By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
2001-03-15: Solaris snmpXdmid Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2417
We covered this last week; it is now listed in the Bugtraq database.
SunOS application perfmon vulnerability
Published by Hackers on Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0326.html
JSparm perfmon is not part of the Solaris base package. Through insecure file permissions it can be used to create root-owned files. Fix: disable the SUID bit.
The Bugtraq database is very quiet these days.
2001-03-15: Jelsoft vBulletin PHP Command Execution Vulnerability
http://www.securityfocus.com/bid/2474
2001-03-11: Ikonboard Remote File Disclosure Vulnerability
http://www.securityfocus.com/bid/2471
2001-03-09: Halflife Map Command Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2476
2001-03-09: Free Online Dictionary of Computing Remote File Viewing Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2484
2001-03-08: Elm Subject Line Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2470
Bugtraq email list:
Passive Analysis of SSH (Secure Shell) Traffic
Published by Openwall on Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0225.html
This advisory demonstrates several weaknesses in implementations of SSH (Secure Shell) protocols. When exploited, they let the attacker obtain sensitive information by passively monitoring encrypted SSH sessions. The information can later be used to speed up brute-force attacks on passwords, including the initial login password and other passwords appearing in interactive SSH sessions, such as those used with su(1) and Cisco IOS "enable" passwords.
Comment: This well-written analysis uses quite advanced techniques to gain information by analysing the traffic (packet sizes, frequency, etc.) transmitted by SSH. The weaknesses are not "critical", but demonstrate that encryption alone is not enough for a secure protocol. Thankfully, fixes have been proposed (and OpenSSH 2.5.2, which was released this week, includes them). On the negative side, more detailed analysis of SSH is to be expected in the future, and other weaknesses will probably arise. Therefore, consider implementing a procedure now for updating SSH on a periodic basis.
In this section we aim to inform you of new patches published by Sun. Patches are published [on ftp://sunsolve.sun.com/pub/patches] in two ways:
We analyze both reports since changes in one are not always reflected in the other.
1. The latest Solaris 'Recommended & Security Patch clusters' are as follows:
Solaris 8 Mar/21/01:
108968-04 SunOS 5.8: vol/vold/rmmount patch
110387-03 SunOS 5.8: ufssnapshots support, ufsdump patch
108981-05 SunOS 5.8: /kernel/drv/hme and /kernel/drv/sparcv9/hme patch
Solaris 8_x86 Mar/21/01:
108976-04 SunOS 5.8_x86: /usr/bin/rmformat and /usr/sbin/format patch
108876-08 SunOS 5.8_x86: c2audit patch
110919-01 SunOS 5.8_x86: /kernel/drv/openeepr patch
Solaris 7 Mar/22/01:
107709-10 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
107180-26 CDE 1.3: dtlogin patch
110869-01 SunOS 5.7: useradd, usermod do not handle some expiration dates
106942-14 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch
Solaris 2.6 Mar/21/01:
105181-26 SunOS 5.6: Kernel update patch
105566-10 CDE 1.2: calendar manager patch
105703-25 CDE 1.2: dtlogin patch
Solaris 2.5.1 Mar/09/01: no changes.
2. New or updated individual security/recommended patches.
105181-25 SunOS 5.6: Kernel update patch
106415-03 OpenWindows 3.6: xdm patch
107618-01 SunOS 5.6: Permissions problem in /vol.
107259-01 SunOS 5.7: /usr/sbin/vold patch
107709-07 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa patch
108529-05 SunOS 5.8_x86: kernel update patch
109897-03 SunOS 5.8_x86: USB patch
Please tell us if you have suggestions or feedback on how we present this patch analysis.
Asymmetric Warfare and Computer Technology
Ronald L. Mendell
http://securityportal.com/articles/asymmetricwarfare20010313.html
Trendy name: asymmetric means that the attacker expends far fewer resources than the victim spends defending himself.
http://www.sun.com/software/solaris/binaries/get.html
The Solaris CDs can now be downloaded (until now the CDs could be bought for $75.-).
As Sun say: Given the size of the download (800 Mbytes), we strongly recommend that this option be considered only by those with a fast connection (DSL, cable modem, or faster). All other customers should consider obtaining the Solaris media kit.
http://planetmirror.com/
A new, comprehensive download site for Linux, Sun, freeware, etc. for Asia/Australia.
Sun System Configuration Check Tool
http://www.sun.com/service/support/is/info.html
Sun System Configuration Check is an availability maintenance tool. It's completely web based and self administered. You can use it whenever and on whichever machine you need an exact snapshot report of critical system statistics including disk, operating system, patch and single point of failure data. Sun System Configuration Check is designed to help you prevent problems and troubleshoot faster and with greater accuracy.
Costs $150 for a single system. I've not tried it.
Passive Analysis of SSH (Secure Shell) Traffic
Openwall Project
http://www.linuxsecurity.com/articles/projects_article-2700.html
Realistic Expectations for Intrusion Detection Systems
by Richard Wiens
http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/expect.html
The emergence of IDSs causes some security commentators to see them as a panacea, solving all of the complex and diverse threats to network security. However, as does any weapon in the security arsenal, an IDS has limited capabilities. To expect too much of an IDS places the user's network at risk. This article will discuss reasonable expectations of Intrusion Detection Systems (IDSs).
SSH inventor denied trademark request
http://www.nwfusion.com/news/2001/0321ssh.html
..... As the Internet Engineering Task Force wraps up its work to standardize Secure Shell, Ylönen asked the group to change the protocol's acronym to Secsh or some other phrase to protect his company's trademarks and brand names. At a contentious meeting held here this week, the IETF's Secure Shell working group denied Ylönen's request, citing concerns that it would set a bad precedent for other trademark claims facing the standards-setting body......
Six Unix OS flavors run the gamut
http://www.sunworld.com/unixinsideronline/swol-01-2001/swol-0119-flavors.html
The sound of silence: Ideas for achieving a quiet work environment
Rich Morin
http://www.sunworld.com/unixinsideronline/swol-03-2001/swol-0316-silicon.html
Re: Sun's security patch process
http://www.securityfocus.com/archive/92/170194
This was a very interesting thread: first the severe shortcomings in Sun's bulletins and management of vulnerabilities/patches were noted by many, followed by promises from Sun to improve this in the future. Kudos to Sun for listening; let's hope that action follows up the words...
Re: Solaris with MD5 crypted passwords ?
http://www.securityfocus.com/archive/92/170192
Re: Starting ssh-agent from dtlogin
http://www.securityfocus.com/archive/92/169003
Yassp beta 15 is still current.
Discussions this week: none.
See also http://www.yassp.org
Security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include Mindterm SSH, OpenSSH, the Coroner Toolkit and Trusted BSD.
Auditing and Intrusion Monitoring tools include Snort attack scripts, NmapNT, WAP-Nmap, SAINT, NetSaint, LIDS, Chkrootkit, BigBrother, MergeLog, Samhain and 2 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include IPtables, IPfilter, IPtables Linux Firewall, Securepoint Firewall Server SB and 2 other tools.
Tools for Linux/Unix/Cross Platform include Bastille Linux, Squid, APG, NSA Security-enhanced Linux, Linux VPN, SILC, Libmcrypt, Saint Jude LKM and 4 other tools.
Tools for Windows include Winfingerprint.
Security related changes: Improved countermeasure against "Passive Analysis of SSH (Secure Shell) Traffic". The countermeasures introduced in earlier OpenSSH-2.5.x versions caused interoperability problems with some other implementations.
Improved countermeasure against "SSH protocol 1.5 session key recovery vulnerability".
The 'script' tool can be used to log all activity in an interactive login session.
For example, to run a few commands and have them appended to /var/tmp/script.log:
% script -a /var/tmp/script.log
Script started, file is /var/tmp/script.log
# pwd
/secure
# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/proc                      0       0       0     0%    /proc
/dev/dsk/c0t2d0s0    2054233 1261038  731569    64%    /
swap                  204800       8  204792     1%    /tmp
# exit
Script done, file is /var/tmp/script.log
Notes
To record everything a vendor does in a support account, put the following line in that account's .login, so that the whole session is logged and the login ends as soon as script exits:
/bin/script -a /var/tmp/script.$$.log; logout;
.login should only be writeable by root. This is not completely watertight, but if in parallel you do a 'tail -f' on the script log, you can follow what the vendor is doing and watch for attempts to manipulate the script file.
When the user logs in, a message "Script started, file is /var/tmp/script.log" will appear; I've not found a way of suppressing this, but it's probably good that the user is aware of the logging.
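As an added example (not from the digest), the two checks that go with the tip above: that the .login starting script is owned by the expected user and writable by nobody else, and a scan of a session log for lines that mention the log file itself, which are the ones to look at while following it with tail -f. It assumes POSIX sh with find(1), grep(1) and basename(1); the sample session log is constructed.

```shell
#!/bin/sh
# Added example, not from the digest: two checks around the 'script -a' tip.
# Assumes POSIX sh with find(1), grep(1) and basename(1); the session log
# below is constructed to look like script's output.

# The .login that starts 'script' must belong to the expected owner (root in
# the tip) and be writable by nobody else, or the logged user could edit it
# and switch logging off. Returns 0 when the file passes, 1 otherwise.
login_perms_ok() {
    f=$1 owner=${2:-root}
    [ -f "$f" ] || return 1
    # ! -user: wrong owner; -perm -020 / -002: group- or world-writable.
    # Any find error (e.g. unknown owner) is also treated as a failure.
    bad=$(find "$f" ! -user "$owner" -o -perm -020 -o -perm -002 2>&1)
    [ -z "$bad" ]
}

# Write a constructed session log in the format 'script' produces.
sample_log() {
    cat >"$1" <<'EOF'
Script started, file is /var/tmp/script.4711.log
# pwd
/secure
# ls -l /var/tmp/script.4711.log
-rw-r--r--   1 root     root         512 Mar 23 10:00 /var/tmp/script.4711.log
# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
# exit
Script done, file is /var/tmp/script.4711.log
EOF
}

# Lines of a session log that mention the log file itself, minus the two
# banner lines 'script' writes. While following the log with tail -f these
# are the lines to look at: they show the user touching the log.
log_self_refs() {
    name=$(basename "$1")
    grep -nF "$name" "$1" | grep -v -e 'Script started' -e 'Script done'
}

# Stand-alone demo on a temporary file named like the .login line creates.
demo=${TMPDIR:-/tmp}/script.4711.log
sample_log "$demo"
chmod 644 "$demo"
login_perms_ok "$demo" "$(id -un)" && echo "perms ok: $demo"
log_self_refs "$demo"
rm -f "$demo"
```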
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
Sign up to get this digest and many others by email.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved. Last Update: 23 March, 2001