Weekly Solaris Security Digest
2000/09/10 to 2000/09/17

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

By Seán Boran (sean AT boran.com) for SecurityPortal


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

none

Samba: The Australian company Secure Reality Pty Ltd. announces remote root compromises through the pluggable authentication modules pam_smb and pam_ntdom used (mainly on Linux and Solaris) to authenticate to Samba and Windows servers. The pam-smb and pam-ntdom PAM components (versions prior to 1.1.6 and 0.24, respectively) contain various buffer overflows that let local users gain root privileges. Patches can be found at ftp://ftp.samba.org/pub/samba/pam_smb and http://cb1.com/~lkcl/pam-ntdom. There is also a Bugtraq discussion.

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-09-12: IMP File Disclosure Vulnerability
2000-09-11: NT Authentication PAM Modules Buffer Overflow Vulnerability
2000-09-11: Ranson Johnson mailto.cgi Piped Address Vulnerability
2000-09-11: MailForm 2.0 XX-attach_file Vulnerability
2000-09-11: Netegrity SiteMinder Authentication Bypass Vulnerability
2000-09-11: EFTP Buffer Overflow Vulnerability
2000-09-11: EFTP Partial Input Denial of Service Vulnerability
2000-09-10: YaBB Arbitrary File Read Vulnerability
2000-09-09: muh IRC Log Format String Vulnerability
2000-09-08: Horde CGI Remote Command Execution Vulnerability
2000-09-07: Nathan Purciful phpPhotoAlbum Directory Traversal Vulnerability
2000-09-07: XMail Buffer Overflow Vulnerability
2000-09-07: Mailman 1.1 Writable Variable Vulnerability


News

The latest Crypto-Gram provides an interesting discussion of the "window of exposure" and whether publishing vulnerabilities is a "good thing". www.counterpane.com/crypto-gram-0009.html#

Security Tools News

Snort
Spade is a Snort preprocessor plugin that looks at TCP SYN packets to specified networks and sends alerts about those that are unusual (e.g., they have a destination port/host combination rarely seen on your network). This might indicate probing or scanning that is occurring (or it might be something benign that just seems unusual). You can find out more information and download a copy from: www.silicondefense.com/spice
ACID, the Analysis Console for Incident Databases, is a PHP analysis engine to search and process a database of alerts generated by IDSes, among them Snort (via its database plug-in). This application was developed at the CERT Coordination Center as part of the AIRCERT project. See www.cert.org/kb/acid for the most up-to-date information and documentation about this application.
Updated the Snort Database Search pages: the output page is now completely stand-alone, to get rid of all the HTML info it was passing before. To hit it directly, the string to send is

http://www.snort.org/Database/rules_results.asp?type=ruletype&type=ruletype&port=&keyword=&thedate=

Keywords that can be passed as 'ruletype' are: BACKDOOR-ACTIVITY, BACKDOOR-ATTEMPT, BACKDOOR-SIG, DDOS, FINGER, FTP, MISC, NETBIOS, OVERFLOW, PING, RPC, RSERVICE, SCAN, SMTP, SYSADMIN, TELNET, MAILVIRUS, WEB-CGI, WEB-COLDFUSION, WEB-FRONTPAGE, WEB-IIS, WEB-MISC, FALSES, or BETA

snort.panel - A windows-based utility for managing, controlling, and monitoring the Snort IDS. www.xato.net/files.htm
New snortsnarf released (www.snort.org/files/snortsnarf-090700.1.tar.gz), changes:

Logcheck 1.1.1 has been released. The only change is that the entire package is now covered by the GNU license. www.psionic.com/abacus/logcheck/

OpenSSL: Beta 1 of OpenSSL 0.9.6 is now available, as is a release plan for OpenSSL 0.9.6. See www.openssl.org

Lsof (list open files)
Lsof has been upgraded to v4.51: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
Changes: adds support for Solaris 9 (SunOS 5.9); changes scripts/ to make Perl 5 the standard; recognizes FreeBSD 4.1; has been tested on OpenServer 5.0.6; recognizes AIX C compiler version 5; adds support for Tru64 UNIX 5.1; adds Tru64 UNIX 5.[01] support for library files on AdvFS; adds AIX 4.3.3 ability to select the proper rnode and user structures; corrects a bug in the reporting of a PTX fattach()'d target address; encourages NetBSD and OpenBSD lsof to use /usr/include/uvm when it's available; adds snprintf() support, including a private version for dialects without one; fixes a BSDI, DEC/OSF1, Digital UNIX, FreeBSD, NetBSD, OpenBSD, and Tru64 UNIX repeat-mode memory leak; works on Linux 2.4; modifies the Pyramid MkKernOpts script.
An experimental release lsof_4.52D.uw.tar.gz is also available. ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/NEW/

Ethereal v0.8.12
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
Ethereal now understands Kerberos 5, rsh, and Zebra, and has the initial work done for BXXP. Ethereal (via our wiretap library) can now read Cisco Secure IDS iplog files. Ethereal's Help menu option finally gives help. Many other updates and fixes were made in version 0.8.12. ethereal.zing.org


Mailing Lists

FOCUS-Sun discussions

09/14/00 How to configure a unified, secure, DHCP/DNS/NIS in a heterogeneous environment; Thread1, Thread2, Thread3
09/14/00 Is there a way to timeout telnet session
09/14/00 unsafe start-up services Thread1 Thread2
09/14/00 Custom PAM for Solaris
09/13/00 [FW1] Blocking user jumping to different servers using telnet even if not authorized by firewall.
09/08/00 locale exploit on BugTrack
09/07/00 Problem with RCS (Revision Control)

YASSP (the Solaris hardening tool) Developers' list discussions

All quiet on the Yassp front this week.

See also: Main site, DL archive, Interview With Jean Chouanard, Draft dev. doc.


Tip of the Week: 'useradd' and 'defadduser'

The useradd tool is a typical way of adding new accounts to the system. It adds a new user to the /etc/passwd and /etc/shadow (and on Solaris 8 /etc/user_attr) files. For example:

useradd -c "Sean Boran" -f 60 -g ftpusers -m boran

This creates the new user 'boran' belonging to group 'ftpusers', an appropriate home directory (with copies of skeleton files from /etc/skel) and sets the inactive timeout to 60 days.

Apart from adding users, system defaults can also be set (with the 'useradd -D' option), so that it is easier to use. For example:

useradd -D -b /home -f 60 -g ftpusers

Here the default parent directory is /home, accounts are inactive if idle for 60 days, the default group is 'ftpusers'.

The first time 'useradd -D' is run, a file /usr/sadm/defadduser is created, which contains the list of defaults. This file can be edited manually. For example on a default Solaris 7 it contains:

defgroup=1
defgname=other
defparent=/home
defskel=/etc/skel
defshell=/bin/sh
definact=0
defexpire=

One would expect that the default shell could be changed with a command like the following, but this does not work on Solaris 7 or 8.

useradd -D -s /usr/local/bin/bash

So the only way is to edit the /usr/sadm/defadduser file manually, for example:

defshell=/usr/local/bin/bash

Solaris 8 contains a few additional defaults in /usr/sadm/defadduser for the new Role-Based Access Control (RBAC):

defauthorization=
defprofile=
defrole=

If /usr/sadm/defadduser is copied from a Solaris 8 machine to a Solaris 7, the additional Solaris 8 settings are silently ignored. This is very useful, as one could synchronise this file across an array of Solaris servers without worrying about versions.

See also: useradd (1m), userdel (1m), usermod (1m)
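As an added example (not from the digest and not part of Sun's useradd), a small POSIX sh helper that edits and audits a defadduser-style file the way the tip describes: it sets a key such as defshell by rewriting the file (the manual route, since 'useradd -D -s' does not take), appends keys that are missing, and flags defaults worth checking before the file is synchronised to other hosts. The function names, and the sample file (a constructed copy of the Solaris 7 defaults shown above), are assumptions of this example.

```shell
#!/bin/sh
# Added example: helpers for a /usr/sadm/defadduser-style key=value file.
# Function names are hypothetical; values containing '|' or '&' are not handled.

# get_default FILE KEY: print the value of KEY (empty if unset).
get_default() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# set_default FILE KEY VALUE: rewrite the KEY=... line in place, or append it.
set_default() {
    tmp="$1.tmp.$$"
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=$3|" "$1" > "$tmp"
    else
        cat "$1" > "$tmp" && printf '%s=%s\n' "$2" "$3" >> "$tmp"
    fi
    mv "$tmp" "$1"
}

# audit_defaults FILE: print one line per questionable default, exit 0.
audit_defaults() {
    inact=$(get_default "$1" definact)
    [ "${inact:-0}" -gt 0 ] || echo "definact=${inact:-0}: idle accounts are never locked"
    shell=$(get_default "$1" defshell)
    [ -x "$shell" ] || echo "defshell=$shell: not an executable on this host"
    return 0
}

# make_sample FILE: write a constructed copy of the Solaris 7 defaults.
make_sample() {
    cat > "$1" <<'EOF'
defgroup=1
defgname=other
defparent=/home
defskel=/etc/skel
defshell=/bin/sh
definact=0
defexpire=
EOF
}

# Demo on a temporary copy, never on the live /usr/sadm/defadduser.
sample="${TMPDIR:-/tmp}/defadduser.$$"
make_sample "$sample"
set_default "$sample" definact 60                 # same effect as 'useradd -D -f 60'
set_default "$sample" defshell /usr/local/bin/bash  # the manual edit from the tip
audit_defaults "$sample"
rm -f "$sample"
```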

If you have any security tips/scripts you'd like to share with others, contact sean AT boran.com.


References and Resources

For brevity, the list of resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 15 September, 2000