*******ENTERCEPT RICOCHET ADVISORY*******

Date: Monday, August 12, 2002
Issue: Multi-Vendor CDE ToolTalk Database Server Remote Buffer Overflow Vulnerability

DETAILS:

The ToolTalk component allows applications to communicate with each other via remote procedure calls (RPC) across different hosts and platforms. The ToolTalk RPC database server manages connections between ToolTalk applications. Most Unix environments include CDE and ToolTalk in their default installations.

The _TT_CREATE_FILE procedure in the ToolTalk RPC database server is vulnerable to a buffer overflow. In most environments this is a heap buffer overflow, so current non-executable stack protection mechanisms do not prevent exploitation.

A successful attack exploiting this buffer overflow vulnerability would enable the attacker to run code with the privileges of the ToolTalk RPC database server, which typically runs as root. Unsuccessful exploitation can still cause a denial of service on a vulnerable system.

VENDORS AFFECTED:

- Caldera
- Compaq Computer Corporation
- Cray Inc.
- Data General
- Fujitsu
- Hewlett Packard
- IBM
- SGI
- Sun Microsystems Inc.
- The Open Group
- Xi Graphics

Entercept worked directly with CERT (Computer Emergency Response Team) to ensure that the vendors had the technical details necessary to develop their patches and issue security advisories. The CERT advisory will be available at:
http://www.cert.org/advisories/CA-2002-26.html

ACKNOWLEDGEMENTS/INFORMATION RESOURCES:

This vulnerability was discovered and researched by Sinan Eren of the Entercept Ricochet Team.

ABOUT ENTERCEPT RICOCHET:

Entercept's Ricochet team is a specialized group of security researchers dedicated to identifying, assessing, and evaluating intelligence regarding server threats. The Ricochet team researches current and future avenues of attack and builds this knowledge into Entercept's intrusion prevention solution. Ricochet is dedicated to providing critical, viable security content via security advisories and technical briefs. This content is designed to educate organizations and security professionals about the nature and severity of Internet security threats, vulnerabilities and exploits.

Copyright Entercept Security Technologies. All rights reserved. Entercept and the Entercept logo are trademarks of Entercept Security Technologies. All other trademarks, trade names or service marks are the property of their respective owners.

DISCLAIMER STATEMENT:

The information in this bulletin is provided by Entercept Security Technologies, Inc. ("Entercept") and is intended to provide information on a particular security issue or incident. Given that each exploitation technique is unique, Entercept makes no claim to prevent any specific exploit related to the vulnerability discussed in this bulletin. Entercept expressly disclaims any and all warranties with respect to the information provided in this bulletin, express or implied or otherwise, including, but not limited to, warranty of fitness for a particular purpose. Under no circumstances may this information be used to exploit vulnerabilities in any other environment.

http://www.entercept.com/news/uspr/08-12-02.asp

###