By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
None
Solaris SNMP to DMI mapper daemon vulnerability
Published by: Job de Haas on Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0175.htmlA worrying buffer overflow exists in the snmpXdmid daemon, that can lead to local and remote root compromise. No patches are available from Sun yet (they were informed one month ago), but this daemon can be disabled on most systems (I personally never leave it or the SNMP daemons running). One way of disabling it would be:
sh [start Bourne shell]
cd /etc;
for file in rc?.d/*dmi ; do
echo "Disabling $file";
mv $file .disabled.$file;
done# and stop DMI
/etc/init.d/init.dmi stopTo see if the DMI rpc daemon is running on a particular host on your network:
rpcinfo -p TARGET_HOST | grep 100249
The exact udp/tcp ports used by DMI vary from system to system, but tend to be around 32780 and higher. Therefore a port scanner could be used to collect a list of host publishing ports around this number and then rpcinfo used on each of these to verify the DMI presence.
Solaris 8 snmpd Vulnerability
Published by: Pablo Sor on Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0160.htmlDescription: The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root and contains a buffer overflow, the problem occurs when it copy his own name (argv[0]) to an internal variable without checking out its length and this causes the overflow.
Comment: This tool is only available as part of SUNWsspop package, used by the SSP (System Service Processor) machine of a Enterprise 10'000 machine. So it's unlikely to affect many systems. This attack also requires an account on the system (local exploit)
The Bugtraq database is very quiet these days.
In this section we aim to inform you of new patches published by Sun. Patches are published [on ftp://sunsolve.sun.com/pub/patches] in two ways:
We analyze both reports since changes in one are not always reflected in the other.
1. The latest Solaris 'Recommended & Security Patch clusters' are as follows:
Solaris 8 Mar/13/01:
111023-01 SunOS 5.8: /kernel/fs/mntfs and /kernel/fs/sparcv9/mntfs patch 68c69
109805-03 SunOS 5.8: pam_krb5.so.1 patch
110458-01 SunOS 5.8: libcurses patch
110934-01 SunOS 5.8: pkgtrans, pkgadd, pkgchk and libpkg.a patchSolaris 8_x86 Mar/13/01:
110459-01 SunOS 5.8_x86: libcurses patch
110076-01 SunOS 5.8_x86: /kernel/drv/devinfo patchSolaris 7 Mar/13/01:
110070-01 SunOS 5.7: security: libcurses:setupterm has buffer overflow
109797-01 SunOS 5.7: patch kernel/drv/stc for all packagesSolaris 2.6 Mar/12/01:
106415-04 OpenWindows 3.6: xdm patch 139a140
105405-03 SunOS 5.6: libcurses.a & libcurses.so.1 patch
105284-38 Motif 1.2.7: Runtime library patch
106625-10 SunOS 5.6: libsec.a, libsec.so.1 and /kernel/fs/ufs patchSolaris 2.5.1 Mar/09/01:
103640-35 SunOS 5.5.1: kernel, nisopaccess, & libthread patch
103696-05 SunOS 5.5.1: /sbin/su, /usr/bin/su and /sbin/sulogin patch
104490-06 SunOS 5.5.1: ufsdump and ufsrestore patch
104841-06 SunOS 5.5.1: /usr/sbin/vold patch
103461-35 Motif 1.2.3: Runtime library patch
104637-04 SunOS 5.5.1: /usr/ccs/lib/libcurses.a patch
2. New or updated individual security/recommended patches.
The patch reports a large number of changes in Solaris 2.6, probably due to formatting difference. Hence we've not been able to reliably detect changes for this week. Other Solaris versions don't seem to have changed.
Please tell us if you have suggestions or feedback on how we present this patch analysis.
UNIX IP Stack Tuning Guide v2.7
Rob Thomas
http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.htmlThe purpose of this document is to strengthen the UNIX IP stack against a variety of attack types prevalent on the Internet today. This document details the settings recommended for UNIX servers designed to provide network intensive services such as HTTP or routing (firewall services). This document covers the following UNIX variants: IBM AIX 4.3.X, Sun Solaris 7, Compaq Tru64 UNIX 5.X, HP HP-UX 11.0 (research ongoing), Linux kernel 2.2 (tested both SuSE Linux 7.0 and RedHat 7.0), FreeBSD and IRIX 6.5.10.
Comment: and interesting document, but if you intend using it, compare it with
tcp tuning under Solaris, by Jens-S. Vöckler
http://www.sean.de/Solaris
Hardening Solaris CSNC
Ivan Buelter
http://securityfocus.com/data/library/Hardening_Solaris_CSNC_V1.0.pdf
http://www.csnc.ch/download/sourcesThis is the latest version of "Hardening Solaris - Compass Security Draft" (as it was called in v0.82). A PDF document, it provides a step by step tutorial for creating a Solaris system resistant to various method of attack, based on the Titan scripts. Looks good but I've not tested it in detail. It does not reference Yassp (yet).
Just as interesting is a series on documents at the second URL on installing npasswd, tripwire, ssh2, arpwatch, tcpwrapper, swatch and documentation on Websphere hardening. The links to these documents don't currently work, but hopefully that's intermittent problem.
JumpStart for Solaris Systems
Ido Dubrawsky
http://securityfocus.com/focus/sun/articles/jumpstart.html
This article will examine the basics of JumpStart: what it is and what benefits it may provide to system administrators. It will also discuss how these benefits can be used to create bastion hosts to be deployed throughout the enterprise. The second article in this series will discuss the complete installation of the bastion mail server using the JumpStart Architecture and Security Scripts (JASS) toolkit.
Deconstructing DoS attacks
Sandra Henry-Stocker
http://www.sunworld.com/unixinsideronline/swol-03-2001/swol-0302-buildingblocks.htmlA brief overview of how a DoS attack works, how it differs from a DDoS attack, and what you can do to protect your system from both.
Solaris sockets, past and present: The socket filesystem, part 2
Jim Mauro
http://www.sunworld.com/unixinsideronline/swol-03-2001/swol-0309-insidesolaris.html
This second part concentrates on socket implementations post Solaris 2.6.
03/12/01 Starting ssh-agent from dtlogin
http://www.securityfocus.com/archive/92/16859103/07/01 PatchDiag Tool strangeness
http://www.securityfocus.com/archive/92/16774903/06/01 AV software for UNIX
http://www.securityfocus.com/archive/92/167748Note: as the links to the threats themselves are too long to be published, the above links directly point on the first message of each discussion.
Yassp beta 15 is still current.
Discussions this week:
FYI: tuning pages moved
http://www.theorygroup.com/Archive/YASSP/2001/msg00097.htmlSee also http://www.yassp.org
Security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include OpenSSL 0.9.6a, Stunnel, TrustedBSD and Apache.
Auditing and Intrusion Monitoring tools include 1 Snort tool, Nmap and 1 Nmap tool, PIKT, Chkrootkit, BigBrother, LIDS, Samhain..
Firewalls for UNIX/Linux/BSD & Cross-platform include FwLogWatch, Zorp, Fireparse, Dante, MonMotha's IPtables, IPtables Linux Firewall.
Tools for Linux/Unix/Cross Platform include Bastille Linux, Ngrep, Passwdd, SILC.
Tools for Windows include PwDump3e, Eraser and RPC tools.
Other tools:
Securely Erasing a Hard Drive with Perl
Mark Nielsen
http://www.linuxgazette.com/issue63/nielsen2.html
You need to compile some tools on a Sun, but the Sun has been already hardened. What packages need to be added to get a compilation environment?
The following Solaris packages need to be installed: SUNWbtool, SUNWsprot, SUNWtoo, SUNWhea, SUNWarc, SUNWlibm, SUNWlibms. The pkginfo tool can be used to check if these packages are installed, an error will be produced if the package is missing
% pkginfo SUNWbtool SUNWsprot SUNWtoo SUNWhea SUNWarc SUNWlibm SUNWlibms
system SUNWarc Archive Libraries
system SUNWbtool CCS tools bundled with SunOS
system SUNWhea SunOS Header Files
system SUNWlibm Sun WorkShop Bundled libm
system SUNWlibms Sun WorkShop Bundled shared libm
system SUNWsprot Solaris Bundled tools
system SUNWtoo Programming Tools
The missing packages can be added with pkgadd from the Solaris CD.
Other tips:
Further reading:
All weekly digests are archive at:
securityportal.com/research/research.digestarchives.html
Sign up to get this digest and many others by email.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
| © Copyright 2001, SecurityPortal Inc. & Seán .Boran, All Rights Reserved, Last Update: 16 March, 2001 |