CERT: CDE ToolTalk flaw could give root access
- 13 August, 2002 08:01
A buffer overflow in the ToolTalk RPC database server used in the Common Desktop Environment (CDE) on systems from vendors such as Sun Microsystems Inc. and IBM Corp. could allow an attacker to run code with root privileges, according to a security alert released Monday by the CERT Coordination Center (CERT/CC).
CDE is a graphical interface used on Unix and some Linux systems. The ToolTalk component of the software allows applications to communicate with each other across different platforms and hosts via remote procedure calls (RPCs). The RPC database server manages those communications.
The vulnerability is a buffer overflow (a flaw in which a program writes more data into a fixed-size region of memory than was allocated for it, often with unpredictable results) in the _TT_CREATE_FILE procedure of the ToolTalk RPC database server, according to CERT/CC, which is based at Carnegie Mellon University in Pittsburgh. CERT/CC is a federally funded computer and network security organization that frequently coordinates the release and repair of software security holes.
By sending a specially crafted RPC message to the vulnerable component, an attacker could gain the ability to run code on the target system with the same privileges as the ToolTalk server, which are usually root, CERT/CC said. Even if an attacker were not able to run code, the attack would cause a denial of service, CERT/CC added.
CDE is included in software from IBM, Hewlett-Packard Co., Sun, Silicon Graphics Inc. and others. Users should check with their vendors on whether their systems are vulnerable and for patch status and availability.
More information about the vulnerability, including a list of affected software, workarounds and patches, can be found in CERT/CC's advisory, available at http://www.cert.org/advisories/CA-2002-26.html.
Another vulnerability, which could lead to a denial-of-service attack, was found in the same ToolTalk RPC database server in July.
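The article advises administrators to check with their vendors on patch status; a practical first step is to find out whether the ToolTalk RPC database server is registered with the portmapper on a given host at all. The following script is an added example, not code from the article or from CERT/CC, that parses `rpcinfo -p` output and reports whether rpc.ttdbserverd is exposed. It assumes that the ToolTalk database server registers as RPC program number 100083 and that `rpcinfo -p` prints one registration per line as "program vers proto port [service]"; the sample output embedded below is constructed, not captured from a real host.

```python
"""Report whether the ToolTalk RPC database server (rpc.ttdbserverd) is
registered with the local portmapper, by parsing `rpcinfo -p` output.

Assumptions (not stated in the article): rpc.ttdbserverd registers as
RPC program number 100083, and `rpcinfo -p` prints one registration per
line in the form "program vers proto port [service]".
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

TTDBSERVERD_PROG = 100083  # assumed RPC program number of rpc.ttdbserverd

# Constructed sample in the shape of `rpcinfo -p` output; not a real capture.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100083    1   tcp  32771  ttdbserverd
    100083    1   udp  32771  ttdbserverd
    100024    1   udp  32772  status
"""

# program, version, protocol, port, and an optional service-name column.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text: str) -> List[Dict[str, object]]:
    """Turn `rpcinfo -p` output into a list of registration records.

    The header line and any line that does not match the expected shape
    are skipped rather than treated as registrations.
    """
    regs: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, vers, proto, port, service = m.groups()
        regs.append({
            "program": int(prog),
            "version": int(vers),
            "proto": proto,
            "port": int(port),
            "service": service or "",  # some rpcinfo builds omit the name
        })
    return regs


def find_ttdbserverd(regs: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return only the registrations belonging to the ToolTalk DB server."""
    return [r for r in regs if r["program"] == TTDBSERVERD_PROG]


def assess(text: str) -> Dict[str, object]:
    """Summarise exposure: is rpc.ttdbserverd registered, and on which ports?"""
    hits = find_ttdbserverd(parse_rpcinfo(text))
    ports: List[Tuple[str, int]] = sorted({(str(r["proto"]), int(r["port"])) for r in hits})
    if hits:
        finding = ("rpc.ttdbserverd is registered with the portmapper; confirm the "
                   "vendor patch for CA-2002-26 is applied, or keep the service "
                   "disabled until it is")
    else:
        finding = "rpc.ttdbserverd is not registered with the portmapper"
    return {"registered": bool(hits), "ports": ports, "finding": finding}


def live_rpcinfo() -> Optional[str]:
    """Run `rpcinfo -p` on this host; None if the tool is not installed."""
    try:
        proc = subprocess.run(["rpcinfo", "-p"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout


if __name__ == "__main__":
    # Fall back to the constructed sample so the script also runs offline.
    output = live_rpcinfo() or SAMPLE_RPCINFO
    result = assess(output)
    print(result["finding"])
    for proto, port in result["ports"]:
        print(f"  {proto}/{port}")
```

Run on a host, the script uses the real `rpcinfo -p` output when the tool is present and the constructed sample otherwise; a "registered" result is a prompt to verify vendor patch status as the article recommends, not proof that the installed version is the vulnerable one.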