The main ToolTalk component, the ToolTalk database server, is an RPC service which manages objects needed for the operation of the ToolTalk service. All ToolTalk-enabled processes communicate with one another using RPC calls to this program, which runs on each ToolTalk-enabled host. The database server is a standard component of all ToolTalk systems, which itself ships as a standard component of many commercial UNIX operating systems.
8/13/02
CVE 2002-0679
The ToolTalk database server is vulnerable to a heap buffer overflow via an argument passed to the procedure _TT_CREATE_FILE(). With a specially crafted RPC message, an attacker with access to the ToolTalk RPC database service could exploit this vulnerability to execute arbitrary code or cause a denial of service. NOTE: The non-executable stack protection provided by some operating systems will not prevent the execution of code located on the heap. Systems affected by this vulnerability include Caldera Open UNIX 8 and UnixWare 7, IBM AIX releases 4.3.3 and 5.1.0, Solaris 2.5.1, 2.6, 7, 8, and 9, and Xi Graphics deXtop CDE versions prior to v3.0. HP-UX, HP Tru64 UNIX, and IRIX 6.5 (and earlier) are probably also affected.
7/11/02
CAN 2002-0677
There is an input validation problem in the _TT_ISCLOSE() function in ToolTalk. This function, which is used to close a database upon a client's request, zeroes a memory location whose address is determined by a file descriptor specified by the client. The function does not check whether this file descriptor is within a valid range, thus allowing a remote attacker to set arbitrary memory locations to zero. Through various attacks, this capability could be leveraged to delete arbitrary files, create a denial of service, or possibly execute arbitrary commands.
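As an added illustration of the unchecked-index pattern described above (hypothetical C written for this page, not ToolTalk's actual source): a close handler that trusts a client-supplied descriptor as an index into a table of open databases, beside the bounds-checked version that refuses out-of-range and already-closed slots.

```c
#define MAX_DBS 16

/* Constructed stand-in for a per-server table of open database handles;
 * a nonzero entry means that slot is in use. */
static int open_dbs[MAX_DBS];

/* Mark a slot as open so the close handlers have something to act on. */
int db_open(int slot) {
    if (slot < 0 || slot >= MAX_DBS) return -1;
    open_dbs[slot] = 1;
    return 0;
}

/* Vulnerable pattern (hypothetical): the client-supplied fd is used as an
 * index with no range check, so a negative or oversized value zeroes memory
 * outside open_dbs. Included for contrast only; the checks below exercise
 * just the hardened version. */
void db_isclose_unchecked(int fd) {
    open_dbs[fd] = 0;
}

/* Hardened version: validate the index against the table bounds and the
 * slot state before writing anything. */
int db_isclose_checked(int fd) {
    if (fd < 0 || fd >= MAX_DBS) return -1;   /* out of range: refuse */
    if (open_dbs[fd] == 0) return -1;          /* not open: refuse */
    open_dbs[fd] = 0;
    return 0;
}

/* Read back a slot so callers can verify the table state. */
int db_is_open(int slot) {
    if (slot < 0 || slot >= MAX_DBS) return 0;
    return open_dbs[slot] != 0;
}
```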
CVE 2002-0678
A separate vulnerability in various ToolTalk functions could allow a local attacker to overwrite arbitrary files by creating symbolic links to the target files and then sending certain RPC requests.
10/2/01
CVE 1999-0003
CVE 1999-0693
CVE 2001-0717
Three older potential vulnerabilities exist in the database server portion of the ToolTalk program. One is a remotely exploitable buffer overflow condition, one is a locally exploitable buffer overflow condition, and the other is a format string problem. All three flaws affect how the server processes RPC messages. By using a specially formulated RPC message, a malicious client might be able to gain control of the ToolTalk service (which usually runs as root), and then issue arbitrary commands to the system as a privileged user. The malicious user might therefore be able to gain control of the target system and cause damage in the form of erased or modified system files, compromised information, and so on.
If ToolTalk is not required on your network, it may be best to disable it completely. This may be done by killing the rpc.ttdbserverd process and removing it from any OS startup scripts. You should carefully consider your network configuration and service requirements before deciding to restrict access to or disable the ToolTalk database or portmapper services.