By Edward Hurley, News Writer
19 Jul 2002, SearchSecurity
IT organizations should take seriously two recently announced security holes in a common GUI for Linux and Unix systems, experts say.
Late last week, the CERT Coordination Center at Pittsburgh-based Carnegie Mellon University released an advisory about two vulnerabilities in CDE (Common Desktop Environment) ToolTalk, a common GUI that runs on a host of Linux and Unix flavors.
The more serious of the two could allow remote attackers to commit denial of service attacks against affected servers, CERT said in its advisory. The lesser allows local attackers to escalate their system privileges. Both vulnerabilities involve the ToolTalk RPC database server in the CDE, which manages communications between ToolTalk applications.
"Both are very serious as they allow the arbitrary overwriting of files as root," said Ken Robson, a Unix specialist in Denmark. "If patches from vendors are not already available then packet filtering or firewalling should be used to protect hosts from attacks emanating from other subnets."
HP9000 Series 700/800 servers running HP-UX 10.10, 10.20, 11.00 and 11.11 are vulnerable, according to CERT. All supported versions of Solaris are vulnerable, including Solaris 2.5.1, 2.6, 7, 8 and 9, CERT said.
Ricardo Quesada, of New York-based Core Security Technologies, found the vulnerabilities while testing his company's penetration testing tool, Core Impact. "Ricardo was developing a module for a format string bug in the ToolTalk Database Server (rpc.ttdbserverd) and found these new ones," said Ivan Arce, Core Security's CTO.
Arce rates the flaws as a medium risk when balancing the pervasiveness of CDE ToolTalk, the severity of the vulnerabilities and how organizations use it. "I've failed to find an organization where the package (and CDE in general) is required in order to conduct normal activities," he said.
The fact that the ToolTalk Database Server program is enabled by default in many of the commercial Unix flavors, however, means the vulnerabilities shouldn't be overlooked, Arce said.
Exploiting the vulnerabilities isn't particularly difficult either, Arce said. Executing a denial of service attack is harder, requiring "a relatively experienced developer," but escalating system privileges is easier, he said. "In any case, experience proves that once a working exploit has been developed by a technically savvy individual, the less technically 'apt' individuals are able to use it without further knowledge of what it does or how it works," he said.