CERT: CDE ToolTalk flaw could give root access

A buffer overflow in the ToolTalk RPC database server used in the Common Desktop Environment (CDE) on systems from vendors such as Sun Microsystems Inc. and IBM Corp. could allow an attacker to run code with root privileges, according to a security alert released Monday by the CERT Coordination Center (CERT/CC).

CDE is a graphical interface used on Unix and some Linux systems. The ToolTalk component of the software allows applications to communicate with each other across different platforms and hosts via remote procedure calls (RPCs). The RPC database server manages those communications.

The vulnerability comes as the result of a buffer overflow -- an attack in which the amount of memory assigned to an application or process is overrun, often with unpredictable results -- in the _TT_CREATE_FILE procedure in the ToolTalk RPC database server, according to CERT/CC, which is based at Carnegie Mellon University in Pittsburgh. CERT/CC is a federally funded computer and network security organization that frequently coordinates the release and repair of software security holes.

By sending a specially crafted RPC message to the vulnerable component, an attacker could gain the ability to run code on the target system with the same privileges as the ToolTalk server, which are usually root, CERT/CC said. Even if an attacker were not able to run code, the attack would cause a denial of service, CERT/CC added.

CDE is included in software from IBM, Hewlett-Packard Co., Sun, Silicon Graphics Inc. and others. Users should check with their vendors on whether their systems are vulnerable and for patch status and availability.

More information about the vulnerability, including a list of affected software, workarounds and patches, can be found in CERT/CC's advisory, available at http://www.cert.org/advisories/CA-2002-26.html.

Another vulnerability which could lead to a denial of service attack was found in the ToolTalk RPC database server in July.