By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
Bugtraq database:
2001-05-07: Vixie Cron crontab Privilege Lowering Failure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2687
2001-05-08: PHPProjekt Directory Escaping Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2702
Bugtraq email list:
Samba 2.0.9 released - 2.0.8 did NOT fix the hole
http://archives.neohapsis.com/archives/bugtraq/2001-05/0061.html
The recent Samba 2.0.8 security fix release did NOT fix the security hole in Samba 2.0.7. I have now released Samba 2.0.9 to fix this. Note that the 2.2.0 release did fix the bug, so if you have installed that release then you can ignore this message. The 2.0.9 release is available at ftp://ftp.samba.org/pub/samba/samba-2.0.9.tar.gz. The 2.2.0 release is available at ftp://ftp.samba.org/pub/samba/samba-2.2.0.tar.gz. We do not plan on doing any more releases of Samba 2.0.x.
Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
Note: Most of these problems involve suid/sgid programs; we discussed removing as many suid rights as possible in the "tip of the week" a few weeks back. An additional resource you may find useful is Reg Quinton's walkthrough of Solaris 7 suid/sgid programs: their risks, history, and the side effects noted when they are hardened. http://ist.uwaterloo.ca/security/howto/1999-04-21.html
mailx buffer overflow
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/vdb/bottom.html?vid=2610
Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however with locally delivered email.
Xsun HOME buffer overflow vulnerability
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561
Status: Local SUID exploit.
Workaround: Remove the SUID permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108376-22 (Solaris 7) and 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they address this issue.
SNMP to DMI mapper daemon
Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).
Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7) but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch 108869-05, released on 9th May was not available for searching on Sunsolve (the README from Version 04 appears).
kcsSUNWIOsolf.so KCMS_PROFILES environment variable
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability
Status: Local SUID exploit of command line options, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
CDE dtsession LANG environment variable
Status: Local SUID exploit, no patches yet.
Workaround: On servers not requiring a GUI, the SUID can be removed, on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows
Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration
Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).
Workaround: Watch your ftp servers carefully.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564
NTP buffer overflow
Status: Serious remote exploit, no patches yet.
Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be got from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs Timezone buffer overflow vulnerability
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Apr/25/01: no changes.
Solaris 2.6, May/9/01:
105786-14 SunOS 5.6: /kernel/drv/ip driver patch
105486-04 SunOS 5.6: /kernel/fs/hsfs patch
105741-09 SunOS 5.6: /kernel/drv/ecpp patch
106625-11 SunOS 5.6: libsec.a, libsec.so.1 and /kernel/fs/ufs patch
Solaris 7, May/8/01:
106541-16 SunOS 5.7: Kernel update patch
107018-03 SunOS 5.7: /usr/sbin/in.named patch
107841-03 SunOS 5.7: rpcsec patch
111093-01 SunOS 5.7: /etc/security/bsmunconv patch
107654-08 OpenWindows 3.6.1 X11R6.4 LBX & XRX Extensions Patch
107022-08 CDE 1.3: Calendar Manager patch
Solaris 8, May/9/01:
109322-06 SunOS 5.8: libnsl patch
108974-10 SunOS 5.8: dada, uata, dad, sd and scsi drivers patch
110898-02 SunOS 5.8: csh/pfcsh patch
108869-05 SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
109888-05 SunOS 5.8: platform drivers patch
Solaris 8_x86, May/02/01:
108653-24 X11 6.4.1_x86: Xsun patch
108870-05 SunOS 5.8_x86: snmpdx/mibiisa/libssasnmp/snmplib patch
Advisory CA-2001-11 sadmind/IIS Worm
http://www.cert.org/advisories/CA-2001-11.html
The sadmind/IIS worm exploits a vulnerability in Solaris systems and subsequently installs software to attack Microsoft IIS web servers. In addition, it includes a component to propagate itself automatically to other vulnerable Solaris systems. It will add "+ +" to the .rhosts file in the root user's home directory. Finally, it will modify the index.html on the host Solaris system after compromising 2,000 IIS systems. The worm takes advantage of a two-year-old buffer overflow vulnerability in the Solstice sadmind program (see http://www.kb.cert.org/vuls/id/28934).
Comment: This worm is in the wild. Make sure you disable sadmind or have it patched on Solaris 7 or earlier.
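The advisory gives two concrete handles: the "+ +" entry the worm writes to root's .rhosts, and the need to disable sadmind, which inetd starts. The functions below are an added example, not part of the CERT advisory or of this digest; the inetd.conf line format and the /.rhosts location are standard Solaris, and file paths are arguments so the functions can be tried on copies before touching /etc.

```shell
#!/bin/sh
# Added example (not from the CERT advisory): two defensive checks for the
# sadmind/IIS worm described above. The "+ +" marker comes from the
# advisory; the inetd.conf line format is standard Solaris. File paths are
# arguments so the functions can be tried on copies before touching /etc.

# rhosts_wide_open FILE: 0 if FILE has a "+ +" entry (every user from
# every host trusted, the change the worm makes to /.rhosts), 1 otherwise.
rhosts_wide_open() {
    [ -r "$1" ] || return 1
    # field 1 is the host pattern, field 2 the user pattern
    awk '$1 == "+" && $2 == "+" { found = 1 } END { exit !found }' "$1"
}

# disable_inetd_service NAME CONF: comment out every active line of CONF
# mentioning NAME. RPC services such as sadmind start with a program
# number rather than the name, so the match is on the whole line. A dated
# backup is kept and the file is rewritten in place to keep its mode.
# Returns 0 if a line was disabled, 1 if none was active, 2 if not writable.
disable_inetd_service() {
    name="$1"; conf="$2"
    [ -w "$conf" ] || return 2
    grep "^[^#].*$name" "$conf" > /dev/null || return 1
    cp -p "$conf" "$conf.`date +%Y%m%d`"
    sed "/^[^#].*$name/s/^/#/" "$conf" > "$conf.tmp" &&
        cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Typical use on a Solaris 7 host as root; the SIGHUP makes inetd reread
# its configuration:
#   disable_inetd_service sadmind /etc/inetd.conf && pkill -HUP inetd
#   rhosts_wide_open /.rhosts && echo "WARNING: /.rhosts trusts everyone"
```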
Securing an Internet Name Server: Presentation
Cricket Liu
http://www.nsiregistry.com/dns/securing_an_internet_name_server.pdf
Securing Wireless Networks
Joe Klemencic
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=5479&id=5479
Many companies make attempts to embrace new technologies, but unfortunately, many of these new technologies are not mature enough to provide adequate security mechanisms to prevent unauthorized access to such services. Wireless Network Connectivity is no exception.
Securing Linux with AIDE
http://www.securityfocus.com/frames/?focus=linux&content=/focus/linux/articles/linuxaide.html
If you'd like to try out the AIDE integrity checking tool, a free alternative to Tripwire, check out this article, which is equally valid for Solaris.
Solaris Resource Manager GUI tool
http://www.sun.com/software/resourcemgr/download.html
An unsupported freeware application, srmtool, aids in the use and understanding of Solaris Resource Manager software. The srmtool provides a graphical user interface (GUI) alternative to the standard command line interface of Solaris Resource Manager software.
There is a Solaris Resource Manager FAQ now available at http://www.sun.com/software/resourcemgr/faq.htm
Consolidating Oracle RDBMS Instances Using Solaris Resource Manager
http://www.sun.com/software/resourcemgr/wp-oracle/
Step-by-step instructions on how to install Solaris Resource Manager software and Oracle RDBMS, and how they should be configured to work together.
Enterprise QoS Policy Based Systems & Network Management
http://www.sun.com/software/bandwidth/wp-policy/
This paper is a continuation of the work done by Joost Pronk Van Hoogenveen, Evert Hoogendoorn, and Jean-Christophe Martin in the area of Solaris Bandwidth Manager, and Policy Based Networks. This paper will provide an overview of QoS and policy fundamentals, and describe how these technologies fit in the various segments within the overall "end to end" solution. Performance results are presented, along with comparisons based on different traffic types and architectures. The analysis will show the advantages of introducing differentiated services deployed on certain architectures. A proposed integrated solution is described, using Sun Management Center 3.0 APIs to send server load feedback to the Policy Server, and using Solaris Bandwidth Manager 1.6 APIs to dynamically reconfigure the QoS capable network device.
Dangers of SUID Shell Scripts
Thomas Akin
http://www.sysadminmag.com/current/0106a/0106a.htm
The object of this article is to illustrate how SUID programs work in order to help others writing their own programs avoid some common mistakes. The examples I provide are detailed enough to help you understand each danger, but I don't promise that all will work exactly as demonstrated if you try to use them maliciously.
PICA: Perl Installation and Configuration Agent
Miguel Armas del Río and Esteban Manchado Velázquez
http://www.sysadminmag.com/current/0106a/0106a.htm
We needed a way to distribute security scripts and the important services' configuration files from a centralized location with little differences to adapt them to each host. We also needed a way to register any change on the configuration files, to be able to detect when a particular error was introduced, and who did it, and we wanted to centralize all network incident notifications and alarm management. To meet all these needs, we developed PICA (http://pica.ulpgc.es).
Automatic UNIX Documentation with unixdoc
Roman Marxer
http://www.sysadminmag.com/current/0106o/0106o.htm
There's no need to spend days documenting your servers. I've written a program that can help. unixdoc collects all the configuration files and other information about your computers into an HTML file and sends it to a display server where it can be viewed with a browser. It works on Solaris 2.6/7/8 and on HP-UX 10.20.
A Complete Network Information Center
Benjamin King
http://www.sysadminmag.com/current/0106p/0106p.htm
This network information center keeps track of all the computers on your networks, their operating systems, and the services they offer such as http or telnet. This job is going to require a network scanner (nmap), a database (mysql), and something to glue it all together. There are three Perl scripts. The first script, called netscan.pl, will scan your network as often as you wish and store the results in the database. The second script, called webnic.pl, will reside in your Web server's cgi-bin directory and allow you to search and view the data in the database. The third script, called scan_misc.pm, is a Perl module that contains some common functions that both scripts will use.
Building and Using a SAN (Part II)
W. Curtis Preston
http://www.sysadminmag.com/current/0106f/0106f.htm
I examine ways that online storage consolidation makes backups easier. I will then examine high-availability systems, followed by an overview of what's involved in building a SAN.
Mailman
Ron McCarty
http://www.sysadminmag.com/current/0106k/0106k.htm
Mailman is definitely worth considering for your mailing list needs. The Web front end for administrators and users with easy integration with Apache makes it one of the easiest mailing list programs to maintain.
It's All About Context
Randal L. Schwartz
http://www.sysadminmag.com/current/0106i/0106i.htm
A discussion on how misunderstanding "contexts" in Perl can get you into big trouble.
05/08/01 Listening Ports and their Processes
http://www.securityfocus.com/templates/archive.pike?fromthread=0&start=2001-05-06&threads=0&list=92&end=2001-05-12&mid=183713&
05/07/01 Tricky things with SunScreen
http://www.securityfocus.com/templates/archive.pike?fromthread=0&tid=182821&list=92&start=2001-05-06&threads=1&end=2001-05-12&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week:
pkgrm
http://www.theorygroup.com/Archive/YASSP/2001/msg00168.html
RE: Why cant I respond to messages on this alias?
http://www.theorygroup.com/Archive/YASSP/2001/msg00156.html
changes it makes
http://www.theorygroup.com/Archive/YASSP/2001/msg00147.html
Package master for OpenSSH?
http://www.theorygroup.com/Archive/YASSP/2001/msg00132.html
OpenSSH?
http://www.theorygroup.com/Archive/YASSP/2001/msg00122.html
Yassp and Titan
http://www.theorygroup.com/Archive/YASSP/2001/msg00121.html
diskmirroring
http://www.theorygroup.com/Archive/YASSP/2001/msg00119.html
Yassp, NFSCLIENT, and FTP
http://www.theorygroup.com/Archive/YASSP/2001/msg00115.html
Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to favorite free tools this week include PGP tools, sftp, iXplorer, mod_ssl. Auditing and Intrusion Monitoring tools include PIKT, chkrootkit, syslog-ng. Firewall tools include hap-linux, ferm. General Cross Platform security tools include lsof, tightVNC, silc. Tools for Windows include Sygate personal firewall.
The Netra X1 is a neat server that is cheap (starts at $999.- in the US), very compact (smaller than a pizza box) and includes the Lights Out Management (LOM) prom-like software for remote power down/up. A pity the fan is so noisy. Anyway, I don't want to sell you any X1s, but discuss some problems when you want to reinstall it from scratch yourself. These problems may well apply to other recent Sun hardware.
There is no CD reader and no scsi bus (only IDE), so booting from an internal or external CD or disk is not an option.
Which leaves remote booting/Jumpstart. The Jumpstart server must make Solaris 8 10/00 or later available. I used Solaris 8 01/01, which was the latest available for download last week (although Version 04/01 was "released" the week previously).
However, special drivers need to be patched onto the Install Server's Solaris directory (with the modify_install_server script) so that appropriate drivers are made available to the X1. This is strange, given that the X1 was released with Solaris 8 10/00, and one would have expected the new drivers to be rolled into Solaris 8 01/01. Perhaps they are in Solaris 8 04/01? The file containing the drivers is mis.netra-x1.259-3836-02.zip and can be downloaded from SunSolve.
There is a similar problem with Sun Blade 100s:
Sun Alert ID: 25969
Synopsis: Installing or Re-installing Solaris 8 10/00 or 01/01 on Sun Blade 100-based Platforms Requires CD0 or Patched Netinstall
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=salert%2F25969
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.