Weekly Solaris Security Digest
2000/12/11 to 2000/12/18

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

The Rundown

• Solaris vulnerabilities this week: none.
• Vulnerabilities in 3rd party applications:  17 new vulnerabilities.
• Recommended Patch Bundles: Solaris 8 & 2.5.1 have changed.
• Articles/news: Chasing the Wind, Kernel options, Apache clusters, RH on Sparc.
• Discussions summary: Yassp & Focus-sun.
• Tip of the Week Solaris on Headless PCs

Advisories and Security Bulletins

Sun / CERT bulletins

none

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-12-14: SafeWord e.Id Trivial PIN Brute-Force Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2105

2000-12-14: Leif M. Wright simplestguest.cgi Remote Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2106

2000-12-14: Subscribe-Me Lite Administration Access Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2108

2000-12-13: KDE Kmail Weak Password Encryption Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2104

2000-12-13: Alex Heiphetz Group EZShopper Directory Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2109

2000-12-11: Oops Proxy Server Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2099

2000-12-11: ssldump Format String Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2096
Comment: no fix is yet available.

2000-12-11: University of Washington Pico File Overwrite Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2097

2000-12-11: Leif M. Wright everythingform.cgi Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2101

2000-12-11: Leif M. Wright simplestmail.cgi Remote Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2102

2000-12-08: BroadVision One-To-One Enterprise Path Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2088

2000-12-08: KTH Kerberos 4 Arbitrary Proxy Usage Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2090

2000-12-08: KTH Kerberos 4 Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2091

2000-12-08: KTH Kerberos 4 User-Supplied Configuration Files Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2092

2000-12-08: KTH Kerberos 4 Temporary File Race Condition Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2093

2000-12-08: Allaire ColdFusion Sample Script DoS Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2094

Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8	Dec/13/00*
Solaris 7	Nov/02/00
Solaris 2.6	Dec/05/00
Solaris 2.5.1	Dec/12/00*
See also:	ftp://sunsolve.sun.com/pub/patches

News & Articles

SecurityPortal

System and Network Security - Kernel Options
Kurt Seifried
http://securityportal.com/closet/closet20001206.html

Kernel tuning for increasing security on Solaris, Linux and BSD is discussed.

 

Securing Your Business in the Age of the Internet
M.E. Kabay
http://securityportal.com/cover/coverstory20001204.html

Information technology is permeating all aspects of modern life and business. The growth of the Internet and in particular of the World Wide Web presents increasing challenges to information technology and business managers.

 

UltraLinux

Additional Red Hat SPARC information
http://www.ultralinux.org/

Red Hat has further said that it will continue to provide the unsupported SPARC edition in its Rawhide developers version. In addition the company could restart SPARC support if demand picks up. Earlier versions of the SPARC edition will still be supported.
Comment: Suse (www.suse.com) however are shipping a Linux for SPARC, without ifs and buts

Sysadmin Magazine: January

An Apache Load Balancing Cluster
Don Gourley
http://www.sysadminmag.com/current/feature.shtml

In this article, I describe the Java Application Server Pseudo-cluster (JASPer), a simple cluster built with commodity hardware and free software from the Apache Foundation. The master server runs the Apache HTTP daemon and the cluster nodes are running the Apache JServ Java application server.

SecurityFocus

Chasing the Wind - Episode Three: From Out of the Blue
Robert G. Ferrell
http://securityfocus.com/focus/ih/articles/chasing3.html

Security Focus presents the third installation in the highly popular "Chasing the Wind" series. In this episode, entitled "From Out of the Blue", our intrepid system administrator Jake continues to do battle with Ian, an ambitious script-kiddie and aspiring hacker. Meanwhile, their battle starts to take on mysterious overtones as Bob, Jake's boss and company CIO, receives a haunting message from the past, one that hints of intrigue and serious security ramifications.
Comment: Good article.

Mailing Lists

FOCUS-Sun Discussions Threads

12/14/00 Solaris 8 and Windows NT...
http://securityfocus.com/templates/archive.pike?fromthread=0&tid=150998&end=2000-12-16&start=2000-12-10&list=92&threads=1&

12/13/00 SEAM, KRB5 and phrase length
http://securityfocus.com/templates/archive.pike?fromthread=0&tid=150630&end=2000-12-16&start=2000-12-10&list=92&threads=1&

12/13/00 Packages Installation
http://securityfocus.com/templates/archive.pike?fromthread=0&tid=150634&end=2000-12-16&start=2000-12-10&list=92&threads=1&

12/09/00 rc*.d directories
http://securityfocus.com/templates/archive.pike?fromthread=0&tid=149800&end=2000-12-09&start=2000-12-03&threads=1&list=92&

 

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current. Yassp is being moved to SourceForge the main activity this week was updating of the post-install documentation. If you are a Solaris sysdmin, please consider testing Yassp and providing input on the documentation, programs and hardening at this very important stage before the final release.

Discussions

after.html update
http://www.theorygroup.com/Archive/YASSP/2000/msg00772.html

Re: nit about improper quoting...
http://www.theorygroup.com/Archive/YASSP/2000/msg00771.html

See also
http://www.yassp.org

Tip of the Week:  Solaris on Headless PCs

Sun system administrators often manage the consoles of servers via serial lines: almost everything can be done remotely including OS installations. This feature is possible due to the powerful boot prom monitor included in Sun's SPARC systems (an advantage that Sun hardware has over all others I've so far).

The fun starts when trying to do the same with PCs running Solaris. The PC does not have an intelligent prom, so what Sun did was to implement the boot prom monitor in Software (it is called the Device Configuration Assistant). Booting a Solaris PC has several key steps:

1. The PC BIOS decides what devices will be used for booting, in what order and whether certain devices are disabled.
2. The SCSI controller (if there is one) can be configured to insist on it's own boot device.
3. The boot disk has been now selected and activated.
4. Device Configuration Assistant detects devices and makes them visible to the boot manager. If ESC is pressed when this is booting, devices can be changed as can default boot order, boot disks etc. via a menu-based interface. It is installed in the first few disk cylinders, in a separate partition (/boot).
5. Boot Manager: Allow options to be given to Solaris on booting, or using the boot interpreter
6. Solaris

It is possible to get PCs to use the serial port A (COM1) as their console, you just need a null modem cable and a bit of patience....

On Solaris 8, the following commands divert console input and output to the first COM port and ignore "carrier detect" signals (other the machine won't reboot unless you are connected to the serial line). The Device Configuration Assistant can also be used to set these options.

eeprom ttya-ignore-cd=true
eeprom input-device=ttya
eeprom output-device=ttya

Note: Apparently the console redirection can also be actived by editing /platform/i86pc/boot/solaris/bootenv.rc and adding: "setprop output-device com1", "setprop input-device com1".

Connection to the serial console

If connecting from another Solaris box, say on it's second serial port:

• Set the speed for cuab to 9600 in /etc/remote
• Connect using a command like:
  tip cuab
• Tips on using tip commands...

  ~? Get a summary of the tilde escapes.
  ~. Drop the connection and exit (you may still be logged in on the remote machine).
  ~! Escape to an interactive shell on the local machine (exiting the shell returns you to tip).
  ~# Send a BREAK to the remote system (THIS IS THE SAME AS STOP-A, but has not effect in x86 hosts).

• If you use SSH to access the host which has its second port connect to the Console on the target, and you use tip, you'll find the tilde escapes giving SSH commands. So add an extra tilde to the front of the tip commands, e.g. ~~# for break.

Notes

• The keyboard must often be left attached (e.g. test Compaq PC did not have a BIOS option to disable the keyboard).
• There is no "STOP-A" equivalent to drop down to the boot monitor prompt on Intel.
• These instructions should be valid for Solaris 2.56 and 7 also, but I've not tested them.

References

• Question 6.20 on http://www.sun.pmbc.com/faq/6.html
• http://aa11.cjb.net/sun_managers/2000/01/msg00326.html  
• http://sun.pmbc.com/faq/s86faq.html

If you have any security tips/scripts you'd like to share with others, contact us.

References and Resources

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html

All security tool news is summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

NEW! Sign up to get this digest and many others by email.