Weekly Solaris Security Digest
2000/11/04 to 2000/12/11

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

The Rundown

Solaris vulnerabilities this week: none.
Vulnerabilities in 3rd party applications: DB2, Ultraseek/Inktomi, Majordomo, phpWebLog, apcupsd, Apache with Php3, Lexmark drivers.
Recommended Patch Bundles: for Solaris 2.6 and 8 have been updated..
Articles/news: Solaris 8 sources, PHP installation, IDS: Torn/ICMP, file attributes and modes.
Discussions summary: Yassp & Focus-sun.
Tip of the Week discusses Patch management in detail.

Advisories and Security Bulletins

Sun / CERT bulletins

none

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-12-07: Lexmark Markvision Printer Driver Buffer Overflow Vulnerabilities
http://securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2075

2000-12-06: Apache Web Server with Php 3 File Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2060
Comment: Although only Apache for NT is mentioned, there is no obvious reason why the UNIX Apache/PHP3 should not be vulnerable.

2000-12-06: Endymion MailMan WebMail Remote Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2063

2000-12-06: phpGroupWare Remote Include File Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2069

2000-12-06: APC apcupsd Local Denial of Service Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2070

2000-12-05: Ultraseek/Inktomi Search Source Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2061

2000-12-05: Ultraseek/Inktomi Search Information Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2062

2000-12-05: IBM DB2 Universal Database Known Default Password Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2068

2000-12-02: phpWebLog Administrator Authentication Bypass Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2047

2000-12-01: Majordomo Config-file admin_password Configuration Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2028

Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8 Nov/30/00*

Solaris 7 Nov/02/00

Solaris 2.6 Dec/05/00*

Solaris 2.5.1 Nov/02/00

See also: ftp://sunsolve.sun.com/pub/patches

News & Articles

Solaris Package archive
http://www.ibiblio.org/pub/packages/solaris/sparc/
This site provides precompiled Packages for many free tools, a bit like Sunfreeware.com. No SSH packages were available though.

SolarisGuide

Solaris 8 Source Available
http://www.sun.com/software/solaris/source/

Source can be either downloaded, or media kits bought for $75.- The SPARC and Intel sources are sold separately. The media kits will start shipping on 15th Dec - a nice Christmas present for yourself? :-)

O'Reilly Network

Basic Installation of PHP on a Unix System
Darrell Brogdon
http://www.oreillynet.com/pub/a/php/2000/11/17/php_admin.html

SecurityFocus

Identifying ICMP Hackery Tools Used In The Wild Today
Ofir Arkin
http://www.securityfocus.com/focus/ids/articles/icmptools.html

Several tools exist in the wild today that allow a malicious computer
attacker to send crafted ICMP datagrams. Those datagrams can be used for
various tasks: host detection, advanced host detection, Operating System
Fingerprinting and more. This article by Ofir Arkin will examine whether
we can identify the different tools used for ICMP hackery that are
available in the wild today. If we can identify the tool, we may be able
to identify the underlying operating system or a number of operating
systems that this tool might be running on top of.

Analysis of the T0rn Rootkit
Toby Miller
http://www.securityfocus.com/focus/ids/articles/t0rn.html

The purpose of this paper is to inform the IDS community of signatures related to the t0rn rootkit. This paper will not serve as a how-to guide to the t0rn rootkit; rather, it is designed to identify binaries and ports that t0rn uses. This paper will also provide md5sums of binaries and analysis on how to detect t0rn.

Sunworld

Security basics Part 2, More advice on file attribute bits and modes
Mo Budlong
http://www.sunworld.com/sunworldonline/swol-12-2000/swol-1201-unix101.html

Could you use a quick refresher course on binary numbers? Need an expert to clarify hexadecimal and octal notation? This month in Unix 101, Mo Budlong continues his three-part series on Unix security with a closer look at file attribute bits and modes.

Security Tools News

memconf
http://netnow.micron.net/~tschmidt/memconf.html

The memconf utility reports the size of each SIMM/DIMM memory module installed in a system. It also reports the system type and any empty memory sockets.
Comment: useful, but Intel users can abstain.

All tools are summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

Mailing Lists

FOCUS-Sun Discussions Threads

12/06/00 SunShield BSM and SSH
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2000-12-09&start=2000-12-03&list=92&tid=149153&fromthread=0&

12/04/00 Compiling OpenSSH [Re: SunShield BSM and SSH]
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2000-12-09&start=2000-12-03&list=92&tid=148519&fromthread=0&

2/01/00 Compiling OpenSSH [Re: SunShield BSM and SSH]
http://www.securityfocus.com/templates/archive.pike?tid=148319&end=2000-12-02&start=2000-11-26&list=92&fromthread=0&threads=1&

12/01/00 Compiling OpenSSH [Re: SunShield BSM and SSH]
http://www.securityfocus.com/templates/archive.pike?tid=148315&end=2000-12-02&start=2000-11-26&list=92&fromthread=0&threads=1&

12/01/00 firewall penetration
http://www.securityfocus.com/templates/archive.pike?tid=148318&end=2000-12-02&start=2000-11-26&list=92&fromthread=0&threads=1&

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current. V1.0 is close. If you are a Solaris sysdmin, please consider testing Yassp and providing input on the documentation, programs and hardening at this very important stage before the final release.

Discussions

unlimit rlim_fd_max
http://www.theorygroup.com/Archive/YASSP/2000/msg00763.html

RE: after.html: Post install doc
http://www.theorygroup.com/Archive/YASSP/2000/msg00762.html

Re: Beta15 feedback
http://www.theorygroup.com/Archive/YASSP/2000/msg00761.html

Re: CheckPatches
http://www.theorygroup.com/Archive/YASSP/2000/msg00756.html

See also
http://www.yassp.org

Tip of the Week: The dreaded patches

Patch strategies

Weakness are continually discovered in Solaris and 3rd party applications. Not only do the weakness pose threats but the volume of weaknesses and patches can be a threat: if not managed carefully, they will consume too much time or they will be simple ignored.

The first problem is to be aware that weaknesses and/or patches actually exist. Possible strategies are:

Get on all the mailing lists of organisations such as CERT/First, vendors like Sun, and especially Bugtraq. This can consume quite a lot of time.
Get on the mailing list of an organisation which produces regular summaries of weakness/patches and security news, for example SecurityPortal, SecurityFocus, SANS or maybe this Digest :-). If a regular source of reliable information on Solaris and the applications that you use can be found, it may save much time.
Run a tool on important servers that checks the current patch level and compares it with the newest list of patches available from Sun: This is the ideal situation (it is discussed below in more detail), but 3rd party applications will not be covered.
Check Sun's recommended patch bundles for changes every month or two: This requires little effort, but security is not as tight, 3rd party weakness are not covered and the recommended bundles do not cover all Security problems.

How do you decide whether a weakness is worth patching?

If the weakness concerns a remotely exploitable weakness in an active network daemon, exposed to a hostile environment like the Internet, install it soon.
If the weakness concerns a local exploit of a tool not normally used, not a daemon and on a host where only root or administrator accounts exist, it may be enough to install the patch together with a bundle at regular intervals (e.g. every six months).
If the weakness concerns a local exploit of a tool on a host where non-administrative users have accounts, then it depends on how critical the system is and how much the users can be trusted. Regular patches to multi-user systems are advised.
If the systems runs highly specialised software like databases, be very wary of installing Kernel, I/O and driver patches. It is advisable to test patches on a separate system first.
Patches differ by Solaris version and architecture. So it makes sense to try and keep servers of the same OS/architecture on the same patch-level and define a master host, whose patch level is automatically checked at regular intervals.

Patch Tools

Tools to help find patches relevant to your systems [1]:

GetApplyPatch and CheckPatches are two Bourne shell scripts for Solaris patch management, that I've tested quite a bit and can recommend:
1. CheckPatches: is a script that uses showrev to see what patches are installed, compare this against the Solaris patch report, and makes a list of recommended and security patches that need installation. It expects to find 'SolarisX.PatchReport' in the current directory (or you can use '-f' to download the Patch report via ftp)
  > ./CheckPatches -f
2. GetApplyPatch: is a script to get and apply a patch. Arguments are a list of patch numbers. If run from the command line, it is interactive and will ask you to confirm the download, show the patch readme, install the patch and delete the patch directory. It can also run without prompting in "batch mode".
  > ./GetApplyPatch 108875-07
3. Both scripts can be used together to get each patch that is needed and install them (you are prompted each time).
  > ./CheckPatches | ./GetApplyPatch
4. Additional features added 4thDec 2000: Solaris Intel is supported, ftp proxies may be configured and you can download from your local mirror rather than Sunsolve. Cron scripts for automating steps 1 and 3 above and emailing the results are available (CheckPatches.cron, GetApplyPatch.cron).
5. Man pages are available.
If you have a Sun support contract, the Patchdiag tool from Sunsolve can be used along with the latest patchdiag.xref to see what recommended and security patches are missing, then download & install the missing ones.
Consider checking with the SecurityFocus vulnerability calculator. Execute the following:
> showrev -p | cut -f2 -d' ' | xargs
and then paste it into the window on SecurityFocus.com and select OS version, architecture and hit run. This will probably result in a long list of vulnerabilities, most of which are not relevant. Go through the list looking for applications or services that are active on your host, that then need fixing. A link is provided for each vulnerability, where more details and fixes can be found. This list of vulnerabilities includes not just Solaris, but all third party applications.
FastPatch is a replacement for patchadd, the same but a lot faster.
Patchreport is a script that does everything CheckPatches and GetApplyPatch do, plus checking integrity of patches via MD5, logging in to sunsolve to get the public patch reports or if you have a Sunsolve ID and getting the full patchdiag.xref file. It's written in Perl and does require quite a few Perl modules to be installed. Not yet tested in detail.

References [1]:

Reg Quinton/Bruce Barnett's CheckPatches, CheckPatches.cron, GetApplyPatch, GetApplyPatch.cron scripts: http://ist.uwaterloo.ca/~reggers/drafts/

SunSolve sunsolve.sun.com (Patchdiag & XREF file)
A SunSolve Patch Primer: sunsolve.sun.com/pub-cgi/show.pl?target=content/content1

SecurityFocus Vulnerability calculator SecurityFocus.com/focus/sun/form.html
Casper Dik's FastPatch: ftp://www.wins.uva.nl/pub/solaris/auto-install/
Joe Shambin's Patchreport: ftp://x86.cs.duke.edu/pub/PatchReport/index.html

If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.

References and Resources

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán .Boran, All Rights Reserved, Last Update: 08 December, 2000

NEW! Sign up to get this digest and many others by email.