Weekly Solaris Security Digest
2000/01/22 to 2001/01/29

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

None

Bugtraq vulnerabilities this week - Solaris:

2001-01-17: Solaris cu Buffer Overflow Vulnerability
http://www.securityfocus.com/bottom.html?vid=2253

"cu" is a Unix communications program. It is usually installed with enhanced privileges so that it may access communications hardware. The version of /usr/bin/cu that ships with Solaris contains a buffer overflow. It may be possible for a local attacker to exploit this vulnerability to gain effective group-id 'uucp'. This may lead to a root compromise. Vulnerable systems are: Sun Solaris 2.4 - 8.0.

Analysis:

Bugtraq vulnerabilities this week - 3rd party applications:

2001-01-23: Lotus Domino Mail Server 'Policy' Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2283

2001-01-23: Wu-Ftpd Debug Mode Client Hostname Format String Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2296

2001-01-23: Oracle XSQL Servlet Arbitrary Java Code Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2295

2001-01-24: Netscape Enterprise Server 'Index' Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2285

2001-01-22: Netscape FastTrak Cache Module DoS Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2273

2001-01-22: Netscape Enterprise Server DoS Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2282

2001-01-21: Icecast Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2264

2001-01-19: bing gethostbyaddr Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2279

2001-01-18: mICQ Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2254

2001-01-18: Mysql Local Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2262

2001-01-17: Checkpoint Firewall-1 4.1 Denial of Service Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2238


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8       Jan/25/01
Solaris 7       Jan/24/01
Solaris 2.6     Jan/24/01
Solaris 2.5.1   Jan/24/01

See also ftp://sunsolve.sun.com/pub/patches

Note: starting next week, we hope to provide you with a list of patches that have changed when a new patch bundle is published.


News & Articles

SunSolve

FAQ on Booting Solaris to either the 64-bit kernel or the 32-bit kernel
SunSolve Online
http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&nolog=1&doc=infodoc/21434

This InfoDoc is not directly related to security but provides a FAQ on booting Solaris to either the 64-bit kernel or the 32-bit kernel. Booting the 64-bit kernel has been available on Ultra systems with UltraSPARC(TM) processors (sun4u or greater platforms) since the first release of Solaris 7.


SunWorld/UnixInsider

Just the FAQs - Online resources for Unix users
Mo Budlong
http://www.sunworld.com/unixinsideronline/swol-01-2001/swol-0119-unix101.html

Where do you go when you need quick Unix advice, and you're nowhere near your man pages? Now you can find them online at a variety of Websites, some of which are hyperlinked to make finding an answer even quicker. In this month's Unix 101, Mo Budlong offers a list of the online man pages that he uses as well as resources for FAQs and how-tos.


Conquering IT data-protection fears - Adequate backups can help you maintain your sanity
Ron Levine
http://www.sunworld.com/unixinsideronline/swol-01-2001/swol-0105-storage.html

What IT manager doesn't worry about losing data because of a disk crash, a hacker, or even a spilled Coke? While you can't protect yourself against every possible accident or invasion, having the right data protection and backup devices in place can help you recover what you've lost. In this first installment of Storage Solutions, Ron Levine talks to experts at StorNet to find the best options for protecting and backing up your system.


OS identification - The more a hacker knows about your system, the easier it is for him to get in
Sandra Henry-Stocker
http://www.sunworld.com/unixinsideronline/swol-12-2000/swol-1208-buildingblocks.html

When hackers plan to break into Websites, they first try to find out which operating system the site is using. Once they determine that and which services are running, their chances of successfully attacking a system are greatly increased. What can you do to stop them? In this month's Building Blocks of Security, Sandra Henry-Stocker introduces active and passive stack fingerprinting, two ways that hackers profile your systems.


SolarisGuide

First Public Release of JAIN(TM) JCC and SIP Specifications Ready For Developers
Sun Microsystems, Inc.
http://www.solarisguide.com

Sun announced the first public release of two JAIN(TM) specifications. The JAIN APIs are a set of Java technology-based APIs (application programming interfaces) that bring service portability, convergence, and secure network access to telephony and data networks, thus simplifying network service delivery for service providers. The newly available API specifications are for JAIN Call Control (JCC) and JAIN Session Initiation Protocol (SIP).


InfoWorld

Sun broadens StorEdge platform support
http://www2.infoworld.com/articles/hn/xml/01/01/10/010110hnstoredge.xml

Sun has broadened platform support for the Sun StorEdge T3 array, which is now supported on additional platforms.


SecurityFocus

NFS and NIS Security
Kristy Westphal
http://www.securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/nfsnis.html

Why is it that almost any book or paper about Solaris security explicitly says: turn off the NFS and NIS services? Some system administrators, though, cannot just turn off these services, as they are already key services implemented across their enterprises. Security issues seem to be inherent in their structure; however, there are methods and precautions that can be taken to make them more secure than their plain-vanilla implementations.

Comment: A useful introduction to RPC, NFS, NIS and methods for securing them. NIS+, NFSv4 and SecureNFS need more coverage though.


SSL - Rumours and Reality
A practical perspective on the value of SSL for protecting web servers

Charl Van Der Walt
http://www.securityfocus.com/frames/?focus=basics&content=/focus/basics/articles/ssl.html

Comment: A useful explanation of SSL, how it is used and its risks.

SysAdmin Magazine

Safer CGI Scripting
Charles Walker and Larry Bennett
http://www.sysadminmag.com/current/feature.shtml

O'ReillyNet

Establishing Good Password Policies
Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2001/01/17/FreeBSD_Basics.html

Comment: This FreeBSD article runs through issues that are also relevant on Solaris.

LinuxSecurity

Security patches aren't being applied
Robert Lemos
http://www.zdnet.com/zdnn/stories/news/0,4586,2677878,00.html


Software "fixes" routinely available but often ignored
Robert Lemos
http://news.cnet.com/news/0-1005-201-4578373-0.html?tag=st.ne.1002.unkn&tag=unkn


GnuPG: An Open Solution to Data Protection
D. Hageman
http://www.unixreview.com/open_source/articles/0101gnupg.shtml


Mailing Lists

FOCUS-Sun Discussions Threads

No discussions this week.


YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current.
Key activity: the latest Solaris 8 release contains a new daemon that is not disabled by Yassp. Installing the recommended patch bundles can cause Yassp's changes to boot files to be lost!

Discussions this week:

SSH inactivity timeout
http://www.theorygroup.com/Archive/YASSP/2001/msg00017.html

PARCDaily suggested change
http://www.theorygroup.com/Archive/YASSP/2001/msg00018.html

How to make YASSP and patch updates co-exist...
http://www.theorygroup.com/Archive/YASSP/2001/msg00019.html

Openssl libraries
http://www.theorygroup.com/Archive/YASSP/2001/msg00011.html

Default syslog.conf config
http://www.theorygroup.com/Archive/YASSP/2001/msg00010.html

Yassp feedback
http://www.theorygroup.com/Archive/YASSP/2001/msg00005.html
http://www.theorygroup.com/Archive/YASSP/2001/msg00006.html

See also http://www.yassp.org


Security Tools

All security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html


Tip of the Week: Kernel Trojans

How do you recognise a compromised system? The appearance of kernel kits for hiding penetrations makes life much more difficult. Let's examine one kernel trojan, and consider some countermeasures.

Solaris Integrated Trojan Facility 0.2
Plasmoid/THC
http://www.infowar.co.uk/thc
http://securityfocus.com/templates/tools.html?id=1006

This is a publicly released Solaris Loadable Kernel Module backdoor from The Hacker's Choice.

The 'sitf0.2' module features:

The 'anm' module is really nasty: "This is probably the most stupid module I ever programmed, instead of faking syscalls or installing backdoors, this module just corrupts a system, making it slightly unusable by randomly generating different system errors." I didn't try testing this module.

Analysis:

On a Solaris 2.7 server, the following 89 (!) standard kernel modules were loaded. This shows how difficult it is to recognise trojans.

# modinfo
Id Loadaddr Size Info Rev Module Name
6 10104000 4577 1 1 specfs (filesystem for specfs)
8 10109774 2de8 1 1 TS (time sharing sched class)
9 1010bf1c 4f0 - 1 TS_DPTBL (Time sharing dispatch table)
10 1010bf70 27818 2 1 ufs (filesystem for ufs)
11 10130224 ec4c 226 1 rpcmod (RPC syscall)
11 10130224 ec4c 1 1 rpcmod (rpc interface str mod)
12 1013d920 28d74 0 1 ip (IP Streams module)
12 1013d920 28d74 3 1 ip (IP Streams device)
13 1015fe90 15e0 1 1 rootnex (sun4u root nexus)
14 1016105c 1ec 57 1 options (options driver)
15 10161180 79c 62 1 dma (Direct Memory Access driver)
16 101616e0 75cf 59 1 sbus (SBus (sysio) nexus driver)
17 10167f18 1648 12 1 sad (Streams Administrative driver's)
18 101692a8 61f 2 1 pseudo (nexus driver for 'pseudo')
19 10169728 10e4c 32 1 sd (SCSI Disk Driver 1.300)
20 10179294 7136 - 1 scsi (SCSI Bus Utility Routines)
21 1017de84 d719 61 1 esp (ESP SCSI HBA Driver v1.264)
26 101a435c 15c3 - 1 dada ( ATA Bus Utility Routines)
27 101a53e8 886 - 1 todmostek (tod module for Mostek M48T59)
28 1018a45c 128c2 5 1 procfs (filesystem for proc)
30 101b0db4 ccec 8 1 sockfs (filesystem for sockfs)
32 1019cce8 616 11 1 clone (Clone Pseudodriver 'clone')
33 101bd0a8 17a04 2 1 tcp (TCP Streams module)
33 101bd0a8 17a04 42 1 tcp (TCP Streams device)
34 1019d0d4 1055 - 1 md5 (MD5 Message-Digest Algorithm)
35 1019e030 45e0 3 1 udp (UDP Streams module)
35 1019e030 45e0 41 1 udp (UDP Streams device)
36 101a1610 3b58 4 1 icmp (ICMP Streams module)
36 101a1610 3b58 5 1 icmp (ICMP Streams device)
37 101a5b70 51a7 5 1 arp (ARP Streams module)
37 101a5b70 51a7 44 1 arp (ARP Streams driver)
38 101a9f0c 45b7 6 1 timod (transport interface str mod)
40 101cff64 8a7f 29 1 zs (Z8530 serial driver V4.120)
41 101aece8 1800 7 1 ms (streams module for mouse)
42 101b0250 a1c 17 1 consms (Mouse Driver for Sun 'consms')
43 101d82a4 3ece 8 1 kb (streams module for keyboard)
44 101dae8c b55 16 1 conskbd (Console kbd Multiplexer driver )
45 101db684 1955 15 1 wc (Workstation multiplexer Driver )
46 101dc3ec 234f 0 1 elfexec (exec module for elf)
47 101de42c 104d 13 1 mm (memory driver)
48 101df1e8 3288 3 1 fifofs (filesystem for fifo)
49 101e1fe0 5926 9 1 ldterm (terminal line discipline)
50 101e6e90 2381 10 1 ttcompat (alt ioctl calls)
51 101e9024 14d0 26 1 ptsl (tty pseudo driver slave 'ptsl')
52 101ea15c 2053 25 1 ptc (tty pseudo driver control 'ptc')
58 101ed034 4683 105 1 tl (TPI Local Transport Driver - tl)
59 101f11b0 160a 53 1 sysmsg (System message redirection (fan)
60 101f1fdc 6d8 0 1 cn (Console redirection driver)
61 101f24b4 4c5 1 1 intpexec (exec mod for interp)
62 101a409c 2fc 42 1 pipe (pipe(2) syscall)
63 101f6494 b88e 7 1 hme (FEPS Ethernet Driver v1.114 )
65 102004d0 726a - 1 ufs_log (Logging UFS Module)
66 101f28c4 d70 12 1 fdfs (filesystem for fd)
67 101f3374 7f6 90 1 kstat (kernel statistics driver)
68 10206ec0 d8a2 11 1 tmpfs (filesystem for tmpfs)
69 101f39ac 9db 21 1 log (streams log driver)
70 1020bf08 3e12 201 1 doorfs (doors)
71 101f40ac 8c3 22 1 sy (Indirect driver for tty 'sy')
72 101f475c 875 12 1 pfmod (streams packet filter module)
73 101f4e14 1423 13 1 bufmod (streams buffer mod)
74 1020f7bc 1488 4 1 namefs (filesystem for namefs)
75 10210954 5018 91 1 vol (Volume Management Driver, 1.85)
76 1021546c b01d 36 1 fd (Floppy Driver v1.102)
77 1021f750 25c80 106 1 nfs (NFS syscall, client, and common)
77 1021f750 25c80 15 1 nfs (network filesystem)
77 1021f750 25c80 7 1 nfs (network filesystem version 2)
77 1021f750 25c80 16 1 nfs (network filesystem version 3)
78 10241a3c 92a3 - 1 rpcsec (kernel RPC security module.)
79 102486b0 1c19 - 1 tlimod (KTLI misc module)
80 1024a094 2290 53 1 semsys (System V semaphore facility)
81 101f5fc4 2d8 - 1 ipc (common ipc code)
82 1024c104 21b8 52 1 shmsys (System V shared memory)
83 1019bd54 f0f 23 1 ptm (Master streams driver 'ptm')
84 101ebe88 e53 24 1 pts (Slave Stream Pseudo Terminal dr)
85 101ad694 163b 14 1 ptem (pty hardware emulator)
86 10107f44 1934 49 1 msgsys (System V message facility)
87 101eca14 858 72 1 ksyms (kernel symbols driver)
88 1024dfbc 80d 15 1 pckt (pckt module)
89 1024e588 11b1 38 1 openeepr (OPENPROM/NVRAM Driver)

A Solaris 8 system had 109 modules loaded.

The module also compiled and ran on Solaris 8; when loaded, modinfo displayed the trojan like this:
110 fe99d59e ab3 - 1 sitf0.2 (Solaris ITF)

Detecting malevolent kernel modules:

Summary: This tool is really worrying. If any readers can add to the information/detecting measures above, I'd like to hear from you.
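One simple detection measure, added here as an example and not part of the digest or of THC's release: save a modinfo listing from a known-good system as a baseline, and report any module name that appears in a later listing but not in the baseline. On the listing shown above this flags the sitf0.2 line. The /var/adm path and the cron usage mentioned in the comments are assumptions; the sample listings are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the digest or from THC's release): diff a saved
# modinfo listing against a fresh one and report modules that were not
# present when the baseline was taken. Assumed workflow: save
# "modinfo > /var/adm/modinfo.base" right after install/patching, then
# periodically (e.g. from cron) capture a fresh "modinfo" listing and
# pass both files to new_modules.

# new_modules BASELINE CURRENT
# Prints each module name (6th modinfo column) found in CURRENT but not in
# BASELINE, once each. Exit status 1 if any were found, 0 if the listing
# matches the baseline. The header line is skipped and modules that modinfo
# lists several times (rpcmod, ip, tcp, nfs, ...) are only reported once.
new_modules() {
    awk 'FNR == 1 || NF < 6 { next }                 # header or short line
         FNR == NR { base[$6] = 1; next }            # first file: baseline
         !($6 in base) && !dup[$6]++ { print $6; found = 1 }
         END { exit (found ? 1 : 0) }' "$1" "$2"
}

# Constructed sample listings, abbreviated from the digest's modinfo output.
BASE=${TMPDIR:-/tmp}/modinfo.base.$$
NOW=${TMPDIR:-/tmp}/modinfo.now.$$
trap 'rm -f "$BASE" "$NOW"' EXIT
cat > "$BASE" <<'EOF'
Id Loadaddr Size Info Rev Module Name
6 10104000 4577 1 1 specfs (filesystem for specfs)
11 10130224 ec4c 226 1 rpcmod (RPC syscall)
11 10130224 ec4c 1 1 rpcmod (rpc interface str mod)
34 1019d0d4 1055 - 1 md5 (MD5 Message-Digest Algorithm)
EOF
cat > "$NOW" <<'EOF'
Id Loadaddr Size Info Rev Module Name
6 10104000 4577 1 1 specfs (filesystem for specfs)
11 10130224 ec4c 226 1 rpcmod (RPC syscall)
11 10130224 ec4c 1 1 rpcmod (rpc interface str mod)
34 1019d0d4 1055 - 1 md5 (MD5 Message-Digest Algorithm)
110 fe99d59e ab3 - 1 sitf0.2 (Solaris ITF)
EOF

# Run by hand: prints "sitf0.2" and exits 1; a matching pair exits 0.
new_modules "$BASE" "$NOW" || echo "WARNING: unexpected kernel module(s) listed above"
```

A baseline only helps if it is taken before the system is exposed and stored where a local root compromise cannot quietly rewrite it (read-only media or a remote host), and a module that hides itself from modinfo will not show up in any listing at all.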


If you have any security tips/scripts you'd like to share with others, contact Sean.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

Sign up to get this digest and many others by email.

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 26 January, 2001