Weekly Solaris Security Digest
2001/05/14 to 2001/05/20

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html





New Solaris Vulnerabilities this Week

'syscall' vulnerability in Solaris x86

Two weeks back we noted a 'syscall' vulnerability in Solaris x86 that was used to undermine PitBull and win a hacking contest. At the time Solaris 8_x86 patches were made available. Sun have now released Security Bulletin #00202 which lists patches available:
SunOS 5.8_x86 108529-07
SunOS 5.7_x86 106542-16
SunOS 5.6_x86 105182-27 (Scheduled availability June 18, 2001)
Trusted Solaris 8_x86 110338-02 (available soon)
Trusted Solaris 7_x86 109597-05 (available soon) 
http://sunsolve.sun.com/security
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-002.txt.asc  

 

Vulnerabilities this Week — Third-party Applications:

Bugtraq database:

Bugtraq email list:


Solaris vulnerabilities pending

Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.

mailx buffer Overflow
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/vdb/bottom.html?vid=2610  

Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.

Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown me any noticeable side effects: outgoing email can still be sent to remote servers and incoming email can still be read. There may, however, be locking problems with locally delivered email.

Xsun HOME buffer overflow vulnerability
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561

Status: Local SUID exploit.

Workaround: Remove the SUID permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108376-22 (Solaris 7) and 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they address this issue.

SNMP to DMI mapper daemon

Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).

Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7), but it's unclear whether these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README for 108869-05, released on 9th May, indicated only a fix for:
"Bug id: 4404944 libssasnmp changes the syslog message format"


kcsSUNWIOsolf.so KCMS_PROFILES environment variable

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf


kcms_configure vulnerability

Status: Local SUID exploit of command line options, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html


CDE dtsession LANG environment variable

Status: Local SUID exploit, no patches yet.

Workaround: On servers not requiring a GUI, the SUID bit can be removed. On a new Solaris 2.8 workstation I removed the SUID bit and the CDE desktop continued to function. However, the screen saver will no longer work, since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession


ftpd #1 globbing buffer overflows

Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.

Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601


ftpd #2 CWD Username Enumeration

Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).

Workaround: Watch your ftp servers carefully.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564


NTP buffer overflow

Status: Serious remote exploit, no patches yet.

Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540


ipcs Timezone buffer overflow vulnerability

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581
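Several of the pending items above share the same workaround, removing the set-id bit. The following script, added here as an example and not part of the digest, audits which of those binaries still carry setuid or setgid and can strip the bits; the paths are assumed to be the usual Solaris 8 locations, and the ROOT argument lets the same check run against a freshly Jumpstarted image mounted elsewhere (e.g. /a).

```sh
#!/bin/sh
# Added example (not from the digest): audit, and optionally remove, the set-id
# bits on the binaries whose pending workaround is "disable SUID/SGID".
# The paths below are the usual Solaris 8 locations (an assumption).
# Usage after sourcing this file:
#   audit_setid ""      # live system
#   audit_setid /a      # Jumpstart-installed image mounted at /a
#   strip_setid ""      # remove the bits from whatever is present

SETID_TARGETS="/usr/bin/mailx /usr/openwin/bin/Xsun /usr/openwin/bin/kcms_configure /usr/dt/bin/dtsession /usr/bin/ipcs"

# audit_setid ROOT [PATH...]: print "mode path" for every listed file under
# ROOT that still carries setuid or setgid. Returns 1 if any does, else 0.
# Files that are not installed on the box are skipped silently.
audit_setid() {
    root=$1; shift
    [ $# -gt 0 ] || set -- $SETID_TARGETS
    found=0
    for f in "$@"; do
        p="$root$f"
        [ -f "$p" ] || continue
        mode=$(ls -ld "$p" | cut -c1-10)     # e.g. -rwsr-xr-x
        case $mode in
            ???[sS]*|??????[sS]*)            # 's'/'S' in the user or group exec slot
                echo "$mode $f"
                found=1 ;;
        esac
    done
    return $found
}

# strip_setid ROOT [PATH...]: clear setuid and setgid (chmod u-s,g-s) on the
# listed files, leaving the other permission bits untouched.
strip_setid() {
    root=$1; shift
    [ $# -gt 0 ] || set -- $SETID_TARGETS
    for f in "$@"; do
        p="$root$f"
        [ -f "$p" ] && chmod u-s,g-s "$p"
    done
    return 0
}
```

The side effects noted in the entries above (dtsession screen lock needing /etc/shadow, Xsun started outside dtlogin/xdm) still apply once the bits are stripped, so re-run the audit after each patch install, since a patch may reinstate them.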




Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.
     
  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.
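The week-to-week comparison described above can be scripted. The function below, added here as an example and not part of the digest or of Sun's tools, diffs two patch reports written one patch per line in the "id-rev  description" form used in the cluster listing (e.g. "108376-24  OpenWindows 3.6.1: Xsun Patch") and reports new, revised and dropped patches; revisions are compared numerically so that 108376-22 becoming 108376-24 shows up as an update rather than a new patch.

```sh
#!/bin/sh
# Added example (not from the digest): diff last week's and this week's patch
# report. Usage: diff_patch_reports last_week.txt this_week.txt
#
# Output, one line per change:
#   NEW      <id>-<rev>  <description>
#   UPDATED  <id>-<oldrev> -> <id>-<newrev>  <description>
#   REMOVED  <id>-<rev>  <description>
# Lines whose first field is not a patch id (cluster names, dates) are ignored.
diff_patch_reports() {
    awk '
        $1 !~ /^[0-9]+-[0-9]+$/ { next }           # not a patch line
        {
            split($1, p, "-"); id = p[1]; rev = p[2] + 0
            desc = $2; for (i = 3; i <= NF; i++) desc = desc " " $i
        }
        FILENAME == ARGV[1] {                       # previous week: remember it
            oldrev[id] = rev; olddesc[id] = desc; next
        }
        {                                           # this week: compare
            seen[id] = 1
            if (!(id in oldrev))
                printf "NEW      %s-%02d  %s\n", id, rev, desc
            else if (rev > oldrev[id])
                printf "UPDATED  %s-%02d -> %s-%02d  %s\n", id, oldrev[id], id, rev, desc
        }
        END {                                       # dropped from the report
            for (id in oldrev)
                if (!(id in seen))
                    printf "REMOVED  %s-%02d  %s\n", id, oldrev[id], olddesc[id]
        }
    ' "$1" "$2"
}
```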

1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, May/16/01:

Solaris 2.6, May/16/01:

111109-01  SunOS 5.6: Patch to /usr/bin/nawk
106361-10  SunOS 5.6: csh/jsh/ksh/rksh/rsh/sh patch

Solaris 7, May/15/01:    

108376-24  OpenWindows 3.6.1: Xsun Patch

Solaris 8, May/16/01:

Solaris 8_x86, May/16/01:

2. New or updated individual security/recommended patches.



News & Articles

Source: CERT


Source: Security Focus


Source: Sun

Source: O'Reilly Network


Mailing Lists

Focus-Sun Discussions Threads

 


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week:


Security Tools

Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include GnuPG::Interface, PGPenvelope, OpenLDAP and BIND.
Auditing and Intrusion Monitoring tools include ACID, SnortSnarf, SAINT, SARA, PIKT, BigBrother and John the Ripper.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, IPtables Linux Firewall, Zorp, Securepoint Firewall Server SB, Dante, Astaro Security Linux and 3 other tools.
Tools for Linux/Unix/Cross Platform include Jail, OpenCL, SILC, Lomac and 4 other tools.
Tools for Windows include Wininterrogate and CryptoSoft Enigma.


Tip of the Week: Jumpstart

I had to set up an automated Solaris install (Jumpstart) server this week and thought I'd pass on some links and tips on the subject. Jumpstart is a very useful feature that saves time and can be used to ensure consistent, complete, high-quality installations. Although it's relatively simple, it can be difficult to debug and run satisfactorily.

We won't run through setting up Jumpstart, there are several resources already available, for example:

 

To record exactly what happens during a "hands-off" install, and to help with troubleshooting (for example when the interactive installation program starts unexpectedly), I attach the serial console to another Sun, and use Mindterm SSH to connect to that Sun (and use tip to access the console). Why Mindterm? Well, it has a "capture to file" option which can create a nice log of all activity in the Mindterm window (i.e. in this case the output from the Jumpstart installation).

After a Jumpstart installation, the logs in /var/sadm/system/logs should be checked, especially "finish.log".

The install image contains the default patches on the Solaris CD. It makes sense to update this to the latest "Security & Recommended" bundle regularly, so that newly installed machines are up to date. For example, if the install image is Solaris 8 in the directory /space/sparc_8:

Some example Jumpstart files that you may find useful:

If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

