CERT Reports Flaws in Compaq GUI

Two vulnerabilities were discovered Wednesday in the Common Desktop
Environment (CDE) ToolTalk RPC database server that could allow hackers to
delete files or cause a denial-of-service (DoS) attack (define).


CDE is an integrated graphical user interface (define)
that runs on UNIX and Linux operating systems, and is widely installed as a
default program.


The ToolTalk service allows independently developed applications to
communicate with each other. Using ToolTalk, applications can create open
protocols that allow different programs to be interchanged, and new programs
to be plugged into the system with minimal reconfiguration.


The ToolTalk RPC database server manages communication between ToolTalk
applications. Sun, Hewlitt-Packard, Compaq, Caldera, IBM, and Xi Graphics
have all admitted to susceptibility on some on their machines.


The first vulnerability results from improper checks on user-supplied RPC
arguments. By issuing a specially crafted call to the procedure, a remote
attacker could overwrite certain locations in memory with zeros. Using a
combination of techniques, an attacker could delete any file that is
accessible by the ToolTalk RPC database server. Overwriting memory or
deleting files could cause a denial of service. It may also be possible to
execute arbitrary code and commands.


The second vulnerability stems from inadequate validation of file
operations. The ToolTalk RPC database server does not ensure that the target
of a file write operation is a valid file and not a symbolic link. This
could allow a hacker to overwrite any file with contents of his or her
choice, since the list of transaction records to log is passed by the client
program.


Despite the fact that no one is believed to have exploited the vulnerabilities
yet, Ivan Arce, CTO of Core Security Technologies, whose firm discovered the
vulnerability, believes the threat to be very serious.


“As far as we know it is not being exploited in the wild,” said Arce. “It
is very serious though because it effects almost every UNIX out there and it
provides remote privileged access. It’s in a service that shouldn’t be
accessed by untrusted parties — that could be a very bad situation.”


Vendors with vulnerable systems have provided patching information on their
security sites, as well as on the CERT Coordination
Center site
. According to officials at CORE Security Services, if
patches are not yet available from a particular vendor, admins should block
access from untrusted networks to the ToolTalk Database server program and
disable the vulnerable service.


This is not the first instance of a security threat through a vulnerability
in the CDE. A vulnerability first discovered in November of last year was
reported to be widely
exploited
on Solaris systems.

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web