Weekly Solaris Security Digest
2000/01/08 to 2001/01/15

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

Sun Bulletin #00200 (Bugtraq ID 2193): "arp" vulnerability
http://www.securityfocus.com/bid/2193 

Sun released patches for Solaris 7 and earlier for a setgid vulnerability in arp.
Vulnerability: "A malicious user could overflow the stack and execute shellcode which could allow unauthorized root access". This is a classic local exploit of unchecked command-line parameters in a setgid binary. Exploit code has been released.

OS Version Patch ID
__________ _________
SunOS 5.7 109709-01
SunOS 5.7_x86 109710-01
SunOS 5.6 109719-01
SunOS 5.6_x86 109720-01
SunOS 5.5.1 109721-01
SunOS 5.5.1_x86 109722-01
SunOS 5.5 109707-01
SunOS 5.5_x86 109708-01
SunOS 5.4 109723-01
SunOS 5.4_x86 109724-01

CERT/CC Current Activity
http://www.cert.org/current/current_activity.html

Compromises via rpc.statd Vulnerability
Compromises via 'SITE EXEC' Vulnerability in FTPD
Virus Activity
Scans and Probes

Bugtraq vulnerabilities this week - Solaris:

2001-01-09: Solaris exrecover Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2179 

"exrecover is a system binary included with Solaris, a variant of the UNIX Operating System distributed by Sun Microsystems. A problem in the binary could lead to a local attack.
The problem occurs in the handling of format strings by the program. By executing the program and using format strings as arguments to the command, it is possible to overflow buffers and cause the program to crash. The binary, as distributed with Solaris versions 2.4 through 2.6, is setuid root. While no known exploits exist for this problem, future research and exploitation of this vulnerability could occur, making it possible for a user with malicious intent to overwrite stack variables and potentially arbitrarily execute code."

Analysis: Solaris 2.6 and earlier are vulnerable; remove the SUID bit to make it safe (it is not really needed anyway). This is registered with Sun as Bug# 4161925.

Bugtraq vulnerabilities this week - 3rd party applications:

2001-01-10: WebMaster ConferenceRoom Developer Edition DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2178 

2001-01-08: StorageSoft ImageCast IC3 DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2174 

2001-01-08: IBM HTTP Server AfpaCache DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2175 

2001-01-07: eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2177 

2001-01-05: Lotus Domino Server Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2173


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8       Jan/09/01
Solaris 7       Jan/05/01
Solaris 2.6     Jan/05/01
Solaris 2.5.1   Jan/05/01

See also ftp://sunsolve.sun.com/pub/patches


News & Articles

SecurityPortal.com

Computer Crime Investigator's Toolkit: Part I
http://www.securityportal.com/articles/toolkit20010102.html

A four-part series on computer crime will cover a summary of basic, practical knowledge, "tricks," if you like, that should interest all computer crime investigators. While they may not be the final word in preparing for an examination, these techniques will provide some insight into the ways and means of computer criminals. I hope to get you into the spirit of the hunt. Learning to think how a criminal looks at twisting, altering, hiding, and diverting information will definitely make the game more interesting. This part focuses on DOS and Unix tricks.


SecurityFocus

IDS Evasion with Unicode
Eric Hacker
http://www.securityfocus.com/focus/ids/articles/utf8.html

Recently, there has been much discussion of the Unicode problem with regard to intrusion detection. Some pundits have gone so far as to claim that Unicode will contribute to the demise of Intrusion Detection Systems (IDS). This article by Eric Hacker explains what Unicode is, how it complicates IDS and provides opportunities for IDS evasion, and what can be done about it. The discussion focuses particularly on the role of UTF-8, a means by which Unicode code points are encoded, in circumventing IDSs.

HERT

Hacker Emergency Response Team Tutorials
http://plan9.hert.org/docs/tutorials 

A set of links to tutorials on C, C++, CGI, CORBA, CSS, CVS, DHTML, Emacs, Expect, Fortran, GIMP, GNOME, GTK, Gnuplot, HTML, ILU, IP-Masquerading, IPC, Java, JavaScript, Lisp, MIDI, ML, MPI, Matlab, Misc, Motif, OpenGL, PHP, PVM, Pascal, Perl, PostScript, Povray, Prolog, Python, RPC, Rexx, Ruby, SCSI, SQL, SSI, STL, Samba, Scheme, Smalltalk, TCP/IP, Tcl/Tk, TeX, UNIX, VRML, X11, XDR, XML, auto, debugging, elm, lex, make, networks, sed, shells, sockets, threads and vi.


Mailing Lists

FOCUS-Sun Discussions Threads

01/10/01 Openssh and Solaris8(sparc)
http://www.securityfocus.com/templates/archive.pike?tid=155456&fromthread=0&threads=1&end=2001-01-13&start=2001-01-07&list=92& 

01/10/01 Solaris specific security documentation?
http://www.securityfocus.com/templates/archive.pike?tid=155448&fromthread=0&threads=1&end=2001-01-13&start=2001-01-07&list=92& 

01/10/01 FW: Solaris /usr/lib/exrecover buffer overflow
http://www.securityfocus.com/templates/archive.pike?tid=155419&fromthread=0&threads=1&end=2001-01-13&start=2001-01-07&list=92& 

01/09/01 Solaris 7 sticky bit on directory
http://www.securityfocus.com/templates/archive.pike?tid=155093&fromthread=0&threads=1&end=2001-01-13&start=2001-01-07&list=92& 

01/05/01 Solaris patches
http://www.securityfocus.com/templates/archive.pike?tid=154487&fromthread=0&threads=1&end=2001-01-06&start=2000-12-31&list=92& 

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current.

No Discussions this week.

See also http://www.yassp.org


Tip of the Week: SymbEL

Another reader tip this week!

SymbEL, by Richard Pettit, is a tool that helps spot performance problems and is useful for diagnostics. SymbEL comes with several terminal-based and GUI monitoring tools (the GUI ones use Tcl/Tk). It's not officially "supported" by Sun, but they let you download it "as is". A few quotes:

SymbEL (known as SE) is an interpreted language that provides an extensive toolkit for building performance tools and utilities. If you are fed up with the limitations of vmstat, iostat and sar, then this is the tool for you. We provide trivial scripts that are improved versions of the basic utilities and build on them to provide powerful rule-based performance monitors and viewers. The extensions package includes a Motif-based GUI library and the rules package implements Adrian's favourite performance rules.

July 18th 2000, a patch is now available to make the SE3.1preFCS packages install and run on Solaris 8 with some limitations.

The three packages provided are:
RICHPse, The SymbEL Interpreter
RICHPsex, The SE eXtensions Package
ANCrules, Adrian's Rules & Tools

Unfortunately I've not had a chance to test drive it, but it sounds interesting. There seems to be little development activity currently.

See also http://www.sun.com/sun-on-net/performance/se3 

If you have any security tips/scripts you'd like to share with others, contact us.


References and Resources

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html

All security tool news is now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 13 January, 2001

Sign up to get this digest and many others by email.