• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Multiple CDE Vendor ToolTalk Database Server Format String Vulnerability

Severity: CRITICAL

Description:

CDE ships with a daemon called the ToolTalk database server, which allows programs designed for use in CDE to communicate with each other. The server is enabled by default on most systems shipped with CDE.

ToolTalk database server contains a remotely exploitable format-string vulnerability. The problem lies in the server's logging component.

UNIX applications can use the 'syslog' facility to write events to the logfiles through the syslog daemon. To construct a log message, the 'syslog()' function accepts a format-string argument and a variable number of values corresponding to the format specifiers. The log message is eventually processed using 'printf' libc functionality. If externally supplied data is included in the format-string argument, malicious format specifiers may force arbitrary locations in memory to be overwritten with almost arbitrary values.

The ToolTalk database server passes externally supplied data to the 'syslog()' function as the format-string argument. Any format specifiers included in the externally supplied data will be interpreted by the printf functionality.

By carefully constructing a format string and placing addresses at the right locations in memory, an attacker may be able to replace critical values such as function pointers or return addresses with pointers to shellcode.

If successful, remote attackers may cause a denial of service or gain root access on the target host.

Affected Products:

• Caldera OpenUnix 8.0.0
• Caldera UnixWare 0.0.07
• Compaq Digital Unix 4.0.0f
• Compaq Tru64 4.0.0 g
• Compaq Tru64 5.0.0 a
• Compaq Tru64 5.1.0
• HP HP-UX (VVOS) 10.24.0
• HP HP-UX (VVOS) 11.0.0 4
• HP HP-UX 10.10.0
• HP HP-UX 10.20.0
• HP HP-UX 11.0.0
• HP HP-UX 11.11.0
• IBM AIX 4.3.0
• IBM AIX 4.3.1
• IBM AIX 4.3.2
• IBM AIX 4.3.3
• IBM AIX 5.1.0
• SGI IRIX 5.2.0
• SGI IRIX 5.3.0
• SGI IRIX 6.0.0
• SGI IRIX 6.0.1
• SGI IRIX 6.1.0
• SGI IRIX 6.2.0
• SGI IRIX 6.3.0
• SGI IRIX 6.4.0
• SGI IRIX 6.5.13
• SGI IRIX 6.5.14
• SGI IRIX 6.5.15
• SGI IRIX 6.5.16
• SGI IRIX 6.5.17
• Sun Solaris 2.5.0
• Sun Solaris 2.5.0_x86
• Sun Solaris 2.5.1
• Sun Solaris 2.5.1_ppc
• Sun Solaris 2.5.1_x86
• Sun Solaris 2.6
• Sun Solaris 2.6_x86
• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 8
• Sun Solaris 8_x86

References:

• CORE Security: ttdbserverd format string exploit
• Caldera Systems: Caldera Security Advisories Page
• Compaq: Tru64 Homepage
• HP IT Resource Center: HP IT Resource Center (for Europe)
• HP IT Resource Center: HP IT Resource Center (for US, Canada, Asia-Pacific, & Latin-America)
• IBM: AIX Fix Distribution Service
• IBM: IBM Emergency Response Service
• Silicon Graphics Inc.: SGI Support
• Sun Microsystems: Sun Patch Access Page
• Sun Microsystems: Sunsolve Online(tm)

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.