Weekly Solaris Security Digest
2000/09/17 to 2000/09/24

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

By Seán Boran (sean AT boran.com) for SecurityPortal


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

none

 

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-09-21: Extent RBS ISP Directory Traversal Vulnerability
2000-09-18: Horde IMP Remote Command Execution via Sendmail Vulnerability
2000-09-15: WebSphere Application Server Plugin DoS Vulnerability
2000-09-13: Pine Malformed Header Denial of Service Vulnerability


News & Articles

Sun:
Solaris Tunable Parameters Reference Manual This a useful reference for advanced administrators. Not light reading though.
• Setting up NAT on Solaris using IP Filter www.rite-group.com/consulting/solaris_nat.html
• Tuning Solaris for Firewall-1, by Rob Thomas www.enteract.com/~robt/Docs/Articles/tuning-solaris-checkpoint.txt
• HOWTO create a hidden sniffer with Solaris, by Rob Thomas www.enteract.com/~robt/Docs/Howto/Sun/sniffer-trick.txt

O'Reilly Network:
• An Introduction to Unix Permissions: Part I www.oreillynet.com/pub/a/bsd/2000/09/06/FreeBSD_Basics.html, Part II www.oreillynet.com/pub/a/bsd/2000/09/13/FreeBSD_Basics.html?page=2 . These articles run through understanding and setting UNIX permissions. FreeBSD is used as an example, but it applies to Solaris too.
• Long-Term Monitoring with SNMP www.oreillynet.com/pub/a/bsd/2000/09/21/Big_Scary_Daemons.html, by Michael Lucas. Using mrtg to turn long-term SNMP statistics into easy-to-read web pages with bar charts.

SecurityFocus:
• Role Based Access Control - A distribution of power part 3, by Hal Flynn
www.securityfocus.com/focus/sun/articles/rbac3.html
This third part in the series discussion RBAC, guides us through a sample implementation. Topics such as the planning of an RBAC setup and the ideas associated with design are discussed. This article is designed to work as a reference. While the concepts in this article can be transparently applied in a production environment to create an RBAC infrastructure, such an infrastructure should be carefully planned and designed to provide scalability and optimization. In short, plan your RBAC environment for your business needs prior to implementation.
• Chasing the Wind Episode One: No Place to Hide, by Robert G. Ferrell
www.securityfocus.com/frames/?focus=ih&content=/focus/ih/articles/chasing1.html The first installment of  a continuing series that chronicles the education of folks on each side of the 'digital curtain' . A light humorous read.

Information Security Magazine /Sept 2000:
• Securing Oracle www.infosecuritymag.com/sep2000/databasesecurity.htm
• Penetration Testing Exposed www.infosecuritymag.com/sep2000/securestrategies.htm
• A Wizard Gets Wiser www.infosecuritymag.com/sep2000/qa.htm , an Interview with Marcus Ranum.

Security Tools News

Snort
• snort.panel - A windows-based utility for managing, controlling, and monitoring the Snort IDS. www.xato.net/files.htm

Titan: A presentation on Titan by Brad Powell www.fish.com/titan/vanguard.pdf

Nessus v1.05 has been released. www.nessus.org

PGP freeware: v6.5.8  is available for windows (GUI and command line) and UNIX (CLI only). PGP7 is not yet available as freeware. www.pgpi.org

Nmap:
• New development release, 2.54BETA5 is available. www.insecure.org/nmap/#download
• NDiff 0.02 is available, which compares two nmap scans and outputs the differences. It allows monitoring of your network(s) for interesting changes in port states and visible hosts. www.vinecorp.com/ndiff  [Editor's note: I have just finished a script like this myself, watch this spot for more news on tests of ndiff and other tools such as nlog and nmap2html]

OpenLDAP 2.0.3 is available www.OpenLDAP.org

Saint v3.0 beta 1 www.wwdsi.com/saint
Changes: This version features an RPM for Linux users, GUI support for SAINTwriter, a new man page, and a new configuration script based on GNU Autoconf. Also includes check for Qaz trojan/worm, backdoors on 9704/TCP and 1524/TCP, checks for new CGI vulnerabilities including YaBB, scohelphttp, MultiHTTP, and Mobius DocumentDirect for Internet, and adjusted timing for better scanning.

Sara 3.2.1 www.www-arc.com/wn.html
Changes: Corrected problem in SARA Report filters corrected various Makefile problems Added trinity DDOS (XF Advisory 59) Added test for Web bulletin board (YaBB) Added PhotoAlbum Web vulnerability Added t0rn server Trojan test. Improved mail relay reporting Submitting SARA to industry evaluation Enhanced Report Writer for SARA/SAINT/SATAN Updated to maintain SANS/CVE Certification/Compliance

ngrep  (Unix) 1.38 sourceforge.net/projects/ngrep/
Ngrep is now on Sourceforge and available for UNIX and Windows. By Jordan Ritter.

OpenSSL Beta 3 of  0.9.6 is available on www.OpenSSL.org

chkrootkit-0.17.tar.gz  ftp://ftp.pangeia.com.br/pub/seg/pac/
Changes: Add tests for new and popular variations of rootkits, including Tornkit. Now attempts to identify LKM rootkits.

AAFID - Autonomous Agents for Intrusion Detection
www.cs.purdue.edu/coast/projects/autonomous-agents.html
AAFID is a distributed monitoring and intrusion detection system that employs small stand-alone programs (Agents) to perform monitoring functions in the hosts of a network. AAFID uses a hierarchical structure to collect the information produced by each agent, by each host, and by each set of hosts, so as to be able to detect suspicious activity. It is important to note that AAFID is not by itself a network-based intrusion detection system. It provides the infrastructure for distributing monitoring tasks over many hosts. Some agents may implement network monitoring functions, while others may implement host monitoring functions. This is the second public release of the AAFID prototype. It is completely implemented in Perl 5, which makes it easier to run it in different platforms.

Rpc_Gotcha 1.1
renfro.homepage.com/archive.htm
Rpc_Gotcha is a network based intrusion detection tool for detecting rpc based scans and attacks (buffer overflows). The program will passively sit on the network perimeter and process packets while analyzing the rpc message data payload looking for signs of a possible attack. Rpc_Gotcha will log all rpc calls made to the network and display payload data for possible attacks. Changes: This version has some major bug fixes , memory leaks and signature issues. It will also read tcpdump capture files in a batch mode.


Mailing Lists

FOCUS-Sun discussions

09/18/00 Machine authentication
09/18/00 SMTP AUTH/SASL/PAM/kerberos configuration?
09/18/00 The DHCP Caveat (trivial, yet annoying)
09/15/00 SMTP AUTH/SASL/PAM/kerberos configuration?
09/15/00 The DHCP Caveat (trivial, yet annoying)
09/15/00 Custom PAM for Solaris

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp breaks the 'dmesg' command, it seems to be linked to the custom syslog.conf included in Yassp, but the reason has not yet been found. Dmesg reads from a kernel ring buffer, syslogd seems to fill it - if you know exactly how this ring buffer is filled, I like to hear from you.
Otherwise, no Yassp discussions this week.

See also: Main site, DL archive, Interview With Jean Chouanard, Draft dev. doc.


Tip of the Week: "Securing Sendmail for typical workstation usage"

On UNIX and Linux, sendmail is invariably installed as an email server, running as a daemon. Many users/sysadmin think sendmail needs to run as a daemon on email clients and servers alike.

The sendmail daemon does not need to run on an 'Email Client'.

This erroneous installation behaviour seems to be a default that goes back 15 years, it is difficult to understand why vendors have not corrected this. Few email servers are needed in an organisation, the default should be to only send email, since most hosts are workstations or servers that do not need an SMTP server. Running sendmail as a daemon, increase security risks:

So how is an email client set up? Assuming we want to deliver all email from our workstation to one SMTP server, the steps are:

1. Define the mail server: add an entry with the email server name and IP address to /etc/hosts. Then add an alias 'mailhost' for this machine. There should also be an entry for the workstation, and workstation.DOMAINNAME.

2. Configure sendmail.cf (in /etc or /etc/mail), so that all email is sent via 'mailhost':

DSmailhost
DRmailhost
DHmailhost
O FallbackMXhost=mailhost

3. Stop the sendmail daemon from starting automatically

mv /etc/rc2.d/S88sendmail /etc/rc2.d/.no_S88sendmail

and kill the current daemon

4. Add appropriate aliases to /etc/mail/aliases, for example:

root: Your.Name@Yourcompany.com

5. If email cannot be delivered immediately (due to server congestion for example), add the following entry to the root crontab to check for and send queued email every hour:

## process the email Q
0 * * * 1-5 /usr/lib/sendmail -q

6. Finally, test that email is being correctly delivered, by sending an empty test email to 'root' (or some other local alias) and to your usual Email address. The '-v' option is added to mailx so that we see the complete dialog with the email server, to convince us that it really is working correctly.

mailx -v -s test_email root </dev/null
mailx -v -s test_email John.Doe@YourCompany.com </dev/null

Troubleshooting: look carefully at the output of the mailx commands above, and any error emails received in the root mailbox. Check that a 'ping' to mailhost works as expected. The SMTP server may be configured only to accept emails from known workstations or workstations with a particular domain (in which case /etc/resolv.conf - DNS must be setup correctly and the workstation must use the same hostname as is listed in DNS)

Hopefully Sun and other vendors will wake up and stop the sendmail daemon by default in future OS releases, it would certainly help reduce the number of unwitting open email relays on the Internet.

Finally, here is a list of references for the SMTP server administrator:

Securing Sendmail sendmail.net/?feed=000705securitygeneral
SMAP & FWTK (Firewall Toolkit) www.fwtk.org
Sendmail www.sendmail.org 
Postfix www.Postfix.org 
Anti-Virus Mail Scanner amavis.org
Scan4Virus - Virus Scan Wrapper for Qmail www.geocities.com/jhaar/scan4virus
UXN Anti-spam site combat.uxn.com
ORBS list of open relays www.orbs.org 
MIME Defanger www.roaringpenguin.com/mimedefang

If you have any security tips/scripts you'd like to share with others, contact sean AT boran.com.


References and Resources

For brevity, the list of resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán .Boran, All Rights Reserved, Last Update: 25 September, 2000