Weekly Solaris Security Digest
2001/03/26 to 2001/04/01

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html



Rundown


Advisories and Security Bulletins


Sun/CERT Bulletins

None.


Solaris Vulnerabilities this Week

Vulnerability in Solaris tip(1)
Published by Pablo Sol on Bugtraq
http://www.securityportal.com/list-archive/bugtraq/2001/Mar/0417.html

Problem: Improper bounds checking on environment variables used by tip allows a buffer overflow, which could give an attacker uucp privileges (tip is setuid uucp). From uucp, an attacker may be able to go on to obtain root.
This is a local exploit; it requires an account on the host.
Workaround: Disable tip, or remove the setuid bit from /usr/bin/tip (chmod u-s /usr/bin/tip). Consequences: tip is typically used to access a serial line, e.g. for remote console access; with the setuid bit removed, only root will be able to use it. The cu command can be used as an alternative to tip (check its setuid bit too: on Solaris cu is normally also setuid uucp).
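The workaround above is a one-off chmod; the following is an added example (not from the Bugtraq post or the digest) that wraps the same check and fix in functions and goes one step further, listing every setuid file under a tree so you can apply the same decision to other setuid programs you do not need. It uses only ls, cut, find and chmod, so it runs under Solaris /bin/sh; the file names in the usage comment are the digest's, everything else is an assumption.

```shell
#!/bin/sh
# Added example: audit and clear the setuid bit, and list setuid files.

# has_setuid FILE -> exit 0 if the setuid bit is set, 1 otherwise.
has_setuid() {
    # 4th character of the ls(1) mode string is 's' when setuid is set
    # (or 'S' when the owner has no execute bit), e.g. -r-sr-xr-x
    mode=`ls -ld "$1" | cut -c4`
    case "$mode" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# clear_setuid FILE -> remove the setuid bit (the chmod u-s workaround)
clear_setuid() {
    chmod u-s "$1"
}

# setuid_files DIR -> print regular files under DIR with the setuid bit.
# -xdev stays on one filesystem, so NFS mounts are skipped when auditing /.
setuid_files() {
    find "$1" -xdev -type f -perm -4000 -print
}

# Usage on a real host (assumed paths from the advisory):
#   has_setuid /usr/bin/tip && clear_setuid /usr/bin/tip
#   setuid_files / > /var/tmp/setuid.list   # review against a known-good list
```

Keep the setuid list from a freshly installed host and diff new lists against it; a setuid binary appearing where none was before is worth a look.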

 

BIND

Note: please make sure your BIND DNS servers are up to date; the entire net is being aggressively scanned for vulnerable BIND hosts. You should be running 8.2.3 or later (BIND 8), or 9.1 or later (BIND 9).
BIND 8 hardening:
http://securityportal.com/cover/coverstory20001002.html
BIND 9 hardening (draft)
http://www.boran.com/security/sp/bind_hardening9.html
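As an added example (not from the digest or ISC), here is a small check that applies the minimum versions above to the string a server returns for a version.bind CHAOS query. The sample version strings in the test are constructed; the minimums (8.2.3, 9.1) come from the note above, and the dig invocation in the comment is the standard one. Many sites hide or fake version.bind with the version option in named.conf, so a current-looking answer is a hint, not proof.

```shell
#!/bin/sh
# Added example: does a BIND version string meet the digest's minimums?
# Obtain the string with:  dig @ns.example.com version.bind chaos txt +short
# (ns.example.com is a placeholder)

# bind_version_ok VERSION -> 0 if at/above the minimum for its major release,
#                            1 if it needs upgrading, 2 if unparseable/unknown.
bind_version_ok() {
    # Drop surrounding quotes and any suffix like -P5 or -REL, keeping a.b.c
    v=`printf '%s' "$1" | tr -d '"' | sed 's/[^0-9.].*$//'`
    set -- `echo "$v" | tr '.' ' '`
    major=$1; minor=${2:-0}; patch=${3:-0}
    [ -n "$major" ] || return 2
    case "$major" in
        8) min_minor=2; min_patch=3 ;;   # BIND 8: 8.2.3 or later
        9) min_minor=1; min_patch=0 ;;   # BIND 9: 9.1 or later
        *) return 2 ;;                   # BIND 4 etc.: not covered by the note
    esac
    if [ "$minor" -gt "$min_minor" ]; then return 0; fi
    if [ "$minor" -eq "$min_minor" ] && [ "$patch" -ge "$min_patch" ]; then
        return 0
    fi
    return 1
}

# Usage:
#   v=`dig @ns.example.com version.bind chaos txt +short`
#   bind_version_ok "$v" || echo "upgrade needed (reported: $v)"
```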


Vulnerabilities this Week — Third-party Applications:

2001-03-27: Anaconda Clipper Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2512

2001-03-26: VIM statusline Text-Embedded Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2510

2001-03-23: Akopia Interchange Sample Files Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2499

2001-03-22: Compaq Management Software Proxy Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2500

2001-03-20: FCheck Local Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2497

2001-03-19: SWSoft ASPSeek s.cgi Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2492



Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways: as the "Recommended & Security Patch clusters" (section 1 below) and as individual security/recommended patches (section 2 below).

We analyze both reports, since changes in one are not always reflected in the other.


1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 8_x86, Mar/29/01:

109182-02 SunOS 5.8_x86: /kernel/fs/cachefs patch
109321-01 SunOS 5.8_x86: LP patch
109329-01 SunOS 5.8_x86: ypserv and ypxfr patch
109471-02 CDE 1.4_x86: Actions Patch
110287-02 OpenWindows 3.6.2_x86: Tooltalk patch

Solaris 8, Mar/29/01:

108652-28 X11 6.4.1: Xsun patch
108981-06 SunOS 5.8: /kernel/drv/hme and /kernel/drv/sparcv9/hme patch
108827-08 SunOS 5.8: libthread patch
109887-03 SunOS 5.8: smartcard patch
109181-02 SunOS 5.8: /kernel/fs/cachefs patch
109328-01 SunOS 5.8: /usr/lib/netsvc/yp/ypserv and usr/lib/netsvc/yp/ypxfr patch
109470-02 CDE 1.4: Actions Patch
110286-02 OpenWindows 3.6.2: Tooltalk patch

Solaris 7, Mar/29/01:     

106793-07 SunOS 5.7: ufsdump and ufsrestore patch
107972-02 SunOS 5.7: /usr/sbin/static/rcp patch
107475-02 SunOS 5.7: /usr/sbin/in.telnetd patch
106925-06 SunOS 5.7: glm driver patch
107148-08 SunOS 5.7: /kernel/fs/cachefs patch
107149-07 SunOS 5.7_x86: /kernel/fs/cachefs patch
107469-08 SunOS 5.7: sf & socal drivers patch
107841-02 SunOS 5.7: rpcsec patch
108451-05 SunOS 5.7: rpcmod patch
107834-03 SunOS 5.7: dkio.h & commands.h patch
107458-12 SunOS 5.7: dad, sd, ssd, uata drivers patch

Solaris 2.6, Mar/29/01:

105356-17 SunOS 5.6: /kernel/drv/ssd and /kernel/drv/sd patch
105375-26 SunOS 5.6: sf & socal driver patch
105741-08 SunOS 5.6: /kernel/drv/ecpp patch
105529-11 SunOS 5.6: /kernel/drv/tcp patch
105847-09 SunOS 5.6: /kernel/drv/st.conf and /kernel/drv/st patch
105792-06 SunOS 5.6: /usr/sbin/tar patch
105693-09 SunOS 5.6: cachefs patch

Solaris 2.5.1, Mar/27/01: the cluster date changed, but no patches were added or updated.


2. New or updated individual security/recommended patches.

none.
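To turn the cluster lists above into an action item on a live host, here is an added example (not from the digest or from Sun) that compares a list of required patch IDs against the output of showrev -p. A patch ID is base-revision (e.g. 108652-28); the check takes the highest installed revision of each base, because showrev -p can list several revisions of one patch. Both lists below are constructed sample data; on a real host set INSTALLED to the output of showrev -p and REQUIRED to the IDs from the cluster.

```shell
#!/bin/sh
# Added example: which cluster patches are missing or outdated on this host?

# Patch IDs from a cluster listing (constructed sample, taken from the
# Solaris 8 list above)
REQUIRED='108652-28
108827-08
109887-03
109181-02'

# Constructed sample in the format of `showrev -p`; on a real host use
#   INSTALLED=`showrev -p`
INSTALLED='Patch: 108652-28 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwplt
Patch: 108827-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109181-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# installed_rev BASE -> print the highest installed revision of patch BASE
# (two digits), or nothing if it is not installed.
installed_rev() {
    printf '%s\n' "$INSTALLED" | awk -v base="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > best) best = p[2] + 0
        }
        END { if (best > 0) printf "%02d\n", best }'
}

# missing_patches -> one line per required patch that is absent or at a
# lower revision than required.
missing_patches() {
    printf '%s\n' "$REQUIRED" | while IFS=- read base rev; do
        have=`installed_rev "$base"`
        if [ -z "$have" ]; then
            echo "$base-$rev MISSING"
        elif [ "$have" -lt "$rev" ]; then
            echo "$base-$rev OUTDATED (have $base-$have)"
        fi
    done
}

missing_patches
```

Run it after applying a cluster as well as before: a patch that failed to install (wrong architecture, missing package) shows up as MISSING even though the cluster install script reported completion.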


Please tell us if you have suggestions or feedback on how we present this patch analysis.



News & Articles

SecurityPortal

Developing a Successful Information Security Process Part One: Risk Assessments
John D. Johnson
http://securityportal.com/articles/risk20010329.html


Sun BigAdmin

Discuss Sun Cluster Environment
http://www.sun.com/presents/discussions/disc-032701/

Take this opportunity to ask your questions relating to Sun Cluster Environment and the content of this soon to be published book

What does Sun Patch Check do for me?
http://www.sun.com/service/support/is/patch.html

Sun Patch Check is a proactive service that helps you stay current on Solaris Operating Environment patches. It analyzes which patches are installed and which are needed on any given system with the Solaris Operating Environment. If you have a SunSpectrum contract, you can select patches for downloading. The selected patches are downloaded into a single compressed file.

 

Maintaining Network Separation with Trusted Solaris 8 Operating Environment
Glenn Faden
http://www.sun.com/blueprints/0301/MainNet.html

This article describes how MAC can be used to provide concurrent access to two isolated networks without compromising that separation. The reader is assumed to be familiar with network administration in the Solaris Operating Environment (Solaris OE) and have a general familiarity with trusted systems.

 

LinuxSecurity

Comments on 'Building a Bridging Firewall with Linux'
http://www.linuxsecurity.com/articles/firewalls_article-2697.html

Apparently this article, which we listed a week or two ago, has quite a few errors in it.

 

Ten Key Steps to Protection from Denial Of Service Attacks
http://enterprisesecurity.symantec.com/article.cfm?articleID=659&PID=3563283&EID=84

 

Cryptography is not the Ultimate Solution
Rik Farrow
http://www.spirit.com/Network/net1299.txt

Cryptography has an important and growing position in Internet security, as well as a long way to go yet. Sadly, we already know how to use encryption safely, but it is the implementation that escapes us. The devil is in the details.

 

Does open source mean an open door?
Natalie Walker Whitlock
http://www-106.ibm.com/developerworks/linux/library/l-oss.html?open&l=252,t=gr,p=SecImpOS

"... open source code is only as good as the skill of those who review it ..."

 

Considerations of a firewall: Part 1
Laura Taylor
http://www.zdnetasia.com/biztech/security/story/0%2C2000010816%2C20192642%2C00.htm

If you're upgrading your firewall, or installing one on your network for the first time, you'll discover that firewall technology has changed a lot in the last several years. How do you select one that's appropriate for your business?


Unix Insider

suEXEC keeps you in control of your systems
Jamie Wilson
http://www.unixinsider.com/unixinsideronline/swol-03-2001/swol-0323-suexec.html

Explains how the Apache Web server's suEXEC module can be used to improve cgi security.


Information Security Magazine

Open source security
Pete Loshin
http://www.infosecuritymag.com/articles/march01/features1_open_source_sec.shtml

Vendors are increasingly including open-source components in their commercial products. What impact does this trend have on product security?

 

Java Security meets Smartcards
Gary McGraw
http://www.infosecuritymag.com/articles/march01/cover.shtml

 

Cracker Exploits
Ken Brandt, Stu Green & Enrique Zuniga
http://www.infosecuritymag.com/articles/march01/features4_battle_plans.shtml

An outline of a few of the common exploits that all infosec professionals should know and will likely encounter in their careers.

BSD Today

Comparison of Client Methods to Block Spam
Robert Haskins
http://www.unixreview.com/administration/articles/0103wa.shtml

While there are methods to address UCE at the server, legal, and mail client levels, the individual has only one way to deal with spam: through their mail client software. In this article, I will introduce various means of combating junk email.

 

Inside Solaris: Reviewing your X Window security
Boris Loza
http://www.elementkjournals.com/sun/0104/sun0141.htm

A very good article on how to attack and defend the X Window System.


Mailing Lists

Focus-Sun Discussions Threads

03/30/01 Re: Some interfaces are not filterable on Solaris!
http://www.securityfocus.com/archive/92/172446

03/29/01 Re: Sun's security patch process
http://www.securityfocus.com/archive/92/172449

 

YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week: none.


Security Tools

Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html  

Updates to General free tools this week include TTSSH, OpenSSH, OpenSSL, PureTLS, TrustedBSD and Linux Kernel.

Auditing and Intrusion Monitoring tools include Snort, ACID, SCRAM, SAINT, SARA, Chkrootkit, PIKT, LIDS, BigBrother and 3 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, IPtables Linux Firewall and rTables Linux Firewall.

Tools for Linux/Unix/Cross Platform include Bastille Linux, SILC, Openwall Linux kernel patch and 4 other tools.

Tools for Windows include PatchWork, DumpReg, DumpSec, PromiScan and WinPcap.

Other Tools

BIND 9.1.1 has been released. This is a maintenance release, fixing a number of bugs in BIND 9.1.0. There are no new features.
www.isc.org


Tip of the Week: strip

The strip command is great for reducing the size of binary files.

As the man page for strip(1) says:

The strip command removes the symbol table, debugging information, and line number information from ELF object files. Once this stripping process has been done, no symbolic debugging access will be available for that file; therefore, this command is normally run only on production modules that have been debugged and tested.

Why is this useful? Mainly disk space: as the BIND example below shows, a stripped binary can be a fraction of the size of the unstripped one, which matters when you package a distribution for production servers. Stripping removes only the symbol table and debugging information; the program's behaviour is unchanged, but the binary can no longer be debugged symbolically, so strip the copies you deploy, not your build tree.

OK, how do we use strip?

strip is in /usr/ccs/bin; if it's not there, you need to install the SUNWbtool package.

Using the BIND 9 distribution as an example, I noticed that the program binaries are very big:

% cd bin
% ls -l
total 52762
drwxr-x--- 2 boran other 512 Mar 8 16:37 ./
drwx------ 6 boran other 512 Mar 29 11:32 ../
-rwxr-x--- 1 boran other 6755108 Mar 8 16:37 dig
-rwxr-x--- 1 boran other 6758872 Mar 8 16:37 host
-rwxr-x--- 1 boran other 2489 Mar 8 16:37 isc-config.sh
-rwxr-x--- 1 boran other 6750772 Mar 8 16:37 nslookup
-rwxr-x--- 1 boran other 6689948 Mar 8 16:37 nsupdate

So let's strip these files and check the new size:

% /usr/ccs/bin/strip *
/usr/ccs/bin/strip: isc-config.sh: invalid file type

% ls -al
total 10202
drwxr-x--- 2 boran other 512 Mar 8 16:37 ./
drwx------ 6 boran other 512 Mar 29 11:32 ../
-rwxr-x--- 1 boran other 1301616 Mar 29 11:35 dig
-rwxr-x--- 1 boran other 1295640 Mar 29 11:35 host
-rwxr-x--- 1 boran other 2489 Mar 8 16:37 isc-config.sh
-rwxr-x--- 1 boran other 1297936 Mar 29 11:35 nslookup
-rwxr-x--- 1 boran other 1275160 Mar 29 11:35 nsupdate

strip complains about isc-config.sh, which is fair enough: it's a shell script, not an ELF binary, and so it cannot be stripped. We've saved over 20MB on these four files alone!

Going back to the BIND example above, by stripping all binaries and also deleting the include directory (which is not needed on a production server), the uncompressed distribution was reduced from 90MB to 25MB. Compression with gzip further reduced this to a manageable 8MB tarball.
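Running strip * as above trips over anything that is not an ELF object. The following is an added example (not from the digest) that looks at the four magic bytes of each file first, so scripts and data files are left alone, and reports the size before and after for each file it strips. It uses od, find, wc and strip; set STRIP=/usr/ccs/bin/strip on Solaris, as the path and the sample files in the test are assumptions.

```shell
#!/bin/sh
# Added example: strip only the ELF files under a directory.

# is_elf FILE -> exit 0 if FILE starts with the ELF magic 0x7f 'E' 'L' 'F'
is_elf() {
    magic=`od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n'`
    [ "$magic" = "7f454c46" ]
}

# elf_files DIR -> print the regular files under DIR that are ELF objects
elf_files() {
    find "$1" -type f | while read f; do
        if is_elf "$f"; then printf '%s\n' "$f"; fi
    done
}

# strip_elf_files DIR -> strip each ELF file under DIR and report sizes.
# Shell scripts such as isc-config.sh are skipped rather than erroring.
strip_elf_files() {
    STRIP=${STRIP:-strip}           # /usr/ccs/bin/strip on Solaris
    elf_files "$1" | while read f; do
        before=`wc -c < "$f"`
        "$STRIP" "$f"
        after=`wc -c < "$f"`
        echo "$f: $before -> $after bytes"
    done
}

# Usage:
#   STRIP=/usr/ccs/bin/strip strip_elf_files bin
```

Strip a copy, not the only build you have: once the symbols are gone you cannot get them back, and a core file from a stripped daemon is much harder to read.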

If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

