Weekly Solaris Security Digest
2001/04/01 to 2001/04/08

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html



Rundown


Security Bulletins and Vulnerabilities


Security Bulletins

No Bulletins for Solaris, but you may be interested in reading up on the Linux Adore worm, which, like the Lion and Ramen worms, could be modified to propagate via Solaris.
http://www.sans.org/y2k/adore.htm


Solaris Vulnerabilities this Week

2001-03-27: Solaris tip Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2475

This was covered last week; it is now in the Bugtraq database. Sun are working on a patch, and an exploit has been released.


Vulnerabilities this Week — Third-party Applications:

Bugtraq database:

2001-03-28: Apache Tomcat 3.0 Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2518

2001-03-28: Multiple Vendor URL JSP Request Source Code Disclosure Vulnerability (Tomcat)
http://securityfocus.com/vdb/bottom.html?vid=2527


Hot off the Bugtraq email list:

ntpd remote root exploit
Przemyslaw Frasunek
http://archives.neohapsis.com/archives/bugtraq/2001-04/0041.html

The Network Time Protocol daemon (ntpd) shipped with many systems is vulnerable to a remote buffer overflow attack. Since ntpd usually runs as root, remote root access to the time server is possible. FreeBSD has been verified as vulnerable; other systems probably are too.
Workarounds: block incoming NTP traffic from the Internet, or, if ntpd runs on a machine only as a client, refuse remote requests by adding the following line to /etc/ntp.conf or /etc/inet/ntp.conf:
restrict default ignore



Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.
  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.


1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Mar/27/01:

No changes.

Solaris 2.6, Mar/30/01:

105401-31 SunOS 5.6: libnsl and NIS+ commands patch

Solaris 7, Mar/29/01:

No changes.

Solaris 8, Apr/02/01:

110283-03 SunOS 5.8: mkfs and newfs patch
111071-01 SunOS 5.8: cu patch
110670-01 SunOS 5.8: usr/sbin/static/rcp patch
109091-04 SunOS 5.8: /usr/lib/fs/ufs/ufsrestore patch
110668-01 SunOS 5.8: /usr/sbin/in.telnetd patch
108989-02 SunOS 5.8: /usr/kernel/sys/acctctl and /usr/kernel/sys/exacctsys patch
109893-02 SunOS 5.8: stc driver patch
108991-06 SunOS 5.8: libc and watchmalloc patch

Solaris 8_x86, Apr/02/01:

110284-03 SunOS 5.8_x86: mkfs and newfs patch
109899-02 SunOS 5.8_x86: /kernel/drv/arp patch
111072-01 SunOS 5.8_x86: cu patch
110671-01 SunOS 5.8_x86: usr/sbin/static/rcp patch
110669-01 SunOS 5.8_x86: /usr/sbin/in.telnetd patch
109092-04 SunOS 5.8_x86: /usr/lib/fs/ufs/ufsrestore patch
108990-02 SunOS 5.8_x86: acctctl & exacctsys patch
108980-09 SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
109897-04 SunOS 5.8_x86: USB patch
108992-06 SunOS 5.8_x86: libc and watchmalloc patch


2. New or updated individual security/recommended patches.

105181-26 SunOS 5.6: Kernel update patch
105401-31 SunOS 5.6: libnsl and NIS+ commands patch
105405-03 * SunOS 5.6: libcurses.a & libcurses.so.1 patch
105529-11 SunOS 5.6: /kernel/drv/tcp patch
105566-10 CDE 1.2: calendar manager patch
105633-51 OpenWindows 3.6: Xsun patch
105667-03 SunOS 5.6: /usr/bin/rdist patch
105703-25 CDE 1.2: dtlogin patch
106415-04 OpenWindows 3.6: xdm patch
106625-10 SunOS 5.6: libsec.a, libsec.so.1 and /kernel/fs/ufs patch
107618-02 SunOS 5.6: patch /usr/sbin/vold
109339-02 SunOS 5.6: nscd's size grows - TTL values not implemented

106541-15 SunOS 5.7: Kernel update patch
106793-07 SunOS 5.7: ufsdump and ufsrestore patch
106942-14 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch
107022-07 CDE 1.3: Calendar Manager patch
107180-26 CDE 1.3: dtlogin patch
107259-02 SunOS 5.7: /usr/sbin/vold patch
107475-02 SunOS 5.7: /usr/sbin/in.telnetd patch
107709-10 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
107893-11 OpenWindows 3.6.1: Tooltalk patch
107972-02 SunOS 5.7: /usr/sbin/static/rcp patch
110070-01 SunOS 5.7: security: libcurses:setupterm has buffer overflow
110869-01 SunOS 5.7: useradd, usermod do not handle some expiration dates

108968-04 SunOS 5.8: vol/vold/rmmount patch
108991-06 SunOS 5.8: libc and watchmalloc patch
109041-03 SunOS 5.8: sockfs patch
109091-04 SunOS 5.8: /usr/lib/fs/ufs/ufsrestore patch
109279-08 SunOS 5.8: /kernel/drv/ip patch
109805-03 SunOS 5.8: pam_krb5.so.1 patch
109887-03 SunOS 5.8: smartcard patch
109892-03 SunOS 5.8: ecpp patch
109893-02 SunOS 5.8: stc driver patch
109896-04 SunOS 5.8: USB patch
110068-02 * CDE 1.4: PDASync patch
110075-01 SunOS 5.8: /kernel/drv/devinfo and /kernel/drv/sparcv9/devinfo patch
110387-03 * SunOS 5.8: ufssnapshots support, ufsdump patch
110458-01 SunOS 5.8: libcurses patch
110668-01 SunOS 5.8: /usr/sbin/in.telnetd patch
110670-01 SunOS 5.8: usr/sbin/static/rcp patch
111071-01 SunOS 5.8: cu patch

108529-06 SunOS 5.8_x86: kernel update patch
108876-08 SunOS 5.8_x86: c2audit patch
108976-04 SunOS 5.8_x86: /usr/bin/rmformat and /usr/sbin/format patch
108980-09 * SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
108992-06 * SunOS 5.8_x86: libc and watchmalloc patch
109042-03 SunOS 5.8_x86: sockfs patch
109092-04 SunOS 5.8_x86: /usr/lib/fs/ufs/ufsrestore patch
109280-08 SunOS 5.8_x86: /kernel/drv/ip patch
109321-01 SunOS 5.8_x86: LP patch
109897-04 SunOS 5.8_x86: USB patch
110069-02 * CDE 1.4_x86: PDASync patch
110076-01 * SunOS 5.8_x86: /kernel/drv/devinfo patch
110459-01 SunOS 5.8_x86: libcurses patch
110669-01 SunOS 5.8_x86: /usr/sbin/in.telnetd patch
110671-01 SunOS 5.8_x86: usr/sbin/static/rcp patch
110899-01 SunOS 5.8_x86: csh/pfcsh patch
111072-01 SunOS 5.8_x86: cu patch


Please tell us if you have suggestions or feedback on how we present this patch analysis.



News & Articles

FreeOS: Samba NT Domain Controller
http://www.freeos.com/articles/3842


Currently, Samba can go beyond merely emulating Windows shares to actually acting as the Primary Domain Controller for your Windows network. Of course, Samba can also become a NT domain member. In this article we look at both these options.

Daemonnews

Help, I've Fallen
http://www.daemonnews.org/200104/answerman.html

We don't claim that after reading this column you'll be a perl expert, but this will give you a taste of what perl is all about.
Comment: a useful introduction to perl, with examples, if you've not yet taken the plunge.



Unix Insider

Security lies in employees' heads - Good habits are more valuable than expensive firewalls
Deb Zaborav
http://www.itworld.com/Man/3875/UIR010330unixsecurity


A message to Unix Insider readers
http://www.itworld.com/Comp/2402/UIR010330message

As you have discovered, the content of Unix Insider has found a new home in its sister publication, ITworld.com.....


DDJ

Web Applications as Java Servlets, Just say no to JSP
Brad Cox
http://www.ddj.com/articles/2001/0105/0105i/0105i.htm


Information Security Magazine

Improving Apache
Gary Bahadur & Mike Shema
http://www.infosecuritymag.com/articles/april01/features1_web_server_sec.shtml

A comprehensive look at running Apache securely.


Access Control
Mandy Andress
http://www.infosecuritymag.com/articles/april01/cover.shtml

An analysis of strong authentication methods for a specific company. Interesting read.

Security Focus

Chasing the Wind, Episode Five: The Devil in the Details
Robert G. Ferrell
http://www.securityfocus.com/frames/?focus=ih&content=/focus/ih/articles/chasing5.html

A great read.


O'Reilly Network

Securing a PHP Installation
Darrell Brogdon
http://www.oreillynet.com/pub/a/php/2001/03/29/php_admin.html


LinuxSecurity.com

On getting cracked and recovering with NMAP
Joe Barr
http://www.itworld.com/Sec/2202/LWD010404vcontrol1/

Call it baud karma. Call it carelessness. Call it inevitable. I was 0wn3d and didn't know it........


Lion Internet Worm Analysis
Max Vision
http://whitehats.com/library/worms/lion/


NetworkMagazine

Vulnerability Assessment Tools
http://www.networkmagazine.com/article/NMG20010321S0005


Mailing Lists

Focus-Sun Discussions Threads

04/05/01 sunscreen
http://securityfocus.com/templates/archive.pike?list=92&tid=174255&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&

04/05/01 Overflow prevention in /etc/system
http://securityfocus.com/templates/archive.pike?list=92&tid=174340&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&

04/04/01 SEAM, KRB5 and phrase length
http://securityfocus.com/templates/archive.pike?list=92&tid=174105&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&

04/04/01 Sun's attitude to minimal OS installs....
http://securityfocus.com/templates/archive.pike?list=92&tid=174345&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&

04/03/01 IDS for Education
http://securityfocus.com/templates/archive.pike?list=92&tid=173801&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&

04/02/01 restricting access to a user
http://securityfocus.com/templates/archive.pike?list=92&tid=173494&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&

04/02/01 ipsec & solaris 8
http://securityfocus.com/templates/archive.pike?list=92&tid=173428&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&

03/31/01 restricting access to a user
http://securityfocus.com/templates/archive.pike?list=92&tid=173387&fromthread=0&end=2001-03-31&threads=1&start=2001-03-25&

03/30/01 Trusted Solaris 8
http://securityfocus.com/templates/archive.pike?list=92&tid=172943&fromthread=0&end=2001-03-31&threads=1&start=2001-03-25&


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week:

simply question on rsh
http://www.theorygroup.com/Archive/YASSP/2001/msg00100.html

nettune (fwd)
http://www.theorygroup.com/Archive/YASSP/2001/msg00099.html


Security Tools

Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include OpenSSL, Mod_ssl, OpenSSH, TCTUTILs, Autopsy Forensic Browser, BIND, Apache.

Auditing and Intrusion Monitoring tools include Snort, Rnmap, NEAT, NSClient, Syslog-ng, LIDS, BigBrother and Riley.

Firewalls for UNIX/Linux/BSD & Cross-platform include Smoothwall, Fireparse, GShield, Iridium Firewall.

Tools for Linux/Unix/Cross Platform include Linux International Kernel Patch, Secure FTP, SILC and 2 other tools.

Tools for Windows include Tiny Personal Firewall and SSHD for WinNT.


Tip of the Week: pwck


The "pwck" command can be used to check the consistency of /etc/passwd entries.

pwck scans the password file and notes any inconsistencies. The checks include validation of the number of fields, login name, user ID, group ID, and whether the login directory and the program-to-use-as-shell exist. The default password file is /etc/passwd.

Likewise grpck:

grpck verifies all entries in the group file. This verification includes a check of the number of fields, group name, group ID, whether any login names belong to more than NGROUPS_MAX groups and that all login names appear in the password file. The default group file is /etc/group.

Examples

%/usr/sbin/pwck
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
        Login directory not found
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
        Login directory not found
        Optional shell file not found

Comment: The uucp packages were removed from this system, hence the missing uucp home directories.

These tools can be very useful in detecting errors on servers with large numbers of users, or constant changes.

Don't forget to check for accounts with empty passwords now and again as well:

awk -F: '{if ($2=="") print $1}' /etc/shadow
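As an added example (not part of the digest, and not Sun's pwck/grpck source), the Bourne shell script below re-implements the core checks described in this tip and runs them, together with the empty-password awk check, against a constructed passwd/group/shadow set in a temporary directory. The user names, UIDs, paths and shadow entries are invented for the demonstration, so it can be tried without root and never reads a real /etc/shadow. It goes slightly beyond the tip in also reporting a group ID that has no entry in the group file.

```sh
#!/bin/sh
# Added example, not from the digest and not Sun's pwck/grpck code:
# portable re-implementation of the core pwck/grpck checks, exercised
# against constructed sample files in a temporary directory.
set -u

# --- constructed sample data (names, IDs, paths and hashes are invented) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/home/alice" "$SAMPLE_DIR/bin"
: > "$SAMPLE_DIR/bin/sh"                  # stand-in for a shell binary
cat > "$SAMPLE_DIR/passwd" <<EOF
root:x:0:0:Super-User:$SAMPLE_DIR:$SAMPLE_DIR/bin/sh
alice:x:100:100:Alice:$SAMPLE_DIR/home/alice:$SAMPLE_DIR/bin/sh
uucp:x:5:5:uucp Admin:$SAMPLE_DIR/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:$SAMPLE_DIR/var/spool/uucppublic:$SAMPLE_DIR/usr/lib/uucp/uucico
broken:x:abc:100:Bad entry:$SAMPLE_DIR/home/alice
EOF
cat > "$SAMPLE_DIR/group" <<EOF
root::0:
staff::100:alice,ghost
uucp::5:
EOF
cat > "$SAMPLE_DIR/shadow" <<EOF
root:CONSTRUCTED-HASH:11400::::::
alice::11400::::::
uucp:NP:11400::::::
EOF

# pwck-style checks on a passwd file: field count, numeric UID/GID, GID
# known to the group file, login directory present and, when a shell is
# given, the shell file present. Prints one "login: problem" line per finding.
check_passwd() {
    pw=$1 gr=$2
    awk -F: '{ print NF ":" $0 }' "$pw" |
    while IFS=: read -r nf name pass uid gid gecos home shell; do
        [ -n "$name" ] || continue
        [ "$nf" -eq 7 ] || echo "$name: expected 7 fields, found $nf"
        case $uid in ''|*[!0-9]*) echo "$name: user ID '$uid' is not numeric" ;; esac
        case $gid in
            ''|*[!0-9]*) echo "$name: group ID '$gid' is not numeric" ;;
            *) grep -q "^[^:]*:[^:]*:$gid:" "$gr" ||
                   echo "$name: group ID $gid not in group file" ;;
        esac
        [ -d "$home" ] || echo "$name: Login directory not found"
        [ -z "$shell" ] || [ -f "$shell" ] || echo "$name: Optional shell file not found"
    done
}

# grpck-style checks on a group file: field count, numeric GID, and every
# listed member present in the password file.
check_group() {
    gr=$1 pw=$2
    awk -F: 'NF != 0 && NF != 4 { print $1 ": expected 4 fields, found " NF }' "$gr"
    while IFS=: read -r gname gpass gid members; do
        [ -n "$gname" ] || continue
        case $gid in ''|*[!0-9]*) echo "$gname: group ID '$gid' is not numeric" ;; esac
        printf '%s\n' "$members" | tr ',' '\n' | while read -r m; do
            [ -n "$m" ] || continue
            grep -q "^$m:" "$pw" || echo "$gname: member $m not in password file"
        done
    done < "$gr"
}

# The tip's empty-password check, applied to a shadow file.
check_shadow() {
    awk -F: '$2 == "" { print $1 ": empty password" }' "$1"
}

# Total number of findings across passwd, group and shadow; 0 means clean.
count_findings() {
    {
        check_passwd "$1" "$2"
        check_group "$2" "$1"
        check_shadow "$3"
    } | awk 'END { print NR }'
}

echo "--- passwd ---"; check_passwd "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
echo "--- group ---";  check_group  "$SAMPLE_DIR/group"  "$SAMPLE_DIR/passwd"
echo "--- shadow ---"; check_shadow "$SAMPLE_DIR/shadow"
echo "findings: $(count_findings "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" "$SAMPLE_DIR/shadow")"
```

On a real host you would point the three functions at /etc/passwd, /etc/group and /etc/shadow (the last needs root to read); a non-zero finding count from a cron job is a cheap way to notice the kind of drift the tip describes on servers with many users or frequent changes.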


If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

