CERT: Flaw could allow root access in some Unix, Linux systems
Computerworld.com | August 12, 2002 | Sam Costello

Posted on 08/12/2002 5:37:10 PM PDT by Bush2000

A buffer overflow in the ToolTalk RPC database server used in the Common Desktop Environment (CDE) on systems from vendors such as Sun Microsystems Inc. and IBM could allow an attacker to run code with root privileges, according to a security alert released today by the CERT Coordination Center (CERT/CC). CDE is a graphical interface used on Unix and some Linux systems. The ToolTalk component of the software allows applications to communicate with each other across different platforms and hosts via remote procedure calls (RPC). The RPC database server manages those communications.

The vulnerability comes from a buffer overflow -- an attack in which the amount of memory assigned to an application or process is overrun, often with unpredictable results -- in the _TT_CREATE_FILE procedure in the ToolTalk RPC database server, according to CERT/CC. Based at Carnegie Mellon University in Pittsburgh, CERT/CC is a federally funded computer and network security organization that frequently coordinates the release and repair of software security holes.

By sending a specially crafted RPC message to the vulnerable component, an attacker could gain the ability to run code on the target system with the same privileges as the ToolTalk server, which are usually root, CERT/CC said. Even if an attacker wasn't able to run code, the attack would cause a denial of service, CERT/CC said.

CDE is included in software from IBM, Hewlett-Packard Co., Sun, Silicon Graphics Inc. and others. Users should check with their vendors on whether their systems are vulnerable and for patch status and availability.

More information about the vulnerability, including a list of affected software, work-arounds and patches, can be found in CERT/CC's advisory.


TOPICS: Business/Economy; Front Page News; Technical
KEYWORDS: computersecurityin; hole; linux; security; unix
I'm shocked, shocked, shocked!!!
1 posted on 08/12/2002 5:37:10 PM PDT by Bush2000
[ Post Reply | Private Reply | View Replies]

To: Bush2000
Bah. Who runs CDE anyway? Someone should gracefully kill that pile of poop.
2 posted on 08/12/2002 5:45:31 PM PDT by lelio
[ Post Reply | Private Reply | To 1 | View Replies]

To: lelio
I agree. It looks too much like Windows. (BTW, any sysadmin knows to disable tooltalk and CDE on a server.) It's a good thing Unix administrators are generally more knowledgeable than the Microsoft guys.
3 posted on 08/12/2002 6:03:15 PM PDT by wienerdog.com
[ Post Reply | Private Reply | To 2 | View Replies]

To: wienerdog.com
ANYONE running CDE on their servers deserves everything they get...CDE, pfft...real men use CLI
4 posted on 08/12/2002 6:42:24 PM PDT by Michael Barnes
[ Post Reply | Private Reply | To 3 | View Replies]

To: unix
It's best to stick to a text-based UI. Actually, with sshd on the server, why should it have any display at all? Shut all that junk off in inet.d, and keep up with the patches. Bill Gates would do well to separate the OS out from that gay GUI of theirs. I resent clicking four dozen menus when you could do something in about two seconds from the command line.
5 posted on 08/12/2002 6:53:43 PM PDT by wienerdog.com
[ Post Reply | Private Reply | To 4 | View Replies]

To: wienerdog.com
yeppers...!
6 posted on 08/12/2002 7:09:41 PM PDT by Michael Barnes
[ Post Reply | Private Reply | To 5 | View Replies]

To: *Computer Security In
http://www.freerepublic.com/perl/bump-list
7 posted on 08/12/2002 8:22:59 PM PDT by Libertarianize the GOP
[ Post Reply | Private Reply | To 6 | View Replies]

To: Bush2000
CDE is one of the first things I obliterate on a server.
8 posted on 08/12/2002 10:53:57 PM PDT by SoDak
[ Post Reply | Private Reply | To 1 | View Replies]

To: unix; lelio
ANYONE running CDE on their servers deserves everything they get...CDE, pfft...real men use CLI

Hypocrites. If somebody runs some Windows middleware component which turns out to have an exploit, you trash the entire OS. Can't you get your story straight?
9 posted on 08/12/2002 11:18:35 PM PDT by Bush2000
[ Post Reply | Private Reply | To 4 | View Replies]

To: Bush2000
The difference is that a Unix admin actually has the ability to either turn off or restrict remote access to these components. Indeed all of the current Unix distros that I'm aware of already restrict remote access to the local machine for X apps (that includes CDE.)

Every Unix distro has at least host.allow/host.deny and most have tcpwrappers. Thus I can build a Solaris server and put it on the Internet and restrict X apps and RPC calls to the local net or restrict it to localhost only. This is built in and all modern Unixes restrict X apps to localhost out of the box anyway.

Under Solaris, this can be done without any third-party apps, but using a script like Titan is easier.

Also take note that on Solaris and HP-UX you at least can turn off the graphical front-end, which you cannot under Windows. Windows requires running the graphical interface whether the server needs it or not.

This flaw is serious and needs to be fixed, but the vast majority of sysadmins needn't panic; their systems aren't immediately at risk. Only those systems which have been set up to allow outside access to CDE processes are at risk.

10 posted on 08/12/2002 11:57:39 PM PDT by Knitebane
[ Post Reply | Private Reply | To 9 | View Replies]
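The advisory above says the exposed piece is the ToolTalk RPC database server, and Knitebane's reply says the practical defence is to not run it at all, or to fence it off with hosts.allow/hosts.deny so only localhost or the local net can reach it. The script below is an added example written for this thread, not code from CERT, Computerworld or any poster, and it runs offline against constructed sample data. It audits a host the way an admin would: is ToolTalk still enabled in inetd.conf, is it registered with rpcbind, and would tcpwrappers admit a given client to it. Assumptions not taken from the page: rpc.ttdbserverd registers RPC program number 100083; the inetd.conf, rpcinfo and hosts.allow/hosts.deny contents are constructed samples; and the wrappers matcher is a simplified model (ALL, exact addresses and dotted-prefix networks only, no hostnames, EXCEPT or wildcards).

```shell
#!/bin/sh
# Added example for this thread (not the advisory's or any poster's code).
# Assumption (not on the page): rpc.ttdbserverd registers RPC program 100083.

# Constructed sample inetd.conf with ToolTalk still enabled.
SAMPLE_INETD_ON='# inetd.conf (constructed sample)
ftp     stream tcp nowait root /usr/sbin/in.ftpd   in.ftpd
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd'

# The same file after the ToolTalk line has been commented out.
SAMPLE_INETD_OFF='# inetd.conf (constructed sample)
ftp     stream tcp nowait root /usr/sbin/in.ftpd   in.ftpd
#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd'

# Constructed sample of "rpcinfo -p" output on a host where it is running.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100083    1   tcp  32772
    100068    2   udp  32773  cmsd'

# Constructed hosts.allow / hosts.deny in the spirit of the post: RPC and
# CDE daemons only from localhost and the 10.1.2.0/24 office net, sshd from
# anywhere, everything else refused by default.
SAMPLE_HOSTS_ALLOW='rpc.ttdbserverd, rpc.cmsd : 127.0.0.1, 10.1.2.
sshd : ALL'
SAMPLE_HOSTS_DENY='ALL : ALL'

# tt_inetd_enabled CONF_TEXT -> 0 if an uncommented line starts the ToolTalk
# server, by daemon name or by program number.
tt_inetd_enabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -Eq 'rpc\.ttdbserverd|^100083/'
}

# tt_rpc_registered RPCINFO_TEXT -> 0 if program 100083 is registered with
# rpcbind (i.e. the server has been started at least once).
tt_rpc_registered() {
    printf '%s\n' "$1" | awk '$1 == "100083" { found = 1 } END { exit !found }'
}

# match_pattern PATTERN CLIENT -> 0 if a wrappers-style client pattern
# matches CLIENT. Simplified model: ALL, dotted prefix ("10.1.2."), exact.
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# rule_matches "daemons : clients" DAEMON CLIENT -> 0 if the rule line covers
# both the daemon and the client. Lists may be comma or space separated.
rule_matches() {
    rm_daemons=${1%%:*}
    rm_clients=${1#*:}
    rm_dmatch=1
    for d in $(printf '%s' "$rm_daemons" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$2" ]; then rm_dmatch=0; fi
    done
    [ "$rm_dmatch" -eq 0 ] || return 1
    for c in $(printf '%s' "$rm_clients" | tr ',' ' '); do
        match_pattern "$c" "$3" && return 0
    done
    return 1
}

# wrappers_allows DAEMON CLIENT ALLOW_TEXT DENY_TEXT -> 0 if tcpwrappers would
# admit CLIENT to DAEMON: first match in hosts.allow grants, then first match
# in hosts.deny refuses, otherwise access is granted.
wrappers_allows() {
    wa_daemon=$1; wa_client=$2
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        rule_matches "$line" "$wa_daemon" "$wa_client" && return 0
    done <<EOF
$3
EOF
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        rule_matches "$line" "$wa_daemon" "$wa_client" && return 1
    done <<EOF
$4
EOF
    return 0
}

# tt_audit INETD RPCINFO ALLOW DENY CLIENT -> prints a verdict and returns 0
# only when CLIENT could actually reach rpc.ttdbserverd on this host.
tt_audit() {
    if ! tt_inetd_enabled "$1" && ! tt_rpc_registered "$2"; then
        printf 'not-running\n'; return 1
    fi
    if wrappers_allows rpc.ttdbserverd "$5" "$3" "$4"; then
        printf 'exposed-to-%s\n' "$5"; return 0
    fi
    printf 'wrapped-from-%s\n' "$5"; return 1
}

# Usage on the constructed samples: enabled, but an Internet address is
# refused by the deny-all default while localhost still gets through.
tt_audit "$SAMPLE_INETD_ON" "$SAMPLE_RPCINFO" "$SAMPLE_HOSTS_ALLOW" "$SAMPLE_HOSTS_DENY" 203.0.113.9
tt_audit "$SAMPLE_INETD_ON" "$SAMPLE_RPCINFO" "$SAMPLE_HOSTS_ALLOW" "$SAMPLE_HOSTS_DENY" 127.0.0.1
```

On a real Solaris box you would feed the functions the actual /etc/inet/inetd.conf, the live output of rpcinfo -p and the real hosts.allow/hosts.deny; the "not-running" verdict is the one the posters recommend, and the wrappers check only matters for hosts that must keep ToolTalk for a management front-end.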

To: SoDak
CDE is one of the first things I obliterate on a server.

Indeed, my custom Solaris install script only installs about 18 packages (depending on the type of machine) total. No CDE, no ToolTalk, no sound, nothing but the core OS, networking and storage. Anything else I add as needed.

It amazes me that there are still software packages for Solaris that "require" a full install as part of their system requirements. Generally it's only one or two packages that they need but they are too lazy to find out which ones.

Veritas, Oracle and even Checkpoint do this. I've found that Checkpoint Firewall-1 will install with only the 18 packages in my script. Veritas requires most of the external storage packages and Oracle requires about 30 packages.

I've never built a server with CDE on it, though I've built some specialized workstations that required it. Checkpoint's firewall manager and Cisco's NetRanger controller both need it, although that's only for the management front-ends. On the server side, neither one requires CDE.

The Microsofties will of course go overboard about this, since they can't seem to conceive of a server that doesn't run a graphical front-end.

11 posted on 08/13/2002 12:09:46 AM PDT by Knitebane
[ Post Reply | Private Reply | To 8 | View Replies]

To: Bush2000
Hypocrites. If somebody runs some Windows middleware component which turns out to have an exploit, you trash the entire OS. Can't you get your story straight?

I was just starting to like ya, then you post something moronic like this. See, (l)users, such as yourself on MS products, can't segregate yourself from your maker's desktop, which is after all what we're talking about, right? Unless a middleware/vertical app builds in CLIs, MS is toast when it comes to CLI strengths at the OS level. At the core, you have to add on other apps to make the server even remotely close to a *nix strength when it comes to offering services. Don't call me a hypocrite. I don't like MS for a reason: it makes it harder for me to do my job (offering services to thousands of users). Now, when it comes to gaming, shit....let's go get some WC3 on with my XP box..

12 posted on 08/13/2002 12:21:09 AM PDT by Michael Barnes
[ Post Reply | Private Reply | To 9 | View Replies]

To: Knitebane
The difference is that a Unix admin actually has the ability to either turn off or restrict remote access to these components. Indeed all of the current Unix distros that I'm aware of already restrict remote access to the local machine for X apps (that includes CDE.)

I can't turn off IIS? Or FTP? Or AD? Or Indexing? Or SMTP? Or Telnet? Or Terminal Services? Must be my imagination. Or, more likely, you have no idea what you're talking about. Try booting Windows sometime.
13 posted on 08/13/2002 1:42:57 AM PDT by Bush2000
[ Post Reply | Private Reply | To 10 | View Replies]

To: Bush2000
"I'm shocked, shocked, shocked!!!"

If only they'd written it in Java, none of this could have happened.

ObChuckle: rotflmao

14 posted on 08/13/2002 2:05:21 AM PDT by Don Joe
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
Try booting Windows sometime.

Nein danke!

15 posted on 08/13/2002 7:27:38 AM PDT by B Knotts
[ Post Reply | Private Reply | To 13 | View Replies]

To: Bush2000
Try booting Windows sometime.

Nein danke!

16 posted on 08/13/2002 7:28:11 AM PDT by B Knotts
[ Post Reply | Private Reply | To 13 | View Replies]

To: Bush2000
Try booting Windows sometime.

You mean that OS that runs EVERYTHING as root?
Yeah, much safer.
17 posted on 08/13/2002 7:34:39 AM PDT by dyed_in_the_wool
[ Post Reply | Private Reply | To 13 | View Replies]

To: Knitebane
I run mostly AIX and never use a GUI. CDE and the like are never used. I used to have some UnixWare boxes that required CDE active in order to do emergency recovery, oddly enough. UnixWare was a worthless OS though, for the most part, at least to me. I haven't used Solaris, but I believe I'd like it.
18 posted on 08/13/2002 8:09:35 AM PDT by SoDak
[ Post Reply | Private Reply | To 11 | View Replies]

To: dyed_in_the_wool
You mean that OS that runs EVERYTHING as root? Yeah, much safer.

Obviously, you've never locked down a Windows box, troll. I have. And it ain't running as root.
19 posted on 08/13/2002 9:26:15 AM PDT by Bush2000
[ Post Reply | Private Reply | To 17 | View Replies]

To: Don Joe
If only they'd written it in Java, none of this could have happened.

Welcome back!!!!!! :)
20 posted on 08/13/2002 9:26:55 AM PDT by Bush2000
[ Post Reply | Private Reply | To 14 | View Replies]
