Patch-ID# 107894-20
Keywords: security crashes tooltalk clients database server buffer overflow
Synopsis: OpenWindows 3.6.1_x86: Tooltalk patch
Date: Sep/24/2003

Install Requirements: Additional instructions may be listed below
                      See Special Install Instructions

Solaris Release: 7_x86

SunOS Release: 5.7_x86

Unbundled Product: OpenWindows

Unbundled Release: 3.6.1_x86

Xref: This patch is available for SPARC as patch 107893

Topic:

Relevant Architectures: i386

BugId's fixed with this patch: 4153078 4162766 4203589 4204015 4229531 4260867
                               4272834 4278349 4325870 4334998 4363822 4379430
                               4417781 4476458 4499995 4522203 4668701 4707187
                               4713445 4871091

Changes incorporated in this version: 4871091

Patches accumulated and obsoleted by this patch: 108123-01 108238-01

Patches which conflict with this patch:

Patches required with this patch: 106943-09 or greater

Obsoleted by:

Files included with this patch:

/usr/openwin/bin/rpc.ttdbserverd
/usr/openwin/bin/ttauth
/usr/openwin/bin/ttsession
/usr/openwin/share/man/man1/ttauth.1
/usr/openwin/lib/libtt.so.2

Problem Description:

4871091 dtmail cannot open attached mail

(from 107894-19)

4713445 buffer overflow in the ToolTalk library

(from 107894-18)

4707187 multiple vulnerabilities in Tooltalk database server

(from 107894-17)

4668701 64bit ToolTalk clients cannot connect with ttsession

(from 107894-16)

4476458 _Tt_c_procid::set_default_session dumps core on Solaris 7 and Solaris (reworked)
4522203 libtt crashes and burns when ttsession cannot be reached (reworked)

(from 107894-15)

4476458 _Tt_c_procid::set_default_session dumps core on Solaris 7 and Solaris
4522203 libtt crashes and burns when ttsession cannot be reached

(from 107894-14)

4499995 format string vulnerability in ToolTalk Database Server

(from 107894-13)

4417781 Login failed after patch 105802-14 add (reworked)
4203589 Possible denial of service attack against rpc.ttdbserverd per bug 4124715 (reworked)

(from 107894-12)

4417781 Login failed after patch 105802-14 add

(from 107894-11)

4203589 Possible denial of service attack against rpc.ttdbserverd per bug 4124715

(from 107894-10)

4379430 After patch add 105802-12, login failed

(from 107894-09)

4363822 ttsession memory leak

(from 107894-08)

4334998 Loopback automount maps and 107893-07 cause failed CDE logins, hangs

(from 108238-01)
(from 107894-07)

4325870 ttauth utility missing in patch 107893-07

(from 107894-06)

4162766 tooltalk does not resolve lofs the way user expects it to (reworked)

(from 107894-05)

4162766 tooltalk does not resolve lofs the way user expects it to
4272834 Using des authentication as the default ttsession breaks applications

(from 107894-04)

4278349 ToolTalk authentication needs to be enhanced (reworked)

(from 107894-03)

4278349 ToolTalk authentication needs to be enhanced

(from 108123-01)

4260867 tooltalk apps vulnerable to attack through TT_SESSION env. variab

(from 107894-02)

4204015 dbserver SEGVs when rpc function 15 is called with garbage

(from 107894-01)

4229531 ttsession fails under heavy system load
4153078 CDE dtlogin hangs sometimes due to a ttsession hang

Patch Installation Instructions:
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
For Solaris 7 release, refer to the man pages for instructions on
using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.

The following example installs a patch to a standalone machine:

example# patchadd /var/spool/patch/104945-02

The following example removes a patch from a standalone system:

example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------

1. Desktop application failures when a ToolTalk Failure Occurs

   A. Possible Error Messages Seen When a ToolTalk Failure Occurs

      Message from dtmail:
        ToolTalk is not initialized. Mailer cannot run without ToolTalk.
        Try starting /usr/dt/bin/ttsession, or contact your System
        Administrator.

      Message from dtcm:
        Could not initialize ToolTalk.

      Message from dtfile:
        Unable to access this trash information file:
          <$HOME>/.dt/Trash/.trashinfo
        All trash operations will not be performed.
        The most common causes are:
          - Network authentication
          - Insufficient disk space
          - Wrong permissions $HOME/.dt/Trash.

      Message from dticon:
        ttmedia_ptype_decalare returned ToolTalk error: TT_ERR_PROCID
        The process id passed is not valid.

      Message from dtpad:
        ttdt_open failed. TT_ERR_PROCID The process id passed is not valid.

      Message from sdthotkey:
        ttdt_open(): TT_ERR_PROCID The process id passed is not valid.

      Message from sdtimage -tooltalk:
        Image Viewer: Could not initialize ToolTalk.

      Message from audiotool:
        Audio Control: Could not initialize Tool Talk: Unknown error code 1042

      Message from helpviewer:
        Could not start Viewer
        Could not initialize tooltalk (tt_open): TT_ERR_PROCID
        The process id used refers to no valid ToolTalk client. The client
        may have crashed, exited, or closed its ToolTalk connection.

      Message from helpopen:
        helpopen: Can't initialize tooltalk
        Could not initialize tooltalk (tt_open): TT_ERR_PROCID
        The process id used refers to no valid ToolTalk client. The client
        may have crashed, exited, or closed its ToolTalk connection.

      Message from mailtool:
        mailtool: Could not initialize Tool Talk: TT_ERR_PROCID (1042):
        Invalid process id

      Message from navigator:
        Can't initialize tooltalk
        Could not initialize tooltalk (tt_open): TT_ERR_PROCID
        The process id used refers to no valid ToolTalk client. The client
        may have crashed, exited, or closed its ToolTalk connection.

      Message from workshop:
        Could not initialize ToolTalk channel.

   B. Possible Behavior Seen When a ToolTalk Failure Occurs Without an
      Error Message

      Behavior for iconedit:
        'Palette...' button fails to start Color Chooser application.

      Behavior for snapshot:
        'View...' button fails to start imagetool.

      Behavior for binder:
        '...' button on Properties Icon page fails to start Color Chooser
        application.

   C. Solutions to failures

      The following is a list of possible solutions or workarounds to
      various ToolTalk failures. This list is not exhaustive but should
      cover the majority of cases:

      1. ensure the user's home directory is accessible on all systems
         involved
      2. share Magic Cookie credentials (see 'Sharing of Cookies')
      3. start /usr/openwin/bin/ttsession or /usr/dt/bin/ttsession
      4. start ttsession for the application (ttsession -c )
      5. ensure the authorization levels are the same between hosts
         (see ttsession(1) and ttsession_file(4) man pages)

2. Sharing of Cookies Information

   This patch changes the default authentication used in ToolTalk from
   Unix authentication to Magic Cookie authentication. Magic Cookie
   authentication uses a random sequence of numbers to help authenticate
   the user. This random sequence of numbers is kept in the user's home
   directory in the .TTauthority file. If the user is the same on both
   ends of the connection and the home directories are the same, then no
   other steps are necessary to allow authentication. However, if the
   user's home directory is not available or there are different users
   involved, then one must share the Magic Cookie random sequence in order
   to authenticate. This is done using the new command called ttauth.
   Care must be taken when transmitting Magic Cookies.

   The ttauth command is made up of a series of subcommands. For sharing
   of Magic Cookies the most interesting ones are list, extract, and merge
   (see 'ttauth help' for a full list).

   The list subcommand will list all Magic Cookies that are contained in
   the authority file. The format of the list displayed is as follows.
   For example:

      localhost% ttauth list
      TT  ""  1342177279/1/127.0.0.1/3       MIT-MAGIC-COOKIE-1  fbaaa8f1203aae2c564ffec3c41028b800
      TT  ""  1342177279/1/129.101.122.10/2  MIT-MAGIC-COOKIE-1  b127d768a094c9e15a2456e9c26fecb00
      localhost%

   So 'TT' is the protoname, '""' (effectively blank) is the protodata,
   etc.

   Once you can view the Cookie entries you can then share them using the
   extract and merge subcommands to ttauth. For the extract subcommand you
   must specify the field to identify which Cookie entry you want to
   extract. From 'ttauth help extract':

      localhost% ttauth help extract
      extract     extract entries into file
                  extract filename
      localhost%

   So to extract the localhost information (the 127.0.0.1 entry in the
   above example) the following command could be used:

      localhost% ttauth extract /tmp/localauth netid=1342177279/1/127.0.0.1/3
      localhost%

   Then using a secure method you can move the newly created file
   (/tmp/localauth) to another machine (remote host):

      localhost% rcp /tmp/localauth remotehost:/tmp

   Finally on the remote host a merge is performed:

      remotehost% ttauth merge /tmp/localauth

   This merges the entry in the file with the remote authority file. Be
   sure to remove the extracted file (/tmp/localauth in the example) on
   both the remote and local hosts.

   This can be done in one step once the list of Cookies is obtained from
   the remote host:

      remotehost% rsh localhost ttauth extract - netid=1342177279/1/127.0.0.1/3 | ttauth merge -

   Or from the localhost:

      localhost% ttauth extract - netid=1342177279/1/127.0.0.1/3 | rsh remotehost ttauth merge -

3. Note on Leftover Configuration Setup

   Though these ToolTalk patches implement the cookie level security by
   default, the system security level may have been reduced through
   previously suggested workarounds. Notably, the presence of AUTH=unix in
   /etc/default/ttsession or changing the Xsession file to invoke
   ttsession with an -a unix option. To reap the full benefit the System
   Administrator should verify that workarounds that compromise the cookie
   security are removed.

4. Patch listing other patches

   All systems must have the ToolTalk Magic Cookie enhanced patches
   installed in order to allow the authentication across different
   releases of Solaris or system architecture. The following table lists
   the minimum patch revisions that have the necessary enhancement:

      Patch ID    Solaris    Window    System
                  Release    System    Architecture
      --------    -------    ------    ------------
      107893-05   7          CDE/OW    sparc
      107894-05   7_x86      CDE/OW    intel
      105802-12   2.6        CDE/OW    sparc
      105803-14   2.6_x86    CDE/OW    intel
      104489-11   2.5.1      CDE/OW    sparc
      105496-09   2.5.1_x86  CDE/OW    intel
      104428-09   2.5        CDE/OW    sparc
      105495-07   2.5_x86    CDE/OW    intel
      102734-05   2.4        OW        sparc
      108641-01   2.4_x86    OW        intel
      108636-01   2.4        CDE       sparc
      108637-01   2.4_x86    CDE       intel

5. Note on DES usage for local and root user(s)

   ToolTalk will fail to authenticate local and root users in DES mode if
   they do not have a DES credential. This is expected behavior for a
   secure site using DES. Should the local administrator wish to have
   ToolTalk authenticate local and root users in this situation, a DES
   credential must be assigned to said user. Alternatively, the system
   administrator could lower their authentication level in ToolTalk (see
   ttsession(1) man page).

README -- Last modified date: Wednesday, September 24, 2003
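The shell helpers below are an added example for the cookie-sharing procedure in section 2 (Sharing of Cookies Information); they are not part of Sun's patch or of this README. They parse the 'ttauth list' output format the README shows (protoname, protodata, netid, authname, authdata) from constructed sample listings, report which local entries a remote host still lacks, and print the README's one-step share pipeline for review. The assumption that the host address is the third slash-separated element of the netid, the hex check on the cookie field, and the option of substituting ssh for rsh are this example's, not the README's.

```shell
#!/bin/sh
# Added example for section 2 (Sharing of Cookies); not part of Sun's README or
# patch. Field layout of a 'ttauth list' line, as shown in the README:
#   protoname protodata netid authname authdata
# Assumption (this example's, not the README's): the third "/"-separated element
# of the netid is the host address, e.g. 127.0.0.1 in 1342177279/1/127.0.0.1/3.

# Constructed sample listings in the README's format: what 'ttauth list' might
# print on the local host and on the remote host before any merge.
LOCAL_LIST='TT "" 1342177279/1/127.0.0.1/3 MIT-MAGIC-COOKIE-1 fbaaa8f1203aae2c564ffec3c41028b800
TT "" 1342177279/1/129.101.122.10/2 MIT-MAGIC-COOKIE-1 b127d768a094c9e15a2456e9c26fecb00'
REMOTE_LIST='TT "" 1342177279/1/129.101.122.10/2 MIT-MAGIC-COOKIE-1 b127d768a094c9e15a2456e9c26fecb00'

# Read a listing on stdin and print the netid of the entry for address $1.
# Fails (status 1) when nothing matches, so a caller never builds an
# 'extract ... netid=' command from an empty string.
ttauth_netid_for_addr() {
    awk -v want="$1" '
        $1 == "TT" && NF == 5 {
            split($3, part, "/")
            if (part[3] == want) { print $3; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# Read a listing on stdin and print every entry whose authdata is not plain
# hex; status 1 if any such entry exists (a sign of a damaged authority file).
ttauth_check_cookies() {
    awk '$1 == "TT" && NF == 5 && $5 !~ /^[0-9a-fA-F]+$/ { print; bad = 1 }
         END { if (bad) exit 1; exit 0 }'
}

# Print the netids present in the local listing ($1) but absent from the
# remote listing ($2): the entries that still need extract/merge.
ttauth_missing_on_remote() {
    printf 'REMOTE\n%s\nLOCAL\n%s\n' "$2" "$1" | awk '
        $1 == "REMOTE" { mode = "r"; next }
        $1 == "LOCAL"  { mode = "l"; next }
        $1 != "TT"     { next }
        mode == "r"    { seen[$3] = 1 }
        mode == "l" && !($3 in seen) { print $3 }'
}

# Read the local listing on stdin and print the README's one-step share
# command for address $1 and remote host $2, so it can be reviewed before
# it is run. $3 is the remote-shell command; it defaults to rsh as in the
# README, and passing ssh (this example's suggestion) avoids sending the
# cookie in clear text.
ttauth_share_cmd() {
    netid=$(ttauth_netid_for_addr "$1") || return 1
    printf 'ttauth extract - netid=%s | %s %s ttauth merge -\n' \
        "$netid" "${3:-rsh}" "$2"
}

# Demonstration on the constructed listings.
printf '%s\n' "$LOCAL_LIST" | ttauth_check_cookies
ttauth_missing_on_remote "$LOCAL_LIST" "$REMOTE_LIST"
printf '%s\n' "$LOCAL_LIST" | ttauth_share_cmd 127.0.0.1 remotehost ssh
```

Run on a real host, the listings would come from 'ttauth list' locally and from 'rsh remotehost ttauth list' (or ssh), and the printed pipeline is the README's own command with the netid filled in.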
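The following script is an added example for section 3 (Note on Leftover Configuration Setup), not part of Sun's patch or this README. It audits for the two leftover workarounds the README names, AUTH=unix in /etc/default/ttsession and an Xsession file that starts ttsession with -a unix, and runs here against constructed copies of those files; the file paths are parameters, and the regular expressions and warning text are this example's.

```shell
#!/bin/sh
# Added example for section 3 (Note on Leftover Configuration Setup); not part
# of Sun's README or patch. It audits the two leftover workarounds the README
# names: AUTH=unix in /etc/default/ttsession, and ttsession started with
# "-a unix" from the Xsession file. Paths are parameters so the functions can
# be run against constructed copies; on a real system pass the README's paths.

# Print (with line numbers) the uncommented lines of defaults file $1 that set
# AUTH=unix. Status 0 when at least one is found, 1 otherwise.
tt_defaults_has_unix_auth() {
    [ -f "$1" ] || return 1
    grep -n -E '^[[:space:]]*AUTH[[:space:]]*=[[:space:]]*unix([[:space:]]|$)' "$1"
}

# Print (with line numbers) the uncommented lines of Xsession script $1 that
# invoke ttsession with -a unix. Status 0 when found, 1 otherwise.
xsession_starts_unix_ttsession() {
    [ -f "$1" ] || return 1
    grep -n -E 'ttsession[^#]*[[:space:]]-a[[:space:]]+unix' "$1" |
        grep -v -E '^[0-9]+:[[:space:]]*#'
}

# Run both checks; returns 0 when the cookie default is not overridden and
# 1 when a workaround is still in place, printing what to remove.
tt_audit_cookie_security() {
    status=0
    if tt_defaults_has_unix_auth "$1"; then
        echo "WARNING: $1 sets AUTH=unix; remove it so ttsession uses cookie authentication"
        status=1
    fi
    if xsession_starts_unix_ttsession "$2"; then
        echo "WARNING: $2 starts ttsession with -a unix; drop that option"
        status=1
    fi
    return $status
}

# Constructed sample files standing in for the real configuration.
TT_AUDIT_TMP="${TMPDIR:-/tmp}/ttaudit.$$"
mkdir -p "$TT_AUDIT_TMP"
trap 'rm -rf "$TT_AUDIT_TMP"' EXIT
cat > "$TT_AUDIT_TMP/ttsession.weak" <<'EOF'
# constructed /etc/default/ttsession still carrying the old workaround
AUTH=unix
EOF
cat > "$TT_AUDIT_TMP/ttsession.clean" <<'EOF'
# constructed /etc/default/ttsession with the workaround commented out
# AUTH=unix
EOF
cat > "$TT_AUDIT_TMP/Xsession.weak" <<'EOF'
# constructed Xsession fragment still forcing Unix authentication
/usr/dt/bin/ttsession -a unix
EOF
cat > "$TT_AUDIT_TMP/Xsession.clean" <<'EOF'
# constructed Xsession fragment relying on the patch default
/usr/dt/bin/ttsession
EOF

# Demonstration: the weak pair is flagged, the clean pair passes.
tt_audit_cookie_security "$TT_AUDIT_TMP/ttsession.weak" "$TT_AUDIT_TMP/Xsession.weak" ||
    echo "weak configuration flagged"
tt_audit_cookie_security "$TT_AUDIT_TMP/ttsession.clean" "$TT_AUDIT_TMP/Xsession.clean" &&
    echo "clean configuration passes"
```

On a patched system the call would be tt_audit_cookie_security /etc/default/ttsession followed by the path of the Xsession file in use; a non-zero status means the Magic Cookie default is still being overridden.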