By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
Sun Bulletin #00200 (Bugtraq ID 2193): "arp" vulnerability
http://www.securityfocus.com/bid/2193
Sun released patches for Solaris 7 and earlier for a setgid vulnerability in arp.
Vulnerability: "A malicious user could overflow the stack and execute shellcode which could allow unauthorized root access". This is a classic local exploit of unchecked command-line parameters. Exploit code has been released.
OS Version      Patch ID
__________      _________
SunOS 5.7       109709-01
SunOS 5.7_x86   109710-01
SunOS 5.6       109719-01
SunOS 5.6_x86   109720-01
SunOS 5.5.1     109721-01
SunOS 5.5.1_x86 109722-01
SunOS 5.5       109707-01
SunOS 5.5_x86   109708-01
SunOS 5.4       109723-01
SunOS 5.4_x86   109724-01
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
Compromises via rpc.statd Vulnerability
Compromises via 'SITE EXEC' Vulnerability in FTPD
Virus Activity
Scans and Probes
2001-01-09: Solaris exrecover Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2179
"exrecover is a system binary included with Solaris, a variant of the UNIX Operating System distributed by Sun Microsystems. A problem in the binary could lead to a local attack.
The problem occurs in the handling of format strings by the program. By executing the program and using format strings as arguments to the command, it is possible to overflow buffers and cause the program to crash. The binary, as distributed with Solaris versions 2.4 through 2.6, is setuid root. While no known exploits exist for this problem, future research and exploitation of this vulnerability could occur, making it possible for a user with malicious intent to overwrite stack variables and potentially arbitrarily execute code."
Analysis: Solaris 2.6 and earlier are vulnerable; remove the SUID bit to make it safe (it's not really needed anyway). This is registered at Sun as Bug# 4161925.
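An added audit script for the two Solaris items above (the arp patch table and the exrecover setuid advice); it is not from the digest or from Sun, and the `showrev -p` excerpt inside it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the digest or from Sun): audit the two items above.
# (a) Is the arp patch for this release installed?  Parses `showrev -p` output.
# (b) Is a binary such as /usr/lib/exrecover still setuid?  If so, strip the bit.
# SHOWREV_SAMPLE is constructed for the demo; on a real host feed it the output
# of `showrev -p` and use `uname -r` / `uname -p` for release and architecture.

# Map "release arch" to the required patch ID (from the Sun Bulletin #00200 table).
arp_patch_for() {
    case "$1 $2" in
        "5.7 sparc")   echo 109709 ;;  "5.7 i386")   echo 109710 ;;
        "5.6 sparc")   echo 109719 ;;  "5.6 i386")   echo 109720 ;;
        "5.5.1 sparc") echo 109721 ;;  "5.5.1 i386") echo 109722 ;;
        "5.5 sparc")   echo 109707 ;;  "5.5 i386")   echo 109708 ;;
        "5.4 sparc")   echo 109723 ;;  "5.4 i386")   echo 109724 ;;
        *) return 1 ;;
    esac
}

# 0 = required patch (any revision) is listed, 1 = missing, 2 = release not in table.
# $3 is the text of `showrev -p`, one "Patch: NNNNNN-RR ..." line per patch.
arp_patch_status() {
    id=$(arp_patch_for "$1" "$2") || return 2
    printf '%s\n' "$3" | grep -q "^Patch: $id-"
}

# 0 if the path carries the setuid bit (POSIX find -perm -4000), 1 otherwise.
is_setuid() { [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]; }

# Remove the setuid bit, as the exrecover analysis recommends, and verify it is gone.
drop_setuid() { chmod u-s "$1" && ! is_setuid "$1"; }

# Constructed showrev -p excerpt: the 5.7 sparc arp patch is present, nothing else relevant.
SHOWREV_SAMPLE='Patch: 106541-12 Obsoletes: 106976-01 Requires:  Incompatibles:  Packages: SUNWkvm
Patch: 109709-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# Demo: SunOS 5.7 sparc is patched against the sample, SunOS 5.6 sparc is not.
for rel in 5.7 5.6; do
    if arp_patch_status "$rel" sparc "$SHOWREV_SAMPLE"; then
        echo "SunOS $rel sparc: arp patch present"
    else
        echo "SunOS $rel sparc: arp patch $(arp_patch_for "$rel" sparc) MISSING"
    fi
done
```

On a live Solaris host, `drop_setuid /usr/lib/exrecover` must be run as root and the change should be recorded so a later patch or reinstall does not silently restore the bit.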
2001-01-10: WebMaster ConferenceRoom Developer Edition DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2178
2001-01-08: StorageSoft ImageCast IC3 DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2174
2001-01-08: IBM HTTP Server AfpaCache DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2175
2001-01-07: eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2177
2001-01-05: Lotus Domino Server Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2173
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Jan/09/01
Solaris 7 Jan/05/01
Solaris 2.6 Jan/05/01
Solaris 2.5.1 Jan/05/01
See also ftp://sunsolve.sun.com/pub/patches
Computer Crime Investigator's Toolkit: Part I
http://www.securityportal.com/articles/toolkit20010102.html
A four-part series on computer crime will cover a summary of basic, practical knowledge, "tricks," if you like, that should interest all computer crime investigators. While they may not be the final word in preparing for an examination, these techniques will provide some insight into the ways and means of computer criminals. I hope to get you into the spirit of the hunt. Learning to think how a criminal looks at twisting, altering, hiding, and diverting information will definitely make the game more interesting. This part focuses on DOS and Unix tricks.
IDS Evasion with Unicode
Eric Hacker
http://www.securityfocus.com/focus/ids/articles/utf8.html
Recently, there has been much discussion of the Unicode problem with regard to intrusion detection. Some pundits have gone so far as to claim that Unicode will contribute to the demise of Intrusion Detection Systems (IDS). This article by Eric Hacker will explain what Unicode is, how it complicates IDS and provides opportunities for IDS evasion, and what can be done about it. This discussion will focus particularly on the role of UTF-8, a means by which Unicode code points are encoded, in circumventing IDSs.
Hacker Emergency Response Team Tutorials
http://plan9.hert.org/docs/tutorials
A set of links to tutorials on: C, C++, CGI, CORBA, CSS, CVS, DHTML, Emacs, Expect, Fortran, GIMP, GNOME, GTK, Gnuplot, HTML, ILU, IP-Masquerading, IPC, Java, JavaScript, Lisp, MIDI, ML, MPI, Matlab, Misc, Motif, OpenGL, PHP, PVM, Pascal, Perl, PostScript, Povray, Prolog, Python, RPC, Rexx, Ruby, SCSI, SQL, SSI, STL, Samba, Scheme, Smalltalk, TCP/IP, Tcl/Tk, TeX, UNIX, VRML, X11, XDR, XML, auto, debugging, elm, lex, make, networks, sed, shells, sockets, threads, vi.
01/10/01 Openssh and Solaris8(sparc)
http://www.securityfocus.com/templates/archive.pike?tid=155456&fromthread=0&threads=1&end=2001-01-13&start=2001-01-07&list=92&
01/10/01 Solaris specific security documentation?
http://www.securityfocus.com/templates/archive.pike?tid=155448&fromthread=0&threads=1&end=2001-01-13&start=2001-01-07&list=92&
01/10/01 FW: Solaris /usr/lib/exrecover buffer overflow
http://www.securityfocus.com/templates/archive.pike?tid=155419&fromthread=0&threads=1&end=2001-01-13&start=2001-01-07&list=92&
01/09/01 Solaris 7 sticky bit on directory
http://www.securityfocus.com/templates/archive.pike?tid=155093&fromthread=0&threads=1&end=2001-01-13&start=2001-01-07&list=92&
01/05/01 Solaris patches
http://www.securityfocus.com/templates/archive.pike?tid=154487&fromthread=0&threads=1&end=2001-01-06&start=2000-12-31&list=92&
Yassp beta 15 is still current.
No Discussions this week.
See also http://www.yassp.org
Another reader tip this week!
SymbEL, by Richard Pettit, is a tool that helps spot performance problems and is useful for diagnostics. SymbEL comes with several terminal-based and GUI monitoring tools (using Tcl/Tk). It's not officially "supported" by Sun, but they let you download it "as is". A few quotes:
SymbEL (known as SE) is an interpreted language that provides an extensive toolkit for building performance tools and utilities. If you are fed up with the limitations of vmstat, iostat and sar, then this is the tool for you. We provide trivial scripts that are improved versions of the basic utilities and build on them to provide powerful rule-based performance monitors and viewers. The extensions package includes a Motif-based GUI library and the rules package implements Adrian's favourite performance rules.
July 18th 2000, a patch is now available to make the SE3.1preFCS packages install and run on Solaris 8 with some limitations.
The three packages provided are:
RICHPse, The SymbEL Interpreter
RICHPsex, The SE eXtensions Package
ANCrules, Adrian's Rules & Tools
Unfortunately I've not had a chance to test drive it, but it sounds interesting. There seems to be little development activity currently.
See also http://www.sun.com/sun-on-net/performance/se3
If you have any security tips/scripts you'd like to share with others, contact us.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
All security tool news is now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved. Last Update: 13 January, 2001