[Am-info] CERT Advisory CA-2001-31 Buffer Overflow in CDE Subprocess Control Service
Fred A. Miller
fm@cupserv.org
Tue, 13 Nov 2001 13:54:18 -0500
Overview
There is a remotely exploitable buffer overflow vulnerability in a
library function used by the CDE Subprocess Control Service. This
vulnerability could be used to crash the service or to execute
arbitrary code with root privileges. This vulnerability is documented
in VU#172583.
I. Description
The Common Desktop Environment (CDE) is an integrated graphical user
interface that runs on UNIX and Linux operating systems. The CDE
Subprocess Control Service (dtspcd) is a network daemon that accepts
requests from clients to execute commands and launch applications
remotely. On systems running CDE, dtspcd is spawned by the Internet
services daemon (typically inetd or xinetd) in response to a CDE
client request. dtspcd is typically configured to run on port 6112/tcp
with root privileges.
For more information about CDE, see
http://www.opengroup.org/cde/
http://www.opengroup.org/desktop/faq/
There is a remotely exploitable buffer overflow vulnerability in a
shared library that is used by dtspcd. During client negotiation,
dtspcd accepts a length value and subsequent data from the client
without performing adequate input validation. As a result, a malicious
client can manipulate data sent to dtspcd and cause a buffer overflow,
potentially executing code with root privileges.
The vulnerability was first reported to us in March 1999, and more
recently by Internet Security Systems (ISS) X-Force. For more
information, see
http://www.kb.cert.org/vuls/id/172583
http://xforce.iss.net/alerts/advise101.php
This vulnerability has been assigned the identifier CAN-2001-0803 by
the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803
Many common UNIX systems ship with CDE installed and enabled by
default. To determine if your system is configured to run dtspcd,
check for the following entries (may be wrapped):
/etc/services
dtspc 6112/tcp
/etc/inetd.conf
dtspc stream tcp nowait root /usr/dt/bin/dtspcd
/usr/dt/bin/dtspcd
Any system that does not run the CDE Subprocess Control Service is not
vulnerable to this problem.
II. Impact
An attacker can execute arbitrary code with root privileges.
III. Solution
Apply a patch
Appendix A contains information from vendors who have provided
information for this advisory. We will update the appendix as we
receive more information. If a vendor's name does not appear, then the
CERT/CC did not hear from that vendor. Please contact your vendor
directly.
Limit access to vulnerable service
Until patches are available and can be applied, you may wish to limit
or block access to the Subprocess Control Service from untrusted
networks such as the Internet. Using a firewall or other
packet-filtering technology, block or restrict access to the port used
by the Subprocess Control Service. As noted above, dtspcd is typically
configured to listen on port 6112/tcp. It may be possible to use TCP
Wrapper or a similar technology to provide improved access control and
logging functionality for dtspcd connections. Keep in mind that
blocking ports at a network perimeter does not protect the vulnerable
service from the internal network. It is important to understand your
network configuration and service requirements before deciding what
changes are appropriate. TCP Wrapper is available from
ftp://ftp.porcupine.org/pub/security/index.html
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
Caldera, Inc.
Caldera Open Unix and UnixWare are vulnerable. Caldera has released
Security Advisory CSSA-2001-SCO.30 (URL wrapped):
ftp://stage.caldera.com/pub/security/openunix/
CSSA-2001-SCO.30/CSSA-2001-SCO.30.txt
Compaq Computer Corporation
Case ID SSRT0782U
Compaq has not been able to reproduce the problem identified in this
advisory for any Compaq OS. However, with the information available,
we are including a code change for Compaq's TRU64 UNIX that will
further reduce any potential overflow vulnerability. This updated code
will be announced when patches are available from the TRU64 UNIX FTP
site and will be included in future releases of TRU64 UNIX. The TRU64
UNIX FTP patch site is at:
http://ftp.support.compaq.com/public/dunix/
To subscribe to automatically receive future NEW Security Advisories
from the Compaq's Software Security Response Team via electronic mail,
use your browser select the URL:
http://www.support.compaq.com/patches/mailing-list.shtml
Select "Security and Individual Notices" for immediate dispatch
notifications directly to your mailbox.
To report new Security Vulnerabilities, send mail to:
security-ssrt@compaq.com
Cray Inc.
UNICOS, UNICOS/mk, and CrayTools are not vulnerable.
Fujitsu
Fujitsu's UXP/V operating system is not vulnerable because it does not
support any CDE components.
Hewlett-Packard Company
The version of dtspcd supplied by HP has a buffer overflow. It is not
clear whether this overflow can be exploited. To be safe HP is
generating patches to fix this overflow on the assumption that it
might be exploitable.
IBM Corporation
IBM addressed a buffer overflow in CDE dtspcd in AIX 4.x around April
1999. See the following APARs for more information (URLs wrapped):
APAR IY06694:
http://techsupport.services.ibm.com/aix/fixes/v4/X11/
X11.Dt.rte.4.3.3.10.info
APAR IX89419 (AIX 4.3.0):
http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&
org=apars&doc=29B5A5858069D8A2852567C90039978E
http://techsupport.services.ibm.com/aix/fixes/v4/X11/
X11.Dt.lib.4.3.2.5.info
APAR IX89893 (AIX 4.2.0):
http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&
org=apars&doc=AAF008DAA07200B6852567CC0049B07D
APAR IX89806 (AIX V4.1 BOS):
http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&
org=apars&doc=446F48D60A887FF0852567CA005C9920
The Open Group
The Open Group maintains source code for the Common Desktop
Environment (CDE). The Open Group is investigating this issue, and
source licensees of The Open Group's CDE product can contact
desktop@opengroup.org for advice regarding this issue.
SGI
SGI acknowledges the CDE vulnerabilities reported by CERT and is
currently investigating. No further information is available at this
time. For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are available
for all vulnerable and supported IRIX operating systems. Until SGI has
more definitive information to provide, customers are encouraged to
assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and
requirements. As further information becomes available, additional
advisories will be issued via the normal SGI security information
distribution methods including the wiretap mailing list.
http://www.sgi.com/support/security/
Sun
The Sun dtspcd daemon is vulnerable to this buffer overflow. Sun is
generating patches to address this issue for all affected and
supported versions of Solaris. Sun will be releasing a Sun Security
Bulletin once the patches are officially released and publicly
available. The patches will be available from:
http://sunsolve.sun.com/securitypatch
Sun Security Bulletins are available from:
http://sunsolve.sun.com/security
Xi Graphics
We have not been able to confirm whether we are vulnerable to this
exploit, however the potential for a buffer overrun is present. We
will provide a patch on our FTP site for DeXtop during the week of
[November] 12th that addresses this issue.
Appendix B. - References
1. http://www.kb.cert.org/vuls/id/172583
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803
3. http://xforce.iss.net/alerts/advise101.php
4. http://www.opengroup.org/cde/
5. http://www.opengroup.org/desktop/faq/
_________________________________________________________________
_________________________________________________________________
The CERT Coordination Center thanks Internet Security Systems (ISS)
X-Force, who published an advisory on this issue.
_________________________________________________________________
Author: Art Manion
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2001-31.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
Revision History
November 12, 2001: initial release
--
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org