By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
2001-01-17: Solaris cu Buffer Overflow Vulnerability
http://www.securityfocus.com/bottom.html?vid=2253
"cu" is a Unix communications program. It is usually installed with enhanced privileges so that it may access communications hardware. The version of /usr/bin/cu that ships with Solaris contains a buffer overflow. It may be possible for a local attacker to exploit this vulnerability to gain effective group-id 'uucp', which may lead to a root compromise. Vulnerable systems: Sun Solaris 2.4 - 8.0.
Analysis:
- Likelihood: local users could misuse this weakness to gain elevated privileges, so it will soon become part of script kiddies' toolkits.
- It could be a severe problem. Juergen P. Meier explains how to get root on a freshly installed and patched Solaris 7.0: elevate your UID to uucp, then replace uudecode and uuencode with trojaned versions that check whether the [E]UID is 0 and create a backdoor when it is. Then just wait until root processes some uuencoded file, for example by sending a uuencoded mail to root, or try to get root to use uudecode by other means to accelerate this. Michael H. Warfield explains that it is possible to gain special privileges and access all the uucp control files, which can contain account names and passwords for other systems. It ain't root, but it's more than he should have. Wietse Venema confirms this: it is worse than that. Once UUCP privilege is gained you can replace the UUCP executables. That gives you full control over any user that happens to execute those UUCP executables: a root-owned cron job, a sendmail.cf mailer rule that executes as daemon, and so on. Casper Dik notes that in Solaris 8 the ownership of the binaries has been changed to root, except those that are set-uid uucp; the uucp configuration and tip are still uucp owned.
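Since the analysis above turns on which binaries still carry the uucp privilege, a small audit helps when reviewing a host after patching. The script below is an added example written for this digest, not part of the advisory or of Sun's tooling: it lists set-uid and set-gid files below a directory together with their owner and group, and can restrict the listing to one group such as uucp. The /usr tree named in the comment is an assumption; any tree can be passed in.

```shell
#!/bin/sh
# Added example, not from the digest: audit a directory tree for set-uid and
# set-gid files and show who owns them, so that binaries carrying the uucp
# privilege that the cu overflow reaches can be reviewed after patching.
# Paths containing whitespace are not handled (ls -ld output is split on blanks).

# setid_files DIR: print "owner group mode path" for each regular file below DIR
# that carries the set-uid (4000) or set-gid (2000) bit, one file per line.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
        awk '{ print $3, $4, $1, $NF }'
}

# setid_files_for_group DIR GROUP: the subset of setid_files whose group is GROUP.
setid_files_for_group() {
    setid_files "$1" | awk -v g="$2" '$2 == g { print }'
}

# setid_count DIR: number of set-id files below DIR, handy to record with a
# baseline and re-check after a patch cluster has been installed.
setid_count() {
    setid_files "$1" | wc -l | tr -d ' '
}

# Stand-alone run: "sh audit.sh /usr" lists the uucp group's set-id binaries
# under /usr (the tree to scan is an assumption; pass whichever you want).
if [ $# -gt 0 ]; then
    setid_files_for_group "$1" uucp
fi
```

Run it once on a freshly installed and patched host and keep the output; a later run that shows additional set-id files, or a changed owner on a known one, is worth a closer look.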
2001-01-23: Lotus Domino Mail Server 'Policy' Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2283
2001-01-23: Wu-Ftpd Debug Mode Client Hostname Format String Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2296
2001-01-23: Oracle XSQL Servlet Arbitrary Java Code Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2295
2001-01-24: Netscape Enterprise Server 'Index' Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2285
2001-01-22: Netscape FastTrak Cache Module DoS Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2273
2001-01-22: Netscape Enterprise Server DoS Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2282
2001-01-21: Icecast Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2264
2001-01-19: bing gethostbyaddr Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2279
2001-01-18: mICQ Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2254
2001-01-18: Mysql Local Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2262
2001-01-17: Checkpoint Firewall-1 4.1 Denial of Service Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2238
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Jan/25/01
Solaris 7 Jan/24/01
Solaris 2.6 Jan/24/01
Solaris 2.5.1 Jan/24/01
See also ftp://sunsolve.sun.com/pub/patches
Note: starting next week, we hope to provide you with a list of patches that have changed when a new patch bundle is published.
FAQ on Booting Solaris to either the 64-bit kernel or the 32-bit kernel
SunSolve Online
http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&nolog=1&doc=infodoc/21434
This InfoDoc is not directly related to security but provides a FAQ on booting Solaris to either the 64-bit kernel or the 32-bit kernel. Booting the 64-bit kernel has been available on Ultra systems with UltraSPARC(TM) processors (sun4u or greater platforms) since the first release of Solaris 7.
Just the FAQs - Online resources for Unix users
Mo Budlong
http://www.sunworld.com/unixinsideronline/swol-01-2001/swol-0119-unix101.html
Where do you go when you need quick Unix advice, and you're nowhere near your man pages? Now you can find them online at a variety of Websites, some of which are hyperlinked to make finding an answer even quicker. In this month's Unix 101, Mo Budlong offers a list of the online man pages that he uses as well as resources for FAQs and how-tos.
Conquering IT data-protection fears - Adequate backups can help you maintain your sanity
Ron Levine
http://www.sunworld.com/unixinsideronline/swol-01-2001/swol-0105-storage.html
What IT manager doesn't worry about losing data because of a disk crash, a hacker, or even a spilled Coke? While you can't protect yourself against every possible accident or invasion, having the right data protection and backup devices in place can help you recover what you've lost. In this first installment of Storage Solutions, Ron Levine talks to experts at StorNet to find the best options for protecting and backing up your system.
OS identification - The more a hacker knows about your system, the easier it is for him to get in
Sandra Henry-Stocker
http://www.sunworld.com/unixinsideronline/swol-12-2000/swol-1208-buildingblocks.html
When hackers plan to break into Websites, they first try to find out which operating system the site is using. Once they determine that and which services are running, their chances of successfully attacking a system are greatly increased. What can you do to stop them? In this month's Building Blocks of Security, Sandra Henry-Stocker introduces active and passive stack fingerprinting, two ways that hackers profile your systems.
SolarisGuide
First Public Release of JAIN(TM) JCC and SIP Specifications Ready For Developers
Sun Microsystems, Inc.
http://www.solarisguide.com
Sun announced the first public release of two JAIN(TM) specifications. The JAIN APIs are a set of Java technology-based APIs (application programming interfaces) that bring service portability, convergence, and secure network access to telephony and data networks, thus simplifying network service delivery for service providers. The newly available API specifications are for JAIN Call Control (JCC) and JAIN Session Initiation Protocol (SIP).
InfoWorld
Sun broadens StorEdge platform support
http://www2.infoworld.com/articles/hn/xml/01/01/10/010110hnstoredge.xml
Sun has broadened platform support for the Sun StorEdge T3 array, which is now supported on additional platforms.
SecurityFocus
NFS and NIS Security
Kristy Westphal
http://www.securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/nfsnis.html
Why is it that almost any book or paper about Solaris security explicitly says: turn off the NFS and NIS services? Some system administrators, though, cannot just turn off these services, as they are already key services implemented across their enterprises. Security issues seem to be inherent in their structure; however, there are methods and precautions that can be taken to make them more secure than their plain-vanilla implementations.
Comment: A useful introduction to RPC, NFS, NIS and methods for securing them. NIS+, NFSv4 and SecureNFS need more coverage though.
SSL - Rumours and Reality
A practical perspective on the value of SSL for protecting web servers
Charl Van Der Walt
http://www.securityfocus.com/frames/?focus=basics&content=/focus/basics/articles/ssl.html
Comment: A useful explanation of SSL, how it is used and its risks.
Safer CGI Scripting
Charles Walker and Larry Bennett
http://www.sysadminmag.com/current/feature.shtml
Establishing Good Password Policies
Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2001/01/17/FreeBSD_Basics.html
Comment: This FreeBSD article runs through issues that are also relevant on Solaris.
Security patches aren't being applied
Robert Lemos
http://www.zdnet.com/zdnn/stories/news/0,4586,2677878,00.html
Software "fixes" routinely available but often ignored
Robert Lemos
http://news.cnet.com/news/0-1005-201-4578373-0.html?tag=st.ne.1002.unkn&tag=unkn
GnuPG: An Open Solution to Data Protection
D. Hageman
http://www.unixreview.com/open_source/articles/0101gnupg.shtml
No discussions this week.
Yassp beta 15 is still current.
Key activity: the latest Solaris 8 release contains a new daemon which is not disabled by Yassp. Installing the recommended patch bundles can cause Yassp's changes to boot files to be lost!
Discussions this week:
SSH inactivity timeout
http://www.theorygroup.com/Archive/YASSP/2001/msg00017.html
PARCDaily suggested change
http://www.theorygroup.com/Archive/YASSP/2001/msg00018.html
How to make YASSP and patch updates co-exist...
http://www.theorygroup.com/Archive/YASSP/2001/msg00019.html
Openssl libraries
http://www.theorygroup.com/Archive/YASSP/2001/msg00011.html
Default syslog.conf config
http://www.theorygroup.com/Archive/YASSP/2001/msg00010.html
Yassp feedback
http://www.theorygroup.com/Archive/YASSP/2001/msg00005.html
http://www.theorygroup.com/Archive/YASSP/2001/msg00006.html
See also http://www.yassp.org
All security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
How do you recognise a compromised system? The appearance of kernel kits for hiding penetrations makes life much more difficult. Let's examine one kernel trojan and consider some countermeasures.
Solaris Integrated Trojan Facility 0.2
Plasmoid/THC
http://www.infowar.co.uk/thc
http://securityfocus.com/templates/tools.html?id=1006
This is a publicly released Solaris Loadable Kernel Module backdoor from The Hacker's Choice.
The 'sitf0.2' module features:
- File, directory and process hiding.
The default hidden expression is 'blah'. When tested with files and directories it didn't always work if several entries in the current directory contained 'blah'. Interestingly, 'find' didn't catch the same entries as 'ls'. All processes containing 'blah' were perfectly hidden.
- Converting a magic uid to root uid (default is uid 1001).
Tests worked perfectly: a user with uid 1001 has complete root access.
- Execution redirecting (default: /usr/openwin/bin/xview/xcalc is executed instead of /bin/who).
Tests worked perfectly: xcalc was executed instead of who.
- Promiscuous flag hiding: I don't see how this should work, since "ifconfig -a" doesn't show the promiscuous flag anyway?
- A switch to toggle file content and directory hiding (default 'touch mykey'). Tests: this didn't work for me, I always got the message 'touch: mykey cannot create'.
The 'anm' module is really nasty: "This is probably the most stupid module I ever programmed, instead of faking syscalls or installing backdoors, this module just corrupts a system, making it slightly unusable by randomly generating different system errors." I didn't try testing this module.
Analysis:
On a Solaris 2.7 server, the following 89 (!) standard kernel modules were loaded. This shows how difficult it is to recognise trojans.
# modinfo
Id Loadaddr Size Info Rev Module Name
6 10104000 4577 1 1 specfs (filesystem for specfs)
8 10109774 2de8 1 1 TS (time sharing sched class)
9 1010bf1c 4f0 - 1 TS_DPTBL (Time sharing dispatch table)
10 1010bf70 27818 2 1 ufs (filesystem for ufs)
11 10130224 ec4c 226 1 rpcmod (RPC syscall)
11 10130224 ec4c 1 1 rpcmod (rpc interface str mod)
12 1013d920 28d74 0 1 ip (IP Streams module)
12 1013d920 28d74 3 1 ip (IP Streams device)
13 1015fe90 15e0 1 1 rootnex (sun4u root nexus)
14 1016105c 1ec 57 1 options (options driver)
15 10161180 79c 62 1 dma (Direct Memory Access driver)
16 101616e0 75cf 59 1 sbus (SBus (sysio) nexus driver)
17 10167f18 1648 12 1 sad (Streams Administrative driver's)
18 101692a8 61f 2 1 pseudo (nexus driver for 'pseudo')
19 10169728 10e4c 32 1 sd (SCSI Disk Driver 1.300)
20 10179294 7136 - 1 scsi (SCSI Bus Utility Routines)
21 1017de84 d719 61 1 esp (ESP SCSI HBA Driver v1.264)
26 101a435c 15c3 - 1 dada ( ATA Bus Utility Routines)
27 101a53e8 886 - 1 todmostek (tod module for Mostek M48T59)
28 1018a45c 128c2 5 1 procfs (filesystem for proc)
30 101b0db4 ccec 8 1 sockfs (filesystem for sockfs)
32 1019cce8 616 11 1 clone (Clone Pseudodriver 'clone')
33 101bd0a8 17a04 2 1 tcp (TCP Streams module)
33 101bd0a8 17a04 42 1 tcp (TCP Streams device)
34 1019d0d4 1055 - 1 md5 (MD5 Message-Digest Algorithm)
35 1019e030 45e0 3 1 udp (UDP Streams module)
35 1019e030 45e0 41 1 udp (UDP Streams device)
36 101a1610 3b58 4 1 icmp (ICMP Streams module)
36 101a1610 3b58 5 1 icmp (ICMP Streams device)
37 101a5b70 51a7 5 1 arp (ARP Streams module)
37 101a5b70 51a7 44 1 arp (ARP Streams driver)
38 101a9f0c 45b7 6 1 timod (transport interface str mod)
40 101cff64 8a7f 29 1 zs (Z8530 serial driver V4.120)
41 101aece8 1800 7 1 ms (streams module for mouse)
42 101b0250 a1c 17 1 consms (Mouse Driver for Sun 'consms')
43 101d82a4 3ece 8 1 kb (streams module for keyboard)
44 101dae8c b55 16 1 conskbd (Console kbd Multiplexer driver )
45 101db684 1955 15 1 wc (Workstation multiplexer Driver )
46 101dc3ec 234f 0 1 elfexec (exec module for elf)
47 101de42c 104d 13 1 mm (memory driver)
48 101df1e8 3288 3 1 fifofs (filesystem for fifo)
49 101e1fe0 5926 9 1 ldterm (terminal line discipline)
50 101e6e90 2381 10 1 ttcompat (alt ioctl calls)
51 101e9024 14d0 26 1 ptsl (tty pseudo driver slave 'ptsl')
52 101ea15c 2053 25 1 ptc (tty pseudo driver control 'ptc')
58 101ed034 4683 105 1 tl (TPI Local Transport Driver - tl)
59 101f11b0 160a 53 1 sysmsg (System message redirection (fan)
60 101f1fdc 6d8 0 1 cn (Console redirection driver)
61 101f24b4 4c5 1 1 intpexec (exec mod for interp)
62 101a409c 2fc 42 1 pipe (pipe(2) syscall)
63 101f6494 b88e 7 1 hme (FEPS Ethernet Driver v1.114 )
65 102004d0 726a - 1 ufs_log (Logging UFS Module)
66 101f28c4 d70 12 1 fdfs (filesystem for fd)
67 101f3374 7f6 90 1 kstat (kernel statistics driver)
68 10206ec0 d8a2 11 1 tmpfs (filesystem for tmpfs)
69 101f39ac 9db 21 1 log (streams log driver)
70 1020bf08 3e12 201 1 doorfs (doors)
71 101f40ac 8c3 22 1 sy (Indirect driver for tty 'sy')
72 101f475c 875 12 1 pfmod (streams packet filter module)
73 101f4e14 1423 13 1 bufmod (streams buffer mod)
74 1020f7bc 1488 4 1 namefs (filesystem for namefs)
75 10210954 5018 91 1 vol (Volume Management Driver, 1.85)
76 1021546c b01d 36 1 fd (Floppy Driver v1.102)
77 1021f750 25c80 106 1 nfs (NFS syscall, client, and common)
77 1021f750 25c80 15 1 nfs (network filesystem)
77 1021f750 25c80 7 1 nfs (network filesystem version 2)
77 1021f750 25c80 16 1 nfs (network filesystem version 3)
78 10241a3c 92a3 - 1 rpcsec (kernel RPC security module.)
79 102486b0 1c19 - 1 tlimod (KTLI misc module)
80 1024a094 2290 53 1 semsys (System V semaphore facility)
81 101f5fc4 2d8 - 1 ipc (common ipc code)
82 1024c104 21b8 52 1 shmsys (System V shared memory)
83 1019bd54 f0f 23 1 ptm (Master streams driver 'ptm')
84 101ebe88 e53 24 1 pts (Slave Stream Pseudo Terminal dr)
85 101ad694 163b 14 1 ptem (pty hardware emulator)
86 10107f44 1934 49 1 msgsys (System V message facility)
87 101eca14 858 72 1 ksyms (kernel symbols driver)
88 1024dfbc 80d 15 1 pckt (pckt module)
89 1024e588 11b1 38 1 openeepr (OPENPROM/NVRAM Driver)
A Solaris 8 system had 109 modules loaded.
The kit also compiled and ran on Solaris 8; when loaded, modinfo displayed the trojan like this:
110 fe99d59e ab3 - 1 sitf0.2 (Solaris ITF)
Detecting malevolent kernel modules:
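One practical countermeasure, given the long modinfo listing above, is to record the module list on a freshly installed host and compare later listings against it by module name only, since Ids and load addresses change between boots. The script below is an added example written for this digest, not part of the SITF kit or of Sun's tools; the two modinfo listings embedded in it are constructed samples (a few lines in the real column layout, the second one containing the sitf0.2 line shown above), and the /var/adm/modinfo.baseline path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the digest): compare a modinfo snapshot taken on a
# known-clean system against a current listing and report module names that
# the baseline never had. Module Ids and load addresses change between boots,
# so only the Module column is compared.

# Constructed sample of a baseline modinfo listing (same column layout as the
# real command: Id Loadaddr Size Info Rev Module Name).
BASELINE='Id Loadaddr Size Info Rev Module Name
  6 10104000   4577   1   1  specfs (filesystem for specfs)
  8 10109774   2de8   1   1  TS (time sharing sched class)
  9 1010bf1c    4f0   -   1  TS_DPTBL (Time sharing dispatch table)
 11 10130224   ec4c 226   1  rpcmod (RPC syscall)
 11 10130224   ec4c   1   1  rpcmod (rpc interface str mod)
 77 1021f750  25c80 106   1  nfs (NFS syscall, client, and common)'

# Constructed sample of a later listing on the same host: Ids have shifted, and
# one module is present that the baseline does not contain.
CURRENT='Id Loadaddr Size Info Rev Module Name
  6 10104000   4577   1   1  specfs (filesystem for specfs)
  8 10109774   2de8   1   1  TS (time sharing sched class)
  9 1010bf1c    4f0   -   1  TS_DPTBL (Time sharing dispatch table)
 12 10130224   ec4c 226   1  rpcmod (RPC syscall)
 12 10130224   ec4c   1   1  rpcmod (rpc interface str mod)
 79 1021f750  25c80 106   1  nfs (NFS syscall, client, and common)
110 fe99d59e    ab3   -   1  sitf0.2 (Solaris ITF)'

# module_names: read modinfo output on stdin, keep only data rows (numeric Id),
# and print each distinct module name once, sorted. Modules listed several
# times (streams module and device entries) collapse to one name.
module_names() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 6 { print $6 }' | sort -u
}

# new_modules BASELINE_TEXT CURRENT_TEXT: print the names in the current
# listing that the baseline does not contain, one per line (nothing if none).
new_modules() {
    {
        printf '%s\n' "$1" | module_names | sed 's/^/B /'
        printf '%s\n' "$2" | module_names | sed 's/^/C /'
    } | awk '$1 == "B" { known[$2] = 1; next }
             $1 == "C" && !($2 in known) { print $2 }'
}

# module_count TEXT: number of distinct module names in a listing, a quick
# sanity figure to record alongside the baseline (89 and 109 in the text).
module_count() {
    printf '%s\n' "$1" | module_names | wc -l | tr -d ' '
}

# Stand-alone run on the constructed data. On a real host save the baseline
# once (for example: modinfo > /var/adm/modinfo.baseline, path assumed) and
# pass "$(cat /var/adm/modinfo.baseline)" and "$(modinfo)" instead.
new=$(new_modules "$BASELINE" "$CURRENT")
if [ -n "$new" ]; then
    echo "modules not in baseline:"
    echo "$new"
else
    echo "no new modules"
fi
```

A caveat that follows from the feature list above: this only catches what modinfo still reports. A module that hides its own entry will not appear in the current listing, so the comparison is one indicator, not proof of a clean kernel; the baseline has to come from a trusted snapshot, and a host that fails other checks should be examined from a boot of known-good media rather than from its running kernel.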
Summary: This tool is really worrying. If any readers can add to the information or detection measures above, I'd like to hear from you.
If you have any security tips/scripts you'd like to share with others, contact Sean.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
Sign up to get this digest and many others by email.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 26 January, 2001