Weekly Solaris Security Digest
2000/01/15 to 2001/01/22

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown

Note: More feedback on the structure & focus of this digest would be appreciated from our readers. The Tip of the Week section seems to be well appreciated, but what other sections interest you most? Do we spend too much time on some topics, not enough on others, or miss others completely? Are topics too simple or too advanced? Would you like to see a list of patches that have changed for Solaris 7 and 8 each week?
Thanks in advance. sean at boran.com.


Advisories and Security Bulletins

Sun / CERT bulletins

Sun Bulletin #00200 (Bugtraq ID 2193):  "arp" vulnerability
http://www.securityfocus.com/bid/2193 

Note: This was put into the digest late last week, so some of you may not have seen it; it is being repeated here. This advisory now has a Bugtraq entry too: http://securityfocus.com/vdb/bottom.html?vid=2193

Sun released patches for Solaris 7 and earlier for a setgid vulnerability in arp.
Vulnerability: "A malicious user could overflow the stack and execute shellcode which could allow unauthorized root access".
Analysis: This is a classical local exploit of unchecked command-line parameters. Exploit code has been released.

OS Version        Patch ID
__________        _________
SunOS 5.7         109709-01
SunOS 5.7_x86     109710-01
SunOS 5.6         109719-01
SunOS 5.6_x86     109720-01
SunOS 5.5.1       109721-01
SunOS 5.5.1_x86   109722-01
SunOS 5.5         109707-01
SunOS 5.5_x86     109708-01
SunOS 5.4         109723-01
SunOS 5.4_x86     109724-01


SSH1 Secure RPC Vulnerability
http://www.ssh.com/products/ssh/patches/secureRPCvulnerability.html

SSH is probably used by many of you, so a brief analysis is provided here.
Vulnerability:

When using secure-RPC support to encrypt a secret key file with the "SUN-DES-1 magic phrase," it is possible for SSH to generate a "magic phrase" which is easily discoverable by other users on the same host, or in the same NIS+ domain.

Analysis:

Bugtraq vulnerabilities this week - Solaris:

No vulnerabilities in the Bugtraq database, but a buffer overflow of /bin/cu was reported on the Bugtraq email list http://archives.neohapsis.com/archives/bugtraq/2001-01/0289.html, which could allow a normal user to assume "uucp" privileges.

Bugtraq vulnerabilities this week - 3rd party applications:

2001-01-17: Tinyproxy Heap Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2217

2001-01-16: PHP .htaccess Attribute Transfer Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2206

2001-01-16: splitvt Format String Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2210

2001-01-15: Veritas Backup Denial of Service Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2204

2001-01-14: Iomega JaZip Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2209

2001-01-14: Trend Micro Interscan VirusWall Weak Admin Password Protection Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2212

2001-01-14: Trend Micro Interscan VirusWall Symlink Root Compromise Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2213

2001-01-14: Flash Sound Write-Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2214

2001-01-12: PHP Engine Disable Source Viewing Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2205

2001-01-11: Ultraboard Incorrect Directory Permissions Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2197

2001-01-11: Basilix Webmail Incorrect File Permissions Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2198

2001-01-10: Apache /tmp File Race Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2182
Comment: This mentions Apache for Immunix/RedHat, but I don't see indications why other OSs should not be vulnerable.


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8       Jan/17/01*
Solaris 7       Jan/05/01
Solaris 2.6     Jan/05/01
Solaris 2.5.1   Jan/05/01

See also ftp://sunsolve.sun.com/pub/patches


News & Articles

Timo's procmail tips and recipes
http://www.uwasa.fi/~ts/info/proctips.html

Although not strictly security related, this may be of interest to you.


SecurityPortal.com

The Future of Operating Systems Security
Ronald L. Mendell
http://securityportal.com/cover/coverstory20010115.html

Often computer security takes us down strange paths; for example, what is the connection between the Navajo language and the future of operating systems? These subjects seem odd bedfellows to be sure; yet, we shall learn that obscurity, contrary to the general maxim, sometimes does create a degree of security.

Counterpane

The latest Crypto-Gram is out and worth a read as usual.
http://www.counterpane.com/crypto-gram-0101.html


SecurityFocus

How to create a hidden sniffer with Solaris
Rob Thomas
http://www.enteract.com/~robt/Docs/Howto/Sun/sniffer-trick.txt

While experimenting with some code, I came up with this trick for creating an unseen Solaris sniffer. It is possible, when using snoop(1M), to sniff packets through an unplumbed interface. The obvious benefit is that the interface can not be detected. Thus, the sniffer remains impervious to detection and attack.

Comment: This is basically how the Sunscreen works. Snoop can also be run on the (unplumbed) Sunscreen interfaces, even if the Sunscreen engine is running (this is a useful debugging tip if you run Sunscreens and have problems with some rules). The sniffer is still subject to buffer attacks though, even if it is not visible.


Sun Enterprise Network Security Service (SENSS)
Bruce Development Team (Sun)
http://www.sun.com/software/communitysource/senss

SENSS "Bruce" is a flexible, Java-based infrastructure that permits centralized security management of small, medium and large-sized intranets. The Bruce software provides you with a network service daemon that should be installed on each host in your network; these daemons are linked together in a hierarchy of trust. This hierarchy may be used for the distribution and execution of digitally-signed packages containing (java, binary, or script) code that may be used to check and fix host security issues in a bulk, batch-oriented manner. Execution requests are likewise digitally signed, replay attacks are prevented, and network communications are secured by access-control lists and pluggable authentication and secrecy modules. Output generated during the process of checking is in HTML format, and percolates to the root of the hierarchy, where it is browsable.
The Bruce software is not yet complete; this is the Early Access 2 (EA2) release, that we (the Bruce development team) are making available for the benefit of parties with a professional interest in network security, for their experimentation and comment.

Comment: sounds interesting, pity the license is not more open. Sun seem to have a tight control on changes/improvements and distribution.

Sun

Sun Provides Financing for Tripwire
http://www.telekomnet.com/writer_telekomnet/1-17-01_tripwire.asp

Sun Microsystems has invested $5 million in Tripwire Inc., a developer of network security software. Tripwire's network security software will complement Sun's networking hardware systems. The software prevents hackers from accessing company data, and monitors networks to provide notification of any intrusion or alteration of data.
Comment: So maybe we'll finally get a decent tripwire bundled with Solaris?


Solaris Tunable Parameters Reference Manual
http://docs.sun.com/ab2/coll.709.2/SOLTUNEPARAMREF/

This document has been updated for Solaris 8, release 01/01. It includes: Overview of Solaris System Tuning, Solaris Kernel Tunables, NFS Tunable Parameters, TCP/IP Tunable Parameters, System Facility Parameters, Tunable Parameter Change History. An interesting read.


Sun Storage hints/FAQs
http://www.sun.com/bigadmin/home/index.html

BigAdmin lists a few useful links:
Sun Storage Helpful Hints http://www.eng.auburn.edu/pub/mail-lists/ssastuff/ (we might have listed this one a while back)
Sun StorEdge A3500/A3500FC http://www.sun.com/storage/a3500/a3500_faq.html
Sun StorEdge T3 Array for the workgroup http://www.sun.com/storage/t3wg/t3wg_faq.html
Sun StorEdge T3 Array for the enterprise http://www.sun.com/storage/t3es/t3es_faq.html

LinuxSecurity

The Honeynet Forensic Challenge
http://www.linuxsecurity.com/feature_stories/forensic-challenge.html
http://project.honeynet.org/challenge/
David Dittrich

The Forensic Challenge is an effort to allow incident handlers around the world to all look at the same data -- an image reproduction of the same compromised system -- and to see who can dig the most out of that system and communicate what they've found in a concise manner. This is a nonscientific study of tools, techniques, and procedures applied to post-compromise incident handling. The challenge is to have fun, to solve a common real world problem, and for everyone to learn from the process......

Comment: You can download the 'dd' images of the compromised RedHat 6.2 system and try to figure out what happened. Interesting.


Initial Cryptanalysis of the RSA SecurID Algorithm
@stake
http://www.linuxsecurity.com/resource_files/cryptography/initial_securid_analysis.pdf

This short paper will examine several discovered statistical irregularities in functions used within the SecurID algorithm: the time computation and final conversion routines. Where and how these irregularities can be mitigated by usage and policy are explored. We are planning for the release of a more thorough analysis in the near future. This paper does not present methods of determining the secret component by viewing previously generated or successive tokencodes.


Full Text of Underground Available for Download underground-book.org
http://www.linuxsecurity.com/resource_files/documentation/suelette-dreyfus--underground.txt.bz2

The full text of "Underground: tales of hacking, madness and obsession on the electronic frontier" is now available for download. Underground is the compelling true story of the rise of the computer underground and the crimes of an elite group of hackers who took on the forces of the establishment..... Underground uncovers the previously hidden story behind hackers from 8LGM, The Realm, the publishers of International Subversive and other linked Internet hacking groups.....


BSD Today

Process accounting with lastcomm and sa
Jeremy C. Reed
http://www.bsdtoday.com/2001/January/Features385.html

Do you ever wonder what commands are running on your system? Do you want to find the time a particular command was executed? Or do you want to analyze your server's performance? By enabling process accounting you can find information about previously executed commands and past system resource usage.

Comment: This is BSD stuff, most of which applies to Solaris too.


SunWorld/UnixInsider

Starting from scratch [Backups Explained]
Carole Fennelly
http://www.sunworld.com/unixinsideronline/swol-01-2001/swol-0112-unixsecurity.html

Of all people, security experts are the most likely to keep their own systems backed up, and verify that the backups haven't been overwritten, right? Wrong, says Carole Fennelly. In this week's Unix Security, Carole reveals how complacency caused her to lose her home directory and email, and shows you how you can prevent the same thing from happening to you.


Linux Security

Using umask
Ryan W. Maple
http://www.linuxsecurity.com/tips/tip-1.html

The umask command controls the default file and directory creation mode for newly-created files and directories. The umask command can be used to determine the default file creation mode on your system.


File transfer options -- Part I: Secure iXplorer
ApacheToday - Nick DeClario
http://www.linuxsecurity.com/articles/server_security_article-2300.html

This is the first part in a series of articles about different options for secure file transfers. How to sniff connections, steal passwords or if SSH is really "secure" are not topics that will be covered by these articles. But hopefully, it will contain some information that will be valuable for your web hosting clients and for you -- the Apache webserver administrators. This first article covers a file transfer client for the end users -- it requires a secure shell server to be installed on the web server.


Mailing Lists

FOCUS-Sun Discussions Threads

01/13/01 Removing default system accounts
http://securityfocus.com/templates/archive.pike?list=92&start=2001-01-07&fromthread=0&threads=1&end=2001-01-13&tid=156066&

01/12/01 sunscreen EFS: was Testing fw1 implementation
http://securityfocus.com/templates/archive.pike?list=92&start=2001-01-07&fromthread=0&threads=1&end=2001-01-13&tid=155902&

01/12/01 Sun Security Bulletin #00200 (fwd)
http://securityfocus.com/templates/archive.pike?list=92&start=2001-01-07&fromthread=0&threads=1&end=2001-01-13&tid=155944&

01/12/01 Testing fw1 implementation
http://securityfocus.com/templates/archive.pike?list=92&start=2001-01-07&fromthread=0&threads=1&end=2001-01-13&tid=155934&

01/12/01 Openssh and Solaris8(sparc)
http://securityfocus.com/templates/archive.pike?list=92&start=2001-01-07&fromthread=0&threads=1&end=2001-01-13&tid=155884&


YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current; Jean has documented the outstanding changes planned for beta16:

Discussions this week:

Solaris Tuning Page
http://www.theorygroup.com/Archive/YASSP/2001/msg00001.html

Sshd_config corrections
http://www.theorygroup.com/Archive/YASSP/2001/msg00002.html

See also http://www.yassp.org


Tip of the Week:

Two tips this week:

1. "ph" script:

Francisco Mancardi from U&R Consultores [fman@uyr.com.ar] is contributing a script called ph (Put Header), to create a standard header for various types of files (configuration files, readme files, cc, c++, scripts..) with certain standard fields (customer name, hostname, full pathname, who is adding the header).

The idea is to create a standard header containing important information for new files, for better documentation. As he says himself: "OK, maybe I have an obsession with the documentation, but I think is very useful." :)

It can be downloaded from www.boran.com/security/sp/solaris/ph.1.1.tar
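As an added illustration (this is not Francisco's ph script, whose field layout and options may differ), a POSIX sh sketch of the same idea: build a header from the fields above, choose the comment syntax from the file name, and keep a "#!" interpreter line on line 1. CUSTOMER is an assumed environment variable.

```shell
#!/bin/sh
# ph-style "put header" (added example, not the ph script itself).
# Builds a standard documentation header (customer, host, full path, author,
# date) and prepends it to a file, picking the comment syntax from the file
# name. CUSTOMER is an assumed environment variable; the field layout is my own.

# make_header PATH CUSTOMER HOST USER DATE -> header text on stdout
make_header() {
    path=$1 customer=$2 host=$3 user=$4 when=$5
    case "$path" in
        *.c|*.h|*.cc|*.cpp|*.java) open='/*'; mid=' *'; close=' */' ;;  # C family
        *)                          open='#';  mid='#';  close='#'   ;;  # scripts, config, README
    esac
    printf '%s\n' "$open" \
        "$mid Customer : $customer" \
        "$mid Host     : $host" \
        "$mid File     : $path" \
        "$mid Author   : $user" \
        "$mid Created  : $when" \
        "$close"
}

# put_header FILE: prepend the header in place. A "#!" interpreter line must
# stay on line 1, so the header goes just after it when one is present.
put_header() {
    f=$1
    [ -f "$f" ] || { echo "ph: $f: no such file" >&2; return 1; }
    case "$f" in /*) path=$f ;; *) path=$(pwd)/$f ;; esac   # full pathname
    hdr=$(make_header "$path" "${CUSTOMER:-unknown}" "$(uname -n)" \
                      "$(id -un)" "$(date '+%Y-%m-%d')")
    tmp="$f.ph.$$"
    first=$(sed -n 1p "$f")
    case "$first" in
        '#!'*) { printf '%s\n%s\n' "$first" "$hdr"; sed 1d "$f"; } > "$tmp" ;;
        *)     { printf '%s\n' "$hdr"; cat "$f"; } > "$tmp" ;;
    esac
    # cat back rather than mv so the file keeps its mode and owner
    cat "$tmp" > "$f" && rm -f "$tmp"
}
```

Source the file and call put_header FILE; set CUSTOMER beforehand to fill in the customer field.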

2. "chk_disk" script

This is a script of my own, that I run from cron to report (via email) if any local filesystem has reached 97% capacity or more.

It can be downloaded from www.boran.com/security/sp/solaris/chk_disk
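As an added illustration (this is not the chk_disk script itself), a POSIX sh version of the same check: parse Solaris-style df -k output, skip the pseudo-filesystems, and report anything at or above the threshold. A constructed df -k sample stands in for the live command; the mail recipient is an assumption.

```shell
#!/bin/sh
# chk_disk-style check (added example, not Seán Boran's script): report any
# local filesystem at or above a usage threshold. Meant to run from cron and
# mail only when there is something to say, so quiet runs send nothing.
# Assumes Solaris-style "df -k" output; the sample below is constructed.

THRESHOLD=${THRESHOLD:-97}

# Constructed sample of `df -k` output, standing in for the live command.
SAMPLE_DF='Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0t0d0s0    1015542  693432  261178    73%    /
/dev/dsk/c0t0d0s3    4131866 4009823   80725    99%    /var
/dev/dsk/c0t0d0s7    8259516 7935000  241916    97%    /export/home
swap                 1216432      16 1216416     1%    /tmp'

# check_usage THRESHOLD < df-output
# Prints "mountpoint NN%" for each filesystem whose capacity is at or above
# THRESHOLD. Skips the header line and the swap/proc/fd/mnttab pseudo
# filesystems so that only real local disks are reported.
check_usage() {
    awk -v limit="$1" '
        NR == 1 { next }                                   # header line
        $1 == "swap" || $1 == "proc" || $1 == "fd" || $1 == "mnttab" { next }
        {
            pct = $5; sub(/%/, "", pct)                    # strip the % sign
            if (pct + 0 >= limit + 0) printf "%s %s%%\n", $6, pct
        }'
}

# Report over the constructed sample (what the cron job would mail).
report_sample() {
    printf '%s\n' "$SAMPLE_DF" | check_usage "$THRESHOLD"
}

# Live check for cron: run df -k and mail root only if something is over the limit.
check_live() {
    out=$(df -k | check_usage "$THRESHOLD")
    [ -n "$out" ] || return 0          # nothing to report: stay quiet
    printf 'Filesystems at %s%% or more on %s:\n%s\n' "$THRESHOLD" "$(uname -n)" "$out" \
        | mailx -s "chk_disk: $(uname -n)" root
}
```

A crontab entry such as "0 * * * * /path/to/chk_disk" running check_live gives hourly checks; with the sample data the report lists /var (99%) and /export/home (97%).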


If you have any security tips/scripts you'd like to share with others, contact us.


References and Resources

All security tool news is now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 19 January, 2001

Sign up to get this digest and many others by email.