mailing list archives
[RISE-2009001] ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow Vulnerability
From: RISE Security <advisories () risesecurity org>
Date: Fri, 19 Jun 2009 23:37:29 -0300
ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow Vulnerability
Published: June 19, 2009
Updated: June 19, 2009
There exists a vulnerability within a function of the ToolTalk database server
(rpc.ttdbserverd), which when properly exploited can lead to remote compromise
of the vulnerable system.
This vulnerability was confirmed by us in the following versions of operating
systems, other operating systems and versions may be also affected.
IBM AIX Version 6.1.3
IBM AIX Version 6.1.2
IBM AIX Version 6.1.1
IBM AIX Version 6.1.0
IBM AIX Version 5.3.10
IBM AIX Version 5.3.9
IBM AIX Version 5.3.8
IBM AIX Version 5.3.7
IBM AIX Version 5.3.0
IBM AIX Version 5.2.0
IBM AIX Version 5.1.0
To determine whether the ToolTalk database server is running on a host, use the
"rpcinfo" command to print a list of the RPC services running on it, as:
$ rpcinfo -p hostname
The remote program number for the ToolTalk database server is 100083. If an
entry exists for this program, then the ToolTalk database server is running on
100083 1 tcp 32768 ttdbserver
As computer users increasingly demand that independently developed applications
work together, inter-operability is becoming an important theme for software
developers. By cooperatively using each other's facilities, inter-operating
applications offer users capabilities that would be difficult to provide in a
single application. The ToolTalk service is designed to facilitate the
development of inter-operating applications that serve individuals and work
The following ToolTalk service components work together to provide
inter-application communication and object information management:
* ttsession is the ToolTalk communication process.
This process joins together senders and receivers that are either using the
same X server or interested in the same file. One ttsession communicates
with other ttsessions when a message needs to be delivered to an application
in another session.
* rpc.ttdbserverd is the ToolTalk database server process.
One rpc.ttdbserverd is installed on each machine which contains a disk
partition that stores files of interest to ToolTalk clients or files that
contain ToolTalk objects.
File and ToolTalk object information is stored in a records database managed
* libtt is the ToolTalk application programming interface (API) library.
Applications include the API library in their program and call the ToolTalk
functions in the library.
The ToolTalk service uses the Remote Procedure Call (RPC) to communicate between
these ToolTalk components.
Applications provide the ToolTalk service with process and object type
information. This information is stored in an XDR format file, which is referred
to as the ToolTalk Types Database in this manual.
The vulnerable function _tt_internal_realpath() does not validate user supplied
data when copying it to a stack-based buffer using strcpy(), resulting in a
stack-based buffer overflow. The exploitation of this vulnerability is trivial
and results in remote compromise of the vulnerable system.
This vulnerability can be triggered by calling remote procedure 15 of ToolTalk
database server with a large XDR-encoded ASCII string as its argument.
Breakpoint 1, 0xd37b2200 in _tt_internal_realpath () from
#0 0xd37b2200 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#1 0xd37af9f0 in _tt_get_realpath__FPcT1 () from /usr/lib/libtt.a(shr.o)
#2 0xd37b00b4 in _tt_realpath () from /usr/lib/libtt.a(shr.o)
#3 0xd37b287c in _Tt_file_system::bestMatchToPath () from
#4 0x1001ca50 in ?? ()
0xd37b2240 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
(gdb) x/i $pc
0xd37b2240: bl 0xd3793080
(gdb) x/s $r4
0x200aa4a8: "/hom\e/root/", 'A' <repeats 189 times>...
0xd3793080 in strcpy () from /usr/lib/libtt.a(shr.o)
Single stepping until exit from function strcpy,
which has no line number information.
0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#0 0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#1 0xaabbccdd in ?? ()
A proof of concept code for this vulnerability can be downloaded from our
website at http://risesecurity.org/.
IBM has released advisory and fixes for this vulnerability:
This vulnerability was discovered by Adriano Lima <adriano () risesecurity org> and
Ramon de Carvalho Valle <ramon () risesecurity org>.
The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any information
provided, including any kind of information which is incomplete or incorrect,
will therefore be rejected.
Description: This is a digitally signed message part
- [RISE-2009001] ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow Vulnerability RISE Security (Jun 22)