By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
No Bulletins for Solaris, but you may be interested in reading up on the Linux Adore worm, which, like the Lion and Ramen worms, could be modified to propagate via Solaris.
http://www.sans.org/y2k/adore.htm
Solaris ftpd glob() Expansion LIST Heap Overflow Vulnerability
John McDonald of NAI's COVERT labs
http://securityfocus.com/templates/advisory.html?id=3202
http://www.cert.org/advisories/CA-2001-07.html#vendors
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://www.securityfocus.com/bid/2550
Sun and other UNIX/Linux/BSD vendors have been caught by a serious hole in ftpd. All versions of Solaris are vulnerable to this remote root exploit (since ftpd normally runs as root).
- Description: The flaw occurs because the FTP servers incorrectly handle buffers that are related to the use of the glob() function. The glob() function, or filename "globbing," is the process of expanding short-hand notation into complete file names. On Solaris, the buffer overflow can be initiated by using the list command.
- Exploit: none has been published for Solaris so far.
- Workaround: Disable ftpd, or restrict access to certain IP addresses. Avoid anonymous ftp. Be especially wary of ftp servers that are on Internal or sensitive networks, but accessible from the Internet via a packet filter.
Solaris has a "stack execution" protection mechanism; it is unclear if enabling this in /etc/system helps (i.e. set noexec_user_stack=1 and set noexec_user_stack_log=1). I tend to enable this on all Sun systems.
- Fix: Sun have verified the problem, but a patch is not available yet and they have not issued a security bulletin either.
- Aside: unfortunately, you can't rely on Sun's bulletins at all to keep you up-to-date on Solaris weaknesses and fixes.
- More problems with FTPD globbing on Solaris have since been reported on Bugtraq:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
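The two workarounds above (taking ftpd out of inetd and enabling the non-executable user stack in /etc/system) are worth verifying on every exposed Solaris host rather than assuming they were done. The following shell script is an added example and is not from the digest: it reads an inetd.conf and an /etc/system file given as parameters and reports whether an uncommented ftp entry is still present and whether both noexec_user_stack settings are set to 1. The inetd.conf line format used in the comments and the sample files are assumptions; the functions only read files and change nothing, and a change to /etc/system takes effect only after a reboot.

```shell
#!/bin/sh
# Added example, not part of the digest: check the two ftpd mitigations on
# copies of /etc/inetd.conf and /etc/system. Paths are parameters so the
# checks can be run against any file (for example a constructed test copy).

# ftp_enabled INETD_CONF -> returns 0 if an uncommented line starting with
# the service name "ftp" is present, e.g. (assumed Solaris format):
#   ftp  stream  tcp  nowait  root  /usr/sbin/in.ftpd  in.ftpd
ftp_enabled() {
    grep -Eq '^[[:space:]]*ftp[[:space:]]' "$1"
}

# system_setting FILE PARAM -> prints the numeric value of the last
# uncommented "set PARAM=value" line in an /etc/system style file, or
# nothing if the parameter is not set. Lines starting with "*" are comments.
system_setting() {
    sed -n "s/^[[:space:]]*set[[:space:]]\{1,\}$2[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\).*/\1/p" "$1" \
        | sed -n '$p'
}

# check_hardening INETD_CONF SYSTEM_FILE -> prints one line per item and
# returns 0 only if ftp is disabled and both stack settings are 1.
check_hardening() {
    rc=0
    if ftp_enabled "$1"; then
        echo "WARN: in.ftpd is still enabled in $1 (comment it out or restrict access)"
        rc=1
    else
        echo "ok: ftp is not served from $1"
    fi
    for p in noexec_user_stack noexec_user_stack_log; do
        v=$(system_setting "$2" "$p")
        if [ "$v" = "1" ]; then
            echo "ok: $p=1 in $2"
        else
            echo "WARN: $p is not set to 1 in $2 (needs a reboot once added)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_ftpd_hardening.sh /etc/inetd.conf /etc/system
if [ $# -eq 2 ]; then
    check_hardening "$1" "$2"
fi
```

A non-zero exit status means at least one of the three items is missing, which makes the script easy to drop into an existing host audit; the inetd check only looks at the service name column, so a renamed or additional ftp daemon on a different service name would need its own pattern.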
NTP
Last week, we covered the announcement of a serious NTP vulnerability on the Bugtraq mailing list; there is now a Bugtraq database entry. Most Linux vendors have released patches already. There is no indication as to why Sun's NTP should not be vulnerable, nor has Sun released any bulletins.
2001-04-04: Ntpd Remote Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2540
Recommendation: Replace Sun's NTPD with the latest freeware copy on any Sun NTP servers exposed to the Internet. The following version is an "intermediate release"; a fully tested release should be available soon.
ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz
The eEye company have been busy poking for holes in Solaris:
Solaris kcms_configure vulnerability
eEye
http://www.eeye.com/html/Research/Advisories/solkcms.html
The problem exists in the parsing of command line options of the configuration tool for the Kodak Color Management System. By exploiting this vulnerability an attacker can achieve local root privileges.
Recommendation: disable the SUID bit, you don't need this tool anyway.
chmod ug-s /usr/openwin/bin/kcms_configure
Even better, as the kcms (Kodak Color Management System) is rarely used, either remove it entirely or disable ALL of its SUID/SGID bits:
pkgrm SUNWkcspf SUNWkcspx SUNWkcspg SUNWkcsrt;
chmod ug-s /usr/openwin/bin/kcms
Fix: no patch or bulletin has been announced by Sun.
Solaris Xsun buffer overflow vulnerability
eEye
http://www.eEye.com/html/Research/Advisories/solxsun.html
Exploiting a buffer overflow in Xsun, since it is SGID root, yields local root privileges. The overflow exists in Xsun's handling of the $HOME environment variable. Solaris 7 and 8 are confirmed to be vulnerable.
Recommendation: disable the SGID bit on servers if you don't need the GUI to run. On other systems, be vigilant until patches are announced.
Fix: no patch or bulletin has been announced by Sun.
Solaris ipcs buffer overflow vulnerability
eEye
http://www.eEye.com/html/Research/Advisories/solipcs.html
The ipcs tool used by Solaris 7 has a vulnerability that could allow an attacker to gain local sys group privileges on an affected system. Ipcs is a tool to report the status of inter-process communication facilities, and the flaw lies in the parsing of the TZ (TIMEZONE) environment variable. An attacker could exploit this vulnerability by sending a buffer overflow to the utility and gain limited local privileges on the machine. Solaris 7 i386 is confirmed to be vulnerable. Exploitation is apparently difficult, but not impossible. Ipcs can be run to determine if IPC is in use on a particular system and hence is probably not essential to most systems.
Recommendation: Disable the SGID bit (chmod g-s /usr/bin/ipcs) for ipcs on hosts where inter-process communication is not needed (run ipcs first to see if IPC is operational). Even if IPC is needed, the IPC status can still be queried by root after removing the SGID bit.
Fix: no patch or bulletin has been announced by Sun.
NOTE: It is recommended to remove as many SUID and SGID bits as possible on sensitive Solaris systems to minimise the exposure to local buffer overflow attacks; see the Tip of the Week section.
Bugtraq database:
2001-04-09: Way to the Web TalkBack.cgi Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2547
2001-04-06: IPFilter Fragment Rule Bypass Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2545
IPFilter's caching of fragments can leave it open to abuse; upgrade to 3.4.17 if you use IPF.
2001-04-05: Ultimate Bulletin Board Forum Password Bypass Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2546
2001-04-03: Caucho Technology Resin JavaBean Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2533
2001-04-03: Navision Financials Server DoS Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2539
2001-04-02: Microburst uStorekeeper Remote Arbitrary Commands Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2536
2001-04-02: PHP Nuke Remote Ad Banner URL Change Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2544
2001-03-30: Shareplex Arbitrary Local File Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2535
Oracle Alert:
Oracle Application Server shared library buffer overflow
Fyodor
http://www.solarisguide.com/news_story.php3?ltsn=2001-04-10-001-08-NW-SC
An exploitable buffer overflow has been identified in a shared library which is being shipped with Oracle Application Server 4.0.8.2, and used by iPlanet Web Server if it is configured as external web-listener.
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Apr/06/01:
104873-06 SunOS 5.5.1: /usr/bin/uustat and other uucp fixes
Solaris 2.6, Apr/10/01:
106235-08 SunOS 5.6: lp patch
105284-39 Motif 1.2.7: Runtime library patch
Solaris 7, Apr/06/01:
107115-07 SunOS 5.7: LP patch
108327-02 SunOS 5.7: /usr/bin/cu patch
Solaris 8, Apr/11/01:
109320-03 SunOS 5.8: LP patch
109888-06 SunOS 5.8: platform drivers patch
108974-09 SunOS 5.8: dada, uata, dad, sd and scsi drivers patch
110945-01 SunOS 5.8: /usr/sbin/syslogd patch
108725-05 SunOS 5.8: st driver patch
109892-03 SunOS 5.8: /kernel/drv/ecpp patch
Solaris 8_x86, Apr/09/01:
SunOS 5.8_x86: LP patch
none
Please tell us if you have suggestions or feedback on how we present this patch analysis.
Ports
http://securityportal.com/firewalls/ports/
This list of ports is a comprehensive catalog of the services and applications that make use of nearly 7000 of the TCP/IP ports. Also get basic information about ports and links to other resources.
Anti-Virus with Sendmail and FBSD
http://www.defcon1.org/html/Linux_mode/install-swap/anti-virus-sendmail.html
Information on installing and configuring AMaViS and UVScan with sendmail. Should be applicable to Solaris too.
Info-doc 11371 Solaris Common Error Messages (alphabetized)
http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&nolog=1&doc=infodoc/11371
Info-doc 17416 Sun FastEthernet Support Document/FAQ
http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&nolog=1&doc=infodoc/17416
Sun Patch Check
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/content13
A new, free, patch checking tool from Sun that looks interesting: a perl script that compares installed patches with the entries in the patchdiag.xref file and creates an HTML patch report that lists the patches installed and not installed on the system. Then it contacts SunSolve Online for patch download, passes a list of selected patches to SunSolve Online and returns a tar file containing the requested patches. For the download a SunSolve Online account, included with a SunSpectrum contract, is required.
Hacker Tools and their Signatures, Part One: bind8x.c
Toby Miller
http://www.securityfocus.com/focus/ids/articles/bind8.html
This installment will examine the Berkeley Internet Name Domain exploit bind8x.c. The discussion will cover the details of bind8x.c and provide signatures that will assist an IDS in detecting it. This paper assumes that the reader has some basic knowledge of TCP/IP and understands the tcpdump format.
Designing Secure Networks Based on the Software Process Model
Paul Innella
http://www.securityfocus.com/focus/basics/articles/netsec.html
It has been asserted that advancements in software development have come about mainly as a result of the introduction of the software process model or software lifecycle. In a similar manner network security designers can benefit from using the principles of the software process model. The author outlines eight phases of the software process model as they apply to the design of a secure network.
Achieving More Flexible File Permissions Using Solaris ACLs
Ross Oliver
http://www.samag.com/current/0105g/0105g.htm
ACLs are additional sets of read/write/execute triplets that can be added on to files, directories, devices, or any other file system objects. Using ACLs, systems administrators as well as ordinary users can now fine-tune access without resorting to multiple groups or set-UID programs. This article is a practical look at how to use ACLs on a real network.
A Look at ngrep
Ron McCarty
http://www.samag.com/current/0105l/0105l.htm
A good read, with many examples.
Upgrading to BIND 9: The Top Nine Gotchas
Cricket Liu
http://sysadmin.oreilly.com/news/dnsandbind_0401.html
There are some significant differences between BIND 9 and previous versions of BIND that you should know before upgrading.
Security Concerns Miss the P2P Point
Jon Orwant
http://www.openp2p.com/pub/a/p2p/2001/03/27/orwant_security.html
SSH Communications Security announces SSH 3.0
http://www.ssh.com/about/press/2001/2001-04-09A.html
SSH Secure Shell 3.0 will be available in June for Linux, UNIX, Sun Solaris, and Windows platforms. Its new functionality includes support for PKI (Public Key Infrastructure), smart cards and the Rijndael (proposed AES -- Advanced Encryption Standard) algorithm.
04/13/01 Trusted Solaris 8
http://securityfocus.com/templates/archive.pike?list=92&tid=176090&start=2001-04-08&end=2001-04-14&fromthread=0&threads=1&
04/11/01 Any Solaris path for CERT Advisory CA-2001-02
http://securityfocus.com/templates/archive.pike?list=92&tid=175820&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&
04/11/01 FTP vulnerability in Solaris, et al?
http://securityfocus.com/templates/archive.pike?list=92&tid=175821&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&
04/11/01 sunscreen
http://securityfocus.com/templates/archive.pike?list=92&tid=175793&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&
04/11/01 Any MD5 (PAM modules) for logins available?
http://securityfocus.com/templates/archive.pike?list=92&tid=175813&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&
04/10/01 Overflow prevention in /etc/system
http://securityfocus.com/templates/archive.pike?list=92&tid=175787&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&
04/09/01 IDS for Education
http://securityfocus.com/templates/archive.pike?list=92&tid=175671&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&
04/06/01 Sun's attitude to minimal OS installs....
http://securityfocus.com/templates/archive.pike?tid=175668&list=92&threads=1&fromthread=0&start=2001-04-01&end=2001-04-07&
http://securityfocus.com/templates/archive.pike?list=92&tid=175743&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&
04/06/01 ipsec & solaris 8
http://securityfocus.com/templates/archive.pike?tid=175665&list=92&threads=1&fromthread=0&start=2001-04-01&end=2001-04-07&
http://securityfocus.com/templates/archive.pike?list=92&tid=175785&fromthread=0&threads=1&end=2001-04-14&start=2001-04-08&
04/05/01 Overflow prevention in /etc/system
http://securityfocus.com/templates/archive.pike?tid=175310&list=92&threads=1&fromthread=0&start=2001-04-01&end=2001-04-07&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week:
RE: simply question on rsh
http://www.theorygroup.com/Archive/YASSP/2001/msg00106.html
RE: nettune (fwd)
http://www.theorygroup.com/Archive/YASSP/2001/msg00105.html
RE: not able to build packages ...
http://www.theorygroup.com/Archive/YASSP/2001/msg00103.html
Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include OpenSSL, KSEC, KSTAT, Apache and Linux Kernel.
Auditing and Intrusion Monitoring tools include SCRAM, Snorticus, SnortRules, Nessus, Remote Nmap, SAINT, NEAT, NetSaint_statd, Saintmap, Chkrootkit, PIKT, BigBrother, MergeLog, Samhain and 3 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, IP Filter, FwLogWatch, FloppyFw, Knetfilter, GShield, Astaro Security Linux and 2 other tools.
Tools for Linux/Unix/Cross Platform include Bastille Linux, Amavis, FreeS/WAN, SILC, Linux VPN, Lomac, Saint Jude LKM and 3 other tools.
Tools for Windows: no tools this week.
Preamble: 3 more Solaris SUID weaknesses this week. More worries, more work. We discuss how to disable as many SUID files as possible, to reduce the risk posed by these rogue SUID buffer overflows, even before vulnerabilities are announced.
Files which have the SUID bit set (an "s" where the execute bit for the owner/group is shown in 'ls' listings) allow the user executing the program to assume the identity/group of the owner of the program. This is typically used to allow normal users access to certain functions only allowed to root, for example binding to low ports, mounting a floppy disk, etc. The problem is that historically, many security weaknesses have been found in such programs (for example 3 this week alone!) allowing attackers with local accounts to become root by exploiting buffer overflows, race conditions etc.
What SUID files are on the system?
The find command can be used to list all SUID files:
> find / -perm -u+s -ls
or all SGID files:
> find / -perm -g+s -ls
They are also listed in the package database /var/adm/install.
How should we handle SUID files? Possible courses of action, in order of preference, are:
What SUID files need to be limited?
After applying the above commands on a Solaris 7 or 8 "user bundle" install,
the list of SUIDs left is reduced to the following:
find / -type f \( -perm -u+s -o -perm -g+s \) -ls
SUID files:
/usr/lib/pt_chmod /usr/lib/utmp_update /usr/bin/login /usr/bin/passwd /usr/bin/pfexec
/usr/bin/su /usr/sbin/ping /opt/local/bin/ssh
SGID files:
/usr/bin/mail /usr/bin/mailx
Note: You'll also find that /usr/bin/yppasswd /usr/bin/nispasswd are SUID, but they
are links to /usr/bin/passwd, so removing the SUID bits will stop normal users from
changing their local passwords!
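Once a host has been reduced to a short list like the one above, the useful check is not the full find listing but the difference between that list and what is actually on disk, so a SUID bit that comes back with a patch or package install is noticed. The following POSIX shell script is an added example, not from the digest: it builds the SUID and SGID inventory with the octal forms -perm -4000 and -perm -2000 (equivalent to the -u+s and -g+s used above, and restricted to regular files like the find command in this section), strips the scanned root from each path and reports anything not in the baseline. The digest's post-hardening list is used as the assumed baseline; adjust it for your own builds. The root to scan is a parameter so the script can be pointed at a test tree as well as at /.

```shell
#!/bin/sh
# Added example, not part of the digest: compare the SUID/SGID files found
# under a root against an expected baseline and report the extras.

# Baseline taken from the digest's post-hardening Solaris 7/8 list. This is an
# assumption about what your build should look like; edit to match.
SUID_BASELINE='/usr/lib/pt_chmod
/usr/lib/utmp_update
/usr/bin/login
/usr/bin/passwd
/usr/bin/pfexec
/usr/bin/su
/usr/sbin/ping
/opt/local/bin/ssh'

SGID_BASELINE='/usr/bin/mail
/usr/bin/mailx'

# compare_set LABEL BIT ROOT BASELINE
#   LABEL    text used in the report (SUID or SGID)
#   BIT      octal permission bit to look for (4000 = SUID, 2000 = SGID)
#   ROOT     directory to scan; stripped from each path so that a test tree
#            compares against the same absolute names as a live system
#   BASELINE newline-separated list of expected absolute paths
# Prints files that carry BIT but are not in BASELINE; returns 1 if any.
compare_set() {
    label=$1; bit=$2; root=${3%/}; baseline=$4
    expected=$(mktemp); actual=$(mktemp)
    printf '%s\n' "$baseline" | sort > "$expected"
    # -type f: regular files only, as in the digest's own find command
    find "$root" -type f -perm -"$bit" 2>/dev/null | sed "s|^$root||" | sort > "$actual"
    # comm -13 keeps lines present only in the second file: found, not expected
    extra=$(comm -13 "$expected" "$actual")
    rm -f "$expected" "$actual"
    if [ -n "$extra" ]; then
        printf 'Unexpected %s files under %s:\n%s\n' "$label" "${root:-/}" "$extra"
        return 1
    fi
    printf 'ok: no unexpected %s files under %s\n' "$label" "${root:-/}"
    return 0
}

# audit_suid_sgid ROOT -> runs both comparisons; returns 1 if either found extras
audit_suid_sgid() {
    rc=0
    compare_set SUID 4000 "$1" "$SUID_BASELINE" || rc=1
    compare_set SGID 2000 "$1" "$SGID_BASELINE" || rc=1
    return $rc
}

# Usage: sh suid_audit.sh /     (as root, so that all directories are readable)
if [ $# -gt 0 ]; then
    audit_suid_sgid "$1"
fi
```

Run it from cron and mail the output, or keep the baseline in the same revision-controlled place as the rest of the host's hardening notes; a non-zero exit is the signal to look at the file the report names and either remove its SUID/SGID bit or add it to the baseline deliberately. Files in the baseline that are missing from disk are not reported, since the point here is new privilege, not lost functionality.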
Some auditing ideas:
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.