Signature Detail

RPC: TT Malformed RPC Message Format String (TCP)

This signature detects attempts to exploit a known vulnerability against the ToolTalk rpc.ttdbserverd used in Common Desktop Environment (CDE) for Solaris, IRIX, HP-UX, and other platforms. The ToolTalk messaging server uses ttsession and RPC calls to enable communication between independent applications. Attackers can embed arbitrary commands in a maliciously crafted RPC message, causing the server to overflow an automatic variable on the stack, overwrite the activation records stored on the stack, and execute the embedded commands; attackers can gain complete control of server processes.

Extended Description

CDE ships with a daemon called the ToolTalk database server, which allows programs designed for use in CDE to communicate with each other. The server is enabled by default on most systems shipped with CDE. ToolTalk database server contains a remotely exploitable format-string vulnerability. Remote attackers may be able to cause a denial of service or gain root access on the target host.

Affected Products

• Caldera OpenUnix 8.0.0
• Caldera UnixWare 7
• Compaq Digital Unix 4.0.0 f
• Compaq Tru64 4.0.0 g
• Compaq Tru64 5.0.0 a
• Compaq Tru64 5.1.0
• HP HP-UX 10.10.0
• HP HP-UX 10.20.0
• HP HP-UX 11.0.0
• HP HP-UX 11.11.0
• HP HP-UX (VVOS) 10.24.0
• HP HP-UX (VVOS) 11.0.0 4
• IBM AIX 4.3.0
• IBM AIX 4.3.1
• IBM AIX 4.3.2
• IBM AIX 4.3.3
• IBM AIX 5.1
• SGI IRIX 5.2.0
• SGI IRIX 5.3.0
• SGI IRIX 6.0.0
• SGI IRIX 6.0.1
• SGI IRIX 6.1.0
• SGI IRIX 6.2.0
• SGI IRIX 6.3.0
• SGI IRIX 6.4.0
• SGI IRIX 6.5.13
• SGI IRIX 6.5.14
• SGI IRIX 6.5.15
• SGI IRIX 6.5.16
• SGI IRIX 6.5.17
• Sun Solaris 2.5
• Sun Solaris 2.5.1
• Sun Solaris 2.5.1_ppc
• Sun Solaris 2.5.1_x86
• Sun Solaris 2.5_x86
• Sun Solaris 2.6
• Sun Solaris 2.6_x86
• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 8 Sparc
• Sun Solaris 8 X86

References

• BugTraq: 3382
• CVE: CVE-2001-0717