Weekly Solaris Security Roundup -  2000/06/19 to 2000/06/26


By Seán Boran, sean AT boran.com, for Security Portal


The Rundown

No new Solaris vulnerabilities this week, but a few application vulnerabilities popped up: Veritas Volume Manager 3.0.x and the Netscape FTP server.

There are quite a few interesting articles, and SunScreen 3.1 Lite is available for free download.

The tip of the week looks at the "ok" prompt.


CERT Advisories & Sun Security Bulletins

None this week.

Patches have not yet been produced for the ufsrestore vulnerability noted last week.


News

The SunScreen 3.1 Lite firewall for Solaris 8 is available for free download:
www.sun.com/software/securenet/lite

SecurityFocus Articles:

Libnet 101 By Michael Schiffman
This article describes what libnet is about, and how to compile and use it for packet monitoring, creation, etc.
Libnet is a library for generating and inspecting network traffic. It's being used for everything from intrusion detection systems to network validation and scanning tools, to developing more reliable and extensible versions of traditional Unix utilities.

Bypassing the Solaris non-executable stack protection
This posting discusses getting around the noexec_user_stack option in /etc/system, which is worrying as it means that Solaris admins might be placing too much faith in this option.
Hopefully these exploits demonstrate that it is important to make sure that programs that run at an elevated privilege are free of buffer overflow bugs. The stack protection will certainly help protect you from the majority of intruders, but moderately competent intruders will probably be able to bypass it.

SecurityFocus - selected free Tools

srm (secure rm) is a command-line compatible rm(1) which destroys file contents before unlinking.
Guardbot encrypts HTML pages with DES encryption. The encrypted pages can be viewed directly in a web browser. The Guardbot protected page generates a password prompt, and the page is decrypted with the included Java applet.
dsniff 2.2 is a simple password sniffer plus some sniffing utilities which are useful in penetration testing. This release has a rewritten RPC framework and configurable decode triggers, and new protocol decodes for RIP, OSPF, poppass, Meeting Maker, PostgreSQL, and yppasswd.

Solarisguide:

Two older but useful Security Focus articles are noted:
Back to the Basics: Solaris and inetd.conf Part I and Part II. Part II includes a useful summary of RPC, TLI and RPC services listed in inetd.conf.

Sunworld:

Securing your network: An introduction to TCP wrappers
Paul Dunne runs through compiling and installing tcpd.


Mailing lists, Bugtraq

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - Applications that run on Solaris:

2000-06-21: Netscape Professional Services FTP Server Vulnerability
Certain versions of the Netscape Professional Services FTP Server have a serious vulnerability which may lead to a remote or local root compromise. The vulnerability in essence is a failure of the FTP server to enforce a restricted user environment (chroot).
2000-06-21: BEA Systems WebLogic Server and Express Source Code Disclosure Vulnerability
2000-06-19: xdm/kdm/wdm Buffer Overflow Vulnerability

2000-06-16: Veritas Volume Manager 3.0.x File Permission Vulnerability
Veritas Volume Manager 3.0.x for Solaris has a vulnerability with which local users can gain root access. This problem is not present in the current beta release of 3.1. All Solaris versions prior to Solaris 8 are vulnerable. Solaris 8 sets a umask of 022 during the boot process, which keeps this bug from causing a compromise.

When a system with Veritas Volume Manager 3.0.x installed boots, the initialization script for the Storage Administrator Server (/etc/rc2.d/S96vmsa-server) executes without first specifically setting a umask. When the server comes up, it creates /var/opt/vmsa/logs/.server_pids with permissions on the file set according to the inherited umask. Because there is no umask set at that point (Solaris 7 and earlier), permissions on the .server_pids file are set to 666. So an unprivileged user can put arbitrary commands into it, and they will be executed as root when the stop_server() function is run (i.e. when manually stopping the server).

Fix: add "umask 022" to the top of /etc/rc2.d/S96vmsa-server
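The whole problem above comes down to which umask the boot script inherits when it creates its pid file. The shell script below is an added example, written for this roundup and not taken from the newsletter or from Veritas's own S96vmsa-server script. It reproduces the effect on constructed files in a temporary directory and adds two checks an administrator can run on a real box: a find(1) for world-writable files under a log directory, and a grep that confirms an rc script sets a umask at all. All file names and script contents in it are constructed.

```sh
#!/bin/sh
# Added example (not from the newsletter, not Veritas's script): how the umask a boot
# script inherits decides the mode of the files it creates, plus two defender checks.

# Create an empty file the way S96vmsa-server creates .server_pids: under whatever
# umask the caller supplies.  Solaris 7 and earlier run rc scripts with no umask set
# (effectively 000); Solaris 8 boots with 022.  The subshell keeps the change local.
create_with_umask() {
    # $1 = umask value (octal), $2 = file to create
    ( umask "$1"; : > "$2" )
}

# Return the nine permission characters of a file, e.g. "rw-rw-rw-".  Parsed from
# ls(1) because stat(1) syntax differs between Solaris and GNU userland.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Detection: list regular files under a directory that are writable by "other".
# "-perm -002" is the POSIX spelling of "other-write bit set".
world_writable() {
    find "$1" -type f -perm -002
}

# Fix check: does an rc script set a umask anywhere?  (The advisory's fix is to add
# "umask 022" at the top of the script.)  Exit status 0 if present, 1 otherwise.
script_sets_umask() {
    grep -q '^[[:space:]]*umask[[:space:]]' "$1"
}

# Stand-alone demonstration on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) || exit 1
    create_with_umask 000 "$d/open.pid"   # what an unpatched Solaris 7 boot yields
    create_with_umask 022 "$d/safe.pid"   # what Solaris 8, or the patched script, yields
    echo "open.pid: $(mode_of "$d/open.pid")"
    echo "safe.pid: $(mode_of "$d/safe.pid")"
    echo "world-writable files under $d:"
    world_writable "$d"
    rm -rf "$d"
}

demo
```

The script_sets_umask check is deliberately crude: it only confirms that a umask line exists, not that it runs before the file is created, so read the script as well before trusting the result. The world_writable function is the one worth running regularly under /var/opt and /etc/rc*.d after any software install.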

FOCUS-Sun discussions this week:

06/21/00 Sun Patch Methods
06/21/00 IPchains vs IPfilter
06/21/00 Solaris 2.8, was Locking down a Sun box
06/21/00 Portscan warning (was: Determining unnecessary ports)
06/21/00 Running BIND chroot on Solaris (Solution)
06/20/00 Trusted Solaris: can it be used on the command line? (Thread1 Thread2 Thread3 Thread4 Thread5)
06/20/00 Determining unnecessary ports (Thread1 Thread2)
06/19/00 sun support / linux ??
06/19/00 IP accounting
06/19/00 Locking down a Sun box
06/19/00 IP Filter for Solaris
06/16/00 linux v. solaris
06/16/00 Sunscreen vs ipf
06/16/00 Secured FTP server
06/15/00 More Setuid

Yassp (the Solaris hardening tool) Developers' list:

Yassp now has an archive site for the Developers list, so from now on we'll just list links to the threads for this week. No new betas this week.

cleanup-passwd question
yassp man page: first try
yassp man page, Draft#2

See also: Main site, Dev. list archive, Hardening Solaris Article.


Tip of the Week

The "ok" prompt has a few hidden treasures. The boot PROM is a very useful feature that gives Sun hardware an advantage over the rest: the possibility to remotely (via the serial line console) diagnose hardware problems, boot from disk/CD/network, or remotely install operating systems.

I've been using commands like go, resume, boot, reset, sync, printenv, setenv, probe-scsi, probe-scsi-all, test-all etc. for many years, but had missed some obvious ones that are very useful, such as the following.
Note that "^" means "hold Control key".

^P: previous command
^N: next command
^L: list lines
^R: repeat line
^A/^E: jump to line start/end
esc-B/esc-F: jump to previous/next word
^K: delete to end of line
^W/^D: delete previous/next word
show-devs [device-path]: display all the devices directly under the specified device in the device tree; without device-path it shows the entire device tree.
disk-info: list all disks such that their path can be copied and used in the nvalias command (saves a lot of typing).

Warning: some commands like watch-net and test-net have caused systems to hang (for me); a cold restart was needed.

See also Sun's OpenBoot Collection documentation and its search feature.


References and Resources

Sun Security Resources: Security Coordination Team, Security bulletins, General Sun Security, Solaris Security Datasheets, Java Security.

Patches

Sun security patches: sunsolve.sun.com/securitypatch
Public patches sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

If you have a maintenance contract, log in to SunSolve and get both the PatchDiag tool and its reference database. If you don't, use the SecurityFocus Solaris Patch Calculator.

Web Publications, resources

SecurityFocus: Sun section, Vulnerability database.

Security Portal papers: Hardening Solaris, Review of the Sunscreen EFS3 firewall, All about SSH - Part I, All about SSH - Part II.

SANS Report: How To Eliminate The Ten Most Critical Internet Security Threats

BigAdmin, SunFreeware
Solaris Guide, Freeware4sun
Solaris Central, BSD Today, Daemonnews
Solaris-System (x86) Forum, IT Security Cookbook
Sunwhere index of resources
Tools: tcpd, rdist, fwtk/smap, Nessus, Nmap, snort, Yassp.
Sunworld security columns
Solaris Security FAQ

General discussion resources

Personal interface to Sun resources: www.sun.com/MySun
BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html
Newsgroups: comp.unix.solaris, comp.sys.sun.admin, comp.sys.sun.hardware, alt.solaris.x86

Sun-managers Mailing list: This high quality list has been around for many years and is an invaluable resource to Sun system administrators.
Send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".

SecurityFocus "FOCUS-Sun" list: see www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators, looking for that extra little bit of help ..., using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. ... In addition, important announcements related to breaking vulnerabilities will be posted.