ToolTalk Version

CVE-1999-0003

Impact

The database component of the ToolTalk service may be compromised, allowing malicious users to run arbitrary commands on a target system as a privileged user (typically root).

Background

The ToolTalk service allows independently developed applications to communicate with each other by exchanging ToolTalk messages. Using ToolTalk, applications are able to create open protocols that allow different programs to be interchanged. Also, ToolTalk makes it possible to plug new programs into a system with only minimal reconfigurations.

The main ToolTalk component, the ToolTalk database server, is an RPC service which manages objects needed for the operation of the ToolTalk service. All ToolTalk-enabled processes communicate with one another using RPC calls to this program, which runs on each ToolTalk-enabled host. The database server is a standard component of all ToolTalk systems, and ToolTalk itself ships as a standard component of many commercial UNIX operating systems.

The Problems

An implementation fault exists in the database server portion of the ToolTalk program. The flaw involves how the server processes RPC messages. By using a specially formulated RPC message, a malicious remote client might be able to gain control of the ToolTalk service (which usually runs as root), and then issue arbitrary commands to the system as a privileged user. This means, of course, that the malicious user might be able to gain control of the target system and cause damage in the form of erased or modified system files, compromised information, etc.

Resolution

There are currently two methods to resolve this vulnerability. The first is to apply patches for this service, available from the vendor of your UNIX operating system. It should be noted that while most vendors have been contacted about this problem, some might not yet have developed a patch. The second method, which may be best if no patch is available, is to completely disable the ToolTalk service. This may be done by killing the rpc.ttdbserverd process and removing it from any OS startup scripts. Please be warned, though, that disabling ToolTalk may impair system functionality.
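
After disabling the service as described above, the check below confirms that the database server is no longer registered with the portmapper and no longer has an active startup entry. It is an added example, not part of the original advisory or any vendor patch; it assumes the service registers as RPC program 100083 and is started from inetd.conf, and its sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not vendor code): check that rpc.ttdbserverd is really off.
# Assumption: the ToolTalk database server registers as RPC program 100083
# and is started from inetd.conf, as on many commercial UNIX systems.
TTDB_PROG=100083

# Constructed sample inputs (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100083    1   tcp  32775  ttdbserverd'
SAMPLE_RPCINFO_CLEAN='   program vers proto   port  service
    100000    2   tcp    111  portmapper'
SAMPLE_INETD_ON='100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd'
SAMPLE_INETD_OFF='# 100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd'

# stdin: `rpcinfo -p` output. Succeeds if the ToolTalk program is registered.
ttdb_registered() {
    awk -v prog="$TTDB_PROG" '
        $1 == prog || $5 ~ /ttdbserver/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# stdin: inetd.conf contents. Prints active entries; succeeds if any exist.
ttdb_inetd_entries() {
    awk -v prog="$TTDB_PROG" '
        /^[ \t]*#/ || NF == 0 { next }      # commented or blank: not active
        index($1, prog "/") == 1 || /rpc\.ttdbserverd/ { print; n++ }
        END { exit (n ? 0 : 1) }'
}

# ttdb_audit RPCINFO_TEXT INETD_TEXT: prints findings, returns 1 if exposed.
ttdb_audit() {
    rc=0
    if printf '%s\n' "$1" | ttdb_registered; then
        echo "FAIL: RPC program $TTDB_PROG still registered (process not killed?)"
        rc=1
    fi
    if entries=$(printf '%s\n' "$2" | ttdb_inetd_entries); then
        echo "FAIL: active startup entry: $entries"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: ToolTalk database server is disabled"
    return "$rc"
}

# On a live host: ttdb_audit "$(rpcinfo -p)" "$(cat /etc/inetd.conf)"
ttdb_audit "$SAMPLE_RPCINFO" "$SAMPLE_INETD_ON" || true
```

A host that starts the server from an rc script rather than inetd needs the second input replaced with that script's contents.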

Where can I read more about this?

To read more about the ToolTalk vulnerability, read CERT Advisory 98.11. Also, for a list of patches and more detailed technical information on the ToolTalk vulnerability, read CIAC Bulletin I-091. For detailed information on the ToolTalk program itself, visit Digital's ToolTalk FAQ.