By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
SNMP to DMI mapper daemon
Status: remote exploit being actively abused, no patches yet (Sun bug id 4412996). Workaround: disable the DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
kcsSUNWIOsolf.so KCMS_PROFILES environment variable buffer overflow
Status: local SUID exploit, no patches yet. Workaround: disable SUID, as suggested for the other kcms_configure problem below.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
CDE dtsession LANG environment variable buffer overflow
Status: local SUID exploit, no patches yet. Workaround: on servers not requiring a GUI, the SUID bit can be removed. On a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function, though I did not carry out rigorous testing.
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows
Status: apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created, which may contain /etc/shadow. So it's less serious than originally reported. No patches yet. Workaround: watch your ftp servers carefully for core dumps, and consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration
Status: remote exploit, less serious (allows an attacker to recognize valid usernames), no patch available yet. Workaround: watch your ftp servers carefully.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564
NTP buffer overflow
Status: serious remote exploit, no patches yet. Workaround: watch your ntpd servers carefully and restrict access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540
Xsun HOME buffer overflow vulnerability
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561
Status: local SUID exploit, no patches yet. Workaround: remove the SETUID permissions; Xsun should continue to work fine if it is run via dtlogin or xdm.
kcms_configure vulnerability
Status: local SUID exploit via command line options, no patches yet. Workaround: disable SUID.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
ipcs Timezone buffer overflow vulnerability
Status: local SUID exploit, no patches yet. Workaround: disable SUID.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581
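Most of the workarounds above come down to two actions until Sun ships patches: take the setuid bit off a local binary (kcms_configure, dtsession, Xsun, ipcs) and stop the DMI daemons (snmpXdmid). The script below is an added example, not part of the digest or of Sun's advisories. It audits and clears the setuid bit on those four binaries, recording the original `ls -l` line so the bit can be put back when the patch arrives, and has a subcommand for the DMI workaround. The installation paths, and the init.dmi/S77dmi names used for the DMI service, are my assumptions based on the usual Solaris 2.6 to 8 layout; check them with `ls -l` on your own machine before running anything but `audit`.

```sh
#!/bin/sh
# suid_workarounds.sh (added example, not from the digest): audit or clear the
# setuid bit on the binaries whose interim workaround is "disable SUID", and
# optionally stop the DMI daemons. Written for POSIX sh; on Solaris run it with
# /usr/xpg4/bin/sh or ksh, because the Bourne /bin/sh lacks $( ) and $(( )).
#
# Paths below are the standard Solaris locations of these programs (assumed,
# not taken from the digest): verify them on your system first.
SUID_BINARIES="/usr/openwin/bin/kcms_configure /usr/dt/bin/dtsession /usr/openwin/bin/Xsun /usr/bin/ipcs"

# has_suid FILE: succeed when FILE carries the setuid bit (POSIX test -u).
has_suid() {
    [ -u "$1" ]
}

# count_suid FILE...: print how many of the given files are still setuid.
count_suid() {
    n=0
    for f in "$@"; do
        has_suid "$f" && n=$((n + 1))
    done
    echo "$n"
}

# audit_suid FILE...: one status line per file: SUID / ok / missing.
audit_suid() {
    for f in "$@"; do
        if has_suid "$f"; then
            echo "SUID    $f"
        elif [ -e "$f" ]; then
            echo "ok      $f"
        else
            echo "missing $f"
        fi
    done
}

# clear_suid LOGFILE FILE...: append the original `ls -ld` line to LOGFILE,
# then drop the setuid bit. Files that are not setuid are neither logged nor
# touched, so the log is exactly the list of what to restore after patching.
clear_suid() {
    log=$1
    shift
    for f in "$@"; do
        if has_suid "$f"; then
            ls -ld "$f" >> "$log"
            chmod u-s "$f"
        fi
    done
}

# disable_dmi: stop the DMI service and keep it from starting at boot by
# renaming its rc3 link. The script and link names are my assumption of the
# Solaris 2.6-8 layout (init.dmi / S77dmi); confirm them before use.
disable_dmi() {
    [ -x /etc/init.d/init.dmi ] && /etc/init.d/init.dmi stop
    [ -f /etc/rc3.d/S77dmi ] && mv /etc/rc3.d/S77dmi /etc/rc3.d/_S77dmi
    return 0
}

# Usage: suid_workarounds.sh [audit|clear|dmi]   (default: audit)
case "${1:-audit}" in
    audit) audit_suid $SUID_BINARIES ;;
    clear) clear_suid /var/adm/suid_rollback.log $SUID_BINARIES ;;
    dmi)   disable_dmi ;;
    *)     echo "usage: $0 [audit|clear|dmi]" >&2; exit 2 ;;
esac
```

Run `audit` first and keep its output; `clear` needs root and writes the rollback log to /var/adm, so that a later `chmod u+s` on each logged path undoes the workaround once the corresponding patch is installed.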
2001-04-24: Perl Web Server Path Traversal Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2648
2001-04-23: WebCalendar Remote Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2639
For the next two, the basic problem is that it is possible for a remote user to supply an include file to the sql.php script, and execute arbitrary code.
2001-04-23: PHPPGAdmin Include File Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2640
2001-04-23: PHPMyAdmin File Inclusion Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2642
2001-04-20: Sendfile Local Arbitrary Command Execution as Group 0 Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2631
2001-04-20: Sendfile Local Privileged Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2631
2001-04-18: innfeed Command-Line Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2620
2001-04-18: NEdit Temporary File Creation Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2627
2001-04-18: iPlanet Calendar Server Plaintext Admin Password Vulnerability
Versions of Calendar Server store the username and password for the NAS LDAP database's administration account in a file which can be read by arbitrary users.
http://www.securityfocus.com/vdb/bottom.html?vid=2630
2001-04-17: DCForum 'AZ' Field Remote Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2611
2001-04-17: Samba Insecure TMP file Symbolic Link Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2617
2001-04-17: CrossWind CyberScheduler websyncd remote Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2628
2001-04-15: Exuberant-ctags Symbolic Link Attack Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2614
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Apr/25/01:
103622-16 SunOS 5.5.1: /kernel/drv/sd driver patch
104212-15 SunOS 5.5.1: /kernel/drv/hme patch
104708-21 SunOS 5.5.1: ssd, pln, soc, ssaadm and ssafirmware patch
103663-16 SunOS 5.5.1: libresolv, in.named, named-xfer, nslookup & nstest patch
111279-01 SunOS 5.5.1: in.fingerd can store a NULL after end of an array
Solaris 2.6, Apr/24/01:
105356-18 SunOS 5.6: /kernel/drv/ssd and /kernel/drv/sd patch
105284-40 Motif 1.2.7: Runtime library patch
106468-03 SunOS 5.6: /usr/bin/cu and usr/bin/uustat patch
106049-02 SunOS 5.6: /usr/sbin/in.telnetd patch
105722-07 SunOS 5.6: /usr/lib/fs/ufs/ufsdump and ufsrestore patch
107991-02 SunOS 5.6: /usr/sbin/static/rcp patch
105210-36 SunOS 5.6: libaio, libc & watchmalloc patch
105401-34 SunOS 5.6: libnsl and NIS+ commands patch
105216-04 SunOS 5.6: /usr/sbin/rpcbind patch
Solaris 7, Apr/24/01:
110281-02 SunOS 5.7: patch /usr/bin/find
106980-16 SunOS 5.7: libthread patch
107458-13 SunOS 5.7: dad, sd, ssd, uata kernel drivers patch
108376-22 OpenWindows 3.6.1: Xsun Patch
Solaris 8, Apr/25/01:
108869-04 SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
108528-07 SunOS 5.8: kernel update patch
108991-10 SunOS 5.8: libc and watchmalloc patch
108879-07 Solstice AdminSuite 3.0.1: Auditing, compat mode, passwd, autohome
111232-01 SunOS 5.8: patch in.fingerd
111234-01 SunOS 5.8: patch finger
109887-04 SunOS 5.8: smartcard patch
109896-04 SunOS 5.8: USB driver patch
109892-03 SunOS 5.8: /kernel/drv/ecpp driver patch
Solaris 8_x86, Apr/25/01:
108870-04 SunOS 5.8_x86: snmpdx/mibiisa/libssasnmp/snmplib patch
108881-07 Solstice AdminSuite 3.0.1_x86: Auditing compat mode passwd autohome
111233-01 SunOS 5.8_x86: patch in.fingerd
111235-01 SunOS 5.8_x86: patch finger
Argus' $50,000 "Hack Me" Challenge Cracked
http://uk.news.yahoo.com/010423/152/bmqfd.html
The hack is likely to be a major embarrassment for the company behind the high-profile hacking competition, despite its assertion that the break-in has highlighted a major new vulnerability in the Solaris operating system running on Intel x86 microprocessors.
Comment: Argus should protect against Solaris weaknesses, in my opinion. They've just been taught a little humility; perhaps companies looking for (cheap) publicity through hacker contests will learn from this?
CERT/CC Statistics 1988-2001
http://www.cert.org/stats/cert_stats.html
CERT: The Next Generation, The Demise of the Internet's Last Objective and "Trusted" Organization
Richard Forno
http://www.infowarrior.org/articles/2001-03.html
Firewalls, VPNs, and Remote Offices
Fred Avolio
http://www.avolio.com/columns/fwvpns+remote.html
Know Your Enemy: Honeynets
Honeynet Project
http://www2.linuxsecurity.com/feature_stories/feature_story-84.html
The purpose of this paper is to discuss what a Honeynet is, its value to the security community, how it works, and the risks/issues involved.
A Comparison of iptables Automation Tools
by Anton Chuvakin
http://www.securityfocus.com/focus/linux/articles/iptables.html
Over the past several years, the use of Linux as a firewall platform has grown significantly. Linux firewalling code has come a long way since the time ipfwadm was introduced in kernel 1.2. This discussion will look at IP firewalling code in the Linux kernel and its configuration via various interfaces such as GUIs or scripts (written in a shell scripting language, Perl or a special configuration language). Specifically, this article will offer a brief overview of the means of configuring iptables, and will offer a brief review of some tools that have been developed to automate the configuration of iptables.
Comment: I know this is not Solaris related, but you might be happy to have your commercial Firewall-1 or Sunscreen after you read this.
The 'Blueprint', Solaris Operating Environment Network Settings for Security has been updated.
http://www.sun.com/blueprints/1200/network-updt1.pdf
Likewise the articles on JASS:
http://www.sun.com/blueprints/1100/jssec-updt1.pdf
http://www.sun.com/blueprints/1100/jssec2-updt1.pdf
http://www.sun.com/blueprints/1100/jssec3-updt1.pdf
Sun releases new version of Solaris 8: 04/01
www.sun.com/solaris
www.sun.com/solaris/binaries
- Web Start Flash can save a system administrator hours of management time by enabling them to replicate a complete system image or reference configuration onto multiple servers using standard deployment media or over the network via HTTP or NFS. The reference configuration can include not only the Solaris Operating Environment, but application stack and system configuration as well.
A system administrator can save hours by rolling the patches or updates onto the reference system, capturing the new image, and then "flashing" it onto other systems.
- Sun has also added a system ID default router. This feature makes it faster and easier to set up a system gateway router for efficient network communication. A system administrator can now access the Internet during the installation of the Solaris Operating Environment to get access to online documentation or the latest updates.
- Support of features in new sun hardware:
- Reconfiguration Coordination Manager (RCM): Software applications can use new system resources as soon as they've been provisioned through dynamic reconfiguration (DR). RCM is an API set for ISVs that allows them to take advantage of additional CPU or memory power without having to bring down the application or reboot the system.
- IP Multipathing: Ensures highly reliable network connections and provides load balancing and failover with multiple network interface cards. If a network connection fails, IP Multipathing's built-in redundancy ensures that the system connection is not lost and that data continues to flow.
- Mobile IP Enhancements: Secure remote access of applications by mobile end users such as sales and telecommuters. Reverse tunneling technology automatically ensures correct address tracking and translation for mobile devices.
- Java 2 Platform, Standard Edition (J2SE) v1.3.
- Sendmail 8.10: An upgrade of the mail server version to maintain ongoing compatibility with the latest from Sendmail, Inc.
- Bind 8.2.2: An upgrade of the DNS server that includes feature enhancements and security fixes for CERT advisory 99.14. The new release also introduces significant new functionality for authentication and data integrity to help ensure the security of corporate data.
- Apache Web Server 1.3.12: The latest release includes performance and reliability enhancements.
- Netscape 4.76: Incorporates the latest security updates to help ensure files are protected.
Comment: I hope they got the BIND and Apache versions wrong, they seem way out of date. Web Start Flash sounds interesting.
04/25/01 chroot
http://www.securityfocus.com/templates/archive.pike?tid=179898&list=92&fromthread=0&threads=1&start=2001-04-22&end=2001-04-28&
04/25/01 Gauntlet on Solaris
http://www.securityfocus.com/templates/archive.pike?tid=179515&list=92&fromthread=0&threads=1&start=2001-04-22&end=2001-04-28&
04/25/01 probable hack?
http://www.securityfocus.com/templates/archive.pike?tid=179923&list=92&fromthread=0&threads=1&start=2001-04-22&end=2001-04-28&
04/25/01 bind chroot()ed
http://www.securityfocus.com/templates/archive.pike?tid=179389&list=92&fromthread=0&threads=1&start=2001-04-22&end=2001-04-28&
04/23/01 sunscreen
http://www.securityfocus.com/templates/archive.pike?tid=179093&list=92&fromthread=0&threads=1&start=2001-04-22&end=2001-04-28&
04/20/01 snmpXdmid vulnerability
http://www.securityfocus.com/templates/archive.pike?tid=178888&list=92&fromthread=0&threads=1&start=2001-04-15&end=2001-04-21&
04/20/01 Is procfs required?
http://www.securityfocus.com/templates/archive.pike?tid=178954&list=92&fromthread=0&threads=1&start=2001-04-15&end=2001-04-21&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week:
YASSP and IMAP... possible problems there?
http://www.theorygroup.com/Archive/YASSP/2001/msg00108.html
Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include OpenSSH SecurID patch and PGPi.
Auditing and Intrusion Monitoring tools include IDScenter, PIKT, John the Ripper, Samhain, Cheops, Check-ps.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, Astaro Security Linux, Securepoint
Firewall Server SB, MonMotha's IPtables, Iridium Firewall, PCX Firewall, Firewall Monitor.
Tools for Linux/Unix/Cross Platform include SILC, Averist, Crank.
Tools for Windows includes IRCR and Athena-2k.
I've written a little script that you may find useful:
Backup key configuration files of several machines, remotely via SSH, into a compressed tarball.
Configuration files of many tools are automatically recognised. OpenBSD, Solaris and Redhat have been tested. Backups are kept for as long as needed; the backup directory has to be purged manually.
Download
The script:
www.boran.com/security/sp/solaris/backup_configs
An example email log of the output generated by the script:
www.boran.com/security/sp/solaris/backup_configs.log
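As an added illustration of the approach described above (this is not Seán's backup_configs script; download that from the link), here is a minimal POSIX-sh version of the same idea: a fixed list of configuration files, pulled from each host over SSH, one dated gzipped tarball per host, and a listing check afterwards so that an empty or corrupt archive is noticed rather than discovered on the day you need it. The file list and the REMOTE_CMD hook are my own choices, not features of the original script.

```sh
#!/bin/sh
# backup_configs_example.sh (added example; not Seán's backup_configs): pull a
# fixed list of configuration files from each host over SSH into one dated,
# compressed tarball per host, then verify that the archive can be listed.
# POSIX sh; on Solaris run with /usr/xpg4/bin/sh or ksh rather than /bin/sh.

# Files worth keeping a history of (my selection). A file that is missing on
# a given host is reported by tar on stderr but does not stop the backup.
CONFIG_FILES="/etc/passwd /etc/group /etc/hosts /etc/inet/inetd.conf /etc/ssh/sshd_config /etc/system /etc/vfstab /etc/syslog.conf"

# REMOTE_CMD runs a command on a host: "ssh" by default, so that
# `$REMOTE_CMD host 'cmd'` works unattended with key-based authentication.
# It can be pointed at a shell function (e.g. for a local dry run).
REMOTE_CMD=${REMOTE_CMD:-ssh}

# archive_name DEST HOST: path of today's tarball for HOST under DEST.
archive_name() {
    echo "$1/$2-$(date +%Y%m%d).tar.gz"
}

# backup_host DEST HOST FILE...: stream tar from the remote side through gzip
# into DEST and print the archive path. tar's stderr is deliberately kept:
# a silently incomplete backup is the failure mode you least want.
backup_host() {
    dest=$1; host=$2; shift 2
    out=$(archive_name "$dest" "$host")
    $REMOTE_CMD "$host" "tar cf - $*" | gzip > "$out"
    echo "$out"
}

# verify_archive FILE: list the archive and print the number of entries.
# Fails (non-zero status) when the archive is unreadable or empty.
verify_archive() {
    n=$(gzip -dc "$1" | tar tf - | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -gt 0 ]
}

# backup_all DEST HOST...: back up and verify each host, one summary line per
# host on stdout, failures on stderr (so a cron mail shows them at the top).
backup_all() {
    dest=$1; shift
    mkdir -p "$dest"
    for h in "$@"; do
        a=$(backup_host "$dest" "$h" $CONFIG_FILES)
        if n=$(verify_archive "$a"); then
            echo "$h: $n entries in $a"
        else
            echo "$h: BACKUP FAILED ($a)" >&2
        fi
    done
}

# Usage: sh backup_configs_example.sh /var/backups/configs host1 host2 ...
if [ "$#" -ge 2 ]; then
    backup_all "$@"
fi
```

Run it from cron on a backup host that holds a read-only SSH key for the targets, and mail its output; the per-host summary line is what you grep for when a machine is rebuilt and you need last week's inetd.conf. Old archives are never deleted, which matches the original script's "manual purging" behaviour.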
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.