By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
kcsSUNWIOsolf.so KCMS_PROFILES environment variable buffer overflow
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
There is a buffer overflow vulnerability in the way the KCMS_PROFILES environment variable is handled by the kcsSUNWIOsolf.so library. When appropriately exploited through, for example, the kcms_configure program, it can lead to a local root compromise on a vulnerable system.
Status: local SUID exploit, no patches yet. Workaround: disable SUID, as was suggested for the other kcms_configure problem last week.
CDE dtsession LANG environment variable buffer overflow
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
The dtsession binary (which is suid root) is vulnerable to a buffer overflow in the LANG environment variable. This is a local attack that could lead to root privileges. An exploit is available for Solaris x86.
Workaround: there hasn't been a Bugtraq discussion on this topic yet. On servers not requiring a GUI the SUID bit can be removed; on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. I did not carry out rigorous testing, though.
Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
ftpd #1 globbing buffer overflows
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
Status: apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow, so it's less serious than originally reported. No patches yet. Workaround: watch your ftp servers carefully for core dumps, and consider restricting access by IP address.
ftpd #2 CWD Username Enumeration
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564
Status: remote exploit, less serious (allows an attacker to recognize valid usernames), no patch available yet. Workaround: watch your ftp servers carefully.
NTP buffer overflow
http://securityfocus.com/vdb/bottom.html?vid=2540
Status: serious remote exploit, no patches yet. Workaround: watch your ntpd servers carefully and restrict access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
Xsun HOME buffer overflow vulnerability
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561
Status: local SUID exploit, no patches yet. Workaround: remove the setuid permissions; Xsun should continue to work fine if it is run via dtlogin or xdm.
kcms_configure vulnerability
http://www.eeye.com/html/Research/Advisories/AD20010409.html
Status: local SUID exploit of command line options, no patches yet. Workaround: disable SUID.
ipcs Timezone buffer overflow vulnerability
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581
Status: local SUID exploit, no patches yet. Workaround: disable SUID.
SNMP to DMI mapper daemon
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
Status: remote exploit, no patches yet (Sun bug id 4412996). Workaround: disable DMI daemons.
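The workaround given for most of the local exploits above is to remove the setuid bit from the affected binary. Since a later patch can silently reinstall a binary with the bit set, it helps to keep an inventory. The script below is added here as an example and is not from the digest: it lists setuid files under a tree, saves that list as a baseline, and reports any file whose setuid status changed since. The function names, the baseline file location and the temporary demo tree are all constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the digest): inventory files carrying the setuid
# bit under a directory tree and compare the result with a saved baseline, so
# that a setuid bit that reappears (patches can reinstall a binary you stripped)
# or a brand-new setuid file is noticed. Paths are the caller's choice.

# Print every regular file under $1 with the setuid bit set, one per line, sorted.
# -xdev keeps find on one filesystem; add "-user root" to restrict to root-owned files.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print | sort
}

# Save the current inventory of tree $1 as baseline file $2.
save_setuid_baseline() {
    list_setuid "$1" > "$2"
}

# Compare tree $1 with baseline $2. Prints "+ path" for setuid files that are
# not in the baseline and "- path" for baseline entries that are no longer
# setuid. Returns 0 when nothing changed, 1 otherwise.
compare_setuid_baseline() {
    setuid_changes=$(list_setuid "$1" | diff "$2" - | sed -n 's/^> /+ /p; s/^< /- /p')
    [ -z "$setuid_changes" ] && return 0
    printf '%s\n' "$setuid_changes"
    return 1
}

# Demo on a constructed tree: one setuid file, one plain file, then a setuid
# bit "appears" on the plain file as a patch might do.
demo_dir=$(mktemp -d)
touch "$demo_dir/setuid_tool" "$demo_dir/plain_tool"
chmod 4755 "$demo_dir/setuid_tool"
chmod 755 "$demo_dir/plain_tool"
save_setuid_baseline "$demo_dir" "$demo_dir/.setuid.baseline"
chmod u+s "$demo_dir/plain_tool"
compare_setuid_baseline "$demo_dir" "$demo_dir/.setuid.baseline" || echo "setuid inventory changed"
rm -rf "$demo_dir"
```

On a real host the baseline would be taken once after stripping the bits (e.g. from / with -xdev, or per filesystem) and stored off-box or read-only, and the comparison run from cron after every patch cluster install.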
Bugtraq database:
2001-04-13: Trend Micro Interscan Viruswall Multiple Program Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2579
2001-04-13: NCM Content Management System content.pl Input Validation Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2584
2001-04-13: IBM Websphere/Net.Commerce Installation Directory Revealing Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2587
2001-04-13: IBM Websphere/Net.Commerce CGI-BIN Macro Denial of Service Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2588
2001-04-11: Oracle Application Server ndwfn4.so buffer overflow
http://securityfocus.com/vdb/bottom.html?vid=2569
2001-04-10: nph-maillist Arbitrary Code Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2563
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Apr/17/01:
104489-12 OpenWindows 3.5.1: ToolTalk patch
Solaris 2.6, Apr/17/01:
106040-16 SunOS 5.6: X Input & Output Method patch
111029-01 SunOS 5.6: /kernel/sys/semsys patch
105703-27 CDE 1.2: dtlogin patch
Solaris 7, Apr/17/01:
110881-01 SunOS 5.7: semop() hangs due to receipt of a signal
107285-03 SunOS 5.7: passwd & pam library patch
108376-22 OpenWindows 3.6.1: Xsun Patch
Solaris 8, Apr/16/01:
108968-05 SunOS 5.8: vol/vold/rmmount patch
108827-10 SunOS 5.8: libthread patch
Solaris 8_x86, Apr/17/01:
108969-05 SunOS 5.8_x86: vol/vold/rmmount patch
108529-07 SunOS 5.8_x86: kernel update patch
108980-13 SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
108992-10 SunOS 5.8_x86: libc and watchmalloc patch
106235-08 SunOS 5.6: lp patch
105703-27 CDE 1.2: dtlogin patch
107115-07 SunOS 5.7: LP patch
107285-03 SunOS 5.7: passwd & pam library patch
108327-02 SunOS 5.7: /usr/bin/cu patch
108376-22 OpenWindows 3.6.1: Xsun Patch
108968-05 SunOS 5.8: vol/vold/rmmount patch
109320-03 SunOS 5.8: LP patch
109888-06 SunOS 5.8: platform drivers patch
109892-03 SunOS 5.8: /kernel/drv/ecpp patch
109894-01 * SunOS 5.8: /kernel/drv/sparcv9/bpp patch
108969-05 SunOS 5.8_x86: vol/vold/rmmount patch
109321-03 SunOS 5.8_x86: LP patch
108529-07 SunOS 5.8_x86: kernel update patch
108980-13 * SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
108992-10 * SunOS 5.8_x86: libc and watchmalloc patch
SMTP over an SSH Tunnel
Jim Mock
http://www.freebsdzine.org/200104/tunnel.php3
CRYPTO-GRAM
Bruce Schneier
http://www.counterpane.com/
Interesting discussions saying that Insurance is not the Silver Bullet that Bruce was making it out to be.
CERT Coordination Center 2000 Annual Report
http://www.cert.org/annual_rpts/cert_rpt_00.html
CERT wasn't bored last year: "From January through December 2000, the CERT/CC received 56,365 email messages and more than 1,280 hotline calls reporting computer security incidents or requesting information. We received 774 vulnerability reports and handled 21,756 computer security incidents during this period. More than 9,350,000 hosts were affected by these incidents."
... Some of the most serious intruder activities included DDoS, BIND, ftp, rpc.statd, ActiveX and "Love letter". Links to the 22 advisories in 2000 are also provided.
CERT going commercial?
http://www.msnbc.com/news/561513.asp?cp1=1
The effort, to be announced here Thursday, would distribute up-to-the-minute warnings to international corporations about cyber-threats, offer security advice and ultimately establish a seal program to certify the security of companies' computer networks. Companies would pay $2,500 to $70,000 annually, depending on their revenue, and in exchange would receive warnings about new Internet threats generally 45 days before anyone else.
Avoiding security holes when developing an application - Part 2: memory, stack and functions, shellcode
Frédéric Raynal, Christophe Blaess, Christophe Grenier
http://mercury.chem.pitt.edu/~tiho/LinuxFocus/English/March2001/article183.shtml
This series of articles tries to put the emphasis on the main security holes that can appear within applications. It shows ways to avoid those holes by changing development habits a little. This article focuses on memory organization and layout and explains the relationship between a function and memory. The last section shows how to build shellcode.
This article is available in: English, Deutsch, Francais, Turkce.
Security flaw in Linux 2.4 IPTables using FTP PORT
http://www.tempest.com.br/advisories/01-2001.html
Linux's 2.4 kernel packet filter takes a serious knock on the head...
IPTables Basics NHF
Prince_Kenshi
http://www.linuxnewbie.org/nhf/intel/security/iptables_basics.html
Corporate E-mail: What's Your Policy?
Fred Avolio, Avolio Consulting, Inc.
http://www.avolio.com/columns/email-sec-pol.html
Some good policy suggestions in this article.
Firewall Design White Paper, Or a Heretics View of Access Nexuses
Angelos Karageorgiou
http://www.unix.gr/fwdesign.html
Good humor and good information.
Using GnuPG with Pine for Secure E-Mail
Ryan W. Maple
http://www.linuxsecurity.com/feature_stories/feature_story-83.html
JumpStart for Solaris Systems Part II
Ido Dubrawsky
http://www.securityfocus.com/focus/sun/articles/jumpstart2.html
This is the second of two articles examining JumpStart, a tool that enables Solaris system administrators to install and configure systems remotely. In the first article we introduced Sun's JumpStart system as well as the JumpStart Architecture and Security Scripts (JASS) toolkit from Sun. We also showed how the JumpStart system allows a system administrator to automate the installation of Solaris systems, while the JASS toolkit builds on top of JumpStart to allow the automated installation of hardened systems. This article will focus on the use of the JASS toolkit in the installation of a bastion mail host.
Infectable Objects, Part Five - HTML and Other Scripts
Robert Vibert
http://www.securityfocus.com/focus/virus/articles/infobj5.html
Detecting Loadable Kernel Modules (LKM)
Toby Miller
http://members.prestige.net/tmiller12/papers/lkm.htm
SuSE Linux AG has released the latest version, 7.1, of SuSE Linux for the SPARC architecture from Sun Microsystems. You can read the announcement or download a version from ftp://ftp.suse.com/pub/suse/sparc/suse-sparc/
Using Certificate Revocation Lists
http://www.apacheweek.com/features/crl
We look at how to get CRLs working with mod_ssl and Apache.
Scanning Your Network (with Nmap)
Dru Lavigne
http://www.onlamp.com/pub/a/bsd/2001/04/18/FreeBSD_Basics.html
Securing Your Apache Server
Ben Laurie and Peter Laurie
http://www.onlamp.com/pub/a/apache/excerpts/chpt13/index.html
An excerpt from Chapter 3, "Security," of Apache: The Definitive Guide, 2nd Edition. Enable Apache to communicate securely over Secure Sockets Layer (SSL). Covers building, configuring, and securing an SSL-enabled Apache server under Unix.
Comment: A good read (this book is worth buying), but this article covers Apache-SSL (with SSLeay) and not mod_ssl. mod_ssl, which uses OpenSSL, is probably the most common SSL implementation used for Apache.
Sun's MID: the ultimate in wireless security?
http://www.solarisguide.com/news_story.php3?ltsn=2001-04-18-002-05-NW-SC-BU
Sun Microsystems' Mobile Information Device (MID) profile is being touted as the most secure and dynamic wireless development platform to date. The result of 3 years of co-operation between Sun, Nokia, Motorola, and a global team of Java programmers, MID is Java that has been streamlined to suit mobile applications.
Comment: I'm always wary of claims like "ultimate security"...
04/19/01 Re: setuid scripts
http://www.securityfocus.com/templates/archive.pike?list=92&fromthread=0&threads=1&tid=178027&start=2001-04-15&end=2001-04-21&
04/19/01 Is procfs required?
http://www.securityfocus.com/templates/archive.pike?list=92&fromthread=0&threads=1&tid=178017&start=2001-04-15&end=2001-04-21&
04/18/01 Re: Any Solaris patch for CERT Advisory CA-2001-02
http://www.securityfocus.com/templates/archive.pike?list=92&fromthread=0&threads=1&tid=177592&start=2001-04-15&end=2001-04-21&
04/17/01 Re: Sun's attitude to minimal OS installs...
http://www.securityfocus.com/templates/archive.pike?list=92&fromthread=0&threads=1&tid=177267&start=2001-04-15&end=2001-04-21&
04/14/01 Overflow prevention in /etc/system
http://www.securityfocus.com/templates/archive.pike?list=92&fromthread=0&threads=1&tid=177019&start=2001-04-08&end=2001-04-14&
04/13/01 root $PATH
http://www.securityfocus.com/templates/archive.pike?list=92&fromthread=0&threads=1&tid=177002&start=2001-04-08&end=2001-04-14&
04/13/01 setuid scripts
http://www.securityfocus.com/templates/archive.pike?list=92&fromthread=0&threads=1&tid=176314&start=2001-04-08&end=2001-04-14&
04/13/01 sunscreen
http://www.securityfocus.com/templates/archive.pike?list=92&fromthread=0&threads=1&tid=176374&start=2001-04-08&end=2001-04-14&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week: none
Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include PGPenvelope.
Auditing and Intrusion Monitoring tools include SnortSnarf, Smack, PIKT, AIDE, SAStk, Port Scan Attack Detector, Lsof and Carbonite.
Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, Iridium Firewall, GShield, Astaro Security Linux and Ferm.
Tools for Linux/Unix/Cross Platform include BFBTester, Jail, Ethereal, Crypto++, SILC, Srm.
Tools for Windows include Advanced Password Generator.
One interesting tool is:
Jail is a chrooted environment using bash. Its main use is as the login shell for any user you want chrooted. Its primary goals are to be simple, clean, and highly portable. http://www.gsyc.inf.uc3m.es/~assman/jail/
When formatting disks, make sure you don't overlap cylinders, or you'll end up with messages like the following in the logs:
WARNING: ufs_readir: bad dir, inumber = 332288, fs = /
What do overlapping cylinders look like?
Part      Tag    Flag     Cylinders         Size            Blocks
  0       root    wm       0 -  884        2.00GB    (885/0/0)   4194900
  1       swap    wm     884 - 1186      701.28MB    (303/0/0)   1436220
  2     backup    wu       0 - 7498       16.95GB   (7499/0/0)  35545260
  6        var    wm    1186 - 7498       14.27GB   (6313/0/0)  29923620
The following is what should be used:
Part      Tag    Flag     Cylinders         Size            Blocks
  0       root    wm       0 -  884        2.00GB    (885/0/0)   4194900
  1       swap    wm     885 - 1185      696.65MB    (301/0/0)   1426740
  2     backup    wu       0 - 7498       16.95GB   (7499/0/0)  35545260
  6        var    wm    1186 - 7498       14.27GB   (6313/0/0)  29923620
This kind of mistake is easy to make when you're tired or distracted, and Solaris doesn't catch it (which seems strange).
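Since format does not catch the overlap itself, a small check before running newfs is worthwhile. The script below is an example added here, not something from the digest or from Sun: it reads a format-style partition table on stdin and reports every pair of slices whose cylinder ranges overlap (the bad table above produces two such pairs). The function name and the embedded sample table are constructed for this example; slice 2 is skipped because it spans the whole disk by design.

```shell
#!/bin/sh
# Added example (not part of the digest): check a Solaris "format" partition
# table for slices whose cylinder ranges overlap. Reads the table on stdin,
# prints one line per overlapping pair and exits 1 if any were found.
# Slice 2 (tag "backup") covers the whole disk by design and is skipped,
# as are slices that have no cylinder range (size 0).
check_slice_overlap() {
    awk '
    # Data lines start with a slice number 0-7 and carry "start - end" in fields 4-6.
    $1 ~ /^[0-7]$/ && $2 != "backup" && $5 == "-" {
        n++
        slice[n] = $1; lo[n] = $4 + 0; hi[n] = $6 + 0
    }
    END {
        bad = 0
        # Two closed ranges overlap when each starts no later than the other ends.
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "overlap: slice %s (%d-%d) and slice %s (%d-%d)\n", slice[i], lo[i], hi[i], slice[j], lo[j], hi[j]
                    bad = 1
                }
        exit bad
    }'
}

# Constructed sample: the bad layout from the tip above (swap shares cylinder
# 884 with root and cylinder 1186 with var).
BAD_TABLE='Part Tag Flag Cylinders Size Blocks
0 root wm 0 - 884 2.00GB (885/0/0) 4194900
1 swap wm 884 - 1186 701.28MB (303/0/0) 1436220
2 backup wu 0 - 7498 16.95GB (7499/0/0) 35545260
6 var wm 1186 - 7498 14.27GB (6313/0/0) 29923620'

# Usage: paste the output of format's "partition> print" into the function.
printf '%s\n' "$BAD_TABLE" | check_slice_overlap || echo "fix the slice layout before running newfs"
```

The check works on the text format prints; prtvtoc prints sector offsets and lengths in a different column layout, so the awk field numbers would need adjusting to use it there.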
Another tip:
Sun's BigAdmin has a list of useful command-line examples:
http://www.sun.com/bigadmin/shellme/index.html
I especially like the one for listing files by size on a particular partition, e.g. /var:
du -ad /var |sort -n
Another way of doing this is to use find, e.g. list files greater than 1MB and older than 7 days on the current filesystem (-xdev stops find from crossing mount points; -size counts 512-byte blocks, so +2048 is 1MB; -mtime +7 means last modified more than 7 days ago):
find . -xdev -mtime +7 -size +2048 -ls
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.