By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
New Solaris vulnerabilities: mailx.
5 Third-party vulnerabilities.
Most Solaris patch bundles have changed, many new patches.
Top Articles: Bind, Chasing the wind, risk analysis, TCP sequence prediction, OpenSSH.
Discussions summary: YASSP & Focus-sun.
Tip of the Week: Large IDE drives
mailx buffer Overflow
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
Pablo Sor has discovered a local vulnerability in mailx whereby the '-F' argument is subject to a buffer overflow. Since mailx is sgid 'mail', a successful attack results in 'mail' privileges.
Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.
Workaround: disable sgid on 'mailx':
chmod g-s /usr/bin/mailx
Tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read.
Solaris Intel sysi86
It was noted on Bugtraq this week that the vulnerability used by the LSD Hackers to crack the Argus Pit Bull system is fixed in the Solaris 8 x86 kernel patch 108529-07 (released 17th April) and is recorded as Sun bug 4404947. The problem was with sysi86 argument validation. The weakness, originally noted in NetBSD is explained at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-002.txt.asc
Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
Xsun HOME buffer overflow vulnerability (10.Apr.01)
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561
Status: local SUID exploit. Workaround: remove the suid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm.
Recent patches from Sun include 108376-22 (Solaris 7) and 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they address this issue.
SNMP to DMI mapper daemon (15.Mar.01)
Status: remote exploit being actively abused, no patches yet (Sun bug id 4412996). Workaround: disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-04 (Solaris 8), 108870 (Solaris 8 x86) and 107709-11 (Solaris 7) but it's unclear if these solve this issue.
kcsSUNWIOsolf.so KCMS_PROFILES environment variable (11.Apr.01)
Status: local SUID exploit, no patches yet. Workaround: disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability (9.Apr.01)
Status: local SUID exploit of command line options, no patches yet. Workaround: disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
CDE dtsession LANG environment variable (11.Apr.01)
Status: local SUID exploit, no patches yet. Workaround: On servers not requiring a GUI, the SUID can be removed, on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. I did not carry out rigorous testing though.
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows (17.Apr.01)
Status: apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported. No patches yet. Workaround: watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration (11.Apr.01)
Status: remote exploit, less serious (allows an attacker to recognize valid usernames). No patch available yet. Workaround: watch your ftp servers carefully.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564
NTP buffer overflow (Mar.01)
Status: serious remote exploit, no patches yet. Workaround: watch your ntpd servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be got from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs Timezone buffer overflow vulnerability (17.Apr.01)
Status: local SUID exploit, no patches yet. Workaround: disable SUID.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581
2001-04-30: Bugzilla Remote Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2670
2001-04-30: Bugzilla Sensitive Information Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2671
2001-04-29: SAP Web Application Server for Linux Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2662
2001-04-28: NEdit Incremental Backup File Symbolic Link Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2667
2001-04-27: PerlCal Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2663
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.
Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.
We analyze both reports since changes in one are not always reflected in the other.
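The week-over-week comparison described above, as an added example (not the digest's own tooling): given last week's and this week's patch report saved as text files of lines in the "NNNNNN-RR description" form used in this digest's patch lists, it prints patches that are new and patches whose revision number has gone up. The sample report contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the digest's own tooling): compare two Sun patch
# reports, each a text file of lines like "108652-29 X11 6.4.1 Xsun patch",
# and list patches that are new or carry a higher revision than last week.

# compare_patch_reports OLD NEW
compare_patch_reports() {
    awk '
        # Split "108652-29 ..." into base id, numeric revision and description.
        {
            split($1, p, "-"); id = p[1]; rev = p[2] + 0
            $1 = ""; sub(/^ +/, ""); desc = $0
        }
        # First file is last week: remember each revision (works even if empty).
        FILENAME == ARGV[1] { old[id] = rev; next }
        !(id in old) { printf "new     %s-%02d %s\n", id, rev, desc; next }
        rev > old[id] { printf "updated %s-%02d -> %02d %s\n", id, old[id], rev, desc }
    ' "$1" "$2"
}

# Constructed sample reports (not real Sun output) for a stand-alone run.
demo() {
    old=$(mktemp) new=$(mktemp)
    printf '%s\n' '108652-28 X11 6.4.1 Xsun patch' \
                  '108528-07 SunOS 5.8: kernel update patch' > "$old"
    printf '%s\n' '108652-29 X11 6.4.1 Xsun patch' \
                  '108528-07 SunOS 5.8: kernel update patch' \
                  '111232-01 SunOS 5.8: patch in.fingerd' > "$new"
    compare_patch_reports "$old" "$new"
    rm -f "$old" "$new"
}

demo
```

A patch whose revision went down, or one that dropped out of the report, is deliberately not reported; diff the raw files if you need that.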
Solaris 2.5.1, Apr/25/01: no changes.
Solaris 2.6, Apr/30/01:
105720-14 SunOS 5.6: /kernel/fs/nfs patch
105755-10 SunOS 5.6: libresolv, in.named, named-xfer, nslookup, nstest patch
105338-26 CDE 1.2: dtmail patch
105210-37 SunOS 5.6: libaio, libc & watchmalloc patch
Solaris 7, Apr/25/01:
107709-11 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
107180-27 CDE 1.3: dtlogin patch
Solaris 8, May/01/01:
108652-29 X11 6.4.1 Xsun patch
Solaris 8_x86, May/01/01:
108980-14 SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
105210-37 SunOS 5.6: libaio, libc & watchmalloc patch
105338-26 CDE 1.2: dtmail patch
105401-34 SunOS 5.6: libnsl and NIS+ commands patch
105722-07 SunOS 5.6: /usr/lib/fs/ufs/ufsdump and ufsrestore patch
105755-10 SunOS 5.6: libresolv, in.named, named-xfer, nslookup, nstest patch
106049-02 SunOS 5.6: /usr/sbin/in.telnetd patch
106468-03 SunOS 5.6: /usr/bin/cu and usr/bin/uustat patch
107991-02 SunOS 5.6: /usr/sbin/static/rcp patch
107180-27 CDE 1.3: dtlogin patch
107709-11 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
108528-07 SunOS 5.8: kernel update patch
108869-04 SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
108991-10 SunOS 5.8: libc and watchmalloc patch
109887-04 SunOS 5.8: smartcard patch
109892-03 SunOS 5.8: /kernel/drv/ecpp driver patch
109894-01 *SunOS 5.8: /kernel/drv/sparcv9/bpp driver patch
109896-04 SunOS 5.8: USB dirver patch
111232-01 SunOS 5.8: patch in.fingerd
111234-01 SunOS 5.8: patch finger
108870-04 SunOS 5.8_x86: snmpdx/mibiisa/libssasnmp/snmplib patch
108980-14 *SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
111233-01 SunOS 5.8_x86: patch in.fingerd
111235-01 SunOS 5.8_x86: patch finger
Running the BIND9 DNS Server Securely
Sean Boran
http://securityportal.com/articles/bind9_20010430.html
This paper walks through compiling, installing and configuring a chroot'ed BIND v9 on Solaris 2.6 and 8. It also presents examples of advanced topics such as TSIGs and dynamic updates. It is specific to version 9 but we aim to help existing BIND 8 administrators realize what is involved in migrating to v9.
CA-2001-09: Statistical Weaknesses in TCP/IP Initial Sequence Numbers
http://www.cert.org/advisories/CA-2001-09.html
A new vulnerability has been identified which is present when using random increments to constantly increase TCP ISN values over time. Systems are vulnerable if they have not incorporated RFC1948 or equivalent improvements or do not use cryptographically secure network protocols like IPsec.
OCTAVE Threat Profiles
http://www.cert.org/archive/pdf/OCTAVEthreatProfiles.pdf
An interesting read on analyzing risks.
DNS and BIND, 4th Edition, Chapter 11 Security
Paul Albitz & Cricket Liu
http://www.oreilly.com/catalog/dns4/chapter/ch11.html
Chapter 11 is available free online. A good read.
Fighting the new electronic war
http://news.cnet.com/news/0-1014-201-5784065-0.html?tag=bt_pr
An interview with Lance Spitzner about his honeynet project.
Securing Java Code: Part 2
Thomas Gutschmidt
http://softwaredev.earthweb.com/java/article/0,,12082_756601,00.html
In this installment in our series, we further examine the elements that should be part of a secure Java code policy, including such safeguards as compartmentalization and cryptography.
Chasing the Wind, Part Six: The Gathering Storm
Robert G. Ferrell
http://www.securityfocus.com/frames/?focus=ih&content=/focus/ih/articles/chasing6.html
This is the sixth installment of Robert G. Ferrell's series, Chasing the Wind. As we left off in the last episode, our aspiring hacker Ian was on his way home from a hacker's convention, eager to test his new knowledge. Bob, Acme Ailerons' CIO, was alerted to a possible virus infection in the company's systems, one which Jake, the company's systems administrator, would spend his day quashing. Douglas, Acme's Systems Engineer, looked on as an Air Force captain unveiled a frightening project. Meanwhile a group of mysterious men seemed to be hatching a shady scheme...
Sun Alert Notifications
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/content14
http://sunsolve.sun.com/pub-cgi/search.pl
A Sun Alert notification proactively informs you about important hardware and software issues related to Sun Microsystems products that could potentially affect your computing environment and productivity. A new searchable collection of Sun Alert documents is now available on SunSolve Online. The Sun Alert collection is freely available (no support contract is required to view the information).
Comment: sounds interesting indeed, searching for "security" turns up 17 alerts. However there are no Bugtraq or CVE references in these alerts and how can we get these alerts via email? Why are there no alerts that discuss the current problems listed in the section Solaris Vulnerabilities Pending above?
Running BIND from daemontools
John Levine
http://www.bsdtoday.com/2001/April/Features467.html
Since I have no DNS when BIND dies, I've taken to running it under supervise from Dan Bernstein's daemontools which automatically restarts it (or any other daemon it controls) when it dies. Supervise is nice, it gives you a consistent way to run daemons and poke them with signals, and it also lets you log directly to files which is much faster than through syslog.
A permanent fix for the BIND 8 crashing problem
Matt Simerson
http://www.bsdtoday.com/2001/April/Features469.html
Install djbdns....
BSD Firewalls: IPFW
Dru Lavigne
http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html?page=1
05/02/01 Xwindows and password expiration
http://securityfocus.com/templates/archive.pike?list=92&fromthread=0&threads=1&start=2001-04-29&end=2001-05-05&tid=181774&
05/01/01 NTP vulnerability
http://www.securityfocus.com/templates/archive.pike?tid=181275&list=92&fromthread=0&threads=1&start=2001-04-29&end=2001-05-05&
05/01/01 kerberos nfs on Solaris8
http://www.securityfocus.com/templates/archive.pike?tid=181281&list=92&fromthread=0&threads=1&start=2001-04-29&end=2001-05-05&
05/01/01 Solaris 8 IPSEC interoperability
http://www.securityfocus.com/templates/archive.pike?tid=181279&list=92&fromthread=0&threads=1&start=2001-04-29&end=2001-05-05&
05/01/01 chroot
http://www.securityfocus.com/templates/archive.pike?tid=180964&list=92&fromthread=0&threads=1&start=2001-04-29&end=2001-05-05&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week: none
Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include GnuPG, GnuPG::Interface, OpenSSH and Linux Kernel.
Auditing and Intrusion Monitoring tools include NetSaint, SARA, PIKT, BigBrother, John the Ripper, Port Scan Attack Detector, TcpSpy.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, PCX Firewall, Firewall Monitor, Firestarter, Ferm, Firewall Builder.
Tools for Linux/Unix/Cross Platform include Bastille Linux, Ngrep, SILC, Srm, Grsecurity, Libmcrypt.
Tools for Windows include Tiny Personal Firewall, Random Number Generator Pro, ICEWatch and NTLM Authorization Proxy Server.
OpenSSH 2.9p1 has been released, containing many portability bug-fixes as well as several new features.
When working with Solaris 8 on PCs, IDE drives greater than 40 GB need patch 110202-01, for the full capacity to be visible (scsi drives work fine).
If you have tips you'd like to share with others, contact us.