYSADV2/@Ab2PageView/34908?DwebQuery=secure+rpc 

Sun is producing patches for this vulnerability that will not require the 
use of the DES authentication mechanism. 

Vulnerability #2: 

The following patches are available: 

    CDE version		SunOS version			Patch ID	
    ___________		_____________			_________

    1.3			5.7				108221-01 
    1.3_x86		5.7_x86				108222-01 
    1.2			5.6				108199-01 
    1.2_x86		5.6_x86				108200-01
    1.0.2		5.5.1, 5.5, 5.4			108205-01 
    1.0.2_x86		5.5.1_x86, 5.5_x86, 5.4_x86	108206-01  
    1.0.1		5.5, 5.4			108252-01 
    1.0.1_x86		5.5_x86, 5.4_x86		108253-01 

Vulnerability #3: 

The following patches are available: 

    CDE version		SunOS version			Patch ID	
    ___________		_____________			_________
    
    1.3			5.7				108219-01 
    1.3_x86		5.7_x86				108220-01  
    1.2			5.6				108201-01 
    1.2_x86		5.6_x86				108202-01

Patches for CDE versions 1.0.2 and 1.0.1 are in progress. 

Vulnerability #4: 

The following patches are available:

    SunOS version	Patch ID
    _____________	_________

    5.7			107893-02
    5.7_x86		107894-02

Patches for other supported versions are in progress.
_____________________________________________________________________________

The CERT Coordination Center would like to thank Job de Haas for reporting
these vulnerabilities and working with the vendors to effect fixes.  We would
also like to thank Solutions Atlantic for their efforts in coordinating 
vendor solutions.
______________________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-99-11-CDE.html 
_____________________________________________________________________________

CERT/CC Contact Information
   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
   CERT® Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday 
through Friday; they are on call for emergencies during other hours, on U.S. 
holidays, and on weekends. 

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our 
public PGP key is available from 
http://www.cert.org/CERT_PGP.key 
If you prefer to use DES, please call the CERT hotline for more information. 

Getting security information

CERT publications and other security information are available from our web 
site 
http://www.cert.org/ 
To be added to our mailing list for advisories and bulletins, send email to 
cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the 
subject of your message. 
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in 
http://www.cert.org/legal_stuff.html 
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and 
Trademark Office. 
_____________________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software 
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon 
University makes no warranties of any kind, either expressed or implied as to 
any matter including, but not limited to, warranty of fitness for a particular 
purpose or merchantability, exclusivity or results obtained from use of the 
material. Carnegie Mellon University does not make any warranty of any kind 
with respect to freedom from patent, trademark, or copyright infringement. 
_____________________________________________________________________________

Revision History 
Oct 04, 1999:  Updated vendor information for Sun Microsystems, Inc.
Oct 01, 1999:  Added vendor information for Data General
Sep 13, 1999:  Initial release
         
[End CERT Advisory]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of the CERT Coordination Center 
and the Hewlett-Packard Company for the information contained in this 
bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (198.128.39.53)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name 
  e.g., subscribe ciac-notes 

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-063: Domain Name System (DNS) Denial of Service (DoS) Attacks
J-064: ActiveX Controls, Scriptlet.typlib & Eyedog, Vulnerabilities
J-065: Wu-ftpd Vulnerability
J-066: FreeBSD File Flags and Man-In-The-Middle Attack
J-067: Profiling Across FreeBSD Exec Calls
J-068: FreeBSD Vulnerabilities in wu-ftpd and proftpd
J-069: SunOS LC_MESSAGES Environment Variable Vulnerability
J-070: Microsoft Windows 95 and 98 Telnet Client Vulnerability
J-071: Buffer Overflow Vulnerability in amd
J-072: IBM AIX Buffer Overflow Vulnerability


