Multi-vendor CDE dtspcd daemon buffer overflow

cde-dtspcd-bo (7396)

High Risk

Description:

The CDE Subprocess Control Server daemon (dtspcd) is vulnerable to a buffer overflow. By sending a specially-crafted CDE client request, a remote attacker can overflow a buffer in the connection negotiation routine within dtspcd and execute arbitrary commands on the system with superuser privileges.

The Subprocess Control Server daemon is enabled by default on all operating systems with CDE installed. This process is run by the root user and accepts remote connections by default.

Platforms Affected:

• Compaq, Tru64 4.0f
• Compaq, Tru64 4.0g
• Compaq, Tru64 5.0a
• Compaq, Tru64 5.1
• Compaq, Tru64 5.1a
• HP, HP-UX 10.10
• HP, HP-UX 10.20
• HP, HP-UX 10.24
• HP, HP-UX 11.00
• HP, HP-UX 11.04
• HP, HP-UX 11.11
• IBM, AIX 4.3
• IBM, AIX 5.1
• Open Group, Common Desktop Environment (CDE)
• SCO, Caldera OpenUnix 8.0.0
• SCO, Caldera UnixWare 7
• SGI, IRIX 6.5
• SGI, IRIX 6.5 20
• SGI, IRIX 6.5.1
• SGI, IRIX 6.5.10
• SGI, IRIX 6.5.10f
• SGI, IRIX 6.5.10m
• SGI, IRIX 6.5.11
• SGI, IRIX 6.5.11f
• SGI, IRIX 6.5.11m
• SGI, IRIX 6.5.12
• SGI, IRIX 6.5.12f
• SGI, IRIX 6.5.12m
• SGI, IRIX 6.5.13
• SGI, IRIX 6.5.13f
• SGI, IRIX 6.5.13m
• SGI, IRIX 6.5.14
• SGI, IRIX 6.5.14f
• SGI, IRIX 6.5.14m
• SGI, IRIX 6.5.15
• SGI, IRIX 6.5.15f
• SGI, IRIX 6.5.15m
• SGI, IRIX 6.5.16
• SGI, IRIX 6.5.16f
• SGI, IRIX 6.5.16m
• SGI, IRIX 6.5.17
• SGI, IRIX 6.5.17f
• SGI, IRIX 6.5.17m
• SGI, IRIX 6.5.18
• SGI, IRIX 6.5.18f
• SGI, IRIX 6.5.18m
• SGI, IRIX 6.5.19
• SGI, IRIX 6.5.19f
• SGI, IRIX 6.5.19m
• SGI, IRIX 6.5.2
• SGI, IRIX 6.5.20
• SGI, IRIX 6.5.20f
• SGI, IRIX 6.5.20m
• SGI, IRIX 6.5.21
• SGI, IRIX 6.5.21f
• SGI, IRIX 6.5.21m
• SGI, IRIX 6.5.22
• SGI, IRIX 6.5.22m
• SGI, IRIX 6.5.23
• SGI, IRIX 6.5.23m
• SGI, IRIX 6.5.24
• SGI, IRIX 6.5.24m
• SGI, IRIX 6.5.25
• SGI, IRIX 6.5.26
• SGI, IRIX 6.5.27
• SGI, IRIX 6.5.28
• SGI, IRIX 6.5.2f
• SGI, IRIX 6.5.2m
• SGI, IRIX 6.5.3
• SGI, IRIX 6.5.3f
• SGI, IRIX 6.5.3m
• SGI, IRIX 6.5.4
• SGI, IRIX 6.5.4f
• SGI, IRIX 6.5.4m
• SGI, IRIX 6.5.5
• SGI, IRIX 6.5.5f
• SGI, IRIX 6.5.5m
• SGI, IRIX 6.5.6
• SGI, IRIX 6.5.6f
• SGI, IRIX 6.5.6m
• SGI, IRIX 6.5.7
• SGI, IRIX 6.5.7f
• SGI, IRIX 6.5.7m
• SGI, IRIX 6.5.8
• SGI, IRIX 6.5.8f
• SGI, IRIX 6.5.8m
• SGI, IRIX 6.5.9
• SGI, IRIX 6.5.9f
• SGI, IRIX 6.5.9m
• Sun, Solaris 2.5.1
• Sun, Solaris 2.6
• Sun, Solaris 7.0
• Sun, Solaris 8

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
CdeDtspcdBo

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
Dtspcd_Overflow

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 6612

For Manual Protection:

For Caldera UnixWare 7 and OpenUNIX 8.0.0:
Apply the appropriate patch for your system, as listed in Caldera International, Inc. Security Advisory CSSA-2001-SCO.30. See References.

For HP-UX releases 10.10, 10.20, 10.24, 11.00, 11.04, and 11.11:
Download and install the latest replacement dtspcd files as listed in Hewlett-Packard Security Bulletin #00175 (HPSBUX0111-175). See References.

For Solaris 8, 7, 2.6, and 2.5.1:
Apply the appropriate patch for your system, as listed in Sun Microsystems, Inc. Security Bulletin #00214. See References.

For other distributions:
Contact your vendor for upgrade or patch information..

Consequences:

Gain Privileges

References:

• Caldera International, Inc. Security Advisory CSSA-2001-SCO.30, Open UNIX, UnixWare 7: DCE SPC library buffer overflow at ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/CSSA-2001-SCO.30.txt.
• CERT Advisory CA-2001-31, Buffer Overflow in CDE Subprocess Control Service at http://www.cert.org/advisories/CA-2001-31.html.
• CERT Advisory CA-2002-01, Exploitation of Vulnerability in CDE Subprocess Control Service at http://www.cert.org/advisories/CA-2002-01.html.
• CIAC Information Bulletin M-019, Multiple Vendor CDE dtpscd Process Buffer Overflow at http://www.ciac.org/ciac/bulletins/m-019.shtml.
• Compaq SECURITY BULLETIN (SSRT-541), Tru64 UNIX CDE, NFS and NIS related Potential Security Vulnerabilities at http://ftp.support.compaq.com/patches/.new/html/SSRT-541.shtml.
• Hewlett-Packard Company Security Bulletin HPSBUX0111-175, Sec. Vulnerability in dtspcd at http://online.securityfocus.com/advisories/3651. (From SecurityFocus archive.)
• Internet Security Systems Security Alert #101, Multi-Vendor Buffer Overflow Vulnerability in CDE Subprocess Control Service at http://www.iss.net/xforce/alerts/id/advise101.
• SGI Security Advisory 20011107-01-P, CDE vulnerabilities at ftp://patches.sgi.com/support/free/security/advisories/20011107-01-P.
• SGI Security Advisory 20020302-01-A, Additional CDE and CDE ToolTalk Vulnerabilities at ftp://patches.sgi.com/support/free/security/advisories/20020302-01-A.
• Sun Microsystems, Inc. Security Bulletin #00214, dtspcd at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/214&type=0&nav=sec.sba.
• BID-3517: Multiple Vendor CDE dtspcd Buffer Overflow Vulnerability
• CVE-2001-0803: Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.
• US-CERT VU#172583: Common Desktop Environment (CDE) Subprocess Control Service dtspcd contains buffer overflow

Reported:

Nov 12, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page