Flaws in CDE could lead to denial of service

Two security holes in a graphical user interface common on Unix and Linux systems from vendors such as IBM Corp., Sun Microsystems Inc. and Hewlett-Packard Co. could allow an attacker to launch a denial of service attack, delete or overwrite files, or possibly run code on affected systems, according to a security bulletin released Wednesday by CERT/CC (the Computer Emergency Response Team Coordination Center).

The flaws exist in the ToolTalk component of CDE (Common Desktop Environment), the desktop software that gives Unix and Linux systems, which traditionally rely on command line interfaces, a graphical interface. ToolTalk gives applications a way to send messages to each other, across platforms and systems, CERT/CC said in its advisory. CERT/CC is a federally-funded computer and network security group based at Carnegie Mellon University in Pittsburgh.

The ToolTalk RPC database server (rpc.ttdbserverd, a network service registered with the RPC portmapper as program number 100083), the part of ToolTalk that contains both security holes, manages the communication between ToolTalk applications, CERT/CC said.

The first vulnerability exists because the ToolTalk RPC database server does not fully validate information it receives in a request before passing it on to another procedure in the software, CERT/CC said. The vulnerability can be exploited remotely: by combining a memory overwriting attack with otherwise legitimate requests, an attacker could delete any file accessible to the ToolTalk RPC database server, CERT/CC said. Because that component normally runs with root privileges, that means any file on an affected system, the group said.

Deleting files could lead to a denial of service, CERT/CC said, and it may also be possible to execute arbitrary code on vulnerable systems, the group said.

The second vulnerability, which can be exploited only by an attacker who already has local access to the affected system, exists because the ToolTalk RPC database server does not check whether the path it is asked to operate on is a symbolic link, CERT/CC said. Because file operations are not validated in this way, a local attacker who plants a specially-crafted symbolic link where certain ToolTalk requests cause the server to create or write a file can redirect that write onto any file accessible to the database server, the group said. Such an attack could lead to privilege escalation or a denial of service, CERT/CC said.
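The symbolic link problem described above is a general class of bug in privileged Unix services, and the following C program is an added illustration of that class, not ToolTalk's code and not an exploit for rpc.ttdbserverd. It contrasts a file-creating routine that opens a request-supplied path naively with a hardened one that uses O_EXCL and O_NOFOLLOW, and simulates the attack in a scratch directory under /tmp (the "victim" and "request" file names and their contents are constructed for the demonstration).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern (generic illustration, not ToolTalk's code): a
 * privileged server creates or truncates a file at a path taken from a
 * request. open() follows a symbolic link at that path, so a caller who
 * can write to the directory can point the path at any file the server
 * is allowed to write and have it truncated and overwritten. */
int create_file_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened version: O_EXCL makes open() fail with EEXIST if anything,
 * including a symlink, already exists at the path, and O_NOFOLLOW refuses
 * to follow a symlink at the final path component. A pre-planted link
 * therefore cannot redirect the write. */
int create_file_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Read a small file into buf as a C string; returns bytes read or -1. */
static ssize_t read_small(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Simulate the attack in a fresh scratch directory (names constructed for
 * the demo): "victim" stands in for a file only the server may write,
 * "request" is the path the server is asked to create, and the attacker
 * has already planted the link request -> victim.
 * Returns 1 if the victim file was clobbered, 0 if it survived intact,
 * and -1 if the scratch setup itself failed. */
int demo_symlink_attack(int use_hardened)
{
    char dir[] = "/tmp/symlinkdemoXXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char victim[256], request[256], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(request, sizeof request, "%s/request", dir);

    const char *original = "original contents\n";
    if (create_file_safe(victim, original) != 0)   /* no link exists yet */
        return -1;
    if (symlink(victim, request) != 0)             /* attacker plants link */
        return -1;

    int rc = use_hardened ? create_file_safe(request, "attacker data\n")
                          : create_file_unsafe(request, "attacker data\n");
    int clobbered = (read_small(victim, buf, sizeof buf) >= 0 &&
                     strcmp(buf, original) != 0);

    unlink(request);
    unlink(victim);
    rmdir(dir);
    (void)rc;   /* hardened path returns -1 with errno EEXIST; that is the point */
    return clobbered;
}

int main(void)
{
    printf("naive open():       victim clobbered = %d\n", demo_symlink_attack(0));
    printf("O_EXCL|O_NOFOLLOW:  victim clobbered = %d\n", demo_symlink_attack(1));
    return 0;
}
```

The hardened routine refuses rather than repairs: when the path is already occupied it returns an error for the caller to log and reject, which is the correct behaviour for a daemon that cannot trust the directory it is writing into. Checking with lstat() before open() is not a substitute, because the attacker can swap the link in between the two calls.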

Products vulnerable to the flaws include Caldera International Inc.’s Open Unix and UnixWare, Hewlett-Packard’s Tru64, HP-UX 10.10, 10.20, 11.00 and 11.11, IBM AIX 4.3.3 and 5.1.0 and Sun Solaris 2.5.1, 7 (also known as 2.7), 8 and 9. Vendors are at various stages of readying patches, so users should check with their vendor for fixes. Until a patch is installed, administrators can check whether the service is registered with the portmapper (rpcinfo -p lists it as program 100083) and consider disabling it, since the first flaw is exploitable over the network.

More information about the vulnerabilities is available in CERT/CC’s alert at http://www.cert.org/advisories/CA-2002-20.html.