Weekly Solaris Security Digest
2000/01/01 to 2001/01/08

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

none

Bugtraq vulnerabilities this week - Solaris:

2000-12-30: Solaris mailx Lockfile Denial Of Service Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2169

"The problem involves lockfiles in the /var/mail directory. By default, the /var/mail directory is world writeable as deployed with the Solaris Operating Environment. When a file is created in the /var/mail directory using the extension $LOGNAME.lock, it is possible to deny service to a legitimate user of mailx if the $LOGNAME.lock file is not removable by the mailx user. This problem makes it possible for a user with malicious intent to deny service to any user of mailx."

Comment: This is a Denial of Service attack requiring a local account. It's only a problem on multi-user systems where mailx is used. A sample exploit script has been published. Sun have not yet released a patch.
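Until a patch is available, the spool can be checked for lock files that a mailbox owner could not remove. The script below is an added example, not part of the advisory or of any Sun tool; it assumes that a legitimate <user>.lock is owned by <user>, and the function names and output format are made up for this example.

```shell
#!/bin/sh
# Added example: audit a mail spool for lock files that could block mailx users.
# Heuristic (assumption): a legitimate <user>.lock is owned by <user>.

# Print the owner name (or numeric uid) of a path, taken from ls -ld.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Describe the spool directory mode: world-writable or not, sticky or not.
spool_mode() {
    perms=`ls -ld "$1" | awk '{ print substr($1, 1, 10) }'`
    case "$perms" in
        d???????w[tT]) echo "world-writable, sticky" ;;
        d???????w?)    echo "world-writable, not sticky" ;;
        *)             echo "not world-writable" ;;
    esac
}

# Usage: audit_mail_locks /var/mail
# Prints one SUSPECT line per <user>.lock whose owner is not <user>.
# Returns 1 when at least one such lock file is found, 0 otherwise.
audit_mail_locks() {
    spool=${1:-/var/mail}
    found=0
    for f in "$spool"/*.lock; do
        # Skip the unexpanded pattern when no lock file exists.
        [ -e "$f" ] || [ -h "$f" ] || continue
        name=`basename "$f" .lock`
        owner=`file_owner "$f"`
        if [ "$owner" != "$name" ]; then
            echo "SUSPECT $f owner=$owner expected=$name"
            found=1
        fi
    done
    return $found
}
```

Run from cron, a non-zero return is the signal to look at the listed files; mailx locks are short-lived, so a SUSPECT entry that persists between runs deserves attention.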

Bugtraq vulnerabilities this week - 3rd party applications:

2001-01-29: Macromedia Flash SWF Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2162

2001-01-02: GTK+ Arbitrary Loadable Module Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2165

2000-12-31: Emacs Inadequate PTY Permissions Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2164

2000-12-30: Informix Webdriver Remote Administration Access Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2166

2000-12-30: Informix Local File Overwrite Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2168

2000-12-28: ikonboard Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2157


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8      Dec/19/00
Solaris 7      Dec/19/00
Solaris 2.6    Dec/05/00
Solaris 2.5.1  Dec/12/00

See also ftp://sunsolve.sun.com/pub/patches


News & Articles

SecurityPortal.com

Top 10 Security Stories of 2000
http://securityportal.com/cover/coverstory20010101.html

 

Network Computing Magazine

Vulnerability Assessment Scanners
http://www.nwc.com/1201/1201f1b1.html

We decided to entrust the security of our test network to Axent Technologies' NetRecon, BindView Corp.'s HackerShield, eEye Digital Security's Retina, Internet Security Systems' Internet Scanner, Network Associates' CyberCop Scanner, and two open-source products: Nessus Security Scanner and Security Administrator's Research Assistant (SARA). One product, World Wide Digital Security's System Analyst Integrated Network Tool (SAINT), is open source, with a commercial reporting tool. ........ We set up 17 of the most common and critical vulnerabilities out there, and not one product detected them all....... The two that shined the brightest on this front were ISS' Internet Scanner and Nessus Security Scanner. Unfortunately, it's a case of the best of the worst.

Comment: a detailed report that makes sober reading.

 

BSD Today

The 101 Uses of OpenSSH: Part I
Mick Bauer
http://www2.linuxjournal.com/lj-issues/issue81/4412.html

This month we'll cover ssh's background and architecture, how to build and/or install OpenSSH, how to use ssh as an encrypted replacement for Telnet, how to set some basic ssh configuration options and how to use scp for encrypted file transfers. Next month I'll cover RSA/DSA authentication, local port-forwarding, remote-command-execution and other more advanced, and extremely powerful functions of ssh/OpenSSH.

Comment: A good introduction to SSH.

Unix Insider

Wireless acrobatics: Is the convenience of wireless technology worth the security risks?
Carole Fennelly
http://www.sunworld.com/unixinsideronline/swol-12-2000/swol-1229-unixsecurity.html


Mailing Lists

FOCUS-Sun Discussions Threads

12/31/00 Solaris 7 sticky bit on directory
http://securityfocus.com/templates/archive.pike?threads=1&end=2001-01-06&start=2000-12-31&list=92&tid=153687&fromthread=0&

Frank Heimann noted that if a file is group writeable in a sticky directory, it can be deleted, whereas this is not the case on Linux/BSD. Casper Dik summarised the use of the directory sticky bit in Solaris and its antecedents:

It was noted that the sticky(5) man page does not document the fact that the file being writeable by the user group allows deletion, whereas the chmod(2) man page does.
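To see which files in a sticky directory are affected by this behaviour, the directory can be audited for entries that are writable by their group or by everyone. The script below is an added example, not something posted in the thread; the function names and the WORLD/GROUP output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: list entries in a sticky directory that someone other than
# the owner can remove under the Solaris rule (write access to the file).

# Print the 10-character mode string of a path, e.g. drwxrwxrwt.
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Usage: sticky_exposed /tmp
# Prints "WORLD <path>" or "GROUP <group> <path>" for each exposed entry.
# Returns 2 if the argument is not a sticky directory, 0 otherwise.
sticky_exposed() {
    dir=$1
    case `mode_of "$dir"` in
        d????????[tT]) ;;
        *) echo "$dir: not a sticky directory" >&2; return 2 ;;
    esac
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue        # unmatched glob or dangling symlink
        [ -h "$f" ] && continue        # symlink modes carry no meaning
        grp=`ls -ld "$f" | awk '{ print $4 }'`
        case `mode_of "$f"` in
            ????????w?) echo "WORLD $f" ;;
            ?????w????) echo "GROUP $grp $f" ;;
        esac
    done
    return 0
}
```

On Solaris each listed file can be removed by the named group (or by anyone, for WORLD) despite the sticky bit; tightening the file mode with chmod g-w,o-w closes that path.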

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current.

No Discussions this week.

See also http://www.yassp.org


Tip of the Week

Garry J. Garrett writes in with another useful tip:

It is useful to know when a system is shut down or started, especially when you have many hosts to manage and logs are not automatically monitored, or you don't have active SNMP monitoring.

Garry puts a startup file in /etc/rc3.d that kicks out e-mail when a system is stopped or booted. The message for the shutdown is different than the startup message, so if a startup happens without a shutdown, it probably crashed and it will have to be checked out.

Install it as /etc/init.d/bootmail and make the links /etc/rc3.d/S99bootmail and /etc/rc0.d/K00bootmail. Instead of "root" you can make an alias (put it in /etc/mail/aliases and run "newaliases") and e-mail it to a list of folks who care, which may include more than just the SysAdmins (besides, not everyone likes the idea of forwarding root's e-mail off of the box - you can send it to root *and* to an e-mail address that goes off of the box). Obviously, sendmail (the client, not the server) must be working properly to send e-mail off of the box (this usually boils down to defining "mailhost" say in /etc/hosts or DNS, etc.).

#!/bin/sh
##########
# bootmail
#
# Send mail to SysAdmins upon reboot so that they are aware should:
# - someone else reboot the machine
# - the machine crashes
# etc.
# 27-Jan-1999 Garry J. Garrett

case "$1" in

'start' | 'boot' | 'reboot')
        /bin/echo "`/bin/uname -n` rebooted `date`" \
            | /bin/mailx -s "`/bin/uname -n` rebooted" root
        ;;

'stop' | 'shutdown' | 'down')
        /bin/echo "`/bin/uname -n` going down `date`" \
            | /bin/mailx -s "`/bin/uname -n` going down" root
        ;;

*)
        /bin/echo "Usage: /etc/init.d/bootmail { start | stop }"
        ;;
esac
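With many hosts mailing one alias, the "startup without a shutdown" check can be automated over the received Subject lines. The script below is an added example, not part of Garry's tip; it assumes the subjects are read in arrival order in the exact form bootmail sends them, and the function names and sample host names are constructed.

```shell
#!/bin/sh
# Added example: flag hosts that booted without announcing a shutdown first.
# Input: mail headers containing the Subject lines produced by bootmail, in
# arrival order (reading them from the alias's mailbox is an assumption).

# Usage: unclean_boots /var/mail/bootwatch    (or feed headers on stdin)
# Prints "UNCLEAN <host>" for every boot message that directly follows another
# boot message from the same host. A host's first message has no history and
# is never flagged.
unclean_boots() {
    awk '
        /^Subject: [^ ]+ going down$/ { last[$2] = "down"; next }
        /^Subject: [^ ]+ rebooted$/ {
            if (last[$2] == "boot") print "UNCLEAN " $2
            last[$2] = "boot"
        }
    ' "$@"
}

# Constructed sample: db1 boots twice with no "going down" in between.
# The body line and the unrelated subject must both be ignored.
sample_subjects() {
    cat <<'EOF'
Subject: web1 going down
Subject: web1 rebooted
Subject: db1 rebooted
db1 rebooted Mon Jan  1 03:12:44 MET 2001
Subject: web2 going down
Subject: db1 rebooted
Subject: web2 rebooted
Subject: unrelated mail that mentions db1 rebooted twice
EOF
}
```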

 

If you have any security tips/scripts you'd like to share with others, contact us.


References and Resources

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html

All security tool news is now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 08 January, 2001
