Patch-ID# 102734-06
Keywords: security leak SEGV ODS Database Server denial service
Synopsis: OpenWindows 3.4: ToolTalk 1.1.2: fix core dumps, leaks, ODS install
Date: Nov/09/2001

Solaris Release: 2.4

SunOS Release: 5.4

Unbundled Product: OpenWindows

Unbundled Release: 3.4

Xref:

Topic:

Relevant Architectures: sparc

BugId's fixed with this patch: 1212956 1234927 1245603 4164808 4203589 4260867 4278349 4499995

Changes incorporated in this version: 4499995 4203589

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 101973-40 or greater

Obsoleted by:

Files included with this patch:

/usr/openwin/bin/tt_type_comp
/usr/openwin/bin/ttauth
/usr/openwin/bin/ttce2xdr
/usr/openwin/bin/ttcp
/usr/openwin/bin/ttdbck
/usr/openwin/bin/ttmv
/usr/openwin/bin/ttrm
/usr/openwin/bin/ttrmdir
/usr/openwin/bin/ttsession
/usr/openwin/bin/tttar
/usr/openwin/lib/libtt.a
/usr/openwin/lib/libtt.so.1
/usr/openwin/share/man/man1/ttauth.1
/usr/openwin/share/man/man1/ttsession.1
/usr/openwin/bin/rpc.ttdbserverd

Problem Description:

4203589 Possible denial of service attack against rpc.ttdbserverd per bug 4124
4499995 format string vulnerability in ToolTalk Database Server

(from 102734-05)

4260867 tooltalk apps vulnerable to attack through TT_SESSION env. variable
4164808 rpc.ttdbserver has buffer overflow problems
4278349 ToolTalk authentication needs to be enhanced

(from 102734-04)

1245603 Patch 102734-03 will not install correctly on a system with ODS

(from 102734-03)

1234927 tooltalk memory leak in tt_open/tt_close

(from 102734-02)

1212956 A tooltalk based client crashes in tt_default_session when
        ttsession is killed.

(from 102734-01)

1212956 Calling tt_default_session() after killing the default session
        from another process could core dump.
        Normally this problem is not seen because the default session
        is not killed from another process, or if it were, another
        ToolTalk API call returns TT_ERR_NOMP, or TT_ERR_SESSION, before
        tt_default_session is called. However, it is possible to core
        dump, so this patch fixes that bug.

Patch Installation Instructions:
--------------------------------

Refer to the Install.info file within the patch for instructions on
using the generic 'installpatch' and 'backoutpatch' scripts provided
with each patch. Any other special or non-generic installation
instructions should be described below.

Special Install Instructions:
-----------------------------

1. Desktop application failures when a ToolTalk Failure Occurs

   A. Possible Error Messages Seen When a ToolTalk Failure Occurs

      Message from dtmail:
          ToolTalk is not initialized. Mailer cannot run without
          ToolTalk. Try starting /usr/dt/bin/ttsession, or contact
          your System Administrator.

      Message from dtcm:
          Could not initialize ToolTalk.

      Message from dtfile:
          Unable to access this trash information file:
          <$HOME>/.dt/Trash/.trashinfo
          All trash operations will not be performed.
          The most common causes are:
            - Network authentication
            - Insufficient disk space
            - Wrong permissions $HOME/.dt/Trash.

      Message from dticon:
          ttmedia_ptype_decalare returned ToolTalk error: TT_ERR_PROCID
          The process id passed is not valid.

      Message from dtpad:
          ttdt_open failed.
          TT_ERR_PROCID The process id passed is not valid.

      Message from sdthotkey:
          ttdt_open(): TT_ERR_PROCID The process id passed is not valid.

      Message from sdtimage -tooltalk:
          Image Viewer: Could not initialize ToolTalk.

      Message from audiotool:
          Audio Control: Could not initialize Tool Talk: Unknown error
          code 1042

      Message from helpviewer:
          Could not start Viewer
          Could not initialize tooltalk (tt_open):
          TT_ERR_PROCID The process id used refers to no valid ToolTalk
          client. The client may have crashed, exited, or closed its
          ToolTalk connection.

      Message from helpopen:
          helpopen: Can't initialize tooltalk
          Could not initialize tooltalk (tt_open):
          TT_ERR_PROCID The process id used refers to no valid ToolTalk
          client. The client may have crashed, exited, or closed its
          ToolTalk connection.

      Message from mailtool:
          mailtool: Could not initialize Tool Talk: TT_ERR_PROCID (1042):
          Invalid process id

      Message from navigator:
          Can't initialize tooltalk
          Could not initialize tooltalk (tt_open):
          TT_ERR_PROCID The process id used refers to no valid ToolTalk
          client. The client may have crashed, exited, or closed its
          ToolTalk connection.

      Message from workshop:
          Could not initialize ToolTalk channel.

   B. Possible Behavior Seen When a ToolTalk Failure Occurs Without an
      Error Message

      Behavior for iconedit:
          'Palette...' button fails to start Color Chooser application.

      Behavior for snapshot:
          'View...' button fails to start imagetool.

      Behavior for binder:
          '...' button on Properties Icon page fails to start Color
          Chooser application.

   C. Solutions to failures

      The following is a list of possible solutions or workarounds to
      various ToolTalk failures. This list is not exhaustive but should
      cover the majority of cases:

      1. ensure the user's home directory is accessible on all systems
         involved
      2. share Magic Cookie credentials (see 'Sharing of Cookies')
      3. start /usr/openwin/bin/ttsession or /usr/dt/bin/ttsession
      4. start ttsession for application (ttsession -c )
      5. ensure the authorization levels are the same between hosts
         (see ttsession(1) and ttsession_file(4) man pages)

2. Sharing of Cookies Information

   This patch changes the default authentication used in ToolTalk from
   Unix authentication to Magic Cookie authentication. Magic Cookie
   authentication uses a random sequence of numbers to help authenticate
   the user. This random sequence of numbers is kept in the user's home
   directory in the .TTauthority file.
   If the user is the same on both ends of the connection and the home
   directories are the same, then no other steps are necessary to allow
   authentication. However, if the user's home directory is not available
   or there are different users involved, then one must share the Magic
   Cookie random sequence in order to authenticate. This is done using
   the new command called ttauth. Care must be taken when transmitting
   Magic Cookies.

   The ttauth command is made up of a series of subcommands. For sharing
   of Magic Cookies the most interesting ones are list, extract and merge
   (see 'ttauth help' for a full list).

   The list subcommand will list all Magic Cookies that are contained in
   the authority file. The format of the list displayed is as follows:

   For example:

       localhost% ttauth list
       TT "" 1342177279/1/127.0.0.1/3 MIT-MAGIC-COOKIE-1 fbaaa8f1203aae2c564ffec3c41028b800
       TT "" 1342177279/1/129.101.122.10/2 MIT-MAGIC-COOKIE-1 b127d768a094c9e15a2456e9c26fecb00
       localhost%

   So 'TT' is the protoname, '""' (effectively blank) is the protodata,
   etc.

   Once you can view the Cookie entries you can then share them using the
   extract and merge subcommands to ttauth. For the extract subcommand
   you must specify the field to identify which Cookie entry you want to
   extract. From 'ttauth help extract':

       localhost% ttauth help extract
       extract          extract entries into file
           extract filename
       localhost%

   So to extract the localhost information (127.0.0.1 entry in the above
   example) the following command could be used:

       localhost% ttauth extract /tmp/localauth netid=1342177279/1/127.0.0.1/3
       localhost%

   Then using a secure method you can move the newly created file
   (/tmp/localauth) to another machine (remote host):

       localhost% rcp /tmp/localauth remotehost:/tmp

   Finally on the remote host a merge is performed:

       remotehost% ttauth merge /tmp/localauth

   This merges the entry in the file with the remote authority file. Be
   sure to remove the extracted file (/tmp/localauth in the example) on
   both the remote and local hosts.

   This can be done in one step once the list of Cookies is obtained.
   From the remote host:

       remotehost% rsh localhost ttauth extract - netid=1342177279/1/127.0.0.1/3 | ttauth merge -

   Or from the localhost:

       localhost% ttauth extract - netid=1342177279/1/127.0.0.1/3 | rsh remotehost ttauth merge -

3. Note on Leftover Configuration Setup

   Though these ToolTalk patches implement the cookie level security by
   default, the system security level may have been reduced through
   previously suggested workarounds. Notable examples are the presence of
   AUTH=unix in /etc/default/ttsession, or an Xsession file changed to
   invoke ttsession with an -a unix option. To reap the full benefit, the
   System Administrator should verify that workarounds that compromise
   the cookie security are removed.

4. Patch listing other patches

   All systems must have the ToolTalk Magic Cookie enhanced patches
   installed in order to allow the authentication across different
   releases of Solaris or system architecture. The following table lists
   the minimum patch revisions that have the necessary enhancement:

              Solaris    Window   System
   Patch ID   Release    System   Architecture
   --------   -------    ------   ------------
   107893-05  7          CDE/OW   sparc
   107894-05  7_x86      CDE/OW   intel
   105802-12  2.6        CDE/OW   sparc
   105803-14  2.6_x86    CDE/OW   intel
   104489-11  2.5.1      CDE/OW   sparc
   105496-09  2.5.1_x86  CDE/OW   intel
   104428-09  2.5        CDE/OW   sparc
   105495-07  2.5_x86    CDE/OW   intel
   102734-05  2.4        OW       sparc
   108641-01  2.4_x86    OW       intel
   108636-01  2.4        CDE      sparc
   108637-01  2.4_x86    CDE      intel

5. Note on DES usage for local and root user(s)

   ToolTalk will fail to authenticate local and root users in DES mode if
   they do not have a DES credential. This is expected behavior for a
   secure site using DES. Should the local administrator wish to have
   ToolTalk authenticate local and root users in this situation, a DES
   credential must be assigned to said user. Alternatively, the system
   administrator could lower their authentication level in ToolTalk (see
   ttsession(1) man page).
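
The verification asked for in section 3 (Leftover Configuration Setup) can be scripted. The following is an added example, not part of this README or of the patch: the Xsession path is site-specific and is passed as an argument, and the tolerance for whitespace and quotes around AUTH=unix is an assumption about the file's syntax.

```shell
#!/bin/sh
# Added example (not from the patch README): audit for leftover workarounds
# that pin ToolTalk to Unix authentication instead of the cookie default.

# strip_comments FILE: print FILE as "lineno:text", minus blank/comment lines.
strip_comments() {
    grep -n '' "$1" | grep -v -E '^[0-9]+:[[:space:]]*(#|$)'
}

# check_default_file FILE: return 1 if FILE has an active AUTH=unix setting.
check_default_file() {
    [ -r "$1" ] || return 0     # no file: nothing overrides the default
    if strip_comments "$1" |
        grep -E '^[0-9]+:[[:space:]]*AUTH[[:space:]]*=[[:space:]]*"?unix"?[[:space:]]*$'
    then
        echo "WEAK: $1 sets AUTH=unix" >&2
        return 1
    fi
    return 0
}

# check_session_script FILE: return 1 if FILE starts ttsession with -a unix.
check_session_script() {
    [ -r "$1" ] || return 0
    if strip_comments "$1" | grep 'ttsession' |
        grep -E '(^|[[:space:]])-a[[:space:]]*unix([[:space:]]|$)'
    then
        echo "WEAK: $1 invokes ttsession with -a unix" >&2
        return 1
    fi
    return 0
}

# audit_ttsession DEFAULT_FILE [SESSION_SCRIPT...]: exit status = findings.
audit_ttsession() {
    findings=0
    check_default_file "$1" || findings=$((findings + 1))
    shift
    for s in "$@"; do
        check_session_script "$s" || findings=$((findings + 1))
    done
    return "$findings"
}

# Usage: sh audit.sh /etc/default/ttsession <path-to-Xsession-file>...
if [ "$#" -gt 0 ]; then audit_ttsession "$@"; fi
```

Matching lines are printed with their line numbers, so the offending setting can be removed directly; commented-out workarounds are ignored.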
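
The minimum revisions in the section 4 table can be checked against saved `showrev -p` output. This is an added example, not part of this README: it assumes each installed patch appears on a line beginning "Patch: <id>-<rev>", and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the patch README): compare installed patch
# revisions with the minimum cookie-capable revisions in the section 4 table.

# Minimum revisions, copied from the section 4 table.
MIN_PATCHES="107893-05 107894-05 105802-12 105803-14 104489-11 105496-09
104428-09 105495-07 102734-05 108641-01 108636-01 108637-01"

# installed_rev BASE: highest installed revision of patch BASE, read from
# `showrev -p` style text on stdin (assumed lines: "Patch: 102734-06 ...").
installed_rev() {
    awk -v base="$1" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && p[2] + 0 > max) max = p[2] + 0 }
        END { if (max == "") print "none"; else print max }'
}

# check_cookie_patches FILE: FILE holds saved `showrev -p` output.
# Prints one line per table patch that is installed. Returns 1 if any
# installed one is below its minimum, 2 if none of them is installed.
check_cookie_patches() {
    status=2
    for entry in $MIN_PATCHES; do
        base=${entry%-*}
        min=$(expr "${entry#*-}" + 0)      # "05" -> 5, avoids octal parsing
        have=$(installed_rev "$base" < "$1")
        if [ "$have" = none ]; then
            continue
        fi
        if [ "$have" -ge "$min" ]; then
            printf 'OK   %s-%02d (minimum %s)\n' "$base" "$have" "$entry"
            if [ "$status" -eq 2 ]; then status=0; fi
        else
            printf 'OLD  %s-%02d (minimum %s)\n' "$base" "$have" "$entry"
            status=1
        fi
    done
    return "$status"
}

# Usage: showrev -p > patches.txt; sh check.sh patches.txt
if [ "$#" -gt 0 ]; then check_cookie_patches "$1"; fi
```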
README -- Last modified date: Friday, November 9, 2001