Patch-ID# 105803-21
Keywords: security crashes ttsession Tooltalk database server buffer overflow
Synopsis: OpenWindows 3.6_x86: ToolTalk patch
Date: Sep/11/2002

Install Requirements: None

Solaris Release: 2.6_x86

SunOS Release: 5.6_x86

Unbundled Product: OpenWindows

Unbundled Release: 3.6_x86

Xref: This patch is available for sparc as patch 105802

Topic:

Relevant Architectures: i386

BugId's fixed with this patch: 1234927 4100289 4115735 4141128 4143376
4153078 4164808 4171550 4172282 4203589 4204015 4229531 4260867 4272834
4278349 4302067 4363822 4379430 4417781 4476458 4499995 4522203 4707187
4713445

Changes incorporated in this version: 4713445

Patches accumulated and obsoleted by this patch: 106481-01

Patches which conflict with this patch:

Patches required with this patch: 105402-28 or greater

Obsoleted by:

Files included with this patch:

/usr/openwin/bin/tt_type_comp
/usr/openwin/bin/ttauth
/usr/openwin/bin/ttsession
/usr/openwin/lib/libtt.so.2
/usr/openwin/share/man/man1/ttauth.1
/usr/openwin/bin/rpc.ttdbserverd

Problem Description:

4713445 buffer overflow in the ToolTalk library

(from 105803-20)

4707187 multiple vulnerabilities in Tooltalk database server

(from 105803-19)

4476458 _Tt_c_procid::set_default_session dumps core on Solaris 7 and Solaris
4522203 libtt crashes and burns when ttsession cannot be reached

(from 105803-18)

4203589 Possible denial of service attack against rpc.ttdbserverd per bug 4124

(from 105803-17)

4499995 format string vulnerability in ToolTalk Database Server

(from 105803-16)

4417781 Login failed after patch 105802-14 add

(from 105803-15)

4379430 After patch add 105802-12, login failed

(from 105803-14)

4363822 ttsession memory leak
4204015 dbserver SEGVs when rpc function 15 is called with garbage
4302067 ToolTalk patch (105803-10) prohibits users to log into CDE.
4272834 Using des authentication as the default ttsession breaks applications
4143376 tt_type_comp crashes in tooltalk test suite

(from 105803-13)

4278349 ToolTalk authentication needs to be enhanced

(from 105803-12)

4260867 tooltalk apps vulnerable to attack through TT_SESSION env. variab

(from 105803-11)

4204015 dbserver SEGVs when rpc function 15 is called with garbage

(from 105803-10)

4229531 ttsession fails under heavy system load

(from 105803-09)

4172282 patch 105802-05 breaks dtlogin for non-root users

(from 105803-08)

rpc.ttdbserverd was compiled incorrectly

(from 105803-07)

4171550 patch 105803-05 breaks CDE

(from 105803-06)

4153078 CDE dtlogin hangs sometimes due to a ttsession hang

(from 105803-05)

4164808 rpc.ttdbserver has buffer overflow problems

(from 105803-04)

4153078 CDE dtlogin hangs sometimes due to a ttsession hang
        (This fix proved to be ineffective but is released in revision -05
        in order to release the security fix in that revision. 4153078 is
        being reworked to be released in a newer revision.)

(from 106481-01)

4141128 tt_session_prop hangs in tooltalk version 1.3

(from 105803-03)

4115735 ttsession dumps core on initial reboot after install

(from 105803-02)

4100289 tooltalk display problem between tooltalk revs 1.1.2 and 1.3

(from 105803-01)

1234927 tooltalk memory leak in tt_open/tt_close

Patch Installation Instructions:
--------------------------------
Refer to the Install.info file within the patch for instructions on using the
generic 'installpatch' and 'backoutpatch' scripts provided with each patch.
Any other special or non-generic installation instructions should be
described below.

Special Install Instructions:
-----------------------------

1. Desktop application failures when a ToolTalk Failure Occurs

   A. Possible Error Messages Seen When a ToolTalk Failure Occurs

      Message from dtmail:
        ToolTalk is not initialized. Mailer cannot run without ToolTalk.
        Try starting /usr/dt/bin/ttsession, or contact your System
        Administrator.

      Message from dtcm:
        Could not initialize ToolTalk.

      Message from dtfile:
        Unable to access this trash information file:
          <$HOME>/.dt/Trash/.trashinfo
        All trash operations will not be performed.
        The most common causes are:
          - Network authentication
          - Insufficient disk space
          - Wrong permissions $HOME/.dt/Trash.

      Message from dticon:
        ttmedia_ptype_decalare returned ToolTalk error: TT_ERR_PROCID
        The process id passed is not valid.

      Message from dtpad:
        ttdt_open failed.
        TT_ERR_PROCID The process id passed is not valid.

      Message from sdthotkey:
        ttdt_open(): TT_ERR_PROCID The process id passed is not valid.

      Message from sdtimage -tooltalk:
        Image Viewer: Could not initialize ToolTalk.

      Message from audiotool:
        Audio Control: Could not initialize Tool Talk: Unknown error code 1042

      Message from helpviewer:
        Could not start Viewer
        Could not initialize tooltalk (tt_open): TT_ERR_PROCID
        The process id used refers to no valid ToolTalk client. The client
        may have crashed, exited, or closed its ToolTalk connection.

      Message from helpopen:
        helpopen: Can't initialize tooltalk
        Could not initialize tooltalk (tt_open): TT_ERR_PROCID
        The process id used refers to no valid ToolTalk client. The client
        may have crashed, exited, or closed its ToolTalk connection.

      Message from mailtool:
        mailtool: Could not initialize Tool Talk: TT_ERR_PROCID (1042):
        Invalid process id

      Message from navigator:
        Can't initialize tooltalk
        Could not initialize tooltalk (tt_open): TT_ERR_PROCID
        The process id used refers to no valid ToolTalk client. The client
        may have crashed, exited, or closed its ToolTalk connection.

      Message from workshop:
        Could not initialize ToolTalk channel.

   B. Possible Behavior Seen When a ToolTalk Failure Occurs Without an
      Error Message

      Behavior for iconedit:
        'Palette...' button fails to start Color Chooser application.

      Behavior for snapshot:
        'View...' button fails to start imagetool.

      Behavior for binder:
        '...' button on Properties Icon page fails to start Color Chooser
        application.

   C. Solutions to failures

      The following is a list of possible solutions or workarounds to
      various ToolTalk failures. This list is not exhaustive but should
      cover the majority of cases:

        1. ensure the user's home directory is accessible on all systems
           involved
        2. share Magic Cookie credentials (see 'Sharing of Cookies')
        3. start /usr/openwin/bin/ttsession or /usr/dt/bin/ttsession
        4. start ttsession for the application (ttsession -c )
        5. ensure the authorization levels are the same between hosts
           (see the ttsession(1) and ttsession_file(4) man pages)

2. Sharing of Cookies Information

   This patch changes the default authentication used in ToolTalk from
   Unix authentication to Magic Cookie authentication. Magic Cookie
   authentication uses a random sequence of numbers to help authenticate
   the user. This random sequence of numbers is kept in the user's home
   directory in the .TTauthority file. If the user is the same on both
   ends of the connection and the home directories are the same, then no
   other steps are necessary to allow authentication. However, if the
   user's home directory is not available or there are different users
   involved, then one must share the Magic Cookie random sequence in order
   to authenticate. This is done using the new command called ttauth.
   Care must be taken in transmitting Magic Cookies.

   The ttauth command is made up of a series of subcommands. For sharing
   Magic Cookies the most interesting ones are list, extract and merge
   (see 'ttauth help' for a full list).

   The list subcommand will list all Magic Cookies that are contained in
   the authority file. The format of the list displayed is as follows:

   For example:

     localhost% ttauth list
     TT "" 1342177279/1/127.0.0.1/3 MIT-MAGIC-COOKIE-1 fbaaa8f1203aae2c564ffec3c41028b800
     TT "" 1342177279/1/129.101.122.10/2 MIT-MAGIC-COOKIE-1 b127d768a094c9e15a2456e9c26fecb00
     localhost%

   So 'TT' is the protoname, '""' (effectively blank) is the protodata, etc.

   Once you can view the Cookie entries you can then share them using the
   extract and merge subcommands of ttauth. For the extract subcommand you
   must specify the field that identifies which Cookie entry you want to
   extract. From 'ttauth help extract':

     localhost% ttauth help extract
     extract      extract entries into file
                  extract filename
     localhost%

   So to extract the localhost information (the 127.0.0.1 entry in the
   above example) the following command could be used:

     localhost% ttauth extract /tmp/localauth netid=1342177279/1/127.0.0.1/3
     localhost%

   Then, using a secure method, you can move the newly created file
   (/tmp/localauth) to another machine (the remote host):

     localhost% rcp /tmp/localauth remotehost:/tmp

   Finally, on the remote host a merge is performed:

     remotehost% ttauth merge /tmp/localauth

   This merges the entry in the file with the remote authority file. Be
   sure to remove the extracted file (/tmp/localauth in the example) on
   both the remote and local hosts.

   This can be done in one step once the list of Cookies is obtained from
   the remote host:

     remotehost% rsh localhost ttauth extract - netid=1342177279/1/127.0.0.1/3 | ttauth merge -

   Or from the localhost:

     localhost% ttauth extract - netid=1342177279/1/127.0.0.1/3 | rsh remotehost ttauth merge -

3. Note on Leftover Configuration Setup

   Though these ToolTalk patches implement the cookie level security by
   default, the system security level may have been reduced through
   previously suggested workarounds. Notably, the presence of AUTH=unix in
   /etc/default/ttsession, or changing the Xsession file to invoke
   ttsession with an -a unix option. To reap the full benefit, the System
   Administrator should verify that workarounds that compromise the cookie
   security are removed.

4. Patch listing other patches

   All systems must have the ToolTalk Magic Cookie enhanced patches
   installed in order to allow authentication across different releases
   of Solaris or system architectures. The following table lists the
   minimum patch revisions that have the necessary enhancement:

   Patch ID    Solaris     Window    System
               Release     System    Architecture
   --------    -------     ------    ------------
   107893-05   7           CDE/OW    sparc
   107894-05   7_x86       CDE/OW    intel
   105802-12   2.6         CDE/OW    sparc
   105803-14   2.6_x86     CDE/OW    intel
   104489-11   2.5.1       CDE/OW    sparc
   105496-09   2.5.1_x86   CDE/OW    intel
   104428-09   2.5         CDE/OW    sparc
   105495-07   2.5_x86     CDE/OW    intel
   102734-05   2.4         OW        sparc
   108641-01   2.4_x86     OW        intel
   108636-01   2.4         CDE       sparc
   108637-01   2.4_x86     CDE       intel

5. Note on DES usage for local and root user(s)

   ToolTalk will fail to authenticate local and root users in DES mode if
   they do not have a DES credential. This is expected behavior for a
   secure site using DES. Should the local administrator wish to have
   ToolTalk authenticate local and root users in this situation, a DES
   credential must be assigned to said user. Alternatively, the system
   administrator could lower their authentication level in ToolTalk (see
   the ttsession(1) man page).

README -- Last modified date: Wednesday, September 11, 2002
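Added example for the 'ttauth list' output format in section 2 (Sharing of Cookies Information) above; this is not code from Sun's patch or from the ttauth tool. It parses the listing into its fields, picks the netid that 'ttauth extract' needs for a given host, and reports which non-loopback hosts already hold a cookie in the file. Assumptions: the names authname/authdata for the fourth and fifth columns are mine (the README names only protoname, protodata and netid), the host address is taken as the third slash-separated component of the netid as in the README's 127.0.0.1 example, and the sample listing is the README's own session.

```python
# Added example (not Sun's or ttauth's code): parse 'ttauth list' output.
from __future__ import annotations
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class TTAuthEntry:
    protoname: str   # "TT" in the README's listing
    protodata: str   # shown as "" (an empty field) in the listing
    netid: str       # e.g. 1342177279/1/127.0.0.1/3; the key 'ttauth extract' takes
    authname: str    # assumed column name: "MIT-MAGIC-COOKIE-1" in the listing
    authdata: str    # assumed column name: the cookie value itself

    @property
    def address(self) -> str:
        # The README picks the loopback entry by its 127.0.0.1 component,
        # which is the third slash-separated field of the netid (assumption).
        return self.netid.split("/")[2]


def parse_ttauth_list(text: str) -> list[TTAuthEntry]:
    """Turn a captured 'ttauth list' session into entries, skipping prompts."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line)          # shlex turns the literal "" into ''
        if len(fields) == 5 and fields[0] == "TT":
            entries.append(TTAuthEntry(*fields))
    return entries


def extract_argv(entries: list[TTAuthEntry], address: str) -> list[str] | None:
    """argv for 'ttauth extract - netid=...' selecting the cookie of one host."""
    for entry in entries:
        if entry.address == address:
            return ["ttauth", "extract", "-", f"netid={entry.netid}"]
    return None


def remote_cookie_hosts(entries: list[TTAuthEntry]) -> list[str]:
    """Non-loopback hosts whose cookie is present, i.e. cookies merged from elsewhere."""
    return sorted({e.address for e in entries if e.address != "127.0.0.1"})


# Constructed sample: the README's own 'ttauth list' session, copied verbatim.
SAMPLE_LISTING = """\
localhost% ttauth list
TT "" 1342177279/1/127.0.0.1/3 MIT-MAGIC-COOKIE-1 fbaaa8f1203aae2c564ffec3c41028b800
TT "" 1342177279/1/129.101.122.10/2 MIT-MAGIC-COOKIE-1 b127d768a094c9e15a2456e9c26fecb00
localhost%
"""
```

Running remote_cookie_hosts over a user's real listing is a quick way to see which hosts' cookies have been merged into .TTauthority before deciding whether they still belong there.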