AtomicTangerine SecurityPortal

Weekly Solaris Security Digest
2001/04/30 to 2001/05/06

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html




Rundown



New Solaris Vulnerabilities This Week

mailx Buffer Overflow
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html

Pablo Sor has discovered a local vulnerability in mailx whereby the '-F' argument is subject to a buffer overflow. Since mailx is sgid 'mail', a successful attack results in 'mail' privileges.
Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.

Workaround: disable sgid on 'mailx'

chmod g-s /usr/bin/mailx

Tests on Solaris 8 have not shown me any noticeable side effects: outgoing email can still be sent to remote servers and incoming email can still be read.

Solaris Intel sysi86
It was noted on Bugtraq this week that the vulnerability used by the LSD Hackers to crack the Argus Pit Bull system is fixed in the Solaris 8 x86 kernel patch 108529-07 (released 17th April) and is recorded as Sun bug 4404947. The problem was with sysi86 argument validation. The weakness, originally noted in NetBSD, is explained at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-002.txt.asc


Solaris Vulnerabilities Pending

Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.

Xsun HOME buffer overflow vulnerability (10.Apr.01)
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561
Status: local SUID exploit. Workaround: remove the suid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm.

Recent patches from Sun include 108376-22 (Solaris 7) and 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they address this issue.

SNMP to DMI mapper daemon (15.Mar.01)
Status: remote exploit being actively abused, no patches yet (Sun bug id 4412996). Workaround: disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html

Recent patches from Sun include 108869-04 (Solaris 8), 108870 (Solaris 8 x86) and 107709-11 (Solaris 7) but it's unclear if these solve this issue.

kcsSUNWIOsolf.so KCMS_PROFILES environment variable (11.Apr.01)
Status: local SUID exploit, no patches yet. Workaround: disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf

kcms_configure vulnerability (9.Apr.01)
Status: local SUID exploit of command line options, no patches yet. Workaround: disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html

CDE dtsession LANG environment variable (11.Apr.01)
Status: local SUID exploit, no patches yet. Workaround: on servers not requiring a GUI, the SUID bit can be removed; on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function, although I did not carry out rigorous testing.
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession

ftpd #1 globbing buffer overflows (17.Apr.01)
Status: apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported. No patches yet. Workaround: watch your ftp servers carefully for core dumps, and consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601

ftpd #2 CWD Username Enumeration (11.Apr.01)
Status: remote exploit, less serious (allows an attacker to recognize valid usernames). No patch available yet. Workaround: watch your ftp servers carefully.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564

NTP buffer overflow (Mar.01)
Status: serious remote exploit, no patches yet. Workaround: watch your ntpd servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540

ipcs Timezone buffer overflow vulnerability (17.Apr.01)
Status: local SUID exploit, no patches yet. Workaround: disable SUID.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581

Vulnerabilities this Week — Third-party Applications:

2001-04-30: Bugzilla Remote Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2670

2001-04-30: Bugzilla Sensitive Information Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2671

2001-04-29: SAP Web Application Server for Linux Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2662

2001-04-28: NEdit Incremental Backup File Symbolic Link Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2667

2001-04-27: PerlCal Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2663



Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.

  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.


1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Apr/25/01: no changes.

Solaris 2.6, Apr/30/01:

105720-14 SunOS 5.6: /kernel/fs/nfs patch
105755-10 SunOS 5.6: libresolv, in.named, named-xfer, nslookup, nstest patch
105338-26 CDE 1.2: dtmail patch
105210-37 SunOS 5.6: libaio, libc & watchmalloc patch

Solaris 7, Apr/25/01:

107709-11 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
107180-27 CDE 1.3: dtlogin patch

Solaris 8, May/01/01:

108652-29 X11 6.4.1 Xsun patch

Solaris 8_x86, May/01/01:

108980-14 SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch

2. New or updated individual security/recommended patches.

105210-37 SunOS 5.6: libaio, libc & watchmalloc patch
105338-26 CDE 1.2: dtmail patch
105401-34 SunOS 5.6: libnsl and NIS+ commands patch
105722-07 SunOS 5.6: /usr/lib/fs/ufs/ufsdump and ufsrestore patch
105755-10 SunOS 5.6: libresolv, in.named, named-xfer, nslookup, nstest patch
106049-02 SunOS 5.6: /usr/sbin/in.telnetd patch
106468-03 SunOS 5.6: /usr/bin/cu and usr/bin/uustat patch
107991-02 SunOS 5.6: /usr/sbin/static/rcp patch

107180-27 CDE 1.3: dtlogin patch
107709-11 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend

108528-07 SunOS 5.8: kernel update patch
108869-04 SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
108991-10 SunOS 5.8: libc and watchmalloc patch
109887-04 SunOS 5.8: smartcard patch
109892-03 SunOS 5.8: /kernel/drv/ecpp driver patch
109894-01 *SunOS 5.8: /kernel/drv/sparcv9/bpp driver patch
109896-04 SunOS 5.8: USB driver patch
111232-01 SunOS 5.8: patch in.fingerd
111234-01 SunOS 5.8: patch finger

108870-04 SunOS 5.8_x86: snmpdx/mibiisa/libssasnmp/snmplib patch
108980-14 *SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
111233-01 SunOS 5.8_x86: patch in.fingerd
111235-01 SunOS 5.8_x86: patch finger
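As an added example (not from the digest and not a Sun tool), the following POSIX shell snippet compares the patch revisions a Solaris host reports through showrev -p with the minimum revisions in this week's Solaris 8 list and flags any that are missing or older; the showrev output it runs on is constructed, so on a live host pipe the real command in instead.

```shell
#!/bin/sh
# Added example (not from the digest or from Sun): check whether the patch
# revisions a Solaris host reports via "showrev -p" meet the minimum
# revisions listed in this week's Solaris 8 (SPARC) patch list.

# Minimum revisions taken from the patch list above (Solaris 8 SPARC).
REQUIRED_PATCHES="108528-07 108652-29 108869-04 108991-10 111232-01 111234-01"

# Constructed sample of "showrev -p" output, standing in for the live command.
SAMPLE_SHOWREV='Patch: 108528-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsr
Patch: 108652-29 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwplt
Patch: 108991-10 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 111232-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# patch_status REQUIRED_LIST < showrev-output
# Prints OK / OLD / MISSING per required patch; the exit status is the
# number of patches that are missing or older than required.
patch_status() {
    awk -v required="$1" '
        # Keep the highest installed revision seen for each patch id.
        /^Patch: / {
            split($2, p, "-")
            rev = p[2] + 0
            if (!(p[1] in inst) || rev > inst[p[1]]) inst[p[1]] = rev
        }
        END {
            n = split(required, req, " ")
            bad = 0
            for (i = 1; i <= n; i++) {
                split(req[i], p, "-")
                if (!(p[1] in inst)) {
                    print "MISSING " req[i]; bad++
                } else if (inst[p[1]] < p[2] + 0) {
                    printf "OLD %s installed -%02d\n", req[i], inst[p[1]]; bad++
                } else {
                    print "OK " req[i]
                }
            }
            exit bad
        }'
}

# Run against the constructed sample; on a real host use:
#   showrev -p | patch_status "$REQUIRED_PATCHES"
printf '%s\n' "$SAMPLE_SHOWREV" | patch_status "$REQUIRED_PATCHES" \
    || echo "$? patch(es) missing or out of date"
```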

News & Articles

SecurityPortal

Running the BIND9 DNS Server Securely
Sean Boran
http://securityportal.com/articles/bind9_20010430.html

This paper walks through compiling, installing and configuring a chroot'ed BIND v9 on Solaris 2.6 and 8. It also presents examples of advanced topics such as TSIGs and dynamic updates. It is specific to version 9 but we aim to help existing BIND 8 administrators realize what is involved in migrating to v9.

CERT

CA-2001-09: Statistical Weaknesses in TCP/IP Initial Sequence Numbers
http://www.cert.org/advisories/CA-2001-09.html

A new vulnerability has been identified which is present when using random increments to constantly increase TCP ISN values over time. Systems are vulnerable if they have not incorporated RFC1948 or equivalent improvements or do not use cryptographically secure network protocols like IPsec.

OCTAVE Threat Profiles
http://www.cert.org/archive/pdf/OCTAVEthreatProfiles.pdf

An interesting read on analyzing risks.


LinuxSecurity

DNS and BIND, 4th Edition, Chapter 11 Security
Paul Albitz & Cricket Liu
http://www.oreilly.com/catalog/dns4/chapter/ch11.html

Chapter 11 is available free online. A good read.

Fighting the new electronic war
http://news.cnet.com/news/0-1014-201-5784065-0.html?tag=bt_pr

An interview with Lance Spitzner about his honeynet project.

Securing Java Code: Part 2
Thomas Gutschmidt
http://softwaredev.earthweb.com/java/article/0,,12082_756601,00.html

In this installment in our series, we further examine the elements that should be part of a secure Java code policy, including such safeguards as compartmentalization and cryptography.


Security Focus

Chasing the Wind, Part Six: The Gathering Storm
Robert G. Ferrell
http://www.securityfocus.com/frames/?focus=ih&content=/focus/ih/articles/chasing6.html

This is the sixth installment of Robert G. Ferrell's series, Chasing the Wind. As we left off in the last episode, our aspiring hacker Ian was on his way home from a hacker's convention, eager to test his new knowledge. Bob, Acme Ailerons' CIO, was alerted to a possible virus infection in the company's systems, one which Jake, the company's systems administrator, would spend his day quashing. Douglas, Acme's Systems Engineer, looked on as an Air Force captain unveiled a frightening project. Meanwhile a group of mysterious men seemed to be hatching a shady scheme...


Sun

Sun Alert Notifications
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/content14
http://sunsolve.sun.com/pub-cgi/search.pl

A Sun Alert notification proactively informs you about important hardware and software issues related to Sun Microsystems products that could potentially affect your computing environment and productivity. A new searchable collection of Sun Alert documents is now available on SunSolve Online. The Sun Alert collection is freely available (no support contract is required to view the information).
Comment: sounds interesting indeed; searching for "security" turns up 17 alerts. However, there are no Bugtraq or CVE references in these alerts, and how can we get these alerts via email? Why are there no alerts that discuss the current problems listed in the section Solaris Vulnerabilities Pending above?

BSD Today

Running BIND from daemontools
John Levine
http://www.bsdtoday.com/2001/April/Features467.html

Since I have no DNS when BIND dies, I've taken to running it under supervise from Dan Bernstein's daemontools, which automatically restarts it (or any other daemon it controls) when it dies. Supervise is nice: it gives you a consistent way to run daemons and poke them with signals, and it also lets you log directly to files, which is much faster than through syslog.

A permanent fix for the BIND 8 crashing problem
Matt Simerson
http://www.bsdtoday.com/2001/April/Features469.html

Install djbdns....

O'Reilly Net

BSD Firewalls: IPFW
Dru Lavigne
http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html?page=1


Mailing Lists

Focus-Sun Discussions Threads

05/02/01 Xwindows and password expiration
http://securityfocus.com/templates/archive.pike?list=92&fromthread=0&threads=1&start=2001-04-29&end=2001-05-05&tid=181774&

05/01/01 NTP vulnerability
http://www.securityfocus.com/templates/archive.pike?tid=181275&list=92&fromthread=0&threads=1&start=2001-04-29&end=2001-05-05&

05/01/01 kerberos nfs on Solaris8
http://www.securityfocus.com/templates/archive.pike?tid=181281&list=92&fromthread=0&threads=1&start=2001-04-29&end=2001-05-05&

05/01/01 Solaris 8 IPSEC interoperability
http://www.securityfocus.com/templates/archive.pike?tid=181279&list=92&fromthread=0&threads=1&start=2001-04-29&end=2001-05-05&

05/01/01 chroot
http://www.securityfocus.com/templates/archive.pike?tid=180964&list=92&fromthread=0&threads=1&start=2001-04-29&end=2001-05-05&

YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week: none



Security Tools

Security tool news is now summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include GnuPG, GnuPG::Interface, OpenSSH and Linux Kernel.

Auditing and Intrusion Monitoring tools include NetSaint, SARA, PIKT, BigBrother, John the Ripper, Port Scan Attack Detector, TcpSpy.

Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, PCX Firewall, Firewall Monitor, Firestarter, Ferm, Firewall Builder.

Tools for Linux/Unix/Cross Platform include Bastille Linux, Ngrep, SILC, Srm, Grsecurity, Libmcrypt.

Tools for Windows include Tiny Personal Firewall, Random Number Generator Pro, ICEWatch and NTLM Authorization Proxy Server.

OpenSSH 2.9p1 has been released, containing many portability bug-fixes as well as several new features.


Tip of the Week: Large IDE drives

When working with Solaris 8 on PCs, IDE drives greater than 40 GB need patch 110202-01 for the full capacity to be visible (SCSI drives work fine).


If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
