|
Brought to you by:
Suppliers of:
|
|
|
| |
| There exists a vulnerability within a function of the ToolTalk database server (rpc.ttdbserverd), which when properly exploited can lead to remote compromise of the vulnerable system. |
| |
Credit:
The information has been provided by Adriano Lima and Ramon de Carvalho Valle.
The original article can be found at: http://risesecurity.org/advisories/RISE-2009001.txt
|
| |
Vulnerable Systems:
* IBM AIX version 6.1.3
To determine whether the ToolTalk database server is running on a host, use the "rpcinfo" command to print a list of the RPC services running on it, as:
$ rpcinfo -p hostname
The remote program number for the ToolTalk database server is 100083. If an entry exists for this program, then the ToolTalk database server is running on the system. 100083 1 tcp 32768 ttdbserver
The following ToolTalk service components work together to provide inter-application communication and object information management:
* ttsession is the ToolTalk communication process. This process joins together senders and receivers that are either using the same X server or interested in the same file. One ttsession communicates with other ttsessions when a message needs to be delivered to an application in another session.
* rpc.ttdbserverd is the ToolTalk database server process. One rpc.ttdbserverd is installed on each machine which contains a disk partition that stores files of interest to ToolTalk clients or files that contain ToolTalk objects. File and ToolTalk object information is stored in a records database managed by rpc.ttdbserverd.
* libtt is the ToolTalk application programming interface (API) library. Applications include the API library in their program and call the ToolTalk functions in the library.
The ToolTalk service uses the Remote Procedure Call (RPC) to communicate between these ToolTalk components.
Applications provide the ToolTalk service with process and object type information. This information is stored in an XDR format file, which is referred to as the ToolTalk Types Database in this manual.
The vulnerable function _tt_internal_realpath() does not validate user supplied data when copying it to a stack-based buffer using strcpy(), resulting in a stack-based buffer overflow. The exploitation of this vulnerability is trivial and results in remote compromise of the vulnerable system.
This vulnerability can be triggered by calling remote procedure 15 of ToolTalk database server with a large XDR-encoded ASCII string as its argument.
Breakpoint 1, 0xd37b2200 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o) (gdb) where
#0 0xd37b2200 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#1 0xd37af9f0 in _tt_get_realpath__FPcT1 () from /usr/lib/libtt.a(shr.o)
#2 0xd37b00b4 in _tt_realpath () from /usr/lib/libtt.a(shr.o)
#3 0xd37b287c in _Tt_file_system::bestMatchToPath () from /usr/lib/libtt.a(shr.o)
#4 0x1001ca50 in ?? ()
...
(gdb) stepi
0xd37b2240 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
(gdb) x/i $pc
0xd37b2240: bl 0xd3793080
(gdb) x/s $r4
0x200aa4a8: "/hom\e/root/", 'A' <repeats 189 times>...
(gdb) stepi
0xd3793080 in strcpy () from /usr/lib/libtt.a(shr.o)
(gdb) step
Single stepping until exit from function strcpy, which has no line number information.
0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
(gdb) where
#0 0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#1 0xaabbccdd in ?? () (gdb)
Patch Availability:
IBM has released advisory and fixes for this vulnerability:
http://aix.software.ibm.com/aix/efixes/security/libtt_advisory.asc
http://aix.software.ibm.com/aix/efixes/security/libtt_fix.tar
|
|
|
|
|
