Date:         Mon, 13 Sep 1999 16:03:26 +0200
From: Job de Haas <job@ITSX.COM>
Subject:      Multiple vulnerabilities in CDE
To: BUGTRAQ@SECURITYFOCUS.COM

Hello,

Recently I discovered four vulnerabilities in the software package called
Common Desktop Environment (CDE). This software aims for a unified desktop
across multiple Unix flavors and versions. It is maintained by The Open Group,
but the vendors maintain their (binary) distribution themselves.

I found these problems because I went looking for them for three reasons:

- I've always wondered what ToolTalk was about and what ttsession does.

- I've always been irritated about the lack of pro-active security measures
  by vendors and thought it would be easy to prove they do lack it.

- I enjoy hacking a system.

After I found these four problems I satisfied all reasons so I stopped
looking.

In four separate e-mails I will give a detailed explanation of the problems.
I think advisories and reports which combine different problems only complicate
the already difficult process of referencing, archiving and determining
whether it is relevant to one's situation etc. etc. This can also be seen from a
brief history of security problems in CDE (http://www.itsx.com/history.htm).

The vulnerabilities are:

1. A buffer overflow condition in 'dtaction' when supplying the -u
<username> option with a long username. This can lead to local root
compromise if dtaction is setuid root. It is a problem for only a limited
number of platforms.

2. A symlink attack against 'dtspcd'. This daemon checks the owner of
a temporary file created by the client, but fails to check if it is a
symlink. This leads to a local root compromise.

3. A lack of verification of client credentials in 'ttsession',
resulting in remote compromise of a system with the credentials of the
user running ttsession on the host.

4. A buffer overflow in the shared library for ToolTalk (libtt.so) which
leads to a local root compromise when exploited in 'dtsession'.

I reported these seven weeks ago and since then CERT has been coordinating
the release of vendor patches (if anyone has). I have heard no more than that
CERT will be releasing an advisory, so I can give no detailed information
on the relevance of these bugs to specific vendors or on their patch
availability. Also I have heard nothing about this information being incorrect.

The lack of pro-active measures by vendors can be shown from the fact that
already in June 1997 Georgi Guninski found a vulnerability in dtaction. This
discovery should have led to the discovery of two of the vulnerabilities above
by the vendors themselves. Firstly it should have prompted a review of the
dtaction source (even though Guninski's hole was in a shared library) and thus
solved my vulnerability #1. Secondly it should have prompted a review of the
other shared libraries and thus solved my vulnerability #4 (also an
environment driven overflow, just like the one Georgi found).

Further it is of course very sad that two daemons particularly created to
allow cross-platform invocation of applications (ttsession and dtspcd) have
authentication problems, for which they should have been specifically reviewed.
It is even worse when you think how long they've already been running and that
I never believe I was the first to find anything.

I haven't lost the hope that vendors will ever start doing it right, but that
is simply because I never had any hope to start with. However, if you are
concerned about this behavior by vendors I suggest you let them know, because
their marketing department (they apparently control everything) sure doesn't
believe you are.

(Oh, and this isn't going to be the start of a longer series of advisories,
therefore I didn't create any higher numbering/naming scheme.)

Regards,

Job

---
Job de Haas         job@itsx.com
ITSX bv      http://www.itsx.com
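The second item in the list above (a daemon that checks the owner of a client-created temporary file but not whether the path is a symlink) is a bug class that is easy to show in code. The following is an added example and is not dtspcd's code; the weak and hardened checks, the function names and the constructed scenario in a fresh temp directory are all assumptions made for illustration.

```c
/* Added example: validating a client-supplied temporary file before trusting it.
 * Modelled on the dtspcd bug class described above; not the CDE source. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak check (hypothetical): stat() follows symlinks, so the owner it reports is
 * the owner of whatever the link points at, not of the path the client handed us.
 * A caller that then opens the path by name can be redirected anywhere. */
static int weak_owner_check(const char *path, uid_t owner) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return st.st_uid == owner ? 0 : -1;
}

/* Hardened check: refuse to follow a symlink at open time, then fstat() the
 * descriptor we actually hold (no path race), and require a regular file with a
 * single hard link owned by the expected user. Returns an fd or -1. */
static int open_client_tmpfile(const char *path, uid_t owner) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;                 /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: one regular file and one symlink pointing at it, both in
 * a fresh temp directory owned by the caller. Returns a bitmask of outcomes. */
int run_demo(void) {
    char dir[] = "/tmp/cde-demoXXXXXX";
    char file[64], link[64];
    int result = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof file, "%s/file", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (symlink(file, link) != 0) return -1;
    if (weak_owner_check(link, getuid()) == 0) result |= 1;   /* symlink passes */
    if (open_client_tmpfile(link, getuid()) < 0) result |= 2; /* symlink rejected */
    if ((fd = open_client_tmpfile(file, getuid())) >= 0) { result |= 4; close(fd); }
    unlink(link); unlink(file); rmdir(dir);
    return result;
}
```

run_demo() returns 7 when the weak check accepts the symlink and the hardened check rejects the symlink but accepts the regular file.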