Weekly Solaris Security Digest
2001/03/12 to 2001/03/19

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

None

Solaris vulnerabilities this week:

Solaris SNMP to DMI mapper daemon vulnerability
Published by: Job de Haas on Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0175.html

A worrying buffer overflow exists in the snmpXdmid daemon that can lead to local and remote root compromise. No patches are available from Sun yet (they were informed one month ago), but the daemon can be disabled on most systems (I personally never leave it or the SNMP daemons running). One way of disabling it is to rename the rc links so that they are no longer run at boot, and then stop the daemon that is currently running:

sh                    [start the Bourne shell]
cd /etc
# Rename the rc links in place: the rc scripts only run entries named S* or K*,
# so a link called .disabled.S77dmi is ignored at boot (the original mv put the
# new name in a non-existent .disabled.rcN.d directory and would have failed).
for file in rc?.d/*dmi ; do
  echo "Disabling $file"
  mv $file `dirname $file`/.disabled.`basename $file`
done

# and stop the DMI daemons that are running now
/etc/init.d/init.dmi stop

To see if the DMI rpc daemon is running on a particular host on your network:

rpcinfo -p TARGET_HOST  | grep 100249

The exact UDP/TCP ports used by DMI vary from system to system, but tend to be around 32780 and higher. A port scanner could therefore be used to collect a list of hosts publishing ports in that range, and rpcinfo then run against each of them to verify that DMI is present.
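As an added example (not part of the original digest), the script below automates that second step: it runs the rpcinfo check against a list of hosts and reports every host that registers RPC program 100249, together with the protocol and port. rpcinfo_for_host is a wrapper assumed for this example; with DMI_LIVE set it calls the real rpcinfo -p, otherwise it returns constructed sample output so the script can be run offline. The host names and port numbers in that sample are made up.

```sh
#!/bin/sh
# Added example: find hosts that register the snmpXdmid RPC service (program
# number 100249) by parsing "rpcinfo -p" output. Not code from the original digest.

DMI_PROG=100249

# Hypothetical wrapper around rpcinfo. With DMI_LIVE set it queries the real host;
# otherwise it returns constructed sample output (fake hosts, fake ports) so the
# script runs offline.
rpcinfo_for_host() {
  if [ -n "$DMI_LIVE" ]; then
    rpcinfo -p "$1"
    return
  fi
  case "$1" in
    host-a)
      printf '%s\n' \
        '   program vers proto   port  service' \
        '    100000    4   tcp    111  rpcbind' \
        '    100000    4   udp    111  rpcbind' \
        '    100249    1   udp  32787' \
        '    100249    1   tcp  32780' ;;
    host-b)
      printf '%s\n' \
        '   program vers proto   port  service' \
        '    100000    4   tcp    111  rpcbind' \
        '    100024    1   udp  32772  status' ;;
    *)
      return 1 ;;   # unreachable or unknown host: no output
  esac
}

# Usage: find_dmi host ...
# Prints "host proto port" for every DMI registration found; prints nothing for
# hosts that have none or that cannot be queried.
find_dmi() {
  for host in "$@"; do
    rpcinfo_for_host "$host" 2>/dev/null |
      awk -v prog="$DMI_PROG" -v h="$host" '$1 == prog { print h, $3, $4 }'
  done
}

find_dmi "$@"
```

Feed it the host list your port scanner produced, e.g. `DMI_LIVE=1 sh dmiscan.sh host1 host2 ...`; any host that appears in the output still has snmpXdmid registered and should be disabled as shown above.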

 

Solaris 8 snmpd Vulnerability
Published by: Pablo Sor on Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0160.html

Description: The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root and contains a buffer overflow: it copies its own name (argv[0]) into an internal buffer without checking the length, so an overlong argv[0] overflows the buffer.
Comment: This tool is only available as part of the SUNWsspop package, used by the SSP (System Service Processor) of an Enterprise 10000, so it is unlikely to affect many systems. The attack also requires an account on the system (local exploit).

Vulnerabilities this week - 3rd party applications:

The Bugtraq database is very quiet these days.


Patches

In this section we aim to inform you of new patches published by Sun. Patches are published [on ftp://sunsolve.sun.com/pub/patches] in two ways:

We analyze both reports since changes in one are not always reflected in the other.

1. The latest Solaris 'Recommended & Security Patch clusters' are as follows:

Solaris 8          Mar/13/01:

111023-01 SunOS 5.8: /kernel/fs/mntfs and /kernel/fs/sparcv9/mntfs patch
109805-03 SunOS 5.8: pam_krb5.so.1 patch
110458-01 SunOS 5.8: libcurses patch
110934-01 SunOS 5.8: pkgtrans, pkgadd, pkgchk and libpkg.a patch

Solaris 8_x86  Mar/13/01:

110459-01 SunOS 5.8_x86: libcurses patch
110076-01 SunOS 5.8_x86: /kernel/drv/devinfo patch

Solaris 7          Mar/13/01:     

110070-01 SunOS 5.7: security: libcurses:setupterm has buffer overflow
109797-01 SunOS 5.7: patch kernel/drv/stc for all packages

Solaris 2.6        Mar/12/01:

106415-04 OpenWindows 3.6: xdm patch
105405-03 SunOS 5.6: libcurses.a & libcurses.so.1 patch
105284-38 Motif 1.2.7: Runtime library patch
106625-10 SunOS 5.6: libsec.a, libsec.so.1 and /kernel/fs/ufs patch

Solaris 2.5.1     Mar/09/01:

103640-35 SunOS 5.5.1: kernel, nisopaccess, & libthread patch
103696-05 SunOS 5.5.1: /sbin/su, /usr/bin/su and /sbin/sulogin patch
104490-06 SunOS 5.5.1: ufsdump and ufsrestore patch
104841-06 SunOS 5.5.1: /usr/sbin/vold patch
103461-35 Motif 1.2.3: Runtime library patch
104637-04 SunOS 5.5.1: /usr/ccs/lib/libcurses.a patch

2. New or updated individual security/recommended patches.

The patch report shows a large number of changes in Solaris 2.6, probably due to formatting differences, so we have not been able to reliably detect changes for this week. Other Solaris versions do not seem to have changed.
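Checking a host against such a cluster list by hand is tedious. The following script, added here and not part of the original digest, compares the patch IDs of a cluster against what showrev -p reports and lists the patches that are missing or installed only at a lower revision. showrev_output is a wrapper assumed for the example: with PATCH_LIVE set it runs the real showrev -p, otherwise it returns constructed sample output (the patch numbers are from the Solaris 8 cluster above; the installed revisions and package names are made up). It needs a POSIX shell such as /usr/bin/ksh on Solaris, because it uses ${var%...} parameter expansion, which the old Bourne /bin/sh lacks.

```sh
#!/bin/sh
# Added example: report cluster patches that are missing from this host or are
# installed at a lower revision than the cluster ships. Not code from the digest.

# Hypothetical wrapper. With PATCH_LIVE set it runs the real "showrev -p";
# otherwise it prints constructed sample output (revisions and package names
# made up) so the script can be run offline.
showrev_output() {
  if [ -n "$PATCH_LIVE" ]; then
    showrev -p
    return
  fi
  cat <<'EOF'
Patch: 109805-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu
Patch: 110458-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 108528-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
EOF
}

# Usage: check_patches 111023-01 109805-03 ...
# Prints "<id>-<rev> missing" or "<id>-<rev> installed at revision <have>, needs <rev>"
# for each wanted patch that is absent or too old; nothing for patches that are fine.
check_patches() {
  installed=`showrev_output | awk '$1 == "Patch:" { print $2 }'`
  for want in "$@"; do
    id=${want%-*}      # base patch number, e.g. 109805
    rev=${want#*-}     # revision the cluster ships, e.g. 03
    have=""
    # A patch can be listed more than once; keep the highest installed revision.
    for p in $installed; do
      case "$p" in
        "$id"-*)
          r=${p#*-}
          if [ -z "$have" ] || [ "$r" -gt "$have" ]; then have=$r; fi ;;
      esac
    done
    if [ -z "$have" ]; then
      echo "$want missing"
    elif [ "$have" -lt "$rev" ]; then
      echo "$want installed at revision $have, needs $rev"
    fi
  done
}

check_patches "$@"
```

Paste the patch IDs from the cluster listing as arguments, e.g. `PATCH_LIVE=1 ksh patchcheck.sh 111023-01 109805-03 110458-01 110934-01`; an empty result means the host is at or above every listed revision. Note that the script does not follow the Obsoletes field, so a patch superseded by a newer patch with a different base number will still be reported as missing.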

Please tell us if you have suggestions or feedback on how we present this patch analysis.


News & Articles

 

Sun BigAdmin

UNIX IP Stack Tuning Guide v2.7
Rob Thomas
http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html

The purpose of this document is to strengthen the UNIX IP stack against a variety of attack types prevalent on the Internet today. This document details the settings recommended for UNIX servers designed to provide network intensive services such as HTTP or routing (firewall services). This document covers the following UNIX variants: IBM AIX 4.3.X, Sun Solaris 7, Compaq Tru64 UNIX 5.X, HP HP-UX 11.0 (research ongoing), Linux kernel 2.2 (tested both SuSE Linux 7.0 and RedHat 7.0), FreeBSD and IRIX 6.5.10.

Comment: an interesting document, but if you intend to use it, compare it with
"tcp tuning under Solaris" by Jens-S. Vöckler:
http://www.sean.de/Solaris

 

SecurityFocus

Hardening Solaris CSNC
Ivan Buelter
http://securityfocus.com/data/library/Hardening_Solaris_CSNC_V1.0.pdf
http://www.csnc.ch/download/sources

This is the latest version of "Hardening Solaris - Compass Security Draft" (as it was called in v0.82). A PDF document, it provides a step-by-step tutorial for creating a Solaris system resistant to various methods of attack, based on the Titan scripts. Looks good, but I've not tested it in detail. It does not reference Yassp (yet).
Just as interesting is a series of documents at the second URL on installing npasswd, tripwire, ssh2, arpwatch, tcpwrapper and swatch, and documentation on WebSphere hardening. The links to these documents don't currently work, but hopefully that's an intermittent problem.

 

JumpStart for Solaris Systems
Ido Dubrawsky
http://securityfocus.com/focus/sun/articles/jumpstart.html

This article will examine the basics of JumpStart: what it is and what benefits it may provide to system administrators. It will also discuss how these benefits can be used to create bastion hosts to be deployed throughout the enterprise. The second article in this series will discuss the complete installation of the bastion mail server using the JumpStart Architecture and Security Scripts (JASS) toolkit.

 

UnixInsider

Deconstructing DoS attacks
Sandra Henry-Stocker
http://www.sunworld.com/unixinsideronline/swol-03-2001/swol-0302-buildingblocks.html

A brief overview of how a DoS attack works, how it differs from a DDoS attack, and what you can do to protect your system from both.

 

Solaris sockets, past and present: The socket filesystem, part 2
Jim Mauro
http://www.sunworld.com/unixinsideronline/swol-03-2001/swol-0309-insidesolaris.html

This second part concentrates on socket implementations post Solaris 2.6.


Mailing Lists

FOCUS-Sun Discussions Threads

03/12/01 Starting ssh-agent from dtlogin
http://www.securityfocus.com/archive/92/168591

03/07/01 PatchDiag Tool strangeness
http://www.securityfocus.com/archive/92/167749

03/06/01 AV software for UNIX
http://www.securityfocus.com/archive/92/167748

Note: as the links to the threads themselves are too long to be published, the above links point directly to the first message of each discussion.

 

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current.

Discussions this week:

FYI: tuning pages moved
http://www.theorygroup.com/Archive/YASSP/2001/msg00097.html

See also http://www.yassp.org


Security Tools

Security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html  

Updates to General free tools this week include OpenSSL 0.9.6a, Stunnel, TrustedBSD and Apache.
Auditing and Intrusion Monitoring tools include 1 Snort tool, Nmap and 1 Nmap tool, PIKT, Chkrootkit, BigBrother, LIDS, Samhain.
Firewalls for UNIX/Linux/BSD & Cross-platform include FwLogWatch, Zorp, Fireparse, Dante, MonMotha's IPtables, IPtables Linux Firewall.
Tools for Linux/Unix/Cross Platform include Bastille Linux, Ngrep, Passwdd, SILC.
Tools for Windows include PwDump3e, Eraser and RPC tools.

Other tools:

Securely Erasing a Hard Drive with Perl
Mark Nielsen
http://www.linuxgazette.com/issue63/nielsen2.html


Tip of the Week: Getting compilers to work

You need to compile some tools on a Sun, but the Sun has already been hardened. What packages need to be added to get a compilation environment?

The following Solaris packages need to be installed: SUNWbtool, SUNWsprot, SUNWtoo, SUNWhea, SUNWarc, SUNWlibm and SUNWlibms. The pkginfo tool can be used to check whether they are installed; it prints an error for each package that is missing:

% pkginfo SUNWbtool SUNWsprot SUNWtoo SUNWhea SUNWarc SUNWlibm SUNWlibms
system SUNWarc Archive Libraries
system SUNWbtool CCS tools bundled with SunOS
system SUNWhea SunOS Header Files
system SUNWlibm Sun WorkShop Bundled libm
system SUNWlibms Sun WorkShop Bundled shared libm
system SUNWsprot Solaris Bundled tools
system SUNWtoo Programming Tools

The missing packages can be added with pkgadd from the Solaris CD.
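To make that a repeatable check, here is an added script (not from the original digest) that relies on pkginfo -q exiting non-zero for a package that is not installed, collects the packages still to be added and prints the pkgadd command for them. On a host without /usr/bin/pkginfo (i.e. anything other than Solaris) it falls back to a constructed stub, also hypothetical, that pretends SUNWhea and SUNWlibms are absent, so the script can be exercised offline. The CD path in PKGDIR is an assumption to be replaced with the Product directory of your own release and volume name.

```sh
#!/bin/sh
# Added example: list which of the packages needed for a compilation environment
# are missing and print the pkgadd command that would install them. Not code
# from the original digest.

COMPILER_PKGS="SUNWbtool SUNWsprot SUNWtoo SUNWhea SUNWarc SUNWlibm SUNWlibms"

# Assumed location of the Product directory on the mounted Solaris CD; adjust
# to your release and volume name.
PKGDIR=${PKGDIR:-/cdrom/cdrom0/s0/Solaris_8/Product}

# Off Solaris there is no pkginfo; use a constructed stub that pretends two
# packages are absent so the script can be exercised offline.
if [ ! -x /usr/bin/pkginfo ]; then
  pkginfo() {
    case "$2" in
      SUNWhea|SUNWlibms) return 1 ;;   # pretend these are not installed
      *) return 0 ;;
    esac
  }
fi

# Usage: missing_packages pkg ...
# Prints the names of the packages that are not installed, space separated.
missing_packages() {
  missing=""
  for p in "$@"; do
    # pkginfo -q exits 0 if the package is installed, non-zero otherwise
    pkginfo -q "$p" || missing="$missing${missing:+ }$p"
  done
  echo "$missing"
}

# Usage: install_command pkg ...
# Prints the pkgadd command for the missing packages, or nothing if all are present.
install_command() {
  m=`missing_packages "$@"`
  [ -n "$m" ] && echo "pkgadd -d $PKGDIR $m"
  return 0
}

install_command $COMPILER_PKGS
```

Run it as root on the hardened host with the Solaris CD mounted; the printed pkgadd line is the only thing left to execute, and an empty result means the compilation environment is already complete.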

Other tips:

Further reading:


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

Sign up to get this digest and many others by email.

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 16 March, 2001