ToolTalk Version
CVE 1999-0003
Impact
The database component of the ToolTalk service may be compromised, allowing malicious
users to run arbitrary commands on a target system as a privileged user (typically Root).
Background
The ToolTalk service allows independently developed applications to communicate with each
other by exchanging ToolTalk messages. Using ToolTalk, applications are able to create
open protocols that allow different programs to be interchanged. Also, ToolTalk makes it
possible to plug new programs into a system with only minimal reconfigurations.
The main ToolTalk component, the ToolTalk database server, is an RPC service which
manages objects needed for the operation of the ToolTalk service. All ToolTalk-enabled
processes communicate with one another using RPC calls to this program, which runs on each
ToolTalk-enabled host. The database server is a standard component of all ToolTalk
systems, and ToolTalk itself ships as a standard component of many commercial UNIX operating systems.
The Problems
An implementation fault exists in the database server portion of the ToolTalk program. The flaw involves
how the server processes RPC messages. By using a specially formulated RPC message, a malicious remote client
might be able to gain control of the ToolTalk service (which usually runs as Root), and then
issue arbitrary commands to the system as a privileged user. This means, of course, that the malicious user might be able
to gain control of the target system and cause damage in the form of erased/modified system files, compromised information, etc.
Resolution
There are currently two methods to resolve this vulnerability. The first is to apply patches for
this service, available from the vendor of your UNIX operating system. It should be noted that while
most vendors have been contacted about this problem, some might not yet have developed a patch for it.
The second, if no patch is available, is to disable the ToolTalk service completely.
This may be done by killing the rpc.ttdbserverd process and removing it from any OS
startup scripts. Please be warned, though, that disabling ToolTalk may impair system functionality.
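The following check for the second method is an added example, not part of the original advisory: it confirms that the daemon is neither still registered with the RPC portmapper nor still listed in a startup file. It assumes the RPC program number 100083 for rpc.ttdbserverd and an inetd.conf-style startup entry; the function names are hypothetical and the sample data is constructed.

```sh
#!/bin/sh
# Added example: verify that rpc.ttdbserverd has really been disabled.
# Assumptions (not from the advisory): RPC program number 100083, inetd-style entry.
TTDB_PROG=100083

# Succeeds if saved `rpcinfo -p` output (file $1) still lists the ToolTalk database server.
# Matches on program number too, because the service-name column is often empty.
ttdb_registered() {
    awk -v prog="$TTDB_PROG" 'BEGIN { rc = 1 }
        $1 == prog || $NF ~ /ttdbserver/ { rc = 0 }
        END { exit rc }' "$1"
}

# Prints the active (uncommented) lines of startup file $1 that launch the daemon.
ttdb_startup_lines() {
    awk '!/^[ \t]*#/ && /rpc\.ttdbserverd/ { print FILENAME ":" NR ": " $0 }' "$1"
}

# Prints one verdict word for a host snapshot: rpcinfo output $1, startup file $2.
ttdb_verdict() {
    active=$(ttdb_startup_lines "$2")
    if ttdb_registered "$1"; then
        echo RUNNING      # daemon is registered right now: patch it or kill it
    elif [ -n "$active" ]; then
        echo RESTARTS     # process is gone, but the startup entry will bring it back
    else
        echo DISABLED     # not registered and no active startup entry
    fi
}

# Constructed sample data (not taken from a real host).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/rpcinfo.txt" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100083    1   tcp  32775
EOF
    cat > "$tmp/inetd.conf" <<'EOF'
# ToolTalk database server
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
EOF
    ttdb_verdict "$tmp/rpcinfo.txt" "$tmp/inetd.conf"
    rm -rf "$tmp"
}
demo
```

On a live host, save the output of `rpcinfo -p` to a file and pass it together with each startup file to `ttdb_verdict`; anything other than DISABLED means the second method has not been fully applied.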
Where can I read more about this?
To read more about the ToolTalk vulnerability, read CERT Advisory 98.11. Also, for a list
of patches and more detailed technical information on the ToolTalk vulnerability, read
CIAC Bulletin I-091. For detailed information on the ToolTalk program itself, visit Digital's
ToolTalk FAQ.