Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
By Seán Boran (sean AT boran.com) for SecurityPortal
none
Samba: The Australian company Secure Reality Pty Ltd. announces remote root compromises through the pluggable authentication modules pam_smb and pam_ntdom used (mainly on Linux and Solaris) to authenticate to Samba and Windows servers. The pam-smb and pam-ntdom PAM components (versions prior to 1.1.6 and 0.24, respectively) contain various buffer overflows that let local users gain root privileges. Patches can be found at: ftp://ftp.samba.org/pub/samba/pam_smb and http://cb1.com/~lkcl/pam-ntdom . There is also a Bugtraq discussion.
none
2000-09-12: IMP File Disclosure Vulnerability
2000-09-11: NT Authentication PAM Modules Buffer Overflow Vulnerability
2000-09-11: Ranson Johnson mailto.cgi Piped Address Vulnerability
2000-09-11: MailForm 2.0 XX-attach_file Vulnerability
2000-09-11: Netegrity SiteMinder Authentication Bypass Vulnerability
2000-09-11: EFTP Buffer Overflow Vulnerability
2000-09-11: EFTP Partial Input Denial of Service Vulnerability
2000-09-10: YaBB Arbitrary File Read Vulnerability
2000-09-09: muh IRC Log Format String Vulnerability
2000-09-08: Horde CGI Remote Command Execution Vulnerability
2000-09-07: Nathan Purciful phpPhotoAlbum Directory Traversal Vulnerability
2000-09-07: XMail Buffer Overflow Vulnerability
2000-09-07: Mailman 1.1 Writable Variable Vulnerability
The latest Crypto-Gram provides some an interesting discussion on the "window of exposure" and whether publishing vulnerabilities is a "good thing". www.counterpane.com/crypto-gram-0009.html#
Snort
• Spade is a Snort preprocessor plugin that looks at TCP SYN packets to specified networks, and sends alerts about those that are unusual (e.g., the have a destination port/host combination rarely seen on your network). This might indicate some probing or scanning that is occurring (or it might be something benign that just seems unusual). You can find out more information and download a copy from: www.silicondefense.com/spice
• ACID, Analysis Console for Incident Databases, is a PHP analysis engine to search and process a database of alerts generated by IDSes, among them Snort (and the database plug-in). This application was developed at the CERT Coordination Center as a part of the AIRCERT project. See www.cert.org/kb/acid for the most up to date information and documentation about this application.
• Updated the Snort Database Search pages : The output page is now completely stand alone, to get rid of all the HTML info it was passing before. To hit it directly, the string to send ishttp://www.snort.org/Database/rules_results.asp?type=ruletype&type=ruletype&port=&keyword=&thedate=
Keywords that can be passed as 'ruletype' are- BACKDOOR-ACTIVITY, BACKDOOR-ATTEMPT, BACKDOOR-SIG, DDOS, FINGER, FTP, MISC, NETBIOS, OVERFLOW, PING, RPC, RSERVICE, SCAN, SMTP, SYSADMIN, TELNET, MAILVIRUS, WEB-CGI, WEB-COLDFUSION, WEB-FRONTPAGE, WEB-IIS, WEB-MISC, FALSES, or BETA
• snort.panel - A windows-based utility for managing, controlling, and monitoring the Snort IDS. www.xato.net/files.htm
• New snortsnarf released ( www.snort.org/files/snortsnarf-090700.1.tar.gz ), changes:
- added special handling of alerts from the Spade anomalous event sensor including a special section of the pages
- CIDR specification of networks now supported for -homenet
- for pages listing alerts, a summary of the alert types is now presented at top of page
- Geektools now added as an IP lookup option (contrib. by Dr. Paul Mitchell)
- arachNIDS links are now generated even if IDS### is not at the start of the alert message
- added new SISR module set_flags.pl to summarize protocol flags and added corresponding details to the example config file
Logcheck 1.1.1 has been released. The only change is that the entire package is now covered by the GNU license. www.psionic.com/abacus/logcheck/
OpenSSL: Beta 1 of OpenSSL 0.9.6 is now available, as is a release plan for OpenSSL 0.9.6. See www.openssl.org
Lsof (list open files)
• Lsof has been upgraded to v4.51 ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
Changes: adds support for Solaris 9 (SunOS 5.9); changes scripts/ to make Perl 5 the standard; recognizes FreeBSD 4.1; has been tested on OpenServer 5.0.6; recognizes AIX C compiler version 5; adds support for Tru64 UNIX 5.1; adds Tru64 UNIX 5.[01] support for library files on AdvFS; adds AIX 4.3.3 ability to select the proper rnode and user structures; corrects a bug in the reporting of a PTX fattach()'d target address; encourages NetBSD and OpenBSD lsof to use /usr/include/uvm when it's available; adds snprintf() support, including a private version for dialects without one; fixes a BSDI, DEC/OSF1, Digital UNIX, FreeBSD, NetBSD, OpenBSD, and Tru64 UNIX repeat-mode memory leak; works on Linux 2.4; modifies the Pyramid MkKernOpts script.
• An experimental release lsof_4.52D.uw.tar.gz is also available. ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/NEW/Ethereal v0.8.12
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
Ethereal now understands Kerberos 5, rsh, and Zebra, and has the initial work done for BXXP. Ethereal (via our wiretap library) can now read Cisco Secure IDS iplog files. Ethereal's Help menu option finally gives help. Many other updates and fixes were made in version 0.8.12. ethereal.zing.org
09/14/00 How to configure a unified, secure, DHCP/DNS/NIS in a heterogeneous environment; Thread1, Thread2, Thread3
09/14/00 Is there a way to timeout telnet session
09/14/00 unsafe start-up services Thread1 Thread2
09/14/00 Custom PAM for Solaris
09/13/00 [FW1] Blocking user jumping to different servers using telnet even if not authorized by firewall.
09/08/00 locale exploit on BugTrack
09/07/00 Problem with RCS (Revision Control)
All quiet on the Yassp front this week.
See also: Main site, DL archive, Interview With Jean Chouanard, Draft dev. doc.
The useradd tool is a typical way of adding new accounts to the system. It adds a new user to the /etc/passwd and /etc/shadow (and on Solaris 8 /etc/user_attr) files. For example:
useradd -c "Sean Boran" -f 60 -g ftpusers -m boran
This creates the new user 'boran' belonging to group 'ftpusers', an appropriate home directory (with copies of skeleton files from /etc/skel) and sets the inactive timeout to 60 days.
Apart from adding users, system defaults can also be set (with the 'useradd -D' option), so that it is easier to use. For example:
useradd -D -b /home -f 60 -g ftpusers
Here the default parent directory is /home, accounts are inactive if idle for 60 days, the default group is 'ftpusers'.
The first time 'useradd -D' is run, a file /usr/sadm/defadduser is created, which contains the list of defaults. This file can be edited manually. For example on a default Solaris 7 it contains:
defgroup=1
defgname=other
defparent=/home
defskel=/etc/skel
defshell=/bin/sh
definact=0
defexpire=
One would expect that the default shell could be changed with a command like the following, but this does not work on Solaris 7 or 8.
useradd -D -s /usr/local/bin/bash
So the only way is to edit the /usr/sadm/defadduser file manually, for example:
defshell=/usr/local/bin/bash
Solaris 8 contains a few additional defaults in /usr/sadm/defadduser for the new Role Based Authentication Control (RBAC):
defauthorization=
defprofile=
defrole=
If /usr/sadm/defadduser is copied from a Solaris 8 machine to a Solaris 7, the additional Solaris 8 settings are silently ignored. This is very useful, as one could synchronise this file across an array of Solaris servers without worrying about versions.
See also: useradd (1m), userdel (1m), usermod (1m)
If you have any security tips/scripts you'd like to share with others, contact sean AT boran.com.
For brevity, the list of resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
| © Copyright 2000, SecurityPortal Inc. & Seán .Boran, All Rights Reserved, Last Update: 15 September, 2000 |