Weekly Solaris Security Digest
2001/04/22 to 2001/04/29

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html



Rundown


New Solaris Vulnerabilities this Week

none

Solaris vulnerabilities pending

Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.

SNMP to DMI mapper daemon
Status: remote exploit being actively abused, no patches yet (Sun bug id 4412996). Workaround: disable the DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html

kcsSUNWIOsolf.so KCMS_PROFILES environment variable buffer overflow
Status: local SUID exploit, no patches yet. Workaround: disable SUID, as suggested for the other kcms_configure problem below.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf

CDE dtsession LANG environment variable buffer overflow
Status: local SUID exploit, no patches yet. Workaround: on servers not requiring a GUI, the SUID bit can be removed; on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. I did not carry out rigorous testing, though.
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html  
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession

ftpd #1 globbing buffer overflows
Status: apparently not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow, so it is less serious than originally reported. No patches yet. Workaround: watch your ftp servers carefully for core dumps, and consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601

ftpd #2 CWD Username Enumeration
Status: remote exploit, less serious (allows an attacker to recognize valid usernames), no patch available yet. Workaround: watch your ftp servers carefully.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564

NTP buffer overflow
Status: serious remote exploit, no patches yet. Workaround: watch your ntpd servers carefully and restrict access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540

Xsun HOME buffer overflow vulnerability
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561
Status: local SUID exploit, no patches yet. Workaround: remove the SETUID permission; Xsun should continue to work fine if it is run via dtlogin or xdm.

kcms_configure vulnerability
Status: local SUID exploit via command-line options, no patches yet. Workaround: disable SUID.
http://www.eeye.com/html/Research/Advisories/AD20010409.html

ipcs Timezone buffer overflow vulnerability
Status: local SUID exploit, no patches yet. Workaround: disable SUID.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581
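Several of the pending items above share the same workaround, "disable SUID" until Sun ships a patch. The script below is an added example, not something from the digest or from Sun: it clears the setuid bit on a list of binaries while recording the original mode, so the change is auditable and can be reverted once the patch is installed. The paths in CANDIDATES are assumptions about the usual Solaris locations of the programs named above; verify them with ls before running.

```sh
#!/bin/sh
# Added example (not from the digest): clear the setuid bit on programs for
# which the digest recommends "disable SUID", keeping a record of the original
# permissions so the bit can be restored after patching.  Written for the
# Solaris Bourne shell (backticks, no local variables).

LOG=${LOG:-/var/adm/suid_removed.log}     # assumed log location

# Assumed installation paths of the programs named in the digest.
CANDIDATES="/usr/dt/bin/dtsession
/usr/openwin/bin/Xsun
/usr/openwin/bin/kcms_configure
/usr/bin/ipcs"

# drop_suid FILE LOGFILE
# Returns 0 when FILE was setuid and the bit has now been cleared, 1 otherwise.
drop_suid() {
    [ -f "$1" ] || return 1                 # binary not installed here
    [ -u "$1" ] || return 1                 # nothing to do, not setuid
    stamp=`date '+%Y-%m-%d %H:%M:%S'`
    orig=`ls -ld "$1"`                      # ls, not stat: works on every release
    echo "$stamp $orig" >> "$2"             # record before changing anything
    chmod u-s "$1"
    [ ! -u "$1" ]                           # confirm the bit is really gone
}

# restore_suid FILE: undo drop_suid once the vendor patch is installed.
restore_suid() {
    chmod u+s "$1"
}

# Run as "sh drop_suid.sh apply" to process the candidate list.
if [ "$1" = "apply" ]; then
    for f in $CANDIDATES; do
        if drop_suid "$f" "$LOG"; then
            echo "setuid cleared: $f (original mode recorded in $LOG)"
        else
            echo "skipped: $f"
        fi
    done
fi
```

As the digest notes for Xsun and dtsession, confirm the desktop still starts via dtlogin or xdm after clearing the bit.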

Vulnerabilities this Week — Third-party Applications:

2001-04-24: Perl Web Server Path Traversal Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2648

2001-04-23: WebCalendar Remote Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2639

For the next two, the basic problem is that a remote user can supply an include file to the sql.php script and thereby execute arbitrary code.

2001-04-23: PHPPGAdmin Include File Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2640
2001-04-23: PHPMyAdmin File Inclusion Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2642

2001-04-20: Sendfile Local Arbitrary Command Execution as Group 0 Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2631

2001-04-20: Sendfile Local Privileged Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2631

2001-04-18: innfeed Command-Line Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2620

2001-04-18: NEdit Temporary File Creation Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2627

2001-04-18: iPlanet Calendar Server Plaintext Admin Password Vulnerability
Versions of Calendar Server store the username and password for the NAS LDAP database's administration account in a file which can be read by arbitrary users.
http://www.securityfocus.com/vdb/bottom.html?vid=2630

2001-04-17: DCForum 'AZ' Field Remote Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2611

2001-04-17: Samba Insecure TMP file Symbolic Link Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2617

2001-04-17: CrossWind CyberScheduler websyncd remote Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2628

2001-04-15: Exuberant-ctags Symbolic Link Attack Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2614



Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available, and we compare it with the previous week's report.
  2. As individual patches that fix specific problems. A patch report lists all patches and their versions. We compare the patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.


1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Apr/25/01:

103622-16 SunOS 5.5.1: /kernel/drv/sd driver patch
104212-15 SunOS 5.5.1: /kernel/drv/hme patch
104708-21 SunOS 5.5.1: ssd, pln, soc, ssaadm and ssafirmware patch
103663-16 SunOS 5.5.1: libresolv, in.named, named-xfer, nslookup & nstest patch
111279-01 SunOS 5.5.1: in.fingerd can store a NULL after end of an array

Solaris 2.6, Apr/24/01:

105356-18 SunOS 5.6: /kernel/drv/ssd and /kernel/drv/sd patch
105284-40 Motif 1.2.7: Runtime library patch
106468-03 SunOS 5.6: /usr/bin/cu and usr/bin/uustat patch
106049-02 SunOS 5.6: /usr/sbin/in.telnetd patch
105722-07 SunOS 5.6: /usr/lib/fs/ufs/ufsdump and ufsrestore patch
107991-02 SunOS 5.6: /usr/sbin/static/rcp patch
105210-36 SunOS 5.6: libaio, libc & watchmalloc patch
105401-34 SunOS 5.6: libnsl and NIS+ commands patch
105216-04 SunOS 5.6: /usr/sbin/rpcbind patch

Solaris 7, Apr/24/01:    

110281-02 SunOS 5.7: patch /usr/bin/find
106980-16 SunOS 5.7: libthread patch
107458-13 SunOS 5.7: dad, sd, ssd, uata kernel drivers patch
108376-22 OpenWindows 3.6.1: Xsun Patch

Solaris 8, Apr/25/01:

108869-04 SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
108528-07 SunOS 5.8: kernel update patch
108991-10 SunOS 5.8: libc and watchmalloc patch
108879-07 Solstice AdminSuite 3.0.1: Auditing, compat mode, passwd, autohome
111232-01 SunOS 5.8: patch in.fingerd
111234-01 SunOS 5.8: patch finger
109887-04 SunOS 5.8: smartcard patch
109896-04 SunOS 5.8: USB driver patch
109892-03 SunOS 5.8: /kernel/drv/ecpp driver patch

Solaris 8_x86, Apr/25/01:

108870-04 SunOS 5.8_x86: snmpdx/mibiisa/libssasnmp/snmplib patch
108881-07 Solstice AdminSuite 3.0.1_x86: Auditing compat mode passwd autohome
111233-01 SunOS 5.8_x86: patch in.fingerd
111235-01 SunOS 5.8_x86: patch finger

 

2. New or updated individual security/recommended patches.

none


News & Articles

Argus' $50,000 "Hack Me" Challenge Cracked
http://uk.news.yahoo.com/010423/152/bmqfd.html

The hack is likely to be a major embarrassment for the company behind the high-profile hacking competition, despite its assertion that the break in has highlighted a major new vulnerability in the Solaris operating system running on Intel x86 microprocessors.
Comment: Argus should protect against Solaris weaknesses, in my opinion. They've just been taught a little humility; perhaps companies looking for (cheap) publicity through hacker contests will learn from this?

 

CERT/CC Statistics 1988-2001
http://www.cert.org/stats/cert_stats.html

 

LinuxSecurity

CERT: The Next Generation, The Demise of the Internet's Last Objective and "Trusted" Organization
Richard Forno
http://www.infowarrior.org/articles/2001-03.html

 

Firewalls, VPNs, and Remote Offices
Fred Avolio
http://www.avolio.com/columns/fwvpns+remote.html

 

Know Your Enemy: Honeynets
Honeynet Project
http://www2.linuxsecurity.com/feature_stories/feature_story-84.html

The purpose of this paper is to discuss what a Honeynet is, its value to the security community, how it works, and the risks/issues involved.

Security Focus

 
A Comparison of iptables Automation Tools
by Anton Chuvakin
http://www.securityfocus.com/focus/linux/articles/iptables.html

Over the past several years, the use of Linux as a firewall platform has grown significantly. Linux firewalling code has come a long way since the time ipfwadm was introduced in kernel 1.2. This discussion will look at IP firewalling code in Linux kernel and its configuration via various interfaces such as GUIs or scripts (written in shell scripting language, Perl or special configuration language). Specifically, this article will offer a brief overview of the means of configuring iptables, and will offer a brief review of some tools that have been developed to automate the configuration of iptables.
Comment: I know this is not Solaris related, but you might be happy to have your commercial Firewall-1 or Sunscreen after you read this.

 

Sun

The Blueprint 'Solaris Operating Environment Network Settings for Security' has been updated.
http://www.sun.com/blueprints/1200/network-updt1.pdf

Likewise the articles on JASS
http://www.sun.com/blueprints/1100/jssec-updt1.pdf
http://www.sun.com/blueprints/1100/jssec2-updt1.pdf
http://www.sun.com/blueprints/1100/jssec3-updt1.pdf

 

Sun releases new version of Solaris 8: 04/01
www.sun.com/solaris
www.sun.com/solaris/binaries

Comment: I hope they got the BIND and Apache versions wrong, they seem way out of date. Web Start Flash sounds interesting.

 


Mailing Lists

Focus-Sun Discussions Threads

04/25/01 chroot
http://www.securityfocus.com/templates/archive.pike?tid=179898&list=92&fromthread=0&threads=1&start=2001-04-22&end=2001-04-28&

04/25/01 Gauntlet on solaris
http://www.securityfocus.com/templates/archive.pike?tid=179515&list=92&fromthread=0&threads=1&start=2001-04-22&end=2001-04-28&

04/25/01 probable hack?
http://www.securityfocus.com/templates/archive.pike?tid=179923&list=92&fromthread=0&threads=1&start=2001-04-22&end=2001-04-28&

04/25/01 bind chroot()ed
http://www.securityfocus.com/templates/archive.pike?tid=179389&list=92&fromthread=0&threads=1&start=2001-04-22&end=2001-04-28&

04/23/01 sunscreen
http://www.securityfocus.com/templates/archive.pike?tid=179093&list=92&fromthread=0&threads=1&start=2001-04-22&end=2001-04-28&

04/20/01 snmpXdmid vulnerability
http://www.securityfocus.com/templates/archive.pike?tid=178888&list=92&fromthread=0&threads=1&start=2001-04-15&end=2001-04-21&

04/20/01 Is procfs required?
http://www.securityfocus.com/templates/archive.pike?tid=178954&list=92&fromthread=0&threads=1&start=2001-04-15&end=2001-04-21&

 

YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week:

YASSP and IMAP... possible problems there?
http://www.theorygroup.com/Archive/YASSP/2001/msg00108.html


Security Tools

Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html  

Updates to General free tools this week include OpenSSH SecurID patch and PGPi.

Auditing and Intrusion Monitoring tools include IDScenter, PIKT, John the Ripper, Samhain, Cheops, Check-ps.

Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, Astaro Security Linux, Securepoint Firewall Server SB, MonMotha's IPtables, Iridium Firewall, PCX Firewall, Firewall Monitor.

Tools for Linux/Unix/Cross Platform include SILC, Averist, Crank.

Tools for Windows include IRCR and Athena-2k.


Tip of the Week: script 'backup_configs'

I've written a little script that you may find useful:

It backs up the key configuration files of several machines, remotely via SSH, into a compressed tarball.

The configuration files of many tools are recognised automatically. OpenBSD, Solaris and Red Hat have been tested. Backups are kept until you remove them; the backup directory must be purged manually.

Download

The script:
www.boran.com/security/sp/solaris/backup_configs

An example email log of the output generated by the script:
www.boran.com/security/sp/solaris/backup_configs.log
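To show the shape of such a tool, here is an added example of the same idea; it is not the backup_configs script itself. It prunes a single candidate list down to the files that exist on each host, so one list serves Solaris, OpenBSD and Red Hat, and pulls them over SSH into one gzip-compressed tarball per host and day. The host names, the backup directory and the candidate file list are assumptions; it further assumes non-interactive ssh key login as an account that can read the files, and gzip on the local side.

```sh
#!/bin/sh
# Added example, not the digest's own backup_configs script: archive the key
# configuration files of several hosts over SSH into a gzip'd tarball per host.
# Only files present on the target are collected.  Nothing is ever purged, so
# the backup directory must be cleaned out by hand.

HOSTS=${HOSTS:-"host1.example.com host2.example.com"}   # placeholder names
DEST=${DEST:-/var/backups/configs}                      # assumed local directory

# Candidate files, relative to /, in the order they will be archived.
CANDIDATES="etc/passwd etc/group etc/shadow etc/hosts etc/inetd.conf
etc/syslog.conf etc/resolv.conf etc/ssh/sshd_config etc/named.conf
etc/system etc/vfstab etc/default/login etc/rc.conf etc/sysconfig/network"

# existing_files ROOT: print the CANDIDATES present below ROOT, one per line.
existing_files() {
    for f in $CANDIDATES; do
        [ -f "$1/$f" ] && echo "$f"
    done
    return 0
}

# backup_local ROOT OUT: archive the candidates found below ROOT into OUT.
# Used for the local machine, and for testing against a constructed fake root.
backup_local() {
    files=`existing_files "$1"`
    [ -n "$files" ] || return 1
    (cd "$1" && tar cf - $files) | gzip > "$2"
}

# backup_host HOST: the same pruning and archiving, run on a remote host.
backup_host() {
    host=$1
    stamp=`date +%Y%m%d`
    list=`echo $CANDIDATES`          # collapse to one line for the remote shell
    files=`ssh "$host" "cd / && for f in $list; do [ -f \"\$f\" ] && echo \"\$f\"; done; true" | tr '\n' ' '`
    [ -n "$files" ] || { echo "$host: no configuration files found" >&2; return 1; }
    ssh "$host" "cd / && tar cf - $files" | gzip > "$DEST/$host-$stamp.tar.gz"
}

# Run as "sh backup_configs_example.sh run" to back up every host in HOSTS.
if [ "$1" = "run" ]; then
    mkdir -p "$DEST" && chmod 700 "$DEST"        # tarballs contain etc/shadow
    for h in $HOSTS; do
        backup_host "$h" || echo "$h: backup failed" >&2
    done
fi
```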

 

If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

