By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
2001-02-05: SSH1 SSH Daemon Logging Failure Vulnerability
http://www.securityfocus.com/bid/2345
A flaw in the SSH1 daemon's logging could allow an attacker to make numerous brute-force login attempts against a system without leaving a trace. The logging routine in the SSH1 code does not record failed login attempts beyond the fourth. A brute-force attack consists of many successive attempts to log in as a specific user, so all but the first few are invisible to the system logs. The danger is increased by the SSH1 package allowing remote root logins by default. A malicious remote user can therefore launch a brute-force attack and remain unnoticed by the system's logging utilities beyond the fourth attempted login, and by this method could gain access to any account, potentially including root.
Confidence: this vulnerability was announced to Bugtraq (http://www.securityfocus.com/archive/1/160648) by Jose Nazario in a Crimelabs Security Note on February 5, 2001. SSH.com has released a patch. There are currently no Bugtraq discussions regarding this topic.
Severity: a remote user could gain access to any account, and potentially the root account.
Fix: a patch supplied by Jose Nazario is available. SSH upgrade: ftp://ftp.ssh.com/pub/ssh/ssh-1.2.31.tar.gz
2001-02-07: SSH protocol 1.5 session key recovery vulnerability
http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm
This advisory describes a vulnerability in the SSH 1.5 protocol that allows an attacker to exploit a design or implementation problem on either the client or the server to obtain the session key and then decrypt a recorded session using any implementation of the cipher that was used. All versions of SSH supporting the protocol 1.5 key exchange are vulnerable. This vulnerability applies to SSH servers only.
Confidence: this advisory has been posted by Core SDI. Currently we are not aware of any CERT bulletin/advisory.
Severity: the session key could be obtained to decrypt the stored session.
Fix: for information about the workaround, please consult the advisory at http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm.
Comments/Analysis:
- Comment from Dan Harkless about SSH.com response:
"I run a version 1 ssh.com sshd out of inetd using Wietse Venema's tcpd because tcp_wrappers support is incomplete/buggy in the daemon itself (at least in 1.2.27). The daemon linked with libwrap doesn't support the rfc931 action and I've had problems with it being overly permissive when specifying allowed IP ranges. With:
ssh stream tcp nowait root /usr/local/sbin/tcpd /usr/local/sbin/sshd -i
there's a fresh daemon for each connection. Annoying waiting for the server key to be generated for each connection if your machine isn't blazing fast, but a side effect is that this attack is prevented."
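An added example, not code from the digest, from SSH.com or from Dan Harkless, that ties the tcpd setup above to the logging bug in the first advisory: when sshd runs under tcpd from inetd, tcp_wrappers writes one "connect from" syslog line per connection, independent of whatever sshd itself logs. Counting those lines per source host shows the volume of a brute-force run even where sshd's own failure logging stops after the fourth attempt. The log lines below are constructed; the "Failed password for" message format is an assumption, so adjust the two patterns to your sshd's real messages.

```shell
#!/bin/sh
# Added example, not from the digest, SSH.com or Dan Harkless.
# Counts SSH connections per source host from tcp_wrappers' "connect from"
# lines (one per connection when sshd runs from inetd under tcpd) and sets
# that beside the number of "Failed password" lines sshd itself logged.
# Under the SSH1 logging bug, sshd's own count stops at four, so the tcpd
# connection count is the signal that survives a brute-force run.

# Constructed sample syslog (not real data). The "Failed password for"
# format is an assumption; adjust the awk patterns below to your sshd.
SAMPLE="${TMPDIR:-/tmp}/ssh-bruteforce-sample-$$.log"
cat > "$SAMPLE" <<'EOF'
Feb  8 10:01:02 sol8 sshd[1201]: connect from 10.1.2.3
Feb  8 10:01:03 sol8 sshd[1201]: Failed password for root from 10.1.2.3
Feb  8 10:01:04 sol8 sshd[1201]: Failed password for root from 10.1.2.3
Feb  8 10:01:05 sol8 sshd[1201]: Failed password for root from 10.1.2.3
Feb  8 10:01:06 sol8 sshd[1201]: Failed password for root from 10.1.2.3
Feb  8 10:01:20 sol8 sshd[1202]: connect from 10.1.2.3
Feb  8 10:01:40 sol8 sshd[1203]: connect from 10.1.2.3
Feb  8 10:02:00 sol8 sshd[1204]: connect from 10.1.2.3
Feb  8 10:02:20 sol8 sshd[1205]: connect from 10.1.2.3
Feb  8 10:02:40 sol8 sshd[1206]: connect from 10.1.2.3
Feb  8 10:03:00 sol8 sshd[1207]: connect from 192.168.1.10
Feb  8 10:03:05 sol8 sshd[1207]: Accepted password for sean from 192.168.1.10
Feb  8 10:05:00 sol8 sshd[1208]: connect from 10.9.9.9
Feb  8 10:05:02 sol8 sshd[1208]: Failed password for sean from 10.9.9.9
Feb  8 10:05:30 sol8 sshd[1209]: connect from 10.9.9.9
Feb  8 10:05:33 sol8 sshd[1209]: Accepted password for sean from 10.9.9.9
EOF

# ssh_bruteforce_report LOGFILE THRESHOLD
# Prints "<host> <connections> <logged_failures>" for every source host
# whose tcpd connection count is at least THRESHOLD, most connections first.
# The last field of both message types is the client address.
ssh_bruteforce_report() {
    awk -v thr="$2" '
        /: connect from /        { conn[$NF]++ }
        /: Failed password for / { fail[$NF]++ }
        END {
            for (h in conn)
                if (conn[h] >= thr)
                    printf "%s %d %d\n", h, conn[h], (h in fail) ? fail[h] : 0
        }' "$1" | sort -k2 -n -r
}

echo "sources with at least 3 connections (host connections logged_failures):"
ssh_bruteforce_report "$SAMPLE" 3
```

In the sample, 10.1.2.3 shows six connections but only four logged failures, which is exactly the gap the first advisory describes; the connection count, not the failure count, is what to alert on. Setting `PermitRootLogin no` in sshd_config removes the default remote root login that the advisory says makes the problem worse.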
2001-02-08: SSH1 CRC-32 compensation attack detector vulnerability
http://www.linuxsecurity.com/advisories/other_advisory-1149.html
In 1998 Ariel Futoransky and Emiliano Kargieman discovered a design flaw in the SSH1 protocol (protocol 1.5) that could allow an attacker to inject malicious packets into an SSH encrypted stream and so execute arbitrary commands on either client or server. The problem was not fixable without breaking the protocol 1.5 semantics, so a patch was devised that detects an attack exploiting the flaw. The attack detection is done in the file deattack.c of the SSH1 source distribution. A vulnerability has now been found in that attack detection code that could lead to the execution of arbitrary code in SSH servers and clients that incorporated the patch. This problem affects both SSH servers and clients. All versions of SSH supporting protocol 1 (1.5) that use the CRC compensation attack detector are vulnerable. For information about the workaround, please consult the advisory at the linuxsecurity.com link above.
This advisory has been posted by Core SDI. Currently we are not aware of any CERT bulletin/advisory. There are currently no Bugtraq discussions regarding this topic.
2001-02-02: QNX RTP ftpd stat Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2342
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Feb/06/01*
Solaris 7 Jan/30/01
Solaris 2.6 Feb/08/01*
Solaris 2.5.1 Jan/26/01
See also ftp://sunsolve.sun.com/pub/patches.
New patches for Solaris 8:
- 109888-02 SunOS 5.8: platform drivers patch
- 109888-05 SunOS 5.8: platform drivers patch
New patches for Solaris 2.6:
- 105568-21 SunOS 5.6: /usr/lib/libthread.so.1 patch
- 105568-22 SunOS 5.6: /usr/lib/libthread.so.1 patch
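An added example, not from the digest or from Sun, for checking whether the patches listed above are installed at least at the listed revision. It parses the output of `showrev -p`, which prints one "Patch: <id>-<rev> ..." line per installed patch; the sample output below is constructed (a real host lists only patches for its own Solaris release, and the package names here are made up), so on a real system replace it with `showrev -p > "$SHOWREV"`.

```shell
#!/bin/sh
# Added example, not from the digest or from Sun. Verifies that a patch is
# installed at least at a required revision by parsing "showrev -p" output.
# On a real Solaris host:  showrev -p > "$SHOWREV"

# Constructed sample of showrev -p output (not from a real host; package
# lists are made up and a real host would show only one Solaris release).
SHOWREV="${TMPDIR:-/tmp}/showrev-p-sample-$$.txt"
cat > "$SHOWREV" <<'EOF'
Patch: 109888-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWkvm
Patch: 105568-21 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
EOF

# installed_rev FILE PATCHID
# Prints the highest installed revision of PATCHID as a plain number
# (leading zero dropped), or "none" if the patch is not listed.
installed_rev() {
    awk -v id="$2" '
        BEGIN { best = 0 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && p[2] + 0 > best) best = p[2] + 0
        }
        END { if (best > 0) print best; else print "none" }' "$1"
}

# patch_ok FILE PATCHID-REV
# Returns 0 if PATCHID is installed at revision REV or higher, else 1.
patch_ok() {
    id=${2%-*}
    want=${2##*-}
    want=${want#0}          # "05" -> "5" so the numeric test is unambiguous
    have=$(installed_rev "$1" "$id")
    [ "$have" != "none" ] && [ "$have" -ge "$want" ]
}

# Check the revisions named in this week's digest against the sample.
for p in 109888-05 105568-22; do
    if patch_ok "$SHOWREV" "$p"; then
        echo "$p: installed"
    else
        echo "$p: NOT current (installed revision: $(installed_rev "$SHOWREV" "${p%-*}"))"
    fi
done
```

Against the sample both digest revisions report as not current, since the host has 109888-02 and 105568-21 installed. Feeding the loop the patch list from a freshly downloaded Recommended cluster turns this into a quick audit of a host against the cluster dates above.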
SolarisGuide
DNS proves to be weak link in Internet chain
Dennis Fisher
http://dailynews.yahoo.com/h/zd/20010205/tc/dns_proves_to_be_weak_link_in_internet_chain_1.html
A series of high-profile events over the last few weeks has highlighted the fact that the DNS that is so critical to the Internet's operation is also one of its weakest links. Though many of the specific problems have only recently come to light, security experts and CIOs said they have known for years that the Domain Name System is full of holes and have been holding their breath, hoping to avoid a major incident.
SunWorld/UnixInsider
Stopping the Ramen worm - Linux and Unix administrators need to be more vigilant in their security measures
Dev Zaborav
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0202-unixsecurity-dv.html
The recent outbreak of the worm known as Ramen poses a familiar question: How can we keep worms and viruses from intruding on and infecting our systems? The first thing to do, recommends Unix Security writer Dev Zaborav, is take some basic hardening and security measures, and stop putting Linux servers on the Internet in a default installation.
Which language is right for you? Try each one and find a good fit
Cameron Laird and Kathryn Soraiz
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0202-regex.html
How do you choose between all of the available scripting languages? Cameron Laird and Kathryn Soraiz recommend trying them out individually. Each language has its own benefits and its own limits, and only you can determine which best suits your work.
BIND news and DNS alternatives
Jeremy C. Reed
http://www.bsdtoday.com/2001/February/Features402.html
Establishing Good Password Policies
Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2001/01/17/FreeBSD_Basics.html?delta=1
"One of the responsibilities of the system administrator is to create a password policy that is appropriate for the users of the network." This article covers several ideas for creating a password policy and configuring login.conf classes to implement policies.
LinuxSecurity
BIND-MEMBER Forum FAQ
Paul Vixie / ISC
http://www.linuxsecurity.com/feature_stories/bind-members.html
In this FAQ, Paul answers some of the more frequently asked questions surrounding the bind-members forum mailing list. There has been quite a bit of controversy surrounding this action by the ISC. In this FAQ, Paul talks about why it was formed, what the intentions of the ISC are, and how he feels it will actually improve the level of security of BIND.
Case Study: Building a small-business VPN
Karen J. Bannan, PC Magazine
http://www.zdnet.com/smallbusiness/stories/general/0,5821,2671137,00.html
It was a common enough problem for a small business: the need for a company to connect to its headquarters.
A year later, DDoS attacks still a major Web threat
Robert Lemos
http://news.cnet.com/news/0-1003-201-4735597-0.html?tag=mn_hd
The DDoS attack that knocked out Yahoo used a host of hacked servers--dubbed "slaves" or "zombies"--to inundate a Web site or Internet-connected server with data, effectively stopping the server's ability to respond to Web page requests. This kind of attack is still a major threat.
Pathologically Polluting Perl
Brian Ingerson
http://www.perl.com/pub/2001/02/inline.html
No programming language is Perfect. Perl comes very close. P! e! r! l? :-( Not quite ``Perfect''. Sometimes it just makes sense to use another language for part of your work. You might have a stable, pre-existing code base to take advantage of. Perhaps maximum performance is the issue. Maybe you just ``know how to do it'' that way. Or very likely, it's a project requirement forced upon you by management. Whatever the reason, wouldn't it be great to use Perl most of the time, but be able to invoke something else when you had to?
Security Issues in Perl Scripts
Jordan Dimov & John Viega
http://opensourceit.earthweb.com/dlink.index-jhtml.72.1077.-.0.jhtml
Perl is one of the most widely used languages for writing interactive applications on the Web, and Perl programs are widely used for various system administration tasks. Applications that serve these tasks must provide reliable access to security-sensitive functions and information, and at the same time ensure that no one is granted access to data or functionality that was not intended for them. In this two-part article, Jordan Dimov and John Viega evaluate some of the common security weaknesses and vulnerabilities of Perl applications and give an overview of the features that the Perl language provides to aid the programmer in hardening the security of their applications.
Security Issues in Perl Scripts: Perl Taint Mode
Jordan Dimov & John Viega
http://opensourceit.earthweb.com/dlink.index-jhtml.72.1077.-.0.jhtml
In this second of two parts, Jordan Dimov and John Viega discuss a method for preventing you from making the security mistakes discussed in their first article.
Network Security at the Dawn of the New Millenium
Brett Glass
http://www.boardwatch.com/bw/jan01/Network_Sec_Dawn.htm
This article discusses the good and bad points of today's Internet security systems, and suggests where we can and should go from here. Currently, the most commonly used Internet protocols - HTTP, Telnet, FTP, SMTP and POP3 - either lack measures...
O'Reilly
Buffer-Overflow Problems in BIND
Noel Davis
http://www.oreillynet.com/pub/a/linux/2001/02/06/insecurities.html
An overview of recent Unix and open-source security advisories. In this column, we look at buffer-overflow problems in BIND, gnuserv, and tinyProxy; format string attacks against ntop and LPRng; and denial-of-service attacks against inetd, CUPS, and InterNetNews (INN2).
Remark: nothing really new since the last Solaris Digest.
SecurityFocus
Chasing the Wind, Episode Four: Through a Glass, Darkly
Robert G. Ferrell
http://www.securityfocus.com/focus/ih/articles/chasing4.html
SecurityFocus.com presents the fourth installment in the highly popular "Chasing the Wind" series, entitled "Through a Glass, Darkly". In this episode, while Jake, the exhausted system administrator, is sleeping obliviously at home, our ambitious script-kiddy and aspiring hacker, Ian, successfully defaces the Acme Ailerons site, hoping to impress his heartthrob, if not the vaunted Br04dB4ndits. Meanwhile, Bob travels to the high-security Command, Control, Communications, Computers, and Intelligence (C4I) center for a very high-level, very secretive meeting...
Securing OSPF
Jason Chan
http://www.liquifried.com/securingospf.html
This paper presents a short how-to for securing a heterogeneous OSPF routing environment.
02/09/01 X11 / Port 6000
http://www.securityfocus.com/archive/92/161366
02/09/01 SunScreen Lite
http://www.securityfocus.com/archive/92/161472
02/08/01 Configuring BSM Question
http://www.securityfocus.com/archive/92/161468
02/02/01 sshd2
http://www.securityfocus.com/archive/92/160258
Note: as the links to the threads themselves are too long to be published, the above links point directly to the first message of each discussion.
Yassp beta 15 is still current.
Discussions this week:
Pseudo TTY limit on Solaris 8
http://www.theorygroup.com/Archive/YASSP/2001/msg00030.html
Missing package for man in the core os distrib
http://www.theorygroup.com/Archive/YASSP/2001/msg00028.html
See also http://www.yassp.org
All security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include MindTerm, PGP, PGPenvelope, Stunnel,
Ssldump, Tripwire, BIND, Tcpdump and Linux Kernel.
Auditing and Intrusion Monitoring tools include Snort, RazorBack which seems interesting,
NetSaint, LIDS, ICU, SAStk and 3 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include Firewalk, Ferm, GShield,
GShieldconf, IPtables, FirewallLogDaemon and 5 other tools.
Tools for Linux/Unix/Cross Platform include Libnet, Zebedee, Anomy Sanitizer, APG,
SecureFTP, Sectar, Linux VPN masquerade and 10 other tools.
Tools for Windows include Backlog, WinNTConfig and IDA Pro freeware version.
"Underground: Hacking, madness and obsession on the electronic frontier"
By Suelette Dreyfus with Research by Julian Assange
ISBN 1 86330 595 5
http://www.underground-book.com
This book was published in 1997 in paper form. It's now been released free for download as a text file. It is a fascinating read, an excellent documentation of the hacker scene of the late 80s/early 90s. Well worth reading - in fact, save your eyes some strain and buy the paper copy. :)
Points that stand out for me are the sheer determination and genius of some hackers, and the futility of security by obscurity for sensitive systems: VMS systems and X.25 financial networks were penetrated without the hackers having access to decent documentation of them.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
Sign up to get this digest and many others by email.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 9 February 2001