By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
None.
Vulnerability in Solaris tip(1)
Published by Pablo Sol on Bugtraq
http://www.securityportal.com/list-archive/bugtraq/2001/Mar/0417.html
Problem: Due to improper bounds checking on environment variables used by 'tip', a buffer overflow may occur, which could give an attacker uucp access (since tip is SUID uucp). An attacker may be able to achieve root access from the elevated uucp level.
This is a local exploit that requires an account on the host.
Workaround: Disable tip, or remove the setuid bit from /usr/bin/tip (chmod u-s /usr/bin/tip).
Consequences: tip is typically used to access the serial line, e.g. for remote console access. If the setuid bit is removed, only root will be able to use 'tip'. The 'cu' command can also be used as an alternative to tip.
BIND
Note: please make sure your BIND DNS servers are up to date; the entire net is being aggressively scanned for vulnerable BIND hosts. You should be running v8.2.3 or v9.1 or later.
BIND 8 hardening:
http://securityportal.com/cover/coverstory20001002.html
BIND 9 hardening (draft)
http://www.boran.com/security/sp/bind_hardening9.html
2001-03-27: Anaconda Clipper Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2512
2001-03-26: VIM statusline Text-Embedded Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2510
2001-03-23: Akopia Interchange Sample Files Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2499
2001-03-22: Compaq Management Software Proxy Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2500
2001-03-20: FCheck Local Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2497
2001-03-19: SWSoft ASPSeek s.cgi Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2492
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
1. The latest Solaris "Recommended & Security Patch clusters" are as follows:
Solaris 8_x86, Mar/29/01:
109182-02 SunOS 5.8_x86: /kernel/fs/cachefs patch
109321-01 SunOS 5.8_x86: LP patch
109329-01 SunOS 5.8_x86: ypserv and ypxfr patch
109471-02 CDE 1.4_x86: Actions Patch
110287-02 OpenWindows 3.6.2_x86: Tooltalk patch
Solaris 8, Mar/29/01:
108652-28 X11 6.4.1: Xsun patch
108981-06 SunOS 5.8: /kernel/drv/hme and /kernel/drv/sparcv9/hme patch
108827-08 SunOS 5.8: libthread patch
109887-03 SunOS 5.8: smartcard patch
109181-02 SunOS 5.8: /kernel/fs/cachefs patch
109328-01 SunOS 5.8: /usr/lib/netsvc/yp/ypserv and usr/lib/netsvc/yp/ypxfr patch
109470-02 CDE 1.4: Actions Patch
110286-02 OpenWindows 3.6.2: Tooltalk patch
Solaris 7, Mar/29/01:
106793-07 SunOS 5.7: ufsdump and ufsrestore patch
107972-02 SunOS 5.7: /usr/sbin/static/rcp patch
107475-02 SunOS 5.7: /usr/sbin/in.telnetd patch
106925-06 SunOS 5.7: glm driver patch
107148-08 SunOS 5.7: /kernel/fs/cachefs patch
107149-07 SunOS 5.7_x86: /kernel/fs/cachefs patch
107469-08 SunOS 5.7: sf & socal drivers patch
107841-02 SunOS 5.7: rpcsec patch
108451-05 SunOS 5.7: rpcmod patch
107834-03 SunOS 5.7: dkio.h & commands.h patch
107458-12 SunOS 5.7: dad, sd, ssd, uata drivers patch
Solaris 2.6, Mar/29/01:
105356-17 SunOS 5.6: /kernel/drv/ssd and /kernel/drv/sd patch
105375-26 SunOS 5.6: sf & socal driver patch
105741-08 SunOS 5.6: /kernel/drv/ecpp patch
105529-11 SunOS 5.6: /kernel/drv/tcp patch
105847-09 SunOS 5.6: /kernel/drv/st.conf and /kernel/drv/st patch
105792-06 SunOS 5.6: /usr/sbin/tar patch
105693-09 SunOS 5.6: cachefs patch
Solaris 2.5.1, Mar/27/01: Date changed
No changes.
2. New or updated individual security/recommended patches.
none.
Please tell us if you have suggestions or feedback on
how we present this patch analysis.
Developing a Successful Information Security Process Part One: Risk Assessments
John D. Johnson
http://securityportal.com/articles/risk20010329.html
Discuss Sun Cluster Environment
http://www.sun.com/presents/discussions/disc-032701/
Take this opportunity to ask your questions relating to Sun Cluster Environment and the content of this soon to be published book.
What does Sun Patch Check do for me?
http://www.sun.com/service/support/is/patch.html
Sun Patch Check is a proactive service that helps you stay current on Solaris Operating Environment patches. It analyzes which patches are installed and which are needed on any given system with the Solaris Operating Environment. If you have a SunSpectrum contract, you can select patches for downloading. The selected patches are downloaded into a single compressed file.
Maintaining Network Separation with Trusted Solaris 8 Operating Environment
Glenn Faden
http://www.sun.com/blueprints/0301/MainNet.html
This article describes how MAC can be used to provide concurrent access to two isolated networks without compromising that separation. The reader is assumed to be familiar with network administration in the Solaris Operating Environment (Solaris OE) and have a general familiarity with trusted systems.
Comments on 'Building a Bridging Firewall with Linux'
http://www.linuxsecurity.com/articles/firewalls_article-2697.html
Apparently this article, which we listed a week or two ago, has quite a few errors in it.
Ten Key Steps to Protection from Denial Of Service Attacks
http://enterprisesecurity.symantec.com/article.cfm?articleID=659&PID=3563283&EID=84
Cryptography is not the Ultimate Solution
Rik Farrow
http://www.spirit.com/Network/net1299.txt
Cryptography has an important and growing position in Internet security, as well as a long way to go yet. Sadly, we already know how to use encryption safely, but it is the implementation that escapes us. The devil is in the details.
Does open source mean an open door?
Natalie Walker Whitlock
http://www-106.ibm.com/developerworks/linux/library/l-oss.html?open&l=252,t=gr,p=SecImpOS
"... open source code is only as good as the skill of those who review it ..."
Considerations of a firewall: Part 1
Laura Taylor
http://www.zdnetasia.com/biztech/security/story/0%2C2000010816%2C20192642%2C00.htm
If you're upgrading your firewall, or installing one on your network for the first time, you'll discover that firewall technology has changed a lot in the last several years. How do you select one that's appropriate for your business?
suEXEC keeps you in control of your systems
Jamie Wilson
http://www.unixinsider.com/unixinsideronline/swol-03-2001/swol-0323-suexec.html
Explains how the Apache Web server's suEXEC module can be used to improve CGI security.
Open source security
Pete Loshin
http://www.infosecuritymag.com/articles/march01/features1_open_source_sec.shtml
Vendors are increasingly including open-source components in their commercial products. What impact does this trend have on product security?
Java Security meets Smartcards
Gary McGraw
http://www.infosecuritymag.com/articles/march01/cover.shtml
Cracker Exploits
Ken Brandt, Stu Green & Enrique Zuniga
http://www.infosecuritymag.com/articles/march01/features4_battle_plans.shtml
An outline of a few of the common exploits that all infosec professionals should know and will likely encounter in their careers.
Comparison of Client Methods to Block Spam
Robert Haskins
http://www.unixreview.com/administration/articles/0103wa.shtml
While there are methods to address UCE at the server, legal, and mail client levels, the individual has only one way to deal with spam: through their mail client software. In this article, I will introduce various means of combating junk email.
Inside Solaris: Reviewing your X Window security
Boris Loza
http://www.elementkjournals.com/sun/0104/sun0141.htm
This is a very good article on how to attack and defend X Windows.
03/30/01 Re: Some interfaces are not filterable on Solaris!
http://www.securityfocus.com/archive/92/172446
03/29/01 Re: Sun's security patch process
http://www.securityfocus.com/archive/92/172449
YASSP beta 15 is still current. See also http://www.yassp.org.
Discussions this week: none.
Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include TTSSH, OpenSSH, OpenSSL, PureTLS, TrustedBSD and Linux Kernel.
Auditing and Intrusion Monitoring tools include Snort, ACID, SCRAM, SAINT, SARA, Chkrootkit, PIKT, LIDS, BigBrother and 3 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, IPtables Linux Firewall and rTables Linux Firewall.
Tools for Linux/Unix/Cross Platform include Bastille Linux, SILC, Openwall Linux kernel patch and 4 other tools.
Tools for Windows include PatchWork, DumpReg, DumpSec, PromiScan and WinPcap.
BIND 9.1.1 has been released. This is a maintenance release, fixing a number of bugs in BIND 9.1.0. There are no new features.
www.isc.org
The strip command is great for reducing the size of binary files.
As the man page for strip(1) says:
The strip command removes the symbol table, debugging information, and line number information from ELF object files. Once this stripping process has been done, no symbolic debugging access will be available for that file; therefore, this command is normally run only on production modules that have been debugged and tested.
Why is this useful?
OK, how do we use strip?
Strip is in /usr/ccs/bin; if it's not there, you need to install the SUNWbtool package.
Using the BIND 9 distribution as an example, I noticed that the program binaries are very big:
% cd bin
% ls -l
total 52762
drwxr-x--- 2 boran other 512 Mar 8 16:37 ./
drwx------ 6 boran other 512 Mar 29 11:32 ../
-rwxr-x--- 1 boran other 6755108 Mar 8 16:37 dig
-rwxr-x--- 1 boran other 6758872 Mar 8 16:37 host
-rwxr-x--- 1 boran other 2489 Mar 8 16:37 isc-config.sh
-rwxr-x--- 1 boran other 6750772 Mar 8 16:37 nslookup
-rwxr-x--- 1 boran other 6689948 Mar 8 16:37 nsupdate
So let's strip these files and check the new size:
% /usr/ccs/bin/strip *
/usr/ccs/bin/strip: isc-config.sh: invalid file type
% ls -al
total 10202
drwxr-x--- 2 boran other 512 Mar 8 16:37 ./
drwx------ 6 boran other 512 Mar 29 11:32 ../
-rwxr-x--- 1 boran other 1301616 Mar 29 11:35 dig
-rwxr-x--- 1 boran other 1295640 Mar 29 11:35 host
-rwxr-x--- 1 boran other 2489 Mar 8 16:37 isc-config.sh
-rwxr-x--- 1 boran other 1297936 Mar 29 11:35 nslookup
-rwxr-x--- 1 boran other 1275160 Mar 29 11:35 nsupdate
Strip complains about isc-config.sh, which is fair enough: it's a shell script, not an ELF binary, and so it cannot be stripped. We've saved 20MB on these four files alone!
Going back to the BIND example above, by stripping all binaries and also deleting the include directory (which is not needed on a production server), the uncompressed distribution was reduced from 90MB to 25MB. Compression with gzip further reduced this to a manageable 8MB tarball.
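The following shell script is an added example, not part of the original digest. It strips only files that begin with the ELF magic bytes, so a wildcard run no longer trips over scripts such as isc-config.sh, and it reports the bytes saved; the function names and the fallback to a strip found on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not from the original digest.
# STRIP defaults to the Solaris path the digest uses; falling back to a
# "strip" found on PATH is an assumption for other systems.
STRIP=${STRIP:-/usr/ccs/bin/strip}
[ -x "$STRIP" ] || STRIP=strip

# is_elf FILE: succeed only for a regular file that starts with the
# ELF magic bytes 0x7f 'E' 'L' 'F'.
is_elf() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# elf_files DIR: print the ELF files directly inside DIR, one per line.
elf_files() {
    for f in "$1"/*; do
        if is_elf "$f"; then printf '%s\n' "$f"; fi
    done
}

# elf_bytes DIR: total size in bytes of the ELF files in DIR.
elf_bytes() {
    total=0
    for f in "$1"/*; do
        if is_elf "$f"; then total=$((total + $(wc -c < "$f"))); fi
    done
    printf '%s\n' "$total"
}

# strip_dir DIR: strip every ELF file in DIR and report the space saved.
strip_dir() {
    before=$(elf_bytes "$1")
    for f in "$1"/*; do
        if is_elf "$f"; then "$STRIP" "$f" || echo "strip failed: $f" >&2; fi
    done
    after=$(elf_bytes "$1")
    echo "ELF bytes before: $before  after: $after  saved: $((before - after))"
}

# Run only when a directory is given, e.g.: sh strip-elf.sh ./bin
if [ $# -gt 0 ]; then strip_dir "$1"; fi
```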
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.