Weekly Solaris Security Digest
2001/05/07 to 2001/05/13

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html






New Solaris Vulnerabilities this Week

none

Vulnerabilities this Week — Third-party Applications:

Bugtraq database:

Bugtraq email list:

 


Solaris vulnerabilities pending

Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
Note: Most of these problems involve suid/sgid programs; we discussed removing as many suid rights as possible in "tip of the week" a few weeks back. An additional resource that you may find useful is Reg Quinton's walkthrough of Solaris 7 suid/sgid programs, covering their risks, history and the side effects noted when they are hardened: http://ist.uwaterloo.ca/security/howto/1999-04-21.html .

mailx buffer overflow
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/vdb/bottom.html?vid=2610  

Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.

Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however with locally delivered email.

Xsun HOME buffer overflow vulnerability
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561

Status: Local SUID exploit.

Workaround: Remove the SUID permissions. Xsun should continue to work fine if it is run via dtlogin or xdm. Recent patches from Sun include 108376-22 (Solaris 7) and 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they address this issue.

SNMP to DMI mapper daemon

Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).

Workaround: Disable the DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7), but it is unclear whether these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch 108869-05, released on 9th May, was not available for searching on Sunsolve (the README from version 04 appears).


kcsSUNWIOsolf.so KCMS_PROFILES environment variable

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf


kcms_configure vulnerability

Status: Local SUID exploit of command line options, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html


CDE dtsession LANG environment variable

Status: Local SUID exploit, no patches yet.

Workaround: On servers not requiring a GUI, the SUID bit can be removed. On a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work, since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession


ftpd #1 globbing buffer overflows

Status: Apparently it is not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So it is less serious than originally reported.

Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601


ftpd #2 CWD Username Enumeration

Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).

Workaround: Watch your ftp servers carefully.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564


NTP buffer overflow

Status: Serious remote exploit, no patches yet.

Workaround: Watch your NTP servers carefully and restrict access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540


ipcs Timezone buffer overflow vulnerability

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581
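Most of the workarounds above come down to the same step: take the set-uid/set-gid bit off a handful of programs. As an added example (not from the digest), here is a small POSIX shell helper that reports which of those programs still carry an s-bit, strips the bits while logging the old mode, and restores them from that log if a side effect turns up. The Solaris paths in SUID_CANDIDATES are assumed; check them with ls -l on your own host.

```shell
#!/bin/sh
# Added example, not from the digest: audit, strip and restore the set-uid/
# set-gid bits on the programs the pending list recommends hardening.
# The paths below are the usual Solaris 7/8 locations and are an assumption.
SUID_CANDIDATES="/usr/bin/mailx /usr/openwin/bin/Xsun /usr/openwin/bin/kcms_configure /usr/dt/bin/dtsession /usr/bin/ipcs"

# list_setid FILE...: print "<mode> <path>" for every existing file whose
# mode string still shows a set-uid (column 4) or set-gid (column 7) bit.
list_setid() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            mode=$(ls -ld "$f" | cut -c1-10)
            case "$mode" in
                ???[sS]??????|??????[sS]???) echo "$mode $f" ;;
            esac
        fi
    done
}

# strip_setid LOGFILE FILE...: append the current mode of each set-id file to
# LOGFILE (so it can be put back later), then clear both s-bits.
# Prints the number of files changed.
strip_setid() {
    log=$1; shift
    n=0
    for f in "$@"; do
        entry=$(list_setid "$f")
        if [ -n "$entry" ]; then
            echo "$entry" >> "$log"
            chmod u-s,g-s "$f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# restore_setid LOGFILE: re-apply the s-bits recorded by strip_setid, using
# the saved mode string to decide which bit(s) each file had.
restore_setid() {
    while read -r mode path; do
        case "$mode" in ???[sS]??????) chmod u+s "$path" ;; esac
        case "$mode" in ??????[sS]???) chmod g+s "$path" ;; esac
    done < "$1"
}

# Audit only; to harden, run: strip_setid /var/tmp/setid.log $SUID_CANDIDATES
list_setid $SUID_CANDIDATES
```

Keep the log file outside /tmp on a real host, since you will want it after a reboot if the screen-saver or mail locking problems mentioned above appear.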




Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.
     
  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.

1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Apr/25/01: no changes.

Solaris 2.6, May/9/01:

105786-14  SunOS 5.6: /kernel/drv/ip driver patch
105486-04  SunOS 5.6: /kernel/fs/hsfs patch
105741-09  SunOS 5.6: /kernel/drv/ecpp patch
106625-11  SunOS 5.6: libsec.a, libsec.so.1 and /kernel/fs/ufs patch

Solaris 7, May/8/01:    

106541-16  SunOS 5.7: Kernel update patch
107018-03  SunOS 5.7: /usr/sbin/in.named patch
107841-03  SunOS 5.7: rpcsec patch
111093-01  SunOS 5.7: /etc/security/bsmunconv patch
107654-08  OpenWindows 3.6.1 X11R6.4 LBX & XRX Extensions Patch
107022-08  CDE 1.3: Calendar Manager patch

Solaris 8, May/9/01:

109322-06  SunOS 5.8: libnsl patch
108974-10  SunOS 5.8: dada, uata, dad, sd and scsi drivers patch
110898-02  SunOS 5.8: csh/pfcsh patch
108869-05  SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
109888-05  SunOS 5.8: platform drivers patch 

Solaris 8_x86, May/02/01:

108653-24  X11 6.4.1_x86: Xsun patch
108870-05  SunOS 5.8_x86: snmpdx/mibiisa/libssasnmp/snmplib patch 

2. New or updated individual security/recommended patches.

 none



News & Articles

Advisory CA-2001-11 sadmind/IIS Worm
http://www.cert.org/advisories/CA-2001-11.html  


Source: Security Focus

Securing Wireless Networks
Joe Klemencic
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=5479&id=5479

Many companies make attempts to embrace new technologies, but unfortunately, many of these new technologies are not mature enough to provide adequate security mechanisms to prevent unauthorized access to such services. Wireless Network Connectivity is no exception.


Source: Sun


Source: SysAdmin Magazine (June 2001)

Dangers of SUID Shell Scripts
Thomas Akin
http://www.sysadminmag.com/current/0106a/0106a.htm

The object of this article is to illustrate how SUID programs work in order to help others writing their own programs avoid some common mistakes. The examples I provide are detailed enough to help you understand each danger, but I don't promise that all will work exactly as demonstrated if you try to use them maliciously.

 



Mailing Lists

Focus-Sun Discussions Threads


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week:

Yassp, NFSCLIENT, and FTP
http://www.theorygroup.com/Archive/YASSP/2001/msg00115.html


Security Tools

Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html



Tip of the Week: Solaris on Netra X1

The Netra X1 is a neat server that is cheap (starts at $999.- in the US), very compact (smaller than a pizza box) and includes the Lights Out Management (LOM) prom-like software for remote power down/up. A pity the fan is so noisy. Anyway, I don't want to sell you any X1s, but to discuss some problems you will meet when you want to reinstall it from scratch yourself. These problems may well apply to other recent Sun hardware.

There is no CD reader and no scsi bus (only IDE), so booting from an internal or external CD or disk is not an option.

That leaves remote booting via Jumpstart. The Jumpstart server must make Solaris 8 10/00 or later available. I used Solaris 8 01/01, which was the latest available for download last week (although version 04/01 was "released" the week previously).

However, special drivers need to be patched into the Install Server's Solaris directory (with the modify_install_server script) so that the appropriate drivers are made available to the X1. This is strange, given that the X1 was released with Solaris 8 10/00 and one would have expected the new drivers to be rolled into Solaris 8 01/01. Perhaps they are in Solaris 8 04/01? The file containing the drivers is mis.netra-x1.259-3836-02.zip and can be downloaded from SunSolve.

There is a similar problem with Sun Blade 100s:

Sun Alert ID: 25969
Synopsis: Installing or Re-installing Solaris 8 10/00 or 01/01 on Sun Blade 100-based Platforms Requires CD0 or Patched Netinstall
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=salert%2F25969

 

If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html



About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.


