Multiple Vendor CDE ToolTalk Database Server Null Write Vulnerability
CDE ships with a daemon called the ToolTalk database server. The ToolTalk database server allows programs designed for use in CDE to communicate with each other. It is enabled by default on most systems shipped with CDE. The ToolTalk database server is vulnerable to a condition that may allow NULL words to be written to arbitrary locations in memory. The vulnerability is due to an input validation error in the _TT_ISCLOSE procedure, used by ToolTalk clients to close open ToolTalk databases. The _TT_ISCLOSE RPC accepts a file descriptor as a parameter. This integer value is used as an index for writing to structures in server memory. There are no checks to restrict the range of the index value. Consequently, malicious file descriptor values supplied by remote clients may cause writes to occur far beyond the table in memory. The only value written is a NULL word, limiting the consequences. Unfortunately there are several other conditions which may allow for complex attacks, potentially resulting in remote deletion/creation of files and code/command execution. It should be noted that the only authentication required is client-supplied AUTH_UNIX credentials. AUTH_UNIX credentials may be trivially spoofed by attackers.
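As an added example that is not the ToolTalk source, this hypothetical C table illustrates the defect the advisory describes, a client-supplied index used as an array subscript without a range check, next to the bounds check that prevents the out-of-range NULL write. The names, table size and sample record are assumptions made for the illustration.

```c
/* Hypothetical open-database table, not the ToolTalk implementation. */
#include <stddef.h>
#include <string.h>

#define TT_MAX_DB 64                      /* assumed size of the table */

struct tt_db { const char *path; };       /* placeholder record */

static struct tt_db *db_table[TT_MAX_DB]; /* server-side table of open dbs */

/* Vulnerable shape: the RPC argument 'fd' selects the slot with no range
 * check, so an out-of-range value writes a NULL word outside the table. */
void tt_isclose_unchecked(int fd)
{
    db_table[fd] = NULL;
}

/* Hardened shape: reject any index outside [0, TT_MAX_DB) before it is
 * used as a subscript. Returns 0 on success, -1 on an invalid descriptor. */
int tt_isclose_checked(int fd)
{
    if (fd < 0 || fd >= TT_MAX_DB)
        return -1;                        /* never touch memory past the table */
    if (db_table[fd] == NULL)
        return -1;                        /* slot not open: nothing to close */
    db_table[fd] = NULL;
    return 0;
}

/* Helpers so the table state can be set up and observed. */
static struct tt_db sample_db = { "/tmp/example.tt" }; /* constructed sample */

void tt_table_reset(void)
{
    memset(db_table, 0, sizeof db_table);
    db_table[3] = &sample_db;             /* one open database at slot 3 */
}

int tt_is_open(int fd)
{
    return fd >= 0 && fd < TT_MAX_DB && db_table[fd] != NULL;
}
```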