ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow Vulnerabilit=
Published: June 19, 2009
Updated: June 19, 2009
There exists a vulnerability within a function of the ToolTalk database ser=
(rpc.ttdbserverd), which when properly exploited can lead to remote comprom=
of the vulnerable system.
This vulnerability was confirmed by us in the following versions of operati=
systems, other operating systems and versions may be also affected.
IBM AIX Version 6.1.3
IBM AIX Version 6.1.2
IBM AIX Version 6.1.1
IBM AIX Version 6.1.0
IBM AIX Version 5.3.10
IBM AIX Version 5.3.9
IBM AIX Version 5.3.8
IBM AIX Version 5.3.7
IBM AIX Version 5.3.0
IBM AIX Version 5.2.0
IBM AIX Version 5.1.0
To determine whether the ToolTalk database server is running on a host, use=
"rpcinfo" command to print a list of the RPC services running on it, as:
$ rpcinfo -p hostname
The remote program number for the ToolTalk database server is 100083. If an
entry exists for this program, then the ToolTalk database server is running=
100083 1 tcp 32768 ttdbserver
As computer users increasingly demand that independently developed applicat=
work together, inter-operability is becoming an important theme for softwar=
developers. By cooperatively using each others facilities, inter-operating
applications offer users capabilities that would be difficult to provide in=
single application. The ToolTalk service is designed to facilitate the
development of inter-operating applications that serve individuals and work
The following ToolTalk service components work together to provide
inter-application communication and object information management:
* ttsession is the ToolTalk communication process.
This process joins together senders and receivers that are either using=
same X server or interested in the same file. One ttsession communicate=
with other ttsessions when a message needs to be delivered to an applic=
in another session.
* rpc.ttdbserverd is the ToolTalk database server process.
One rpc.ttdbserverd is installed on each machine which contains a disk
partition that stores files of interest to ToolTalk clients or files th=
contain ToolTalk objects.
File and ToolTalk object information is stored in a records database ma=
* libtt is the ToolTalk application programming interface (API) library.
Applications include the API library in their program and call the Tool=
functions in the library.
The ToolTalk service uses the Remote Procedure Call (RPC) to communicate be=
these ToolTalk components.
Applications provide the ToolTalk service with process and object type
information. This information is stored in an XDR format file, which is ref=
to as the ToolTalk Types Database in this manual.
The vulnerable function _tt_internal_realpath() does not validate user supp=
data when copying it to a stack-based buffer using strcpy(), resulting in a
stack-based buffer overflow. The exploitation of this vulnerability is triv=
and results in remote compromise of the vulnerable system.
This vulnerability can be triggered by calling remote procedure 15 of ToolT=
database server with a large XDR-encoded ASCII string as its argument.
Breakpoint 1, 0xd37b2200 in _tt_internal_realpath () from
#0 0xd37b2200 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#1 0xd37af9f0 in _tt_get_realpath__FPcT1 () from /usr/lib/libtt.a(shr.o)
#2 0xd37b00b4 in _tt_realpath () from /usr/lib/libtt.a(shr.o)
#3 0xd37b287c in _Tt_file_system::bestMatchToPath () from
#4 0x1001ca50 in ?? ()
0xd37b2240 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
(gdb) x/i $pc
0xd37b2240: bl 0xd3793080
(gdb) x/s $r4
0x200aa4a8: "/home/root/", A <repeats 189 times>...
(gdb) stepi =20
0xd3793080 in strcpy () from /usr/lib/libtt.a(shr.o)
Single stepping until exit from function strcpy,=20
which has no line number information.
0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#0 0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o)
#1 0xaabbccdd in ?? ()
A proof of concept code for this vulnerability can be downloaded from our
website at http://risesecurity.org/.
IBM has released advisory and fixes for this vulnerability:
This vulnerability was discovered by Adriano Lima <firstname.lastname@example.org=
Ramon de Carvalho Valle <email@example.com>.
The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any inform=
provided, including any kind of information which is incomplete or incorrec=
will therefore be rejected.
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----