RISE-2009001 ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow Vulnerability http://risesecurity.org/advisories/RISE-2009001.txt Published: June 19, 2009 Updated: June 19, 2009 INTRODUCTION There exists a vulnerability within a function of the ToolTalk database server (rpc.ttdbserverd), which when properly exploited can lead to remote compromise of the vulnerable system. This vulnerability was confirmed by us in the following versions of operating systems, other operating systems and versions may be also affected. IBM AIX Version 6.1.3 IBM AIX Version 6.1.2 IBM AIX Version 6.1.1 IBM AIX Version 6.1.0 IBM AIX Version 5.3.10 IBM AIX Version 5.3.9 IBM AIX Version 5.3.8 IBM AIX Version 5.3.7 IBM AIX Version 5.3.0 IBM AIX Version 5.2.0 IBM AIX Version 5.1.0 To determine whether the ToolTalk database server is running on a host, use the "rpcinfo" command to print a list of the RPC services running on it, as: $ rpcinfo -p hostname The remote program number for the ToolTalk database server is 100083. If an entry exists for this program, then the ToolTalk database server is running on the system. 100083 1 tcp 32768 ttdbserver DETAILS As computer users increasingly demand that independently developed applications work together, inter-operability is becoming an important theme for software developers. By cooperatively using each other's facilities, inter-operating applications offer users capabilities that would be difficult to provide in a single application. The ToolTalk service is designed to facilitate the development of inter-operating applications that serve individuals and work groups. The following ToolTalk service components work together to provide inter-application communication and object information management: * ttsession is the ToolTalk communication process. This process joins together senders and receivers that are either using the same X server or interested in the same file. One ttsession communicates with other ttsessions when a message needs to be delivered to an application in another session. * rpc.ttdbserverd is the ToolTalk database server process. One rpc.ttdbserverd is installed on each machine which contains a disk partition that stores files of interest to ToolTalk clients or files that contain ToolTalk objects. File and ToolTalk object information is stored in a records database managed by rpc.ttdbserverd. * libtt is the ToolTalk application programming interface (API) library. Applications include the API library in their program and call the ToolTalk functions in the library. The ToolTalk service uses the Remote Procedure Call (RPC) to communicate between these ToolTalk components. Applications provide the ToolTalk service with process and object type information. This information is stored in an XDR format file, which is referred to as the ToolTalk Types Database in this manual. The vulnerable function _tt_internal_realpath() does not validate user supplied data when copying it to a stack-based buffer using strcpy(), resulting in a stack-based buffer overflow. The exploitation of this vulnerability is trivial and results in remote compromise of the vulnerable system. This vulnerability can be triggered by calling remote procedure 15 of ToolTalk database server with a large XDR-encoded ASCII string as its argument. Breakpoint 1, 0xd37b2200 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o) (gdb) where #0 0xd37b2200 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o) #1 0xd37af9f0 in _tt_get_realpath__FPcT1 () from /usr/lib/libtt.a(shr.o) #2 0xd37b00b4 in _tt_realpath () from /usr/lib/libtt.a(shr.o) #3 0xd37b287c in _Tt_file_system::bestMatchToPath () from /usr/lib/libtt.a(shr.o) #4 0x1001ca50 in ?? () ... (gdb) stepi 0xd37b2240 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o) (gdb) x/i $pc 0xd37b2240: bl 0xd3793080 (gdb) x/s $r4 0x200aa4a8: "/hom\e/root/", 'A' ... (gdb) stepi 0xd3793080 in strcpy () from /usr/lib/libtt.a(shr.o) (gdb) step Single stepping until exit from function strcpy, which has no line number information. 0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o) (gdb) where #0 0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o) #1 0xaabbccdd in ?? () (gdb) A proof of concept code for this vulnerability can be downloaded from our website at http://risesecurity.org/. VENDOR IBM has released advisory and fixes for this vulnerability: http://aix.software.ibm.com/aix/efixes/security/libtt_advisory.asc http://aix.software.ibm.com/aix/efixes/security/libtt_fix.tar CREDITS This vulnerability was discovered by Adriano Lima and Ramon de Carvalho Valle . DISCLAIMER The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected.