Weekly Solaris Security Digest
2001/04/08 to 2001/04/15

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html



Rundown


Security Bulletins and Vulnerabilities


Security Bulletins

No bulletins for Solaris this week, but you may be interested in reading up on the Linux Adore worm, which, like the Lion and Ramen worms, could be modified to propagate via Solaris.
http://www.sans.org/y2k/adore.htm


Solaris Vulnerabilities this Week

Solaris ftpd glob() Expansion LIST Heap Overflow Vulnerability
John McDonald of NAI's COVERT labs
http://securityfocus.com/templates/advisory.html?id=3202
http://www.cert.org/advisories/CA-2001-07.html#vendors
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://www.securityfocus.com/bid/2550

Sun and other UNIX/Linux/BSD vendors have been caught by a serious hole in ftpd. All versions of Solaris are vulnerable to this remote root exploit (since ftpd normally runs as root).

 

NTP

Last week, we covered the announcement of a serious NTP vulnerability on the Bugtraq mailing list; there is now a Bugtraq database entry. Most Linux vendors have released patches already. There is no indication as to why Sun's NTP should not be vulnerable, nor has Sun released any bulletins.
2001-04-04: Ntpd Remote Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2540

Recommendation: Replace Sun's NTPD with the latest freeware copy on any Sun NTP servers exposed to the Internet. The following version is an "intermediate release"; a fully tested release should be available soon.
ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz

 

The eEye company have been busy poking for holes in Solaris:

Solaris kcms_configure vulnerability
eEye
http://www.eeye.com/html/Research/Advisories/solkcms.html

The problem exists in the parsing of command line options of the configuration tool for the Kodak Color Management System. By exploiting this vulnerability an attacker can achieve local root privileges.
Recommendation: disable the SUID bit, you don't need this tool anyway.
chmod ug-s /usr/openwin/bin/kcms_configure
Even better, as kcms (the Kodak Color Management System) is rarely used, either remove it entirely or disable ALL of its SUID/SGID bits:
pkgrm SUNWkcspf SUNWkcspx SUNWkcspg SUNWkcsrt;
chmod ug-s /usr/openwin/bin/kcms

Fix: no patch or bulletin has been announced by Sun.

 

Solaris Xsun buffer overflow vulnerability
eEye
http://www.eEye.com/html/Research/Advisories/solxsun.html

Exploiting a buffer overflow in Xsun, since it is SGID root, yields local root privileges. The overflow exists in Xsun's handling of the $HOME environment variable. Solaris 7 and 8 are confirmed to be vulnerable.
Recommendation: disable the SGID bit on servers if you don't need the GUI to run. On other systems, be vigilant until patches are announced.
Fix: no patch or bulletin has been announced by Sun.

 

Solaris ipcs buffer overflow vulnerability
eEye
http://www.eEye.com/html/Research/Advisories/solipcs.html

The ipcs tool shipped with Solaris 7 has a vulnerability that could allow an attacker to gain local sys group privileges on an affected system. Ipcs reports the status of inter-process communication facilities, and the flaw lies in its parsing of the TZ (timezone) environment variable. An attacker could trigger the buffer overflow in the utility and gain limited local privileges on the machine. Solaris 7 i386 is confirmed to be vulnerable. Exploitation is apparently difficult, but not impossible. Ipcs can be run to determine if IPC is in use on a particular system, and hence is probably not essential on most systems.
Recommendation: Disable the SGID bit on ipcs (chmod g-s /usr/bin/ipcs) on hosts where inter-process communication is not needed (run ipcs first to see if IPC is operational). Even if IPC is needed, the SGID bit can be removed: root can still query the IPC status.
Fix: no patch or bulletin has been announced by Sun.

 

NOTE: It is recommended to remove as many SUID and SGID bits as possible on sensitive Solaris systems, to minimise the exposure to local buffer overflow attacks; see the Tip of the Week section.


Vulnerabilities this Week — Third-party Applications:

Bugtraq database:

2001-04-09: Way to the Web TalkBack.cgi Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2547

2001-04-06: IPFilter Fragment Rule Bypass Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2545
IPfilter's caching of fragments can leave it open to abuse, upgrade to 3.4.17 if you use IPF.

2001-04-05: Ultimate Bulletin Board Forum Password Bypass Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2546

2001-04-03: Caucho Technology Resin JavaBean Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2533

2001-04-03: Navision Financials Server DoS Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2539

2001-04-02: Microburst uStorekeeper Remote Arbitrary Commands Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2536

2001-04-02: PHP Nuke Remote Ad Banner URL Change Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2544

2001-03-30: Shareplex Arbitrary Local File Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2535

 

Oracle Alert:

Oracle Application Server shared library buffer overflow
Fyodor
http://www.solarisguide.com/news_story.php3?ltsn=2001-04-10-001-08-NW-SC

An exploitable buffer overflow has been identified in a shared library shipped with Oracle Application Server 4.0.8.2, which is also used by iPlanet Web Server if it is configured as an external web listener.



Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.
  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.
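The week-over-week comparison described above, as an added example that is not part of the digest: a POSIX shell function (using awk) that reads last week's and this week's report in the "NNNNNN-RR description" format used below and prints the patches that are new, those whose revision number went up, and those that were dropped. The sample report lines in the usage comment are constructed for illustration; lines without a patch id (such as an entry missing its number) are skipped.

```shell
#!/bin/sh
# Added example, not the digest's own tooling: compare two Sun patch report
# listings and report additions, revision bumps and removals.
# Assumes each line starts with a patch id "NNNNNN-RR" followed by a description.

# patch_delta OLD NEW: OLD and NEW are files holding last week's and this
# week's report. Output lines are prefixed NEW, UPDATED or DROPPED.
patch_delta() {
    awk '
        # ignore lines that do not begin with a base-revision patch id
        $1 !~ /^[0-9][0-9]*-[0-9][0-9]*$/ { next }

        # first file (last week): remember the revision seen for each base id
        FILENAME == ARGV[1] {
            split($1, p, "-"); old[p[1]] = p[2] + 0; next
        }

        # second file (this week): report additions and revision bumps
        {
            split($1, p, "-"); base = p[1]; rev = p[2] + 0
            seen[base] = 1
            if (!(base in old))
                printf "NEW     %s\n", $0
            else if (rev > old[base])
                printf "UPDATED %s (was -%02d)\n", $0, old[base]
        }

        # anything present last week but absent this week was dropped
        END {
            for (b in old)
                if (!(b in seen))
                    printf "DROPPED %s-%02d\n", b, old[b]
        }
    ' "$1" "$2"
}

# Typical use with two saved cluster reports (file names assumed):
#   patch_delta cluster-2.6-lastweek.txt cluster-2.6-thisweek.txt
# With a constructed last-week line "106235-07 SunOS 5.6: lp patch" and this
# week's "106235-08 SunOS 5.6: lp patch", the output line is
#   UPDATED 106235-08 SunOS 5.6: lp patch (was -07)
```

Revisions are compared numerically, so "-08" is correctly treated as newer than "-07" rather than as an octal literal; the same function works for the individual-patch report as long as the lines keep the id-first layout.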


1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Apr/06/01:

104873-06 SunOS 5.5.1: /usr/bin/uustat and other uucp fixes

Solaris 2.6, Apr/10/01:

106235-08 SunOS 5.6: lp patch
105284-39 Motif 1.2.7: Runtime library patch

Solaris 7, Apr/06/01:    

107115-07 SunOS 5.7: LP patch
108327-02 SunOS 5.7: /usr/bin/cu patch

Solaris 8, Apr/11/01:

109320-03 SunOS 5.8: LP patch
109888-06 SunOS 5.8: platform drivers patch
108974-09 SunOS 5.8: dada, uata, dad, sd and scsi drivers patch
110945-01 SunOS 5.8: /usr/sbin/syslogd patch
108725-05 SunOS 5.8: st driver patch
109892-03 SunOS 5.8: /kernel/drv/ecpp patch

Solaris 8_x86, Apr/09/01:

SunOS 5.8_x86: LP patch


2. New or updated individual security/recommended patches.

none

 

Please tell us if you have suggestions or feedback on how we present this patch analysis.



News & Articles

SecurityPortal

Ports
http://securityportal.com/firewalls/ports/

This list of ports is a comprehensive catalog of the services and applications that make use of nearly 7000 of the TCP/IP ports. Also get basic information about ports and links to other resources.

 

BSD Today

Anti-Virus with Sendmail and FBSD
http://www.defcon1.org/html/Linux_mode/install-swap/anti-virus-sendmail.html

Information on installing and configuring AMaViS and UVScan with sendmail. Should be applicable to Solaris too.

Sun

Info-doc 11371  Solaris Common Error Messages (alphabetized)
http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&nolog=1&doc=infodoc/11371

 

Info-doc 17416  Sun FastEthernet Support Document/FAQ
http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&nolog=1&doc=infodoc/17416

 

Sun Patch Check
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/content13  

A new, free patch checking tool from Sun that looks interesting: a Perl script that compares installed patches with the entries in the patchdiag.xref file and creates an HTML patch report listing the patches installed and not installed on the system. It then contacts SunSolve Online for patch download, passes a list of selected patches to SunSolve Online and returns a tar file containing the requested patches. A SunSolve Online account (included with a SunSpectrum contract) is required for the download.

 

Security Focus

Hacker Tools and their Signatures, Part One: bind8x.c
Toby Miller
http://www.securityfocus.com/focus/ids/articles/bind8.html

This installment will examine the Berkeley Internet Name Domain exploit bind8x.c. The discussion will cover the details of bind8x.c and provide signatures that will assist an IDS in detecting it. This paper assumes that the reader has some basic knowledge of TCP/IP and understands the tcpdump format.

 

Designing Secure Networks Based on the Software Process Model
Paul Innella
http://www.securityfocus.com/focus/basics/articles/netsec.html

It has been asserted that advancements in software development have come about mainly as a result of the introduction of the software process model or software lifecycle. In a similar manner network security designers can benefit from using the principles of the software process model. The author outlines eight phases of the software process models as they apply to the design of a secure network.

SysAdmin Magazine

Achieving More Flexible File Permissions Using Solaris ACLs
Ross Oliver
http://www.samag.com/current/0105g/0105g.htm

ACLs are additional sets of read/write/execute triplets that can be added on to files, directories, devices, or any other file system objects. Using ACLs, systems administrators as well as ordinary users can now fine-tune access without resorting to multiple groups or set-UID programs. This article is a practical look at how to use ACLs on a real network.

 

A Look at ngrep
Ron McCarty
http://www.samag.com/current/0105l/0105l.htm

A good read, with many examples.

O'Reilly Network

Upgrading to BIND 9: The Top Nine Gotchas
Cricket Liu
http://sysadmin.oreilly.com/news/dnsandbind_0401.html

There are some significant differences between BIND 9 and previous versions of BIND that you should know before upgrading.

 

Security Concerns Miss the P2P Point
Jon Orwant
http://www.openp2p.com/pub/a/p2p/2001/03/27/orwant_security.html

SolarisGuide

SSH Communications Security announces SSH 3.0
http://www.ssh.com/about/press/2001/2001-04-09A.html

SSH Secure Shell 3.0 will be available in June for Linux, UNIX, Sun Solaris, and Windows platforms. Its new functionality includes support for PKI (Public Key Infrastructure), smart cards and the Rijndael (proposed AES, Advanced Encryption Standard) algorithm.


Mailing Lists

Focus-Sun Discussions Threads

04/13/01 Trusted Solaris 8
http://securityfocus.com/templates/archive.pike?list=92&tid=176090&start=2001-04-08&end=2001-04-14&fromthread=0&threads=1&

04/11/01 Any Solaris path for CERT Advisory CA-2001-02
http://securityfocus.com/templates/archive.pike?list=92&tid=175820&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&

04/11/01 FTP vulnerability in Solaris, et al?
http://securityfocus.com/templates/archive.pike?list=92&tid=175821&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&

04/11/01 sunscreen
http://securityfocus.com/templates/archive.pike?list=92&tid=175793&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&

04/11/01 Any MD5 (PAM modules) for logins available?
http://securityfocus.com/templates/archive.pike?list=92&tid=175813&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&

04/10/01 Overflow prevention in /etc/system
http://securityfocus.com/templates/archive.pike?list=92&tid=175787&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&

04/09/01 IDS for Education
http://securityfocus.com/templates/archive.pike?list=92&tid=175671&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&

04/06/01 Sun's attitude to minimal OS installs....
http://securityfocus.com/templates/archive.pike?tid=175668&list=92&threads=1&fromthread=0&start=2001-04-01&end=2001-04-07&
http://securityfocus.com/templates/archive.pike?list=92&tid=175743&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&

04/06/01 ipsec & solaris 8
http://securityfocus.com/templates/archive.pike?tid=175665&list=92&threads=1&fromthread=0&start=2001-04-01&end=2001-04-07&
http://securityfocus.com/templates/archive.pike?list=92&tid=175785&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&

04/05/01 Overflow prevention in /etc/system
http://securityfocus.com/templates/archive.pike?tid=175310&list=92&threads=1&fromthread=0&start=2001-04-01&end=2001-04-07&

 

YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week:

RE: simply question on rsh
http://www.theorygroup.com/Archive/YASSP/2001/msg00106.html

RE: nettune (fwd)
http://www.theorygroup.com/Archive/YASSP/2001/msg00105.html

RE: not able to build packages ...
http://www.theorygroup.com/Archive/YASSP/2001/msg00103.html


Security Tools

Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html  


Updates to General free tools this week include OpenSSL, KSEC, KSTAT, Apache and Linux Kernel.

Auditing and Intrusion Monitoring tools include SCRAM, Snorticus, SnortRules, Nessus, Remote Nmap, SAINT, NEAT, NetSaint_statd, Saintmap, Chkrootkit, PIKT, BigBrother, MergeLog, Samhain and 3 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, IP Filter, FwLogWatch, FloppyFw, Knetfilter, GShield, Astaro Security Linux and 2 other tools.

Tools for Linux/Unix/Cross Platform include Bastille Linux, Amavis, FreeS/WAN, SILC, Linux VPN, Lomac, Saint Jude LKM and 3 other tools.

Tools for Windows: no tools this week.


Tip of the Week: Whacking SUID (preventative hardening)

Preamble: 3 more Solaris SUID weaknesses this week. More worries, more work. We discuss how to disable as many SUID files as possible, to reduce the risk posed by these rogue SUID buffer overflows even before vulnerabilities are announced.

Files which have the SUID bit set (an "s" where the execute bit for the owner/group is shown in 'ls' listings) allow the user executing the program to assume the identity/group of the owner of the program. This is typically used to allow normal users access to certain functions otherwise allowed only to root, for example binding to low ports, mounting a floppy disk, etc. The problem is that historically, many security weaknesses have been found in such programs (for example 3 this week alone!), allowing attackers with local accounts to become root by exploiting buffer overflows, race conditions etc.

What SUID files are on the system?

The find command can be used to list all SUID files:
> find / -perm -u+s -ls
or all SGID files:
> find / -perm -g+s -ls
They are also listed in the package database /var/adm/install.
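As an added example (not the digest's own script), the find commands above wrapped into a small POSIX shell audit: one function inventories the SUID/SGID files under a directory, one shows their owner and mode bits, and one diffs the inventory against a baseline saved after hardening, so that a set-id bit that reappears (for instance after a patch or package install) is noticed. The baseline file name in the usage comment is assumed; the functions take the scan root as an argument so they can be dry-run on a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the digest: inventory SUID/SGID files and compare
# the inventory with a baseline. Assumes POSIX find, sort, comm, sed and mktemp.

# list_setxid DIR: print every regular file under DIR with the SUID (4000) or
# SGID (2000) bit set, one path per line, sorted so the output can be kept as
# a baseline. Octal -perm tests are understood by Solaris, GNU and BSD find,
# whereas the symbolic "-perm -u+s" form is not accepted by every find.
list_setxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# show_setxid DIR: same inventory with owner, group and mode, so the "s" in the
# owner/group execute position of the ls listing can be inspected directly.
show_setxid() {
    list_setxid "$1" | while IFS= read -r f; do ls -ld "$f"; done
}

# diff_setxid BASELINE DIR: compare a baseline written by list_setxid with the
# current state of DIR. Lines prefixed "+ " are files that gained a set-id bit
# since the baseline (candidates for chmod ug-s, or pkgrm of the owning
# package); lines prefixed "- " are files that lost it.
diff_setxid() {
    baseline=$1
    current=$(mktemp) || return 1
    list_setxid "$2" > "$current"
    comm -13 "$baseline" "$current" | sed 's/^/+ /'
    comm -23 "$baseline" "$current" | sed 's/^/- /'
    rm -f "$current"
}

# Typical use on a live host (as root, so find can traverse everything;
# the baseline path is an assumed example):
#   list_setxid / > /var/adm/setxid.baseline     # once, after hardening
#   diff_setxid /var/adm/setxid.baseline /       # periodically, e.g. from cron
```

Keeping the baseline on a separate, read-only medium (or at least outside the scanned tree's writable paths) is worth the effort: an attacker who gains root can otherwise edit the baseline to hide a new set-id binary.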

How should we handle SUID files? Possible courses of action, in order of preference, are:

What SUID files need to be limited?

Some auditing ideas:

 

If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

