ToolTalk
ToolTalk is yet another distributed object system. It is part of the Common Desktop Environment (CDE), a standard produced by a consortium of Unix vendors, which allows desktop tools to communicate with each other. For instance, ToolTalk enables you to drag objects from one application to another with the expected results, and allows multiple applications to keep track of changes to the same file.
Applications using ToolTalk do not communicate with each other directly. Instead, communications are handled by two kinds of ToolTalk servers. A session server, called ttsession, handles messages that concern processes, while an object server, called rpc.ttdbserverd, handles messages that concern objects. Applications register with the appropriate ToolTalk servers to tell them what kinds of messages they are interested in. When an application has a message to send, it sends the message to the appropriate ToolTalk server, which redistributes it to any interested applications and returns any replies to the sending application. Session servers group together related processes (for instance, all the programs started by a given user will normally be part of one session), and multiple session servers may run on the same machine.
rpc.ttdbserverd is started from inetd and runs as root, while ttsession is started up as needed and runs as the user that started it. Often, ttsession will be started when a user logs in, but that's not required; if an application wants to use ToolTalk but no ttsession is available, one will be started up.
ToolTalk is based on Sun RPC. Although ToolTalk provides a range of authentication mechanisms, most ToolTalk implementations use the simplest one, which authorizes requests based on the unauthenticated Unix user information embedded in the request. This is completely forgeable. In addition, there have been a variety of security problems with the ToolTalk implementation, including buffer overflow problems in rpc.ttdbserverd and in the ToolTalk client libraries. Several of these problems have allowed remote attackers to run arbitrary programs as root.
Summary of Recommendations for ToolTalk
- Do not allow RPC through your firewall; since ToolTalk is built on Sun RPC, this will prevent it from crossing the firewall.
- Remove ToolTalk from bastion host machines (this will remove some desktop functionality, but ideally you should remove all of the graphical user interface and desktop tools anyway).
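A practitioner checking a bastion host against the second recommendation wants to know whether the root-privileged object server is still wired into inetd or still registered with the portmapper. The following audit script is an added example, not code from the book or from CDE: it parses an inetd.conf excerpt and `rpcinfo -p` output for rpc.ttdbserverd entries. The sample inetd lines and rpcinfo table are constructed so the script runs offline; the function names (tooltalk_inetd_entries, tooltalk_rpc_registrations, tooltalk_report) are the script's own, and the program number 100083 is the number under which ttdbserverd is conventionally registered, so the match also falls back on the service name.

```shell
#!/bin/sh
# Audit helper: flag ToolTalk's root-privileged object server (rpc.ttdbserverd)
# in inetd configuration and in portmapper registrations.
# Constructed sample data stands in for /etc/inetd.conf and `rpcinfo -p`
# so the script runs offline; on a live host feed it the real file and output.

# Constructed /etc/inetd.conf excerpt (Solaris-style "tli rpc/tcp" entry
# for ToolTalk, plus a commented-out copy that must NOT count as a hit)
SAMPLE_INETD_CONF='# comment line
ftp      stream  tcp      nowait  root    /usr/sbin/in.ftpd            in.ftpd
100083/1 tli     rpc/tcp  wait    root    /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
#100083/1 tli    rpc/tcp  wait    root    /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
finger   stream  tcp      nowait  nobody  /usr/sbin/in.fingerd         in.fingerd'

# Constructed `rpcinfo -p` output
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100083    1   tcp  32771  ttdbserverd
    100005    1   udp  32772  mountd'

# Print the active (non-comment) inetd lines whose server-program field
# (field 6: service socktype proto wait user server args) names
# rpc.ttdbserverd. Reads the config on stdin.
tooltalk_inetd_entries() {
    awk '$1 !~ /^#/ && $6 ~ /rpc\.ttdbserverd$/'
}

# Print the portmapper registrations that belong to ToolTalk: program
# number 100083 (ttdbserverd's conventional registration) or a service
# name containing "ttdbserver". Reads `rpcinfo -p` output on stdin.
tooltalk_rpc_registrations() {
    awk '$1 == "100083" || $5 ~ /ttdbserver/'
}

# Count lines of input, stripping the padding some wc implementations add.
count_lines() {
    wc -l | tr -d ' '
}

# Summarize exposure from the two text blobs given as arguments
# (inetd.conf contents, rpcinfo -p output).
# Returns 0 when neither source mentions ToolTalk's object server,
# 1 when at least one does (the host still needs cleanup).
tooltalk_report() {
    inetd_hits=$(printf '%s\n' "$1" | tooltalk_inetd_entries | count_lines)
    rpc_hits=$(printf '%s\n' "$2" | tooltalk_rpc_registrations | count_lines)
    echo "inetd entries for rpc.ttdbserverd: $inetd_hits"
    echo "portmapper registrations for ToolTalk: $rpc_hits"
    [ "$inetd_hits" -eq 0 ] && [ "$rpc_hits" -eq 0 ]
}

# Offline demonstration on the constructed samples; on a real host run
#   tooltalk_report "$(cat /etc/inetd.conf)" "$(rpcinfo -p)"
if tooltalk_report "$SAMPLE_INETD_CONF" "$SAMPLE_RPCINFO"; then
    echo "no ToolTalk object server found"
else
    echo "ToolTalk object server present: remove its inetd entry, restart inetd, and re-check rpcinfo"
fi
```

A hit in the rpcinfo table but not in inetd.conf usually means a still-running instance that was registered before the inetd entry was removed; a hit in inetd.conf alone means the service will come back on the next request, which is why the script checks both sources rather than one.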