By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
Solaris yppassword buffer overflow
http://www.incidents.org/news/yppassword.php
A buffer overflow exploit (for the SPARC architecture) has been found in the wild which takes advantage of an unchecked buffer in the 'yppasswd' service. Solaris 6 or 7 SPARC systems running Yellow Pages (YP, also called NIS) are known to be vulnerable. I've not yet seen any detailed explanation of the weakness (for example on Bugtraq), which makes me think it may be one of the old NIS vulnerabilities. Workarounds:
'syscall' vulnerability in Solaris x86
Two weeks back we noted a 'syscall' vulnerability in Solaris x86 that was used to undermine PitBull and win a hacking contest. At the time Solaris 8_x86 patches were made available. Sun have now released Security Bulletin #00202 which lists patches available:
SunOS 5.8_x86 108529-07
SunOS 5.7_x86 106542-16
SunOS 5.6_x86 105182-27 (Scheduled availability June 18, 2001)
Trusted Solaris 8_x86 110338-02 (available soon)
Trusted Solaris 7_x86 109597-05 (available soon)
http://sunsolve.sun.com/security
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-002.txt.asc
Bugtraq database:
2001-05-08: PHPProjekt Directory Escaping Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2702
Bugtraq email list:
iPlanet – Netscape Enterprise Web Publisher Buffer Overflow
http://archives.neohapsis.com/archives/bugtraq/2001-05/0132.html
The Web Publisher feature in Netscape Enterprise 4.1 is vulnerable to a buffer overflow. By sending a large buffer containing executable code and a new Instruction Pointer, an attacker is able to gain remote system shell access to the vulnerable server.
The NSAPI patch is available at:
http://iplanet.com/products/iplanet_web_enterprise/iwsalert5.11.html
This issue will also be addressed by the release of iPlanet Web Server, Enterprise Edition version 4.1 Service Pack 8.
iPlanet Web Server 4.1 SP 3-7
http://archives.neohapsis.com/archives/bugtraq/2001-05/0093.html
A manipulation of the HTTP request headers sent to iWS or Netscape Enterprise Server (NES) that have the Web Publisher feature enabled can be exploited as a Denial of Service attack. The risk from these attacks is completely eliminated by deployment of the following NSAPI: solaris_flexlog2.tgz
Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
mailx buffer Overflow
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/vdb/bottom.html?vid=2610
Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however with locally delivered email.
Xsun HOME buffer overflow vulnerability
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561
Status: Local SUID exploit.
Workaround: Remove the SUID permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108376-22 (Solaris 7) 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they addressed this issue.
SNMP to DMI mapper daemon
Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).
Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7) but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README 108869-05, released on 9th May indicated only a fix for:
"Bug id: 4404944 libssasnmp changes the syslog message format"
kcsSUNWIOsolf.so KCMS_PROFILES environment variable
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability
Status: Local SUID exploit of command line options, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
CDE dtsession LANG environment variable
Status: Local SUID exploit, no patches yet.
Workaround: On servers not requiring a GUI, the SUID bit can be removed. On a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows
Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration
Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).
Workaround: Watch your ftp servers carefully.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564
NTP buffer overflow
Status: Serious remote exploit, no patches yet.
Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be got from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs Timezone buffer overflow vulnerability
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581
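Several of the interim workarounds above (mailx, Xsun, kcms_configure, dtsession, ipcs) come down to "remove the SUID bit until Sun ships a patch". The script below is added here as a worked example and is not part of the original digest: it reports which of those programs still carry a set-uid or set-gid bit, and can clear the bits while recording the previous ls -l line so the change can be reverted after patching. The digest names the programs; the install paths are my assumption of the stock Solaris locations, so check them against your own system.

```shell
#!/bin/sh
# Added example (not from the digest): report, and optionally clear, the
# set-uid/set-gid bits on the programs whose interim workaround above is
# "disable SUID/SGID". Paths below are assumed stock Solaris locations.
SUID_WORKAROUND_BINS="/usr/bin/mailx
/usr/openwin/bin/Xsun
/usr/openwin/bin/kcms_configure
/usr/dt/bin/dtsession
/usr/bin/ipcs"

# Exit status: 0 = set-uid or set-gid bit present, 1 = neither, 2 = no such file.
has_suid_or_sgid() {
    path=$1
    [ -e "$path" ] || return 2
    if [ -u "$path" ] || [ -g "$path" ]; then
        return 0
    fi
    return 1
}

# One status line per program; changes nothing.
report_suid() {
    for path in "$@"; do
        rc=0
        has_suid_or_sgid "$path" || rc=$?
        case $rc in
            0) echo "SUID/SGID set:  $path" ;;
            1) echo "ok (no s-bits): $path" ;;
            *) echo "not installed:  $path" ;;
        esac
    done
    return 0
}

# Clear both bits on each program that still carries one. The ls -l line
# of each file is appended to the log first, so the old mode is on record
# and can be restored with chmod once Sun's patch has been applied.
strip_suid() {
    logfile=$1
    shift
    for path in "$@"; do
        has_suid_or_sgid "$path" || continue
        ls -l "$path" >> "$logfile" || return 1
        chmod u-s,g-s "$path" || return 1
        echo "cleared s-bits: $path"
    done
    return 0
}

# Typical use (as root): report first, then strip with a record kept under /var/adm.
# report_suid $SUID_WORKAROUND_BINS
# strip_suid /var/adm/suid_workaround.log $SUID_WORKAROUND_BINS
```

Run report_suid from cron for a while after stripping: a patch installation (or a careless pkgadd) can quietly put the bits back.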
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, May/16/01:
103891-06 SunOS 5.5.1: ksh and rksh patch
Solaris 2.6, May/16/01:
111109-01 SunOS 5.6: Patch to /usr/bin/nawk
106361-10 SunOS 5.6: csh/jsh/ksh/rksh/rsh/sh patch
Solaris 7, May/15/01:
108376-24 OpenWindows 3.6.1: Xsun Patch
Solaris 8, May/16/01:
108974-11 SunOS 5.8: dada, uata, dad, sd and scsi drivers patch
109279-10 SunOS 5.8: /kernel/drv/ip patch
109740-04 SunOS 5.8: /kernel/drv/udp patch
111111-01 SunOS 5.8: nawk line length limit corrupts patch dependency checking
108987-04 SunOS 5.8: Patch for patchadd and patchrm
109472-05 SunOS 5.8: /kernel/drv/tcp patch
108875-08 SunOS 5.8: c2audit patch
109181-03 SunOS 5.8: /kernel/fs/cachefs patch
Solaris 8_x86, May/16/01:
111112-01 SunOS 5.8_x86: nawk line length limit corrupts patch dependency check
108774-08 SunOS 5.8_x86: IIIM and X Input & Output Method patch
108988-04 SunOS 5.8_x86: Patch for patchadd and patchrm
110610-01 SunOS 5.8_x86: cdio.h and commands.h USB patch
108994-02 SunOS 5.8_x86: nss and ldap patch
109897-05 SunOS 5.8_x86: USB patch
109182-03 SunOS 5.8_x86: /kernel/fs/cachefs patch
105786-14 SunOS 5.6: /kernel/drv/ip driver patch
106625-11 SunOS 5.6: libsec.a, libsec.so.1 and /kernel/fs/ufs patch
111240-01 * SunOS 5.6: Patch to /usr/bin/finger
106541-16 SunOS 5.7: Kernel update patch
107018-03 SunOS 5.7: /usr/sbin/in.named patch
107022-08 CDE 1.3: Calendar Manager patch
107654-08 OpenWindows 3.6.1 X11R6.4 LBX & XRX Extensions Patch
108376-24 OpenWindows 3.6.1: Xsun Patch
111093-01 SunOS 5.7: /etc/security/bsmunconv patch
111238-01 * SunOS 5.7: Patch to /usr/sbin/in.fingerd
111242-01 * SunOS 5.7: Patch to /usr/bin/finger
108773-08 * SunOS 5.8: IIIM and X Input & Output Method patch
108869-05 SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
108875-08 SunOS 5.8: c2audit patch
109279-10 SunOS 5.8: /kernel/drv/ip patch
109322-06 SunOS 5.8: libnsl patch
109888-05 SunOS 5.8: platform drivers patch
110898-02 SunOS 5.8: csh/pfcsh patch
108774-08 SunOS 5.8_x86: IIIM and X Input & Output Method patch
108870-05 SunOS 5.8_x86: snmpdx/mibiisa/libssasnmp/snmplib patch
109323-06 SunOS 5.8_x86: libnsl patch
109897-05 SunOS 5.8_x86: USB patch
The "cheese" Worm, Incident Note IN-2001-05
The 'cheese worm' is a worm designed to remove all inetd services referencing '/bin/sh' from systems with root shells listening on TCP port 10008. In reality, the 'cheese worm' will attempt to execute a series of shell commands on any host which accepts TCP connections on TCP port 10008.
Comment:
This worm is unusual in that it detects and cleans up systems affected by the Li0n worm.
http://www.cert.org/incident_notes/IN-2001-05.html
http://linuxtoday.com/news_story.php3?ltsn=2001-05-17-002-20-SC
Studying Normal Traffic, Part Three: TCP Headers
Karen Frederick
http://www.securityfocus.com/focus/ids/articles/normaltraf3.htm
This is the final article in a three-part series devoted to studying normal traffic. The first two articles in this series showed how to capture packets using WinDump and reviewed some of the basics of normal TCP/IP traffic. In this article, we will be looking at two other aspects of normal TCP traffic: the structure of TCP packets and the use of TCP options. Note that in order to understand this material, you should already know the fundamentals of TCP/IP.
Solaris and IP Filter: How to Make Them Your NAT solution
This article will examine the ways in which IP Filter can be used for Network Address Translation on a Solaris system. For the purposes of this discussion, the author will be using IPFilter on a Solaris 7, x86 platform. The scope of this article is limited to IP Filter's NAT capabilities (i.e. not filtering).
http://dnsupdate.sourceforge.net/
dnsupdate is a tool used to create/update (dynamic) DNS tables.
IPFW Rulesets
Dru Lavigne
http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
System Logging (syslog)
Michael Lucas
http://www.onlamp.com/pub/a/bsd/2001/05/17/Big_Scary_Daemons.html
The syslog system is one of the most delightful things about Unix. Unlike some operating systems that force you to use the limited range of logs that they condescend to provide, Unix allows you to log almost anything, at almost any level of detail. While system logging hooks are provided for the most common Unix resources, administrators can choose a logging configuration that meets their needs.
Comment: A useful overview. Some example syslog configurations that may help you further are:
www.boran.com/security/sp/solaris/syslog.conf
www.boran.com/security/sp/solaris/syslog_2.conf
05/15/01 ASET & umask
http://securityfocus.com/templates/archive.pike?threads=1&fromthread=0&tid=185024&list=92&start=2001-05-13&end=2001-05-19&
05/15/01 Re: Listening Ports and their Processes
http://securityfocus.com/templates/archive.pike?threads=1&fromthread=0&tid=184467&list=92&start=2001-05-13&end=2001-05-19&
05/13/01 Administrivia: Move to EZMLM
http://securityfocus.com/templates/archive.pike?threads=1&fromthread=0&tid=184396&list=92&start=2001-05-13&end=2001-05-19&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week:
yassp - pkgadd problem is related to root's umask.
http://www.theorygroup.com/Archive/YASSP/2001/msg00177.html
RE: disk mirroring
http://www.theorygroup.com/Archive/YASSP/2001/msg00176.html
Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include GnuPG::Interface, PGPenvelope, OpenLDAP and BIND.
Auditing and Intrusion Monitoring tools include ACID, SnortSnarf, SAINT, SARA, PIKT, BigBrother and John the Ripper.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, IPtables Linux Firewall, Zorp,
Securepoint Firewall Server SB, Dante, Astaro Security Linux and 3 other tools.
Tools for Linux/Unix/Cross Platform include Jail, OpenCL, SILC, Lomac and 4 other tools.
Tools for Windows include Wininterrogate and CryptoSoft Enigma.
I had to set up an automated Solaris install (Jumpstart) server this week and thought I'd pass on some links and tips on the subject. Jumpstart is a very useful feature that saves time and can be used to ensure consistent, complete, high-quality installations. Although it's relatively simple, it can be difficult to debug and run satisfactorily.
We won't run through setting up Jumpstart; there are several resources already available, for example:
Hands-off Jumpstart using "sysidcfg" with no Nameservice
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/doc16484
How to copy a directory from server to client via a Jumpstart finish script http://sunsolve.sun.com/pub-cgi/show.pl?target=content/doc23323
Solaris 8 Installation Collection >> Solaris 8 Advanced Installation Guide
http://docs.sun.com/ab2/coll.214.7/SPARCINSTALL/@Ab2TocView?Ab2Lang=C&Ab2Enc=iso-8859-1&DwebQuery=jumpstart&oqt=jumpstart
Adding a Kernel Patch to a Jumpstart Installation Boot Image
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/doc21571
jumpstart: How to install two or more different Solaris install images?
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/doc19282
Solaris Jumpstart Automated Installation
http://www.amorin.org/professional/jumpstart.php
Configuring Solaris Jumpstart Without a Name Service
http://www.cuug.ab.ca/~leblancj/labs/jumpstart.html
The Jumpstart Rules and Class Files
http://www.bu.edu/dsgsupport/sun/jumpstart/rules.html
Creating Finish Scripts
http://sgi-sw.rz.ruhr-uni-bochum.de/advanced_install_documentation/files/c0702.htm
Using Jumpstart to install/upgrade systems over the network
http://www.netwiz.net/~varmav/tips-tools/jumpstart/
To record exactly what happens during a "hands-off" install, and to help with troubleshooting (for example when the interactive installation program starts unexpectedly), I attach the serial console to another Sun, and use Mindterm SSH to connect to the Sun (and use tip to access the console). Why Mindterm? Well, it has a "capture to file" option which can create a nice log of all activity in the Mindterm window (i.e. in this case the output from the Jumpstart Installation).
After a Jumpstart installation, the logs in /var/sadm/system/logs should be checked, especially "finish.log".
The install image contains the default patches on the Solaris CD. It makes sense to update this to the latest "Security & Recommended" bundle regularly, so that newly installed machines are up to date. For example if the install image is Solaris 8 in the directory /space/sparc_8:
# move existing patches aside into a dated directory (e.g. .oldpatches.01y05m18d)
cd /space/sparc_8/Solaris_8/Patches
mkdir .oldpatches.`date +%yy%mm%dd`
mv * .oldpatches.`date +%yy%mm%dd`
# get latest recommended bundle: anonymous ftp, file /pub/patches/8_Recommended.zip
cd /space/sparc_8/Solaris_8/Patches
ftp sunsolve.sun.com
# extract bundle and clean up
unzip -q 8_Recommended.zip
mv 8_Recommended/* .
rmdir 8_Recommended
rm 8_Recommended.zip
# the Patches directory should now contain the cluster files:
ls
CLUSTER_README copyright install_cluster patch_order
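The same refresh as two checked shell functions, added here as a worked example (my own script, not part of the digest's procedure above): the rotate step refuses to continue if the archive directory cannot be created, and the install step verifies that the cluster files the digest lists (CLUSTER_README, install_cluster, patch_order) are actually present after unpacking, so a truncated download does not leave a half-empty Patches directory in the install image. The ftp download is left to the operator; pass the fetched 8_Recommended.zip as an argument. The Patches path and the bundle's top-level directory name are as given in the digest; the date stamp uses YYYYmmdd rather than the digest's %yy%mm%dd, and the zip file is kept rather than deleted.

```shell
#!/bin/sh
# Added example, not from the digest: refresh the Recommended patch bundle
# in a Jumpstart install image with checks at each step.

# Move everything currently in the Patches directory into a dated hidden
# directory so a bad bundle can be rolled back. Prints the archive path.
rotate_old_patches() {
    dir=$1
    stamp=$(date +%Y%m%d)
    old="$dir/.oldpatches.$stamp"
    mkdir -p "$old" || return 1
    for e in "$dir"/*; do
        [ -e "$e" ] || continue        # empty directory: nothing to move
        mv "$e" "$old"/ || return 1
    done
    echo "$old"
}

# Unpack the bundle into the Patches directory and verify the files a
# Recommended cluster is expected to contain (names from the digest).
install_bundle() {
    dir=$1
    zip=$2
    [ -f "$zip" ] || { echo "bundle not found: $zip" >&2; return 1; }
    case $zip in /*) ;; *) zip=$PWD/$zip ;; esac   # unzip runs after a cd
    ( cd "$dir" && unzip -q "$zip" ) || return 1
    [ -d "$dir/8_Recommended" ] || { echo "no 8_Recommended/ in bundle" >&2; return 1; }
    mv "$dir"/8_Recommended/* "$dir"/ || return 1
    rmdir "$dir/8_Recommended" || return 1
    for want in CLUSTER_README install_cluster patch_order; do
        [ -f "$dir/$want" ] || { echo "missing $want after unpack" >&2; return 1; }
    done
    return 0
}

# Usage: refresh_patches /space/sparc_8/Solaris_8/Patches /tmp/8_Recommended.zip
refresh_patches() {
    rotate_old_patches "$1" >/dev/null && install_bundle "$1" "$2"
}
```

If install_bundle fails, the previous patches are still intact under .oldpatches.YYYYmmdd and can simply be moved back.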
Some example Jumpstart files that you may find useful:
www.boran.com/security/sp/solaris/any_machine
www.boran.com/security/sp/solaris/finish
www.boran.com/security/sp/solaris/rules
www.boran.com/security/sp/solaris/sysidcfg
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.