By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
No Bulletins for Solaris, but you may be interested in reading up on the Linux Adore worm which, like the Lion and Ramen worms, could be modified to propagate via Solaris.
http://www.sans.org/y2k/adore.htm
2001-03-27: Solaris tip Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2475
The following was covered last week; it is now in the Bugtraq database. Sun are working on a patch and an exploit has been released.
Bugtraq database:
2001-03-28: Apache Tomcat 3.0 Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2518
2001-03-28: Multiple Vendor URL JSP Request Source Code Disclosure Vulnerability (Tomcat)
http://securityfocus.com/vdb/bottom.html?vid=2527
Hot off the Bugtraq email list:
ntpd remote root exploit
Przemyslaw Frasunek
http://archives.neohapsis.com/archives/bugtraq/2001-04/0041.html
The Network Time Protocol daemon (ntpd) shipped with many systems is vulnerable to a remote buffer overflow attack. Since ntpd mostly runs as root, remote root access to the time server is possible. FreeBSD has been verified as being vulnerable; other systems probably are too.
Workarounds: disable incoming NTP traffic from the Internet, or, if ntpd is running on a machine only as a client, refuse remote requests by adding the following to /etc/ntp.conf or /etc/inet/ntp.conf:
restrict default ignore
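An added example (not part of the advisory) of a client-only ntp.conf built around that line. Because "restrict default ignore" also drops the replies of the configured server, that address has to be allowed back in explicitly or the client stops syncing; the server address 192.0.2.10 is a placeholder for your own time source.

```conf
# /etc/inet/ntp.conf for a client-only Solaris host (added example;
# 192.0.2.10 stands in for the site's real time server)
server 192.0.2.10

# Drop every incoming NTP packet by default: nobody can query, modify
# or peer with this host from the network
restrict default ignore

# Exception 1: accept time replies from the configured server, but still
# refuse runtime reconfiguration, trap requests and ntpq/ntpdc queries from it
restrict 192.0.2.10 nomodify notrap noquery

# Exception 2: leave the loopback unrestricted so the administrator can run
# ntpq -p locally to confirm that the client is actually synchronised
restrict 127.0.0.1
```

After restarting xntpd, a local "ntpq -p" should still show the server reachable; if the reach column stays at 0, the server exception is missing or has the wrong address.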
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Mar/27/01:
No changes.
Solaris 2.6, Mar/30/01:
105401-31 SunOS 5.6: libnsl and NIS+ commands patch
Solaris 7, Mar/29/01:
No changes.
Solaris 8, Apr/02/01:
110283-03 SunOS 5.8: mkfs and newfs patch
111071-01 SunOS 5.8: cu patch
110670-01 SunOS 5.8: usr/sbin/static/rcp patch
109091-04 SunOS 5.8: /usr/lib/fs/ufs/ufsrestore patch
110668-01 SunOS 5.8: /usr/sbin/in.telnetd patch
108989-02 SunOS 5.8: /usr/kernel/sys/acctctl and /usr/kernel/sys/exacctsys patch
109893-02 SunOS 5.8: stc driver patch
108991-06 SunOS 5.8: libc and watchmalloc patch
Solaris 8_x86, Apr/02/01:
110284-03 SunOS 5.8_x86: mkfs and newfs patch
109899-02 SunOS 5.8_x86: /kernel/drv/arp patch
111072-01 SunOS 5.8_x86: cu patch
110671-01 SunOS 5.8_x86: usr/sbin/static/rcp patch
110669-01 SunOS 5.8_x86: /usr/sbin/in.telnetd patch
109092-04 SunOS 5.8_x86: /usr/lib/fs/ufs/ufsrestore patch
108990-02 SunOS 5.8_x86: acctctl & exacctsys patch
108980-09 SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
109897-04 SunOS 5.8_x86: USB patch
108992-06 SunOS 5.8_x86: libc and watchmalloc patch
105181-26 SunOS 5.6: Kernel update patch
105401-31 SunOS 5.6: libnsl and NIS+ commands patch
105405-03 * SunOS 5.6: libcurses.a & libcurses.so.1 patch
105529-11 SunOS 5.6: /kernel/drv/tcp patch
105566-10 CDE 1.2: calendar manager patch
105633-51 OpenWindows 3.6: Xsun patch
105667-03 SunOS 5.6: /usr/bin/rdist patch
105703-25 CDE 1.2: dtlogin patch
106415-04 OpenWindows 3.6: xdm patch
106625-10 SunOS 5.6: libsec.a, libsec.so.1 and /kernel/fs/ufs patch
107618-02 SunOS 5.6: patch /usr/sbin/vold
109339-02 SunOS 5.6: nscd's size grows - TTL values not implemented
106541-15 SunOS 5.7: Kernel update patch
106793-07 SunOS 5.7: ufsdump and ufsrestore patch
106942-14 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch
107022-07 CDE 1.3: Calendar Manager patch
107180-26 CDE 1.3: dtlogin patch
107259-02 SunOS 5.7: /usr/sbin/vold patch
107475-02 SunOS 5.7: /usr/sbin/in.telnetd patch
107709-10 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
107893-11 OpenWindows 3.6.1: Tooltalk patch
107972-02 SunOS 5.7: /usr/sbin/static/rcp patch
110070-01 SunOS 5.7: security: libcurses:setupterm has buffer overflow
110869-01 SunOS 5.7: useradd, usermod do not handle some expiration dates
108968-04 SunOS 5.8: vol/vold/rmmount patch
108991-06 SunOS 5.8: libc and watchmalloc patch
109041-03 SunOS 5.8: sockfs patch
109091-04 SunOS 5.8: /usr/lib/fs/ufs/ufsrestore patch
109279-08 SunOS 5.8: /kernel/drv/ip patch
109805-03 SunOS 5.8: pam_krb5.so.1 patch
109887-03 SunOS 5.8: smartcard patch
109892-03 SunOS 5.8: ecpp patch
109893-02 SunOS 5.8: stc driver patch
109896-04 SunOS 5.8: USB patch
110068-02 * CDE 1.4: PDASync patch
110075-01 SunOS 5.8: /kernel/drv/devinfo and /kernel/drv/sparcv9/devinfo patch
110387-03 * SunOS 5.8: ufssnapshots support, ufsdump patch
110458-01 SunOS 5.8: libcurses patch
110668-01 SunOS 5.8: /usr/sbin/in.telnetd patch
110670-01 SunOS 5.8: usr/sbin/static/rcp patch
111071-01 SunOS 5.8: cu patch
108529-06 SunOS 5.8_x86: kernel update patch
108876-08 SunOS 5.8_x86: c2audit patch
108976-04 SunOS 5.8_x86: /usr/bin/rmformat and /usr/sbin/format patch
108980-09 * SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
108992-06 * SunOS 5.8_x86: libc and watchmalloc patch
109042-03 SunOS 5.8_x86: sockfs patch
109092-04 SunOS 5.8_x86: /usr/lib/fs/ufs/ufsrestore patch
109280-08 SunOS 5.8_x86: /kernel/drv/ip patch
109321-01 SunOS 5.8_x86: LP patch
109897-04 SunOS 5.8_x86: USB patch
110069-02 * CDE 1.4_x86: PDASync patch
110076-01 * SunOS 5.8_x86: /kernel/drv/devinfo patch
110459-01 SunOS 5.8_x86: libcurses patch
110669-01 SunOS 5.8_x86: /usr/sbin/in.telnetd patch
110671-01 SunOS 5.8_x86: usr/sbin/static/rcp patch
110899-01 SunOS 5.8_x86: csh/pfcsh patch
111072-01 SunOS 5.8_x86: cu patch
Please tell us if you have suggestions or feedback on how we present this patch analysis.
FreeOS: Samba NT Domain Controller
http://www.freeos.com/articles/3842
Currently, Samba can go beyond merely emulating Windows shares to actually acting as the Primary Domain Controller for your Windows network. Of course, Samba can also become a NT domain member. In this article we look at both these options.
Help, I've Fallen
http://www.daemonnews.org/200104/answerman.html
We don't claim that after reading this column you'll be a perl expert, but this will give you a taste of what perl is all about.
Comment: a useful introduction to Perl, with examples, if you've not yet taken the plunge.
Security lies in employees' heads - Good habits are more valuable than expensive firewalls
Deb Zaborav
http://www.itworld.com/Man/3875/UIR010330unixsecurity
A message to Unix Insider readers
http://www.itworld.com/Comp/2402/UIR010330message
As you have discovered, the content of Unix Insider has found a new home in its sister publication, ITworld.com...
Web Applications as Java Servlets, Just say no to JSP
Brad Cox
http://www.ddj.com/articles/2001/0105/0105i/0105i.htm
Improving Apache
Gary Bahadur & Mike Shema
http://www.infosecuritymag.com/articles/april01/features1_web_server_sec.shtml
A comprehensive look at running Apache securely.
Access Control
Mandy Andress
http://www.infosecuritymag.com/articles/april01/cover.shtml
An analysis of strong authentication methods for a specific company. Interesting read.
Chasing the Wind, Episode Five: The Devil in the Details
Robert G. Ferrell
http://www.securityfocus.com/frames/?focus=ih&content=/focus/ih/articles/chasing5.html
A great read.
Securing a PHP Installation
Darrell Brogdon
http://www.oreillynet.com/pub/a/php/2001/03/29/php_admin.html
On getting cracked and recovering with NMAP
Joe Barr
http://www.itworld.com/Sec/2202/LWD010404vcontrol1/
Call it baud karma. Call it carelessness. Call it inevitable. I was 0wn3d and didn't know it...
Lion Internet Worm Analysis
Max Vision
http://whitehats.com/library/worms/lion/
Vulnerability Assessment Tools
http://www.networkmagazine.com/article/NMG20010321S0005
04/05/01 sunscreen
http://securityfocus.com/templates/archive.pike?list=92&tid=174255&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&
04/05/01 Overflow prevention in /etc/system
http://securityfocus.com/templates/archive.pike?list=92&tid=174340&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&
04/04/01 SEAM, KRB5 and phrase length
http://securityfocus.com/templates/archive.pike?list=92&tid=174105&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&
04/04/01 Sun's attitude to minimal OS installs....
http://securityfocus.com/templates/archive.pike?list=92&tid=174345&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&
04/03/01 IDS for Education
http://securityfocus.com/templates/archive.pike?list=92&tid=173801&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&
04/02/01 restricting access to a user
http://securityfocus.com/templates/archive.pike?list=92&tid=173494&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&
04/02/01 ipsec & solaris 8
http://securityfocus.com/templates/archive.pike?list=92&tid=173428&fromthread=0&start=2001-04-01&end=2001-04-07&threads=1&
03/31/01 restricting access to a user
http://securityfocus.com/templates/archive.pike?list=92&tid=173387&fromthread=0&end=2001-03-31&threads=1&start=2001-03-25&
03/30/01 Trusted Solaris 8
http://securityfocus.com/templates/archive.pike?list=92&tid=172943&fromthread=0&end=2001-03-31&threads=1&start=2001-03-25&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week:
simply question on rsh
http://www.theorygroup.com/Archive/YASSP/2001/msg00100.html
nettune (fwd)
http://www.theorygroup.com/Archive/YASSP/2001/msg00099.html
Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include OpenSSL, Mod_ssl, OpenSSH, TCTUTILs, Autopsy Forensic Browser, BIND, Apache.
Auditing and Intrusion Monitoring tools include Snort, Rnmap, NEAT, NSClient, Syslog-ng, LIDS, BigBrother and Riley.
Firewalls for UNIX/Linux/BSD & cross-platform include Smoothwall, Fireparse, GShield and Iridium Firewall.
Tools for Linux/Unix/cross-platform include the Linux International Kernel Patch, Secure FTP, SILC and 2 other tools.
Tools for Windows include Tiny Personal Firewall and SSHD for WinNT.
The pwck command can be used to check the consistency of /etc/passwd entries.
pwck scans the password file and notes any inconsistencies. The checks include validation of the number of fields, login name, user ID, group ID, and whether the login directory and the program-to-use-as-shell exist. The default password file is /etc/passwd.
Likewise grpck:
grpck verifies all entries in the group file. This verification includes a check of the number of fields, group name, group ID, whether any login names belong to more than NGROUPS_MAX groups and that all login names appear in the password file. The default group file is /etc/group.
Examples
% /usr/sbin/pwck
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
        Login directory not found
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
        Login directory not found
        Optional shell file not found
Comment: the uucp packages were removed from this system, hence the lack of uucp home directories.
These tools can be very useful in detecting errors on servers with large numbers of users, or constant changes.
Don't forget to check for accounts with empty passwords now and again as well:
awk -F: '{if ($2=="") print $1}' /etc/shadow
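As an added example that is not from the digest, the checks pwck performs (field count, login name, numeric IDs, login directory and shell) and the empty-password one-liner above, combined in one POSIX sh function so both can be run against constructed sample files rather than a live host. The sample entries, the temporary tree and the ROOT path prefix are assumptions made for offline testing; the messages only approximate pwck's wording.

```shell
# Constructed sample tree and files (hypothetical data, not from a real host)
make_samples() {
  root=$1
  mkdir -p "$root/export/home/alice" "$root/usr/bin"
  : > "$root/usr/bin/ksh"; chmod +x "$root/usr/bin/ksh"
  cat > "$root/passwd" <<'EOF'
root:x:0:1:Super-User:/:/usr/bin/ksh
alice:x:100:10:Alice:/export/home/alice:/usr/bin/ksh
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
bob:x:abc:10:Bob:/export/home/alice:/usr/bin/ksh
broken:x:101:10:Too few fields
EOF
  cat > "$root/shadow" <<'EOF'
root:SOMEHASH:11000::::::
alice::11000::::::
uucp:NP:6445::::::
EOF
}

# pwck-style audit of PASSWD plus the empty-password check on SHADOW.
# ROOT is prefixed to home and shell paths so the sample tree is consulted
# instead of the live filesystem; pass "" to check a real host.
audit_accounts() {
  passwd_file=$1; shadow_file=$2; root=${3:-}
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    # pwck validates the field count first: a 7-field entry has 6 colons
    colons=$(printf '%s' "$line" | tr -cd : | wc -c | tr -d ' ')
    if [ "$colons" -ne 6 ]; then
      printf '%s: wrong number of fields\n' "${line%%:*}"
      continue
    fi
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$line
EOF
    case $name in ''|[!A-Za-z]*|?*[!A-Za-z0-9._-]*) printf '%s: invalid login name\n' "$name" ;; esac
    case $uid in ''|*[!0-9]*) printf '%s: invalid user ID\n' "$name" ;; esac
    case $gid in ''|*[!0-9]*) printf '%s: invalid group ID\n' "$name" ;; esac
    [ -d "$root$home" ] || printf '%s: login directory not found\n' "$name"
    # an empty shell field means the default shell, so only a named one is checked
    if [ -n "$shell" ] && [ ! -x "$root$shell" ]; then
      printf '%s: optional shell file not found\n' "$name"
    fi
  done < "$passwd_file"
  # the tip's one-liner, reported in the same style as the checks above
  awk -F: '$2 == "" { print $1 ": empty password" }' "$shadow_file"
}
```

On a real host run it as audit_accounts /etc/passwd /etc/shadow "" (as root, since /etc/shadow is not world-readable); the sample tree is only there to show each finding once.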
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.