RealTime IT News

CERT Reports Flaws in CDE ToolTalk RPC Server

Two vulnerabilities were reported Wednesday in the Common Desktop Environment (CDE) ToolTalk RPC database server that could allow remote attackers to delete files or cause a denial of service (DoS).

CDE is an integrated graphical user interface for UNIX and Linux systems, and it is installed by default on many of them.

The ToolTalk service allows independently developed applications to communicate with each other. Using ToolTalk, applications can define open protocols so that different programs can be swapped for one another, and new programs can be plugged into the system with minimal reconfiguration.

The ToolTalk RPC database server (rpc.ttdbserverd) manages communication between ToolTalk applications. Sun, Hewlett-Packard, Compaq, Caldera, IBM, and Xi Graphics have all confirmed that some of their systems are affected.

The first vulnerability results from improper checks on user-supplied RPC arguments. By sending a specially crafted call to the affected procedure, a remote attacker can overwrite certain locations in the server's memory with zeros. Combined with other techniques, this lets an attacker delete any file that is accessible to the ToolTalk RPC database server. Either the memory corruption or the file deletion can cause a denial of service, and it may also be possible to execute arbitrary code and commands.

The second vulnerability stems from inadequate validation of file operations. Before writing, the ToolTalk RPC database server does not check that the target of the write is a regular file rather than a symbolic link. Because the list of transaction records to be logged is supplied by the client program, an attacker who can plant a symbolic link where the server expects to write can overwrite any file the server has access to, with contents of his or her choosing.
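The following C example is added here to illustrate the class of bug just described; it is not ToolTalk's own code and does not reproduce the server's actual logic. It shows a privileged routine that writes client-supplied records to a client-named path, first in the weak form that follows symbolic links and then in a hardened form that refuses them with O_NOFOLLOW and confirms, via fstat() on the descriptor it actually holds, that it is writing to a regular file. The record text, the victim file content and the scratch directory under /tmp are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed demo values: client-supplied "transaction records" and the content
 * of the file an attacker wants the privileged server to destroy. */
#define RECORDS        "tt_rec 1\ntt_rec 2\n"
#define VICTIM_CONTENT "important data\n"

/* Weak form: open() follows symbolic links, so a symlink at the client-named
 * path makes the server truncate and overwrite whatever the link points at. */
int write_records_weak(const char *path, const char *records)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, records, strlen(records));
    close(fd);
    return n == (ssize_t)strlen(records) ? 0 : -1;
}

/* Hardened form: O_NOFOLLOW makes open() fail with ELOOP when the final path
 * component is a symlink, before any truncation takes place. fstat() is then
 * run on the descriptor we hold, not on the path name, so there is no window
 * between an lstat() check and the open() for an attacker to swap the file. */
int write_records_hardened(const char *path, const char *records)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;                 /* errno == ELOOP: refused a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    ssize_t n = write(fd, records, strlen(records));
    close(fd);
    return n == (ssize_t)strlen(records) ? 0 : -1;
}

/* Scratch setup (constructed for the demo): a victim file plus a symlink
 * "log" -> victim, standing in for the link an attacker would plant. */
static int setup_scratch(char *dir, char *victim, char *lnk, size_t len)
{
    snprintf(dir, len, "%s", "/tmp/ttdb-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, len, "%s/victim", dir);
    snprintf(lnk, len, "%s/log", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return -1;
    fputs(VICTIM_CONTENT, f);
    fclose(f);
    return symlink(victim, lnk);
}

static int file_equals(const char *path, const char *expect)
{
    char buf[128] = {0};
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    (void)n;
    fclose(f);
    return strcmp(buf, expect) == 0;
}

static void cleanup(const char *dir, const char *victim, const char *lnk)
{
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
}

/* Returns 1 if the weak writer, handed the symlink, destroyed the victim file. */
int weak_clobbers_target(void)
{
    char dir[256], victim[256], lnk[256];
    if (setup_scratch(dir, victim, lnk, sizeof dir) < 0) return -1;
    int rc = write_records_weak(lnk, RECORDS);
    int clobbered = (rc == 0) && !file_equals(victim, VICTIM_CONTENT);
    cleanup(dir, victim, lnk);
    return clobbered;
}

/* Returns 1 if the hardened writer refused the symlink (ELOOP) and the victim
 * file is untouched. */
int hardened_refuses_symlink(void)
{
    char dir[256], victim[256], lnk[256];
    if (setup_scratch(dir, victim, lnk, sizeof dir) < 0) return -1;
    int rc = write_records_hardened(lnk, RECORDS);
    int err = errno;                      /* save before other calls clobber it */
    int refused = (rc < 0) && (err == ELOOP) && file_equals(victim, VICTIM_CONTENT);
    cleanup(dir, victim, lnk);
    return refused;
}

/* Returns 1 if the hardened writer still works on a genuine regular file. */
int hardened_writes_regular_file(void)
{
    char dir[256], victim[256], lnk[256];
    if (setup_scratch(dir, victim, lnk, sizeof dir) < 0) return -1;
    int rc = write_records_hardened(victim, RECORDS);   /* real file, no link */
    int ok = (rc == 0) && file_equals(victim, RECORDS);
    cleanup(dir, victim, lnk);
    return ok;
}

int main(void)
{
    printf("weak writer followed the symlink and clobbered the target: %d\n", weak_clobbers_target());
    printf("hardened writer refused the symlink, target intact:        %d\n", hardened_refuses_symlink());
    printf("hardened writer still writes a regular file:               %d\n", hardened_writes_regular_file());
    return 0;
}
```

The point of the hardened form is that the decision is made on the open descriptor rather than on the path: a separate lstat() before open() would close the hole only until an attacker swapped the file for a link between the two calls.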

Although no one is believed to have exploited the vulnerabilities yet, Ivan Arce, CTO of Core Security Technologies, the firm that discovered them, considers the threat very serious.

"As far as we know it is not being exploited in the wild," said Arce. "It is very serious though because it affects almost every UNIX out there and it provides remote privileged access. It's in a service that shouldn't be accessed by untrusted parties -- that could be a very bad situation."

Vendors with vulnerable systems have published patch information on their own security sites and on the CERT Coordination Center site. According to Core Security Technologies, where a patch is not yet available from a particular vendor, administrators should block access to the ToolTalk database server from untrusted networks and disable the vulnerable service until it can be patched.

This is not the first security threat to arise from a vulnerability in CDE. A flaw first disclosed in November of last year was reported to be widely exploited on Solaris systems.