By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
CERT Summary CS-2000-04, November 20, 2000
http://www.cert.org/summaries/CS-2000-04.html
Topics in this regularly scheduled CERT Summary include continued compromises via rpc.statd and FTPd, a vulnerability in the IRIX telnet daemon, and notable virus activity, specifically the Loveletter.as worm and the QAZ worm.
none
2000-11-23: Balabit syslog-ng Incomplete Priority String Remote DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1981
2000-11-23: Phorum PHP Source Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1985
2000-11-23: IBM HTTP Server Denial of Service Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1960%3Fvid%3D1960
2000-11-22: Aladdin Ghostscript Symlink Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1990
2000-11-22: Aladdin Ghostscript Arbitrary Shared Library Usage Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1991
2000-11-21: Unify eWave ServletExec JSP Source Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1970
2000-11-20: CGIForum Arbitrary File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1963
2000-11-20: Oracle cmctl Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1968
2000-11-20: Adcycle Password Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1969
2000-11-20: BB4 Big Brother Multiple CGI Vulnerabilities
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1960%3Fvid%3D1960
2000-11-18: Ethereal AFS Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1972
2000-11-17: Vixie Cron /var/spool/cron Temporary Crontab File Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1960%3Fvid%3D1960
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Nov/17/00*
Solaris 7 Nov/02/00
Solaris 2.6 Nov/03/00
Solaris 2.5.1 Nov/02/00
Tapping on the walls, Learn to think like your attacker, by Sandra Henry-Stocker
http://www.sunworld.com/sunworldonline/swol-11-2000/swol-1117-buildingblocks.html
Paring down your network services isn't the only way to protect your systems against attacks: port scanning can also be an effective tool.
Real hackers go to Usenix, An informal look at the Usenix 9th Security Symposium
Carole Fennelly
http://www.sunworld.com/sunworldonline/swol-11-2000/swol-1117-security.html
Comment: Usenix sounds like a good place to go. Carole also mentions the following paper, which dates from Nov. 99: Distributed Firewalls, by Steven M. Bellovin
http://www.research.att.com/~smb/papers/distfw.html
Discovering System Processes Part II, by Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2000/11/22/FreeBSD_Basics.html
A look at signals in interprocess communication.
Introduction to Firewalls, by Brad Marshall
http://www.linux.com/sysadmin/newsitem.phtml?sid=1&aid=11296
In this article we'll cover some of the design decisions that have to be made before creating a firewall, from the architecture of the firewall to various other decisions that need to be made.
Replacing Telnet; OpenSSH, a secure alternative, by Mayank Sarup
http://www.freeos.com/articles/2745/2/13/
All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
11/21/00 Bind (3Tk)
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2000-11-25&start=2000-11-19&tid=145997&threads=1&list=92&
11/20/00 locking a user immediately on Solaris 8
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2000-11-25&start=2000-11-19&tid=145903&threads=1&list=92&
Exciting times: Yassp beta 14 and 15 were released this week, and several more minor problems were found. V1.0 is tantalizingly close. If you are a Solaris sysadmin, please consider testing Yassp and providing input on the documentation, programs and hardening at this very important stage before the final release.
Discussions
OpenSSH: sshd stop
http://www.theorygroup.com/Archive/YASSP/2000/msg00740.html
OpenWindows and RPC
http://www.theorygroup.com/Archive/YASSP/2000/msg00739.html
Beta15 feedback
http://www.theorygroup.com/Archive/YASSP/2000/msg00735.html
nscd in yassp.conf
http://www.theorygroup.com/Archive/YASSP/2000/msg00729.html
beta 15 yassp.conf error
http://www.theorygroup.com/Archive/YASSP/2000/msg00727.html
Beta 15 bug
http://www.theorygroup.com/Archive/YASSP/2000/msg00726.html
Looking for user feedback/references
http://www.theorygroup.com/Archive/YASSP/2000/msg00725.html
YASSP Beta#15 Out
http://www.theorygroup.com/Archive/YASSP/2000/msg00720.html
PARCdaily
http://www.theorygroup.com/Archive/YASSP/2000/msg00719.html
Yassp Beta#14 Out & Web updated
http://www.theorygroup.com/Archive/YASSP/2000/msg00717.html
Methods of installing TCP wrappers
http://www.theorygroup.com/Archive/YASSP/2000/msg00715.html
beta 13 for Sol 8
http://www.theorygroup.com/Archive/YASSP/2000/msg00713.html
Moving on!
http://www.theorygroup.com/Archive/YASSP/2000/msg00712.html
Re: Beta#12: feedback
http://www.theorygroup.com/Archive/YASSP/2000/msg00711.html
See also
http://www.yassp.org
In a discussion on 'focus-sun' this week, Bennet Todd suggests a useful way of temporarily locking a user on Solaris, without destroying his/her password:
On other OSes, the command "usermod -L acct" prepends a "!" to the encrypted password field, and -U removes the "!". If you don't have something like that handy it's easy enough to do with perl, something like:
perl -pi.bak -e 's/^'$user':/'$user':!/' /etc/shadow
The complementary command to unlock an account would be the very similar:
perl -pi.bak -e 's/^'$user':!/'$user':/' /etc/shadow
The usermod(1M) command is normally used to change a user's fields in /etc/passwd and /etc/shadow, e.g. home directory, shell, expiry date, login name. The idea is to write a script of the same name that accepts the additional options '-L' and '-U' and otherwise calls the standard usermod. The script must be in the path before the real usermod command.
Note: This script directly edits /etc/shadow, so it won't work for NIS+ and must be run as root (hence permissions of 700 are suggested).
I've written an improved script that checks that the account really exists and confirms that the change has been made.
#!/bin/sh
#
# usermod wrapper:
# make sure this is in your path before /usr/sbin
#
# If 1st argument is -L, locks the user's account by prepending
# a '!' to the encrypted password in /etc/shadow.
# If 1st argument is -U, remove the '!'.
# Otherwise call the normal Solaris 'usermod' tool.
#
# We check to make sure there is a valid entry in the shadow file first.
# A backup of the shadow is also made in /etc/shadow.bak

shadow="/etc/shadow"
usermod="/usr/sbin/usermod"

case "$1" in
-L) if [ `egrep -c "^$2:" $shadow` = 1 ] ; then
        perl -pi.bak -e 's/^'$2':/'$2':!/' $shadow
        echo "Account $2 now blocked."
    else
        echo "$0 Error: invalid account '$2'"
    fi;;
-U) if [ `egrep -c "^$2:" $shadow` = 1 ] ; then
        perl -pi.bak -e 's/^'$2':!/'$2':/' $shadow
        echo "Account $2 re-enabled."
    else
        echo "$0 Error: invalid account '$2'"
    fi;;
*)  $usermod "$@";;
esac
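As an added example (my own code, not Bennet's one-liners or the wrapper above), the same lock/unlock edit done with awk instead of perl, with two refinements the wrapper lacks: a second -L never produces "!!", and the script confirms the field really changed before reporting success. It runs offline against a constructed shadow-format sample written to a temp file; the sample entries, the SHADOW_FILE variable and the function names are all assumptions of this example, and the sample is only written when SHADOW_FILE is unset.

```shell
#!/bin/sh
# Added example: lock/unlock an account by editing the shadow password field.
# Operates on $SHADOW_FILE; when unset, a constructed sample (NOT a real
# /etc/shadow) is created in a temp file so the functions can be tried offline.
if [ -z "$SHADOW_FILE" ]; then
    SHADOW_FILE=$(mktemp)
    cat > "$SHADOW_FILE" <<'EOF'
root:ABCDEFGHIJKLM:11280::::::
alice:NOPQRSTUVWXYZ:11280:7:90:14:::
bob:NP:6445::::::
EOF
fi

# Print the encrypted password field of an account; fail if no entry exists.
shadow_field() {
    awk -F: -v u="$1" '$1 == u { print $2; found = 1 } END { exit found ? 0 : 1 }' "$SHADOW_FILE"
}

# Locked means the password field starts with "!" (the usermod -L convention).
is_locked() {
    case "$(shadow_field "$1")" in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# set_lock lock|unlock ACCOUNT: refuses unknown accounts, keeps a .bak copy,
# is idempotent (no "!!" on a second lock) and verifies the edit took effect.
set_lock() {
    mode="$1"; user="$2"
    shadow_field "$user" >/dev/null || { echo "no shadow entry for '$user'" >&2; return 2; }
    cp "$SHADOW_FILE" "$SHADOW_FILE.bak"
    awk -F: -v OFS=: -v u="$user" -v m="$mode" '
        $1 == u && m == "lock"   && $2 !~ /^!/ { $2 = "!" $2 }
        $1 == u && m == "unlock" && $2 ~  /^!/ { $2 = substr($2, 2) }
        { print }' "$SHADOW_FILE.bak" > "$SHADOW_FILE"
    case "$mode" in
        lock)   is_locked "$user" ;;
        unlock) ! is_locked "$user" ;;
        *)      echo "usage: set_lock lock|unlock ACCOUNT" >&2; return 2 ;;
    esac
}
```

To apply it to the real file, run it as root with SHADOW_FILE=/etc/shadow; like the wrapper above it edits the local file only, so it does not help for NIS+ accounts.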
If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 24 November, 2000