This event is generated when an attempt is made to exploit a buffer overflow in the ToolTalk database server (ttdbserverd) Remote Procedure Call (RPC) service.
Impact
Remote root access. This attack may permit the execution of arbitrary commands with the privileges of root.
Detailed Information
The ttdbserverd RPC service, more commonly known as the ToolTalk database server, allows applications to communicate in the Common Desktop Environment (CDE). The ToolTalk service receives ToolTalk messages created and sent by applications and delivers them to the appropriate recipient applications. The ToolTalk database server is enabled by default on hosts with CDE. A function in the code receives an argument for a pathname. If an overly long pathname is passed to the function, a buffer overflow may occur, possibly allowing the execution of arbitrary commands with the privileges of root.
An attacker can query the portmapper to discover the port where ttdbserverd runs. Alternatively, if the portmapper is blocked, an attacker may attempt to run the exploit code against any listening port in the RPC range.
Ease of Attack
Easy. Exploit scripts are freely available.
Corrective Action
Limit remote access to RPC services.
Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
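The following is an added example, not part of the original rule documentation: a check an administrator could run over `rpcinfo -p` output to find hosts that still register the ToolTalk database server and to list the ports to deny at the firewall. It assumes ttdbserverd registers under its standard RPC program number 100083; the sample output and function names are constructed for illustration. Because blocking the portmapper alone does not stop attempts against the service's own port, the deny list includes that port as well.

```python
# Added example: audit `rpcinfo -p` output for a registered ToolTalk database server.
# Assumption: ttdbserverd registers as ONC RPC program 100083 (its standard assignment).
TTDB_PROGRAM = 100083
PORTMAPPER_PORT = 111

# Constructed sample of `rpcinfo -p <host>` output (not from a real host).
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100083    1   tcp  32773  ttdbserverd
    100068    5   udp  32775  cmsd
    100083    1   udp  32773
"""

def parse_rpcinfo(text):
    """Return a list of (program, version, proto, port, name) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything with non-numeric columns.
        if len(fields) < 4 or not all(f.isdigit() for f in (fields[0], fields[1], fields[3])):
            continue
        name = fields[4] if len(fields) > 4 else ""
        entries.append((int(fields[0]), int(fields[1]), fields[2].lower(), int(fields[3]), name))
    return entries

def ttdb_exposure(text):
    """Return sorted (proto, port) pairs on which ttdbserverd is registered."""
    hits = set()
    for program, _version, proto, port, name in parse_rpcinfo(text):
        # Match on program number first; the name column may be missing.
        if program == TTDB_PROGRAM or "ttdbserver" in name.lower():
            hits.add((proto, port))
    return sorted(hits)

def filter_targets(text):
    """Ports to deny at the firewall: the portmapper plus each ttdbserverd port."""
    targets = {("tcp", PORTMAPPER_PORT), ("udp", PORTMAPPER_PORT)}
    targets.update(ttdb_exposure(text))
    return sorted(targets)

if __name__ == "__main__":
    for proto, port in ttdb_exposure(SAMPLE):
        print(f"ttdbserverd registered on {proto}/{port}: disable it or restrict access")
    print("deny inbound:", ", ".join(f"{p}/{n}" for p, n in filter_targets(SAMPLE)))
```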