13-Nov-2001/20-Feb-2002

Name: Buffer Overflow in CDE Sub Process Control Daemon
Vulnerability: Exploit can crash and/or execute code as root
Systems: Linux/Unix -- especially Solaris
Risk: Serious and Unwarranted

On 12-Nov-2001 the CERT issued an advisory reporting a problem with the Sub Process Control Daemon of the Common Desktop Environment: a remotely exploitable buffer overflow that gives the attacker root access. The vulnerability is limited to Unix and Linux systems running the "dtspcd" daemon. See:

    http://www.cert.org/advisories/CA-2001-31.html
    http://www.kb.cert.org/vuls/id/172583

On 14-Jan-2002 the CERT issued another advisory reporting that this problem is currently being exploited on (unpatched) Solaris systems. See:

    http://www.cert.org/advisories/CA-2002-01.html

I recently scanned the campus network and determined that your system has a "dtspcd" daemon and *may* be vulnerable. It is my understanding that:

1. Solaris systems are vulnerable and a patch has been issued, see:
   http://www.kb.cert.org/vuls/id/AAMN-542TP8
2. AIX systems are vulnerable and an APAR has been issued, see:
   http://www.kb.cert.org/vuls/id/AAMN-542QHA
3. SGI systems are vulnerable and a patch has been issued, see:
   http://www.kb.cert.org/vuls/id/AAMN-542TD5
4. Some Linux systems are vulnerable (but CDE is uncommon on Linux).
5. Other Unix systems may be vulnerable, see:
   http://www.kb.cert.org/vuls/id/172583

You should be concerned that your system may be vulnerable to exploit.

------------------------
1. Disabling the Service

Our experience, on Solaris and AIX workstations and servers, is that you can safely disable the dtspcd daemon with no discernible loss of functionality -- it is an *optional* service for the CDE environment. I don't run it on my Solaris workstation and we always disable it on Unix systems we harden.

>>> Since this note was originally released over 300 systems have
>>> disabled this daemon with no reports of loss of functionality.
For these reasons I recommend that you disable the service on your system -- you should not accept the risk of compromise on a service you do not need. You disable the service by commenting it out of /etc/inetd.conf and signaling the inetd daemon so that it re-reads the file (root access is required):

    % su                            # root access required
    % vi /etc/inetd.conf            # edit the configuration file ...etc.
    % grep dtspc /etc/inetd.conf    # results should look like this:
    # HARDEN
    #dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
    % ps -ef | grep inetd           # find the process id of the inetd daemon
    % kill -1 <inetd-pid>           # SIGHUP: inetd re-reads the configuration file

Substitute the process id reported by ps for <inetd-pid>; without a process id the kill command does nothing useful. You can verify that the daemon has been disabled:

    [10:29am] telnet localhost dtspc
    Trying 127.0.0.1...
    telnet: Unable to connect to remote host: Connection refused

(telnet looks the name "dtspc" up in /etc/services; the service is on TCP port 6112, so "telnet localhost 6112" is the same test on a system whose services file lacks the entry. "Connection refused" is the result you want; a connect that succeeds and then hangs means the daemon is still being started by inetd.)

------------------------
2. Patching the Service

For Solaris systems managed by xhier: if you have the "sunos5-1.0_patches" package installed and configured, patches will be applied automatically.

For Solaris systems not managed by xhier, please use the patching tools found at:

    http://ist.uwaterloo.ca/security/howto/2000-12-04/

BEWARE: SUN DOES NOT ISSUE ANY PATCHES FOR SYSTEMS BEFORE SunOS 5.5.1. If your system is older then it cannot be patched -- you should disable the daemon. You should also upgrade your system to a supported version at your earliest convenience.

------------------------
3. Stack Overflow Protection

Current versions of Solaris include a method to protect against some buffer overflow problems -- many compromises involve overflowing a buffer on the stack with executable code and then jumping into it. Those attacks can be stopped by a trivial configuration in the "/etc/system" file -- note that a reboot is required before it takes effect. That's a configuration we recommend very highly. See:

    http://ist.uwaterloo.ca/security/howto/1999-06-22.html

A non-executable stack is a mitigation, not a fix: it does nothing for an overflow that never runs code on the stack, so it complements disabling or patching the daemon rather than replacing either.

If you have any questions/concerns or need help please let us know.
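The /etc/system setting that section 3 refers to, given here as an added illustration rather than quoted from the note or the linked how-to. The two tunables are Solaris's own names; the comment lines (which /etc/system introduces with "*") are ours.

```text
* /etc/system: refuse to execute code located on user stacks (reboot required)
set noexec_user_stack=1
* log each refused attempt through syslog so that probes show up in the logs
set noexec_user_stack_log=1
```

The first line makes a stack-resident payload fault instead of run; the second is worth having as a detection signal, since a logged attempt on a host that is supposed to have no exploitable stack overflows is itself an incident. Neither line helps against an overflow that is turned into a jump into existing code, so sections 1 and 2 remain the primary controls.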
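The inetd.conf check and edit from section 1, as an added example that is not part of the original note: a small POSIX sh script that reports whether an inetd.conf still starts dtspcd and comments the entry out with the same "# HARDEN" marker the note uses. The function names (dtspc_active, dtspc_state, harden_inetd, write_sample) are ours, and the inetd.conf contents it works on are constructed sample data written to a scratch file, not a real host's configuration.

```shell
#!/bin/sh
# Added example (not from the original note): audit an inetd.conf for an
# active dtspc entry and comment it out.  Assumes POSIX sh, grep and sed and
# a file in inetd.conf's whitespace-separated format.  The sample inetd.conf
# below is constructed for the demonstration, not taken from any host.

# dtspc_active FILE: succeed (0) if FILE still has an uncommented dtspc
# entry, i.e. inetd would still start the daemon; fail (1) if every dtspc
# line is commented out or absent.
dtspc_active() {
    grep '^[[:space:]]*dtspc[[:space:]]' "$1" >/dev/null 2>&1
}

# dtspc_state FILE: print "enabled" or "disabled" for a human-readable report.
dtspc_state() {
    if dtspc_active "$1"; then echo enabled; else echo disabled; fi
}

# harden_inetd FILE: comment out every active dtspc entry, preceded by the
# "# HARDEN" marker, and leave every other line untouched.  Lines that are
# already commented do not match, so running it twice changes nothing.
# This only edits the file: inetd still needs SIGHUP afterwards (kill -1).
harden_inetd() {
    tmp="$1.harden.$$"
    sed 's/^\([[:space:]]*dtspc[[:space:]]\)/# HARDEN\
#\1/' "$1" >"$tmp" && mv "$tmp" "$1"
}

# write_sample FILE: constructed inetd.conf with dtspc enabled (sample data).
write_sample() {
    cat >"$1" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
dtspc   stream  tcp     nowait  root    /usr/dt/bin/dtspcd      /usr/dt/bin/dtspcd
EOF
}

# Demonstration on a scratch file, never on the live /etc/inetd.conf.
demo=$(mktemp) || exit 1
trap 'rm -f "$demo"' EXIT
write_sample "$demo"
echo "before: $(dtspc_state "$demo")"   # before: enabled
harden_inetd "$demo"
echo "after:  $(dtspc_state "$demo")"   # after:  disabled
grep -n dtspc "$demo"                   # only the commented-out entry remains
```

To use it on a real system, run harden_inetd as root against /etc/inetd.conf, send inetd SIGHUP as in the note, and then repeat the telnet test; dtspc_state alone is a convenient check to run across many hosts during a scan.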
I am,

Reg Quinton
Senior Technologist, Security
Information Systems and Technology
University of Waterloo, 200 University Ave W
Waterloo, Ontario N2L 3G1 Canada
+1 519 888-4567x36070

http://ist.uwaterloo.ca/security/vulnerable/20011113.note