By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
2000-11-08: StarOffice /tmp Directory Symbolic Link Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1922
...A vulnerability exists which can allow users to read and write to restricted files belonging to users who run StarOffice.
2000-11-08: ISC BIND 8.2.2-P5 Denial of Service Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1923
...The problem occurs in the Compressed Zone Transfer (ZXFR) functionality of BIND. A default installation of BIND does not support the transfer of compressed zone files. However, issuing a request for a compressed zone file transfer to a name server without this functionality produces unpredictable results. Such a transfer request leads to a crash of the daemon. This could result in a name resolution Denial of Service for all users and systems depending upon nameservers using the affected software.
- Workaround: A partial workaround can be implemented by disallowing zone transfers except from trusted hosts. Note that if the trusted hosts are compromised, name servers with this bug will be vulnerable to denial of service attacks.
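The zone-transfer restriction suggested in the workaround above, written out as a named.conf fragment. This is an added example and not taken from the ISC advisory; the acl name "secondaries", the zone names and the 192.0.2.x documentation addresses are placeholders standing in for your own secondary servers.

```conf
// Weak (the default): no allow-transfer statement at all, so BIND answers
// AXFR from any host, and any host can send the ZXFR request that crashes it.
//
// options {
//     directory "/var/named";
// };

// Corrected: list the secondaries once and allow transfers only to them.
acl secondaries {
    192.0.2.53;         // placeholder: first secondary
    192.0.2.54;         // placeholder: second secondary
};

options {
    directory "/var/named";
    allow-transfer { secondaries; };   // default for every zone served
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };   // per-zone statement, same list
};

zone "internal.example.com" {
    type master;
    file "internal.zone";
    allow-transfer { none; };          // no secondaries at all: refuse everyone
};
```

After reloading, confirm the restriction from a host that is not in the list with `dig @your-server example.com axfr`; the transfer should be refused rather than returned. The list is matched on source IP address only, which is why the advisory calls it a partial workaround: a compromised secondary can still send the request.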
http://www.isc.org/products/BIND/bind-security.html
- Fix: update to BIND 8.2.2-P7
http://www.isc.org/products/BIND/bind8.html
2000-11-07: Sonata Conferencing Multiple Vulnerabilities
http://www.securityfocus.com/vdb/bottom.html?vid=1916
2000-11-07: YaBB search.pl Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1921
2000-11-06: Cart32 Admin Password Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1915
2000-11-04: Volano ChatPro Local Password Disclosure Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1906
2000-11-03: Lotus Domino SMTP Server ENVID Buffer Overflow and DoS Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1905
2000-11-02: CGI Script Center Subscribe Me Lite Account Deletion Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1897
2000-11-01: Multiple Vendor top Format String Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1895
Comment: top has a confirmed vulnerability in FreeBSD; other platforms may be vulnerable too.
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Sep/07/00
Solaris 7 Nov/02/00*
Solaris 2.6 Nov/03/00*
Solaris 2.5.1 Nov/02/00*
File Recovery Techniques, (Files wanted, dead or alive), by Wietse Venema
http://www.ddj.com/articles/2000/0012/0012h/0012h.htm
This article is the first of two that explore the subject of file recovery. While the second article focuses on the reconstruction of deleted file contents, this first one deals with reconstruction of past behavior by examining deleted file access time patterns and other deleted file attributes.
Mirroring A Boot Drive Using Solstice Disksuite, by John Richardson
http://www.sunhelpdesk.com/users/john/002.htm
What is Service Level Management (SLM)?
http://www.nextslm.org/slm1.html
Comment: although not a security topic, I thought it might interest many of our readers.
Free support from Sun! (until 26.Jan.2001)
http://supportforum.sun.com/cgi-bin/WebX.cgi?solaris_additional@116.fYxbaGxCbt0^0@
For a limited time only Sun is offering Solaris 8 Per Incident Phone and E-mail Support at no charge.
Network Magazine: System Fingerprinting With Nmap, by Rik Farrow
http://www.networkmagazine.com/article/NMG20001102S0005/1
If you're interested in knowing why nmap identifies OSes so well, this is a useful guide.
SecurityPortal: Passive OS Detection and Source Ports, by Kurt Seifried
http://securityportal.com/closet/closet20001108.html
Can one reliably detect what the remote OS is, based solely on the source port of the connection?
Where the Log Files Live, by Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2000/11/08/FreeBSD_Basics.html
A beginner's guide to system logs on FreeBSD, much of which is applicable to Solaris.
Know Your Enemy: Worms at War, by Honeynet Project
http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/worms.html
This paper was born out of pure curiosity. Our Honeynet was being pounded with UDP port 137 and TCP port 139 scans. The network was getting scanned 5-10 times a day on these ports; something was up. The goal was to learn what these scans were all about. What was out in the Internet causing all of this activity? Based on the ports, we assumed that the scans were looking for Windows-based vulnerabilities. The plan was to set up a Win98 honeypot, sit back and wait. We didn't have to wait long.
All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
11/09/00 Sun Articles
http://www.securityfocus.com/templates/archive.pike?tid=144211&fromthread=0&threads=1&end=2000-11-11&start=2000-11-05&list=92&
11/09/00 locking a user immediately on Solaris 8
http://www.securityfocus.com/templates/archive.pike?tid=144133&fromthread=0&threads=1&end=2000-11-11&start=2000-11-05&list=92&
11/08/00 Connection Limitations for ftp & telnet !
http://www.securityfocus.com/templates/archive.pike?tid=144022&fromthread=0&threads=1&end=2000-11-11&start=2000-11-05&list=92&
11/08/00 New mailing list: Security-Basics
http://www.securityfocus.com/templates/archive.pike?tid=144021&fromthread=0&threads=1&end=2000-11-11&start=2000-11-05&list=92&
11/08/00 Effective copy across disks
http://www.securityfocus.com/templates/archive.pike?tid=143894&fromthread=0&threads=1&end=2000-11-11&start=2000-11-05&list=92&
News: beta 12 is being prepared and should be out soon. It will include OpenSSH, rather than SSH1 and support x86 as well as SPARC.
Discussions:
New edition of SANS Solaris guide
http://www.theorygroup.com/Archive/YASSP/2000/msg00669.html
See also:
http://www.yassp.org
First off, an addendum to last week's 'tip': another resource for Solaris hardening is:
Securing Solaris Servers - A Checklist Approach,
by Paul D. J. Vandenberg and Susan D. Wyess
http://www.usenix.org/sage/sysadmins/solaris/index.html#host
This material is excerpted from an internal U.S. Government document on web security,
which the authors played leading roles in preparing. This material has been officially
reviewed, and the authors have been granted permission to use this material in a
non-official publication.
Back in August we had a brief look at Solaris C2 auditing / the 'BSM' module, and
presented some scripts which make examining the audit logs easier:
http://securityportal.com/topnews/weekly/solaris20000814.html
A new C2 article has been published in the special November supplement of Sysadmin magazine:
Implementing C2 Auditing in the Solaris Environment, by Kevin Wenchel and Stephen Michaels
http://www.sysadminmag.com/supplement/913c2.shtml
This article is easy to read, useful and references a GUI developed by the authors.
The GUI, 'BSM Event Viewer v1.1', is implemented in Perl/Tk and is easily compiled with gcc and Perl5. However, it crashed sometimes, and I was unable to persuade it to open all the files in /var/audit or to open individual log files. The author, Kevin Wenchel, thinks the problem might be with my X server (eXceed on NT4), so it may well work for you. A new release with some fixes is also on the way.
Despite these problems, the article is worth a read, and this space will be updated when we get the tools working.
On a different topic, I was on the hunt for a free TFTP server for Solaris with sources and came across utftpd v0.2.4.
http://www.ohse.de/uwe/software/utftpd.html
This server is interesting: it can be chroot'ed, run as a non-root user, contains IP-level access control for clients (each client IP can be assigned create/read/write rights) and supports automatic pushing and pulling of files from a version control system like SCCS or RCS (useful for managing router configuration files).
One minor change was needed to get it to compile on Solaris 8: the WAIT_ANY macro used in utftpd.c is a BSD/glibc extension that Solaris' <sys/wait.h> does not define. In utftpd.c, change:
pid_t pi=waitpid(WAIT_ANY,0,WNOHANG);
to
pid_t pi=waitpid(0,0,WNOHANG);
Note that WAIT_ANY is defined as -1 (wait for any child), whereas a pid argument of 0 waits only for children in the caller's own process group. The two behave the same for utftpd as long as its children stay in the server's process group; the exact equivalent of the original is waitpid(-1,0,WNOHANG).
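The portable way round the missing macro, as an added example that is not utftpd's own code: define WAIT_ANY as -1 when the headers lack it, keep the non-blocking reaper loop, and observe why pid 0 is not the same thing. The assumption, stated in the comments, is that WAIT_ANY is -1 wherever it exists (it is in glibc and the BSDs); the reaper and the process-group demonstration are hypothetical helpers written for this digest.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* WAIT_ANY is a BSD/glibc convenience macro, not POSIX; Solaris headers do
 * not define it. Where it exists its value is -1 ("any child of this
 * process"), so supplying it when absent keeps utftpd's original meaning. */
#ifndef WAIT_ANY
#define WAIT_ANY (-1)
#endif

/* Non-blocking reaper of the kind a SIGCHLD handler runs: collect every
 * child that has already exited and return how many were collected. */
int reap_exited_children(void)
{
    int status, reaped = 0;
    while (waitpid(WAIT_ANY, &status, WNOHANG) > 0)
        reaped++;
    return reaped;
}

/* Fork n children that exit at once, then reap them all: first whatever has
 * already finished (non-blocking), then block for the rest.
 * Returns the number reaped, or -1 on error. */
int spawn_and_reap(int n)
{
    int i, status, total;

    for (i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0)
            _exit(0);           /* child: leave without flushing parent's stdio */
    }
    total = reap_exited_children();
    while (total < n) {
        if (waitpid(WAIT_ANY, &status, 0) < 0)
            return -1;
        total++;
    }
    return total;
}

/* Why pid 0 is not WAIT_ANY: a child that has moved to its own process group
 * is invisible to waitpid(0, ...), which covers only the caller's process
 * group, but is reaped by waitpid(WAIT_ANY, ...).
 * Returns 1 when that difference is observed, 0 otherwise. */
int demonstrate_pgrp_difference(void)
{
    int fds[2], status;
    char c;
    pid_t pid, r;

    if (pipe(fds) < 0)
        return 0;
    pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        close(fds[0]);
        setpgid(0, 0);                  /* leave the parent's process group */
        if (write(fds[1], "x", 1) != 1) /* tell the parent we have moved */
            _exit(1);
        _exit(0);
    }
    close(fds[1]);
    if (read(fds[0], &c, 1) != 1) {     /* child died before signalling */
        close(fds[0]);
        waitpid(pid, &status, 0);
        return 0;
    }
    close(fds[0]);

    errno = 0;
    r = waitpid(0, &status, 0);         /* own process group only */
    if (r != -1 || errno != ECHILD) {   /* unexpectedly saw the child */
        waitpid(pid, &status, 0);
        return 0;
    }
    r = waitpid(WAIT_ANY, &status, 0);  /* any child: blocks until it exits */
    return r == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("reaped %d of 3 children\n", spawn_and_reap(3));
    printf("pid 0 differs from WAIT_ANY: %s\n",
           demonstrate_pgrp_difference() ? "yes" : "no");
    return 0;
}
```

The #ifndef block is the one-line patch to prefer over editing the call site: it compiles unchanged on Solaris, Linux and the BSDs, and a later upstream release that still uses WAIT_ANY will not need re-patching.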
If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.
For brevity, the list of Solaris resources and references is kept in a separate
document:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 21 November, 2000