Weekly Solaris Security Digest
2000/11/06 to 2000/11/13

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

To receive this digest via Email:
http://securityportal.com/subscribe.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

none

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-11-08: StarOffice /tmp Directory Symbolic Link Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1922
...A vulnerability exists which can allow users to read and write to restricted files belonging to users who run StarOffice.

2000-11-08: ISC BIND 8.2.2-P5 Denial of Service Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1923
...The problem occurs in the Compressed Zone Transfer (ZXFR) functionality of BIND. A default installation of BIND does not support the transfer of compressed zone files. However, issuing a request for a compressed zone file transfer to a name server without this functionality produces unpredictable results. Such a transfer request leads to a crash of the daemon. This could result in a name resolution Denial of Service for all users and systems depending upon nameservers using the affected software.

2000-11-07: Sonata Conferencing Multiple Vulnerabilities
http://www.securityfocus.com/vdb/bottom.html?vid=1916

2000-11-07: YaBB search.pl Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1921

2000-11-06: Cart32 Admin Password Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1915

2000-11-04: Volano ChatPro Local Password Disclosure Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1906

2000-11-03: Lotus Domino SMTP Server ENVID Buffer Overflow and DoS Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1905

2000-11-02: CGI Script Center Subscribe Me Lite Account Deletion Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1897

2000-11-01: Multiple Vendor top Format String Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1895
Comment: Top has a confirmed vulnerability in FreeBSD, other platforms may be vulnerable too.


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8      Sep/07/00
Solaris 7      Nov/02/00*
Solaris 2.6    Nov/03/00*
Solaris 2.5.1  Nov/02/00*


News & Articles

Dr.Dobbs Journal

File Recovery Techniques, (Files wanted, dead or alive), by Wietse Venema
http://www.ddj.com/articles/2000/0012/0012h/0012h.htm

This article is the first of two that explore the subject of file recovery. While the second article focuses on the reconstruction of deleted file contents, this first one deals with reconstruction of past behavior by examining deleted file access time patterns and other deleted file attributes.

Sun

Mirroring A Boot Drive Using Solstice Disksuite, by John Richardson
http://www.sunhelpdesk.com/users/john/002.htm

What is Service Level Management (SLM)?
http://www.nextslm.org/slm1.html
Comment: although not a security topic, I thought it might interest many of our readers.

Free support from Sun! (until 26.Jan.2001)
http://supportforum.sun.com/cgi-bin/WebX.cgi?solaris_additional@116.fYxbaGxCbt0^0@
For a limited time only Sun is offering Solaris 8 Per Incident Phone and E-mail Support at no charge.

Fingerprinting

Network Magazine: System Fingerprinting With Nmap, by Rik Farrow
http://www.networkmagazine.com/article/NMG20001102S0005/1

If you're interested in knowing why nmap identifies OSes so well, this is a useful guide.


SecurityPortal: Passive OS Detection and Source Ports, by Kurt Seifried
http://securityportal.com/closet/closet20001108.html

Can one reliably detect what the remote OS is, based solely on the source port of the connection?

O'Reilly Net

Where the Log Files Live, by Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2000/11/08/FreeBSD_Basics.html

A beginner's guide to system logs on FreeBSD, much of which is applicable to Solaris.

SecurityFocus

Know Your Enemy: Worms at War, by Honeynet Project
http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/worms.html

This paper was born out of pure curiosity. Our Honeynet was being pounded with UDP port 137 and TCP port 139 scans. The network was getting scanned 5-10 times a day on these ports; something was up. The goal was to learn what these scans were all about. What was out in the Internet causing all of this activity? Based on the ports, we assumed that the scans were looking for Windows-based vulnerabilities. The plan was to set up a Win98 honeypot, sit back and wait. We didn't have to wait long.

Security Tools News

All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html


Mailing Lists

FOCUS-Sun discussions

11/09/00 Sun Articles
http://www.securityfocus.com/templates/archive.pike?tid=144211&fromthread=0&threads=1&end=2000-11-11&start=2000-11-05&list=92&

11/09/00 locking a user immediately on Solaris 8
http://www.securityfocus.com/templates/archive.pike?tid=144133&fromthread=0&threads=1&end=2000-11-11&start=2000-11-05&list=92&

11/08/00 Connection Limitations for ftp & telnet !
http://www.securityfocus.com/templates/archive.pike?tid=144022&fromthread=0&threads=1&end=2000-11-11&start=2000-11-05&list=92&

11/08/00 New mailing list: Security-Basics
http://www.securityfocus.com/templates/archive.pike?tid=144021&fromthread=0&threads=1&end=2000-11-11&start=2000-11-05&list=92&

11/08/00 Effective copy across disks
http://www.securityfocus.com/templates/archive.pike?tid=143894&fromthread=0&threads=1&end=2000-11-11&start=2000-11-05&list=92&

YASSP (the Solaris hardening tool) Developers' list discussions

News: beta 12 is being prepared and should be out soon. It will include OpenSSH rather than SSH1, and will support x86 as well as SPARC.

Discussions:

New edition of SANS Solaris guide
http://www.theorygroup.com/Archive/YASSP/2000/msg00669.html

See also:
http://www.yassp.org


Tip of the Week: C2, TFTPD

First off, an addendum to last week's 'tip': another resource for Solaris hardening is:

Securing Solaris Servers - A Checklist Approach,
by Paul D. J. Vandenberg and Susan D. Wyess
http://www.usenix.org/sage/sysadmins/solaris/index.html#host

This material is excerpted from an internal U.S. Government document on web security,
which the authors played leading roles in preparing. This material has been officially
reviewed, and the authors have been granted permission to use this material in a
non-official publication.

Back in August we had a brief look at Solaris C2 auditing / the 'BSM' module, and presented some scripts which make examining the audit logs easier:
http://securityportal.com/topnews/weekly/solaris20000814.html

A new C2 article has been published in the special November supplement of Sysadmin magazine:

Implementing C2 Auditing in the Solaris Environment, by Kevin Wenchel and Stephen Michaels
http://www.sysadminmag.com/supplement/913c2.shtml

This article is easy to read, useful and references a GUI developed by the authors.

The GUI, 'BSM Event Viewer v1.1', is implemented in Perl/Tk and is easily compiled with gcc and Perl5. However, it crashed sometimes and I was unable to persuade it to open all the files in /var/audit or to open individual log files. The author, Kevin Wenchel, thinks the problem might be with my X server (eXceed on NT4), so it may well work for you. A new release with some fixes is also on the way.

Despite these problems, the article is worth a read, and this space will be updated when we get the tools working.

TFTPD

On a different topic, I was on the hunt for a free TFTP server for Solaris with sources and came across utftpd v0.2.4.
http://www.ohse.de/uwe/software/utftpd.html

This server is interesting: it can be chroot'ed, run as a non-root user, has IP-level access control for clients (each client IP can be assigned create/read/write rights) and supports automatic pushing and pulling of files from a version control system like SCCS or RCS (useful for managing router configuration files).

One minor change was needed to get it to compile on Solaris 8. In utftpd.c, change:
   pid_t pi=waitpid(WAIT_ANY,0,WNOHANG);
to
   pid_t pi=waitpid(0,0,WNOHANG);
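The reason for the build failure is that WAIT_ANY is a glibc/BSD convenience macro (it expands to -1, "any child") which the Solaris headers do not define; the one-line edit above replaces it with 0 (any child in the caller's process group), which is enough for a forking daemon whose children stay in its own group. The snippet below is an added example, not code from utftpd: it shows the portable form of the same non-blocking reaper, using the literal -1 and handling the EINTR and ECHILD cases a server's SIGCHLD handler has to cope with. The helper names reap_children and spawn_and_reap are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Non-blocking reaper in the style of a forking daemon's SIGCHLD handler.
 * waitpid(-1, ...) collects any terminated child: -1 is what glibc/BSD spell
 * WAIT_ANY, and it compiles unchanged on Solaris, which lacks that macro.
 * Returns the number of children collected on this call. */
int reap_children(void)
{
    int reaped = 0;

    for (;;) {
        int status;
        pid_t pid = waitpid(-1, &status, WNOHANG);

        if (pid > 0) {            /* one child collected, look for more */
            reaped++;
            continue;
        }
        if (pid == 0)             /* children exist but none has exited yet */
            break;
        if (errno == EINTR)       /* interrupted by a signal: retry */
            continue;
        break;                    /* ECHILD: no children left at all */
    }
    return reaped;
}

/* Constructed demo: fork n short-lived children, then poll the reaper until
 * every one has been collected so no zombies are left behind.
 * Returns the number reaped, or -1 if fork() failed. */
int spawn_and_reap(int n)
{
    int i, total = 0;

    for (i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0)
            _exit(0);             /* child: exit immediately */
    }

    /* Parent: keep polling with WNOHANG, sleeping briefly when nothing is
     * ready, exactly as a server would between accept() calls. */
    while (total < n) {
        int got = reap_children();
        total += got;
        if (got == 0)
            usleep(1000);
    }
    return total;
}

int main(void)
{
    int n = spawn_and_reap(3);
    printf("reaped %d children, %d left\n", n, reap_children());
    return n == 3 ? 0 : 1;
}
```

Compile with plain `cc -o reaper reaper.c` on Solaris, Linux or a BSD; no feature macros are needed because nothing outside POSIX is referenced.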


If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.


References and Resources

For brevity, the list of Solaris resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 21 November, 2000