SID: 570 -- Rule: -- Summary: This event indicates an attempt to exploit the tool talk RPC database service -- Impact: Possible unauthorized administrative access to the server or application or a denial of service to the affected application -- Detailed Information: ToolTalk RPC database service (rpc.ttdbserverd) does not perform adequate input validation or provide a format string specifier argument when writing to syslog. This means a specifically crafted RPC request to the ToolTalk RPC database service overwriting specific locations in memory and therefore allowing execution of code with the same permission level as the user running ttdbserverd, usually root. -- Affected Systems: HP-UX 10.10 - 11.0 AIX 4.1 - 4.3 IRIX 5.2 - 6.4 Solaris 1.1 - 2.6 TriTeal TED CDE 4.3 Xi Graphics Maximum CDE 1.2.3 Possibly other vendors, if you are running Tool Talk (rpc.ttdbserverd) check with your vendor. -- Attack Scenarios: An attacker will send a specially crafted RPC call to the rpc.ttdbserverd daemon running on an affected system. A sucessful attack will then run code on the server with the access level of the root user. -- Ease of Attack: Simple, Exploit code is available. -- False Positives: None known -- False Negatives: None known -- Corrective Action: Updates packages and patches are available from vendors, install them or disable the service if not needed. -- Contributors: Snort documentation contributed by matthew harvey <indexone@yahoo.com> Original Rule Writer Unknown Sourcefire Research Team Nigel Houghton <nigel.houghton@sourcefire.com> -- References: --