Date: Mon, 13 Sep 1999 16:03:26 +0200
From: Job de Haas <job@ITSX.COM>
Subject: Multiple vulnerabilities in CDE
To: BUGTRAQ@SECURITYFOCUS.COM

Hello,

Recently I discovered four vulnerabilities in the software package called Common Desktop Environment (CDE). This software aims for a unified desktop across multiple Unix flavors and versions. It is maintained by The Open Group, but the vendors maintain their (binary) distribution themselves.

I found these problems because I went looking for them for three reasons:

- I've always wondered what ToolTalk was about and what ttsession does.
- I've always been irritated about the lack of pro-active security measures by vendors and thought it would be easy to prove they do lack it.
- I enjoy hacking a system.

After I found these four problems I satisfied all reasons so I stopped looking.

In four separate e-mails I will give a detailed explanation of the problems. I think advisories and reports which combine different problems only complicate the already difficult process of referencing, archiving and determination if it is relevant to one's situation etc. etc. This can also be seen from a brief history of security problems in CDE (http://www.itsx.com/history.htm).

The vulnerabilities are:

1. A buffer overflow condition in 'dtaction' when supplying the -u <username> option with a long username. This can lead to local root compromise if dtaction is setuid root. It is a problem for only a limited number of platforms.

2. A symlink attack against 'dtspcd'. This daemon checks the owner of a temporary file created by the client, but fails to check if it is a symlink. This leads to a local root compromise.

3. A lack of verification of client credentials in 'ttsession', resulting in remote compromise of a system with the credentials of the user running ttsession on the host.

4. A buffer overflow in the shared library for ToolTalk (libtt.so) which leads to a local root compromise when exploited in 'dtsession'.
I reported these seven weeks ago and since then CERT has been coordinating the release of vendor patches (if anyone has). I have heard no more than that CERT will be releasing an advisory, so I can give no detailed information on the relevance of these bugs to specific vendors or on their patch availability. Also I have heard nothing about this information being incorrect.

The lack of pro-active measures by vendors can be shown from the fact that already in June 1997 Georgi Guninski found a vulnerability in dtaction. This discovery should have led to the discovery of two of the vulnerabilities above by the vendors themselves. Firstly it should have prompted a review of the dtaction source (even though Guninski's hole was in a shared library) and thus solving my vulnerability #1. Secondly it should have prompted a review of the other shared libraries and thus solving my vulnerability #4 (also an environment driven overflow, just like the one Georgi found).

Further it is of course very sad that two daemons particularly created to allow cross-platform invocation of applications (ttsession and dtspcd) have authentication problems, for which they should have been specifically reviewed. It is even worse when you think how long they've already been running and that I never believe I was the first to find anything.

I haven't lost the hope that vendors will ever start doing it right, but that is simply because I never had any hope to start with. However, if you are concerned about this behavior by vendors I suggest you let them know, because their marketing department (they apparently control everything) sure doesn't believe you are.

(Oh, and this isn't going to be a start of a longer series of advisories, therefore I didn't create any higher numbering/naming scheme.)

Regards,

Job

---
Job de Haas
job@itsx.com
ITSX bv
http://www.itsx.com
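The symlink weakness described under item 2 above is an instance of a general check-then-use defect in privileged daemons that accept a file path from an unprivileged client. The following C program is an added example and is not code from the advisory, from CDE or from dtspcd, whose internal logic the message does not show. It contrasts a naive ownership check made with stat() on the client-supplied path (stat() follows symbolic links, and open() re-resolves the name afterwards) against a hardened open that refuses symbolic links outright and validates the descriptor it actually obtained. The function names, the temporary directory under /tmp and the fixture files are constructed for this example.

```c
/* Added example, not code from the advisory or from CDE/dtspcd: a
 * privileged process validating a file path handed to it by a client.
 * naive_open() checks ownership with stat(), which follows symlinks, and then
 * opens the path by name. hardened_open() refuses symlinks at open time and
 * validates the descriptor it holds, closing the check-then-use window. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: stat() resolves symlinks, so the owner seen here is the owner
 * of whatever the link points at, and open() resolves the path a second time. */
int naive_open(const char *path, uid_t expected_uid)
{
    struct stat st;
    if (stat(path, &st) != 0 || st.st_uid != expected_uid)
        return -1;
    return open(path, O_RDWR);
}

/* Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP on a symlink, and
 * fstat() inspects the object behind the descriptor we already hold. Only a
 * regular file with a single link, owned by the expected uid, is accepted. */
int hardened_open(const char *path, uid_t expected_uid)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_uid || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a regular file plus a symlink pointing at it, both in
 * a fresh temporary directory. Returns 0 on success. */
int build_fixture(char *dir, size_t dirlen, char *file, char *lnk, size_t plen)
{
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX";   /* hypothetical location */
    if (mkdtemp(tmpl) == NULL || strlen(tmpl) >= dirlen)
        return -1;
    strcpy(dir, tmpl);
    snprintf(file, plen, "%s/target", dir);
    snprintf(lnk, plen, "%s/link", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return symlink(file, lnk);
}

/* Runs the comparison. Returns 0 when the two checks behave as described:
 * the naive check accepts the symlink (bit 1 set otherwise), the hardened
 * check rejects it (bit 2), and the hardened check accepts the real file
 * (bit 4). Returns -1 if the fixture could not be built. */
int run_demo(void)
{
    char dir[64], file[128], lnk[128];
    if (build_fixture(dir, sizeof dir, file, lnk, sizeof file) != 0)
        return -1;
    uid_t me = getuid();
    int result = 0;

    int fd = naive_open(lnk, me);           /* link is followed: accepted */
    if (fd < 0) result |= 1; else close(fd);

    fd = hardened_open(lnk, me);            /* ELOOP from O_NOFOLLOW: rejected */
    if (fd >= 0) { result |= 2; close(fd); }

    fd = hardened_open(file, me);           /* plain regular file: accepted */
    if (fd < 0) result |= 4; else close(fd);

    unlink(lnk); unlink(file); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("naive check accepts symlink, hardened check rejects it: %s\n",
           r == 0 ? "yes" : "no");
    return r;
}
```

The hardened variant never trusts the name: the only properties it acts on are those of the descriptor it opened, so a link swapped in between the check and the open cannot change what is validated. A daemon that must write into a client-owned file would additionally drop to the client's uid before opening, so that the kernel enforces the ownership rule rather than the daemon re-implementing it.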