Weekly Solaris Security Digest
2000/09/03 to 2000/09/10

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

By Seán Boran (sean AT boran.com) for SecurityPortal


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins:

none

Bugtraq vulnerabilities this week - Solaris:

2000-09-04: Multiple Vendor Locale Subsystem Format String Vulnerability
Many UNIX operating systems provide internationalization support according to the X/Open XPG3, XPG4 and Sun/Uniforum specifications using the of the locale subsystem. The locale subsystem comprises a set of databases that store language and country specific information and a set of library functions used to store, retrieve and generally manage that information.
By building and installing a custom messages database an attacker can control the output of the message retrieval functions that get feed to the printf(3) functions. Bad coding practices and the ability to feed format strings to the later functions makes it possible for an attacker to execute arbitrary code as a privileged user (root) using almost any SUID program on the vulnerable systems. Alternatively, on some operating systems, the problem can be exploited remotely using the environment variable passing options in telnetd. However, a remote attacker must be able to place the suitable messages database on the target host (i.e. anonymous ftp, NFS, email, etc.)
The original advisory is at: http://www.core-sdi.com
Bugtraq: http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1649

No patches are available from Sun, yet. Note that most Linux vendors have published a patch.

Bugtraq vulnerabilities this week - 3rd party applications:

2000-09-06: LPPlus Permissions DoS Vulnerabilities
2000-09-06: LPPlus dccscan unprivileged read vulnerability
2000-09-06: University of Washington c-client DoS Vulnerability (IMAP, pine)
2000-09-05: screen User Supplied Format String Vulnerability
2000-09-03: PHP Upload Arbitrary File Disclosure Vulnerability
2000-09-01: XS4ALL SunFTP Server Partial Input Denial of Service Vulnerability
2000-09-01: XS4ALL SunFTP Buffer Overflow Vulnerability
2000-09-01: QNX Voyager Multiple Webserver Vulnerabilities
2000-08-30: CGI Script Center Auction Weaver Remote Command Execution Vulnerability


News

BSD today

Using Postfix A basic guide on configuring and installing the Postfix mail server, By Alan P. Laudicina
Tired of the sendmail's cryptic configuration, or do you find yourself complaining about its speed? Well then, postfix could be the MTA for you.

Sunworld

Down the rabid hole, Sandra Henry-Stocker begins a new SunWorld column, Building Blocks to Security, by taking an in-depth look at the recent Outlook/IE bug.

SecurityFocus

Role Based Access Control - A distribution of power part 2, by Hal Flynn
http://www.securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/rbac2.html
This second part in the series discussion RBAC, presents the special shells for role control pfsh/pfcsh/pfksh, the RBAC configuration files, the roleadd/roledel commands and the profiles/auths/roles commands. Next week, the RBAC design process will be presented with examples.

Sun

Solaris Data Encryption Supplemental CD Download delivery
The software previously contained on the Solaris Data Encryption Supplemental CD (SOLZ9-080N9999) is being repriced from $100 to no charge (via web download) and will now be offered via download to all countries except Russia, Israel and nations embargoed by the U.S. government and Burma as per Sun policy.
We announced this last week, it's been repeated because the link for downloading the software has been found: http://www.sun.com/software/solaris/encryption/download.html

Security Tools News

SSH
OpenSSH 2.2.0p1 released.
A patch for OpenSSH 2.1.1p4 portable integrates Challenge/response authentication, especially Cryptocard. Does not use PAM. Download from media solutions.
scanssh is a tool to list hosts running SSH on a network and show the SSH version.
Installing and Configuring OpenSSH, by Matt Lesko, on Sysadmin Magazine.
  This is a brief, but useful article on compiling & installing OpenSSH.

Nessus: Commercial support is now available from Nessus Consulting.

Nmap: 2.54BETA4 is now available.

Saint: 2.2 released Changes: A new check for smurf and fraggle amplifiers, based upon NMAP. Check for: Trinity distributed denial-of-service tool, Specialized Header (Translate: f) vulnerability in Microsoft web servers, bboard vulnerability in Sun Java Web Server,  vulnerability in ntop, netauth.cgi and htgrep,  root accounts with empty passwords, for guest and administrator accounts with empty passwords, writeable NetBIOS shares.
Fixed compilation problem for Red Hat 6.2, bug in NFS check affecting Solaris 7 and 8.

Sara v3.1.8 released. Changes: Improved tutorials for http and SMB, Added multi tasking support, Fixed error reporting date in daemon mode, Fixed errors in html.pl introduced in 3.1.7, Added test for IRIX telnetd vulnerability, Fixed a problem importing SARA Report data into Office 2000, and Fixed problem with get_targets (FW vs non FW).


Mailing Lists

FOCUS-Sun discussions

09/06/00 End-User Package Security...
09/05/00 locale exploit on BugTraq
09/01/00 Solaris 7 or 8?
09/01/00 Limiting write access to a port
09/01/00 Problem with RCS (Revision Control) , Thread 2

YASSP (the Solaris hardening tool) Developers' list discussions

Discussion threads this week:
FYI: RSA unlocks patent on encryption technology
tocsin package ready

See also: Main site, DL archive, Interview With Jean Chouanard, Draft dev. doc.


Tip of the Week

The DNS server, BIND, provides some advanced security features it it's latest release. Here we examine one: the use of TSIG (transaction signatures), to authenticate zone transfers. Zone transfers are usual limited to a list of IP addresses (via the ACL mechanism) which correspond to official DNS servers for a zone. Since only IP addresses are used, this mechanism is open to spoofing. BIND 8.2 and later allow authentication and verification of zone data. A key is configured on primary and secondary name servers, and the servers are configured to use this key to sign messages exchanged between the servers. It's important that the server times are synchronised. If the transfer is not authenticated with the correct key, no zone transfer may take place.

Lets look at an example where we use TSIG to restrict the zone transfers between a DNS primary "prim" (IP address 10.1.1.2) and DNS slave secondary "sec1" (IP address 10.1.2.2).

a) Generate an MD5 key, which will be used as a shared secret between the DNS servers. The 'dnskeygen' tool is used, the key is written to a file.

# /usr/local/sbin/dnskeygen -H 128 -h -n prim-sec1. 
Generating 128 bit HMAC-MD5 Key for prim-sec1. 
Generated 128 bit Key for prim-sec1. id=0 alg=157 flags=513
# cat Kprim-sec1.+157+00000.private
Private-key-format: v1.2
Algorithm: 157 (HMAC)
Key: bFs2bXnLTYTI7r0WJv7HMA==

b) Create an identical key entry on both servers in named.conf:

key prim-sec1 {
	algorithm hmac-md5;
	secret "bFs2bXnLTYTI7r0WJv7HMA==";
};

c) add an ACL on both servers to limit transfers to specific hosts, e.g.

acl "my-nameservers" {
	localhost;
	10.1.1.2;
	10.1.2.2;
};

d) For each host in the ACL, tell the BIND which key to use (do this for each server), for example on the primary:

server 10.1.2.2 {
	transfer-format many-answers;
	keys { prim-sec1 ; };
};
zone "mytestdomain.com" {
          type master;
          file "mytestdomain.hosts";
          allow-query    { any; };
          allow-update   { none; };
          allow-transfer { my-nameservers; };
}

d) Restart both named servers (send a HUP signal), then check the (syslog) logs for errors.

Testing if it works:

So it's really not so difficult to significantly increase the security of your zone transfers. It is important that the file permissions on named.conf be restrictive so that it cannot be read by everyone on a system, the secret string used in the key must remain secret.

If you have any security tips/scripts you'd like to share with others, contact sean AT boran.com.


References and Resources

For brevity, the list of resources and references is kept in a separate document:
http://www.securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán .Boran, All Rights Reserved, Last Update: 10 September, 2000