
Buffer Flaw Found in ToolTalk

Written By
Jim Wagner
Aug 13, 2002

A remotely accessible service included in a popular Unix and Linux desktop
environment has a buffer overflow vulnerability, according to a group that
publicized the flaw Monday.

The Common Desktop Environment (CDE) ToolTalk database server program, found on
most Unix systems around the world, can be hacked into, letting unauthorized
snoops collect personal information, gain root access to the server and
establish back door access.

A team of security experts from Entercept Security Technologies found the
bug and reported it to the Computer Emergency Response Team (CERT), which
then contacted vendors. The equipment and software vendors affected by the
vulnerability are listed below, with the fixes they recommend where
available:

  • Caldera (patch on its site)
  • Compaq Computer
  • Cray (remove the “/opt/ctl/bin/rpc.ttdbserverd” binary)
  • Data General
  • Fujitsu
  • Hewlett-Packard (investigating)
  • IBM (download patch)
  • SGI (investigating)
  • Sun Microsystems (download patch, when available)
  • The Open Group
  • Xi Graphics (download patch)

CERT officials said administrators should disable or block remote access to
ToolTalk until systems have been updated.

The Entercept team found the software glitch by sending the _TT_CREATE_FILE
procedure more data than it was built to hold, causing the server to crash.
They were then able to execute code carried in the overflow data, giving them
“root” access to the server.

Even an unsuccessful buffer overflow attempt isn’t good news, according to
the team, which reported that an “unsuccessful exploitation can still cause
denial of service on a vulnerable system.”
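The overflow described above, together with the fail-closed handling that prevents both the root compromise and the crash, as an added C illustration that is not ToolTalk's or rpc.ttdbserverd's own code; the handler names, the request layout and the buffer size are assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not ToolTalk source. Models a server-side RPC handler
 * that copies a caller-supplied file path into a fixed-size stack buffer.
 * The handler names and PATH_BUF are assumptions for the example. */

#define PATH_BUF 256   /* assumed size of the handler's local buffer */

/* Vulnerable pattern: the remote string's length is never checked before
 * the copy, so a path longer than PATH_BUF overwrites adjacent stack memory.
 * A merely over-long input crashes the process (the denial of service the
 * article mentions). Shown only for contrast with the checked version. */
static int create_file_unchecked(const char *remote_path)
{
    char path[PATH_BUF];
    strcpy(path, remote_path);            /* unbounded copy */
    return (int)strlen(path);             /* stand-in for "create the file" */
}

/* Hardened pattern: bound the scan to the destination size, refuse anything
 * that does not fit, and return an error reply instead of truncating
 * silently or letting the server crash. */
static int create_file_checked(const char *remote_path, char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    /* memchr reads at most outlen bytes, unlike strlen on a remote string */
    const char *nul = memchr(remote_path, '\0', outlen);
    if (nul == NULL)                      /* no terminator in range: too long */
        return -1;
    size_t n = (size_t)(nul - remote_path);
    memcpy(out, remote_path, n + 1);      /* n < outlen, so the copy fits */
    return (int)n;
}

int main(void)
{
    char out[PATH_BUF];
    char big[PATH_BUF * 3];
    memset(big, 'A', sizeof big - 1);     /* constructed over-long argument */
    big[sizeof big - 1] = '\0';

    printf("short path: %d\n", create_file_checked("/tmp/demo.txt", out, sizeof out));
    printf("over-long path: %d\n", create_file_checked(big, out, sizeof out));
    return 0;
}
```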

Components of the CDE ToolTalk program have come under the microscope often
this year. In April, two vulnerabilities were found: the first was faulty
validation of a file argument sent to _TT_ISCLOSE(); the other was a flaw
that couldn’t tell the difference between a real file and a symbolic link.
Both were patched.
