By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
To receive this digest via Email, visit http://securityportal.com/subscribe.html
2000-10-16: Valve Software Half-Life Dedicated Server Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1799
2000-10-16: cmd5checkpw Qmail Remote Password Retrieval Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1809
2000-10-13: cURL Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1804
2000-10-12: CGI Script Center Auction Weaver Arbitrary File Deletion Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1782
2000-10-12: CGI Script Center Auction Weaver Username / Bidfile Directory Traversal Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1783
2000-10-12: PHP Error Logging Format String Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1786
2000-10-12: CommuniGate Pro Email Address Verification Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1792%3Fvid%3D1792
2000-10-12: GnuPG Multiple Signed Message Modification Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1797%3Fvid%3D1797
2000-10-12: xlib Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1805
2000-10-11: Netscape Messaging Server Email Address Verification Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1787
2000-10-11: MailFile Arbitrary File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1807

Two weeks ago a serious weakness in SSH/scp was reported; no patches are yet available.
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1742
Not vulnerable: SSH2, OpenSSH 2.2 or later (apparently: I've seen no detailed tests that confirm this)
SSH1: no patches so far; avoid using scp, especially as root to untrusted servers.
OpenSSH: Upgrade to OpenSSH 2.2 or later.
The latest Solaris Recommended / Security Patch clusters are as follows; changes are marked with a '*':
Solaris 8 Sep/07/00
Solaris 7 Oct/03/00
Solaris 2.6 Oct/09/00
Solaris 2.5.1 Oct/09/00
Chasing the Wind - Episode Two: Raising the Stakes, by Robert G. Ferrell
http://www.securityfocus.com/frames/?focus=ih&content=/focus/ih/articles/chasing2.html
Light reading on a hacking incident.
All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
There are new versions of both Apache and PHP that incorporate security updates. The PHP update seems particularly urgent.
http://www.apache.org
http://www.php.net
10/19/00 Sun security alerts
http://www.securityfocus.com/templates/archive.pike?end=2000-10-21&tid=140442&fromthread=0&start=2000-10-15&list=92&threads=1&
10/13/00 Secure password propagation and authentication for Oracle
http://www.securityfocus.com/templates/archive.pike?fromthread=0&threads=1&tid=139748&list=92&end=2000-10-14&start=2000-10-08&
10/13/00 tftp sources for Solaris
http://www.securityfocus.com/templates/archive.pike?fromthread=0&threads=1&tid=139422&list=92&end=2000-10-14&start=2000-10-08&
10/13/00 System Security Conference?
http://www.securityfocus.com/templates/archive.pike?fromthread=0&threads=1&tid=139908&list=92&end=2000-10-21&start=2000-10-15&
10/13/00 auditing users actions
http://www.securityfocus.com/templates/archive.pike?fromthread=0&threads=1&tid=139412&list=92&end=2000-10-14&start=2000-10-08&
New syslog.conf for beta#12
http://www.theorygroup.com/Archive/YASSP/2000/msg00657.html
package removing
http://www.theorygroup.com/Archive/YASSP/2000/msg00658.html
See also:
http://www.yassp.org
Files which have the SUID bit set (an "s" where the execute bit for the owner/group is shown in 'ls' listings) allow the user executing the program to assume the identity/group of the owner of the program. This is typically used to allow normal users to access certain functions normally reserved for root, for example binding to low ports, mounting a floppy disk, etc. The problem is that historically, many security weaknesses have been found in such programs, allowing attackers with local accounts to become root by exploiting buffer overflows, race conditions, etc.
Solaris has many "SUID root" binaries and each one presents a risk, so when hardening systems it is advisable to disable as many SUID programs as possible.
This section gives a brief overview of the subject and lists documents and scripts for disabling SUID files.
What SUID files are on the system?
The find command can be used to list all SUID files:
find / -perm -u+s -ls
or all SGID files:
find / -perm -g+s -ls
Example listing of SUID/SGID files on a Solaris 7 system:
http://www.boran.com/security/sp/solaris/suid_sol7.txt
Example listing of SUID/SGID files on a Solaris 8 system:
http://www.boran.com/security/sp/solaris/suid_sol8.txt
How should we handle SUID files? Possible courses of action, in order of preference, are:
- Remove the package containing the offending file
- Disable the program (e.g. chmod 000 FILENAME)
- The SUID bit can be removed (e.g. chmod ug-s FILENAME)
- Restrict the file to a group of users (first remove world access: "chmod o-rwx", then allow a group: "chgrp MYGROUP MYFILE").
What SUID files need to be limited?
- On sensitive systems where users have accounts, or where key daemons run as non-root users, disabling as many SUID files as possible is desirable.
- One suggestion for paranoid systems is to disable all except 'pt_chmod', 'utmp_update' and 'su'.
- Reg Quinton explains each Solaris SUID file (see the references below) and recommends settings, together with an appropriate script that can be customised. The recommended settings are for "medium" security systems.
- Some tools like uucp are almost never needed. If possible remove the SUNWbnuu package or disable the setuid bits:
pkgrm SUNWbnuu
chmod ug-s /usr/bin/cu /usr/bin/uu* /usr/lib/uucp/*
- Another often unused suite of tools is kcms (Kodak Color Management System), so either remove or disable it:
pkgrm SUNWkcspg SUNWkcsrt
chmod ug-s /usr/openwin/bin/kcms*
- Other tools are useful, but only root needs to use them (on most hosts), so remove the SUID bit, e.g.:
chmod ug-s /usr/sbin/snoop /usr/bin/netstat /usr/local/bin/top /usr/local/bin/lsof
- We could check that all SUID files on the system are in the package database and haven't been changed:
find / -perm -u+s -exec pkgchk -p {} \; | more
The package DB only uses checksums (not cryptographic hashes or signatures) and could easily be modified by an attacker, so don't treat the package commands as proof that binaries are unmodified; they are an indication only.
- Or we could list all SUID files with details and see which packages they belong to:
find / -perm -u+s -exec pkgchk -l -p {} \; | more
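The find listing and the pkgchk check above only show the current state of the system. The script below is an added example, not from the digest or from any of the scripts it references: it turns the find listing into a baseline inventory and, on a later run, reports SUID/SGID files that have appeared or whose mode or owner has changed, which complements pkgchk given the caveat about the package database's checksums. It uses numeric modes (-perm -4000 / -perm -2000) instead of the digest's -perm -u+s so it also runs on GNU find, and the temporary tree and file names (su, plain, rogue) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the digest): inventory the SUID/SGID files under
# a root, keep that inventory as a baseline, and report what is new or
# changed on a later scan. Numeric modes replace the digest's '-perm -u+s'
# so the same find command works on Solaris and GNU systems.

# Print "mode owner group path" for each SUID or SGID regular file under $1.
# Assumes paths without spaces, since the path is taken as the last ls field.
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
        awk '{ print $1, $3, $4, $NF }' | LC_ALL=C sort
}

# Print lines in the current inventory of $1 that are absent from baseline
# file $2: a new SUID file, or a known one whose mode or owner changed.
suid_report_new() {
    suid_inventory "$1" | LC_ALL=C comm -13 "$2" -
}

# Drop the privilege bits on the given files (the digest's 'chmod ug-s').
suid_disable() {
    chmod ug-s "$@"
}

# Demo on a constructed temporary tree; no real system binaries are touched.
# Prints the report before and after disabling the file that appeared.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/sbin"
    : > "$d/bin/su";     chmod 4755 "$d/bin/su"      # expected SUID tool
    : > "$d/bin/plain";  chmod 0755 "$d/bin/plain"   # ordinary binary
    suid_inventory "$d" > "$d/baseline.txt"
    : > "$d/sbin/rogue"; chmod 4755 "$d/sbin/rogue"  # appears after baseline
    new=$(suid_report_new "$d" "$d/baseline.txt")
    echo "new since baseline: ${new:-none}"
    suid_disable "$d/sbin/rogue"
    new=$(suid_report_new "$d" "$d/baseline.txt")
    echo "after chmod ug-s: ${new:-none}"
    rm -rf "$d"
}

demo
```

Run the inventory from cron with the baseline stored off-host or on read-only media, since a baseline an intruder can rewrite is no better than the package database the digest warns about.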
SUID references and further reading:
- Solaris 7 Setuid/Setgid Files, Information Systems and Technology, University of Waterloo
[Reg Quinton's documentation on Solaris 7 SUID files and associated scripts].
http://ist.uwaterloo.ca/security/howto/1999-04-21.html
Solaris 2.6:
http://ist.uwaterloo.ca/security/howto/2000-08-22.html
Solaris 8:
http://ist.uwaterloo.ca/security/howto/2000-08-17.html
- Titan's ziplock module
http://www.titan.org
- Example listing of SUID/SGID files on a Solaris 7 system:
http://www.boran.com/security/sp/solaris/suid_sol7.txt
Example listing of SUID/SGID files on a Solaris 8 system:
http://www.boran.com/security/sp/solaris/suid_sol8.txt
If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.
For brevity, the list of Solaris resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved. Last Update: 20 October, 2000