Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ ToolTalk rpc.ttdbserverd database parser vulnerability CVE-2010-0083 CPVDT-2010-0651 INTRODUCTION There exists a vulnerability within a function of the ToolTalk database server (rpc.ttdbserverd), which when properly exploited can lead to compromise of the vulnerable system. This vulnerability was confirmed in the following versions of operating systems, other operating systems and versions may be also affected. There are working exploits to be shared with interested parts. IBM AIX all versions up to today. Sun Solaris all versions up to today. (Sparc and x86) HP HP-UX all versions up to today. Patches and workarounds are available for all the vendors. Disable the service if unsure. To determine whether the ToolTalk database server is running on a host, use the "rpcinfo" command to print a list of the RPC services running on it, as: $ rpcinfo -p hostname The remote program number for the ToolTalk database server is 100083. If an entry exists for this program, then the ToolTalk database server is running on the system. 100083 1 tcp 32768 ttdbserver DETAILS This vulnerability can be triggered by creating a fake database (.rec file) on the system and calling remote procedure 7 of ToolTalk database server pointing to this database, leading to a heap overflow. Remote command execution can be achieved if you can place files on the host via FTP or HTTP servers for example. Four byte overwrite is possible as showed above (Solaris 9 Sparc). #0 0xff0c766c in t_delete () from /usr/lib/libc.so.1 (gdb) x/i $pc 0xff0c766c : st %o0, [ %o1 + 8 ] (gdb) i r $o0 o0 0x61626364 1633837924 (gdb) i r $o1 o1 0x41424344 1094861636 (gdb) bt #0 0xff0c766c in t_delete () from /usr/lib/libc.so.1 #1 0xff0c72b0 in realfree () from /usr/lib/libc.so.1 #2 0xff0c7b50 in cleanfree () from /usr/lib/libc.so.1 #3 0xff0c6c8c in _malloc_unlocked () from /usr/lib/libc.so.1 #4 0xff0c6b6c in malloc () from /usr/lib/libc.so.1 #5 0xff31a814 in __0oN_Tt_allocatednwUiT () from /usr/dt/lib/libtt.so.2 #6 0xff31a970 in __0oK_Tt_stringctPCc () from /usr/dt/lib/libtt.so.2 #7 0xff31dc98 in __0FL_tt_vsyslogP6EFILEiPCcPv () from /usr/dt/lib/libtt.so.2 #8 0xff319f40 in __0FK_tt_syslogP6EFILEiPCce () from /usr/dt/lib/libtt.so.2 #9 0x0002a094 in __0FN_tt_iserase_1PPcP6J__svcxprt () #10 0x00026584 in __0FT_tt_dbserver_prog_1P6Hsvc_reqP6J__svcxprt () #11 0x00026584 in __0FT_tt_dbserver_prog_1P6Hsvc_reqP6J__svcxprt () CREDITS This vulnerability was discovered and exploited by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).