By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
none
none.
Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
mailx buffer overflow
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/vdb/bottom.html?vid=2610
Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however with locally delivered email.
Xsun HOME buffer overflow vulnerability
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561
Status: Local SUID exploit.
Workaround: Remove the SUID permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108376-22 (Solaris 7) 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they addressed this issue.
SNMP to DMI mapper daemon
Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).
Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7), but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The README for Solaris 8 patch 108869-05, released on 9th May, indicated only a fix for:
"Bug id: 4404944 libssasnmp changes the syslog message format"
kcsSUNWIOsolf.so KCMS_PROFILES environment variable
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability
Status: Local SUID exploit of command line options, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
CDE dtsession LANG environment variable
Status: Local SUID exploit, no patches yet.
Workaround: On servers not requiring a GUI, the SUID bit can be removed; on a new Solaris 2.8 workstation I removed the SUID bit and the CDE desktop continued to function. However, the screen-saver will no longer work, since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows
Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD username enumeration
Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).
Workaround: Watch your ftp servers carefully.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564
NTP buffer overflow
Status: Serious remote exploit, no patches yet.
Workaround: Watch your NTP servers carefully and restrict access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs timezone buffer overflow vulnerability
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, May/16/01:
none
Solaris 2.6, May/23/01:
105338-27 CDE 1.2: dtmail patch
105633-53 OpenWindows 3.6: Xsun patch
105210-38 SunOS 5.6: libaio, libc & watchmalloc patch
Solaris 7, May/23/01:
107684-02 SunOS 5.7: sendmail patch
Solaris 8, May/23/01:
108875-09 SunOS 5.8: c2audit patch
108652-31 X11 6.4.1: Xsun patch
108528-08 SunOS 5.8: kernel update patch
109041-04 SunOS 5.8: sockfs patch
109322-07 SunOS 5.8: libnsl patch
Solaris 8_x86, May/23/01:
111334-01 SunOS 5.8_x86: /kernel/drv/adp patch
108529-08 SunOS 5.8_x86: kernel update patch
109042-04 SunOS 5.8_x86: sockfs patch
108653-26 X11 6.4.1_x86: Xsun patch
none
Encrypted Tunnels using SSH and Mindterm
Duane Dunston
http://www.linuxsecurity.com/feature_stories/feature_story-88.html
Installing and Operating ssldump 0.9 Beta 1 on Solaris
http://www.cert.org/security-improvement/implementations/i091.01.html
Installing The Coroner's Toolkit and using the mactime utility
http://www.cert.org/security-improvement/implementations/i091.01.html
Using The Coroner's Toolkit : Harvesting information with grave-robber
http://www.cert.org/security-improvement/implementations/i046.02.html
Using The Coroner's Toolkit : Rescuing files with lazarus
http://www.cert.org/security-improvement/implementations/i046.03.html
CERT was the victim of a DoS attack this week:
http://www.zdnet.com/zdnn/stories/news/0,4586,5083371,00.html
Now's your chance to try out an early preview release of "Exploring the GNOME 1.4 Desktop for the Solaris 8 Operating Environment."
Running Multiple Solaris Operating Environment Naming Services on a Client
Tom Bialaski
http://www.sun.com/blueprints/0501/Running.html
The native LDAP client installation program assumes that you will not be running another naming service on your client. Some customers I have worked with do not want to disable NIS when they configure native LDAP. This can be done, but there is no readily available document which describes how to do it. The article not only describes this procedure, but also highlights best practices for running NIS and LDAP together.
Datacenter Naming Scheme
Mark Garner
http://www.sun.com/blueprints/0501/Naming.html
Eighty percent of outages are allegedly the result of people or process issues. An intuitive and informative naming scheme can define and highlight the composition and function of components within a service infrastructure. The article looks at the merits of such a naming scheme and includes an example system for servers, storage, networks and cables that may help reduce operational error.
Building blocks to security: Passwords -- the first line of defense
S. Lee Henry
http://www.itworld.com/AppDev/1313/UIR010509buildingblocks/
Passwords -- the first line of defense and the oldest form of security on Unix systems -- might seem a very tired topic. You might even think there would be nothing left to say about passwords but, even today, people are making the same basic mistakes -- choosing obvious passwords, writing passwords down, or sharing passwords -- that they were making 10 years or more ago.
Perl Program Repair Shop and Red Flags
Mark-Jason Dominus
http://www.oreillynet.com/pub/a/network/2001/05/18/perl_redflags.html
Understanding Routing Protocols
Michael Norton
http://www.oreillynet.com/pub/a/network/2001/05/22/net_2nd_lang.html
The Agenda VR3: Real Linux in a PDA
Chris Halsall
http://linux.oreillynet.com/pub/a/linux/2001/05/18/agenda_pda.html
Comment: When are we going to get Solaris on a PDA? :-)
IP Filter License Change?
http://www.bsdtoday.com/2001/May/News489.html
Solaris Security Benchmark and Tools
The Solaris V1.0 Benchmark and Scanning/Scoring Tools are now available.
They may be downloaded from www.cisecurity.org.
Comment: This tool is useful and your feedback is valuable. There has already been quite a bit of discussion on the Yassp list (see below).
05/23/01 Speeding Up OpenSSH
http://www.securityfocus.com/templates/archive.pike?fromthread=0&mid=186423&list=92&threads=0&start=2001-05-20&end=2001-05-26&
05/23/01 FW: ASET & umask
http://www.securityfocus.com/templates/archive.pike?list=92&end=2001-05-26&start=2001-05-20&fromthread=0&threads=1&tid=186160&
05/21/01 ANNOUNCE: The Solaris Fingerprint Database - A Security Tool for Solaris
http://www.securityfocus.com/templates/archive.pike?list=92&end=2001-05-26&start=2001-05-20&fromthread=0&threads=1&tid=185926&
05/18/01 Shells being executed
http://www.securityfocus.com/templates/archive.pike?fromthread=0&threads=1&tid=185364&end=2001-05-19&list=92&start=2001-05-13&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week:
cisecurity audit tool vs YASSP
http://www.theorygroup.com/Archive/YASSP/2001/msg00184.html
Oracle after YASSP is installed..
http://www.theorygroup.com/Archive/YASSP/2001/msg00181.html
Logging login/logout messages via syslog
http://www.theorygroup.com/Archive/YASSP/2001/msg00180.html
reyassping after patches.
http://www.theorygroup.com/Archive/YASSP/2001/msg00179.html
yassp - pkgadd problem is related to root's umask.
http://www.theorygroup.com/Archive/YASSP/2001/msg00178.html
Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include Mod_ssl, OpenLDAP and Apache.
Auditing and Intrusion Monitoring tools include SnortSnarf, LIDS, BigBrother and John the Ripper.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, FloppyFw, netfilter and rTables Linux Firewall.
Tools for Linux/Unix/Cross Platform include AES Encryption for Shell Script, Ethereal, SILC, Samhain, FreeVSD and 3 other tools.
Tools for Windows include RATS.
Apache 1.3.20: This version of Apache is principally a security fix release which closes a problem under the Windows and OS2 ports that would segfault the server in response to a carefully constructed URL. It also fixes some potential configuration quirks present in the 1.3.19 release.
Sun has just announced a very interesting service:
"The Solaris Fingerprint Database (sfpDB) is a free SunSolve Online service that enables users to verify the integrity of files distributed with the Solaris Operating Environment. Examples of these files include the /bin/su executable file, Solaris patches, and unbundled products such as Sun Forte Developer Tools. The list of checksums, generated for a system, must be updated after the system is modified by patch installation and software installations. The issue with these tools has always been verifying that the files used to generate the baseline checksums are correct and current."
...... "Our goal is to provide a comprehensive collection of digital fingerprint for Solaris software. To this end, the Solaris Fingerprint Database is updated daily, and it now contains close to 1 million digital fingerprints for files used in the Solaris Operating Environment, Solaris patches, and unbundled products.
Limitations: Currently, foreign language versions of the Solaris Operating Environment and many encryption products are not supported. If you would like to suggest a product to be added to sfpDB, please send email to fingerprints@sun.com."
http://www.sun.com/blueprints/0501/Fingerprint.html
http://www.sun.com/blueprints/0501/Fingerprint.pd
Alex Noordergraaf, Lou Ordorica
I like to use tripwire to verify file integrity on critical Solaris systems, but tripwire does have its limits. For instance, if you've never run tripwire on a system, there is obviously little tripwire can do to detect changes. The Sun method, however, can detect changes on a system that has never had an integrity checking tool installed! Nice.
To try it out, run md5 on a Solaris binary of your choice, and paste the output into the appropriate field on http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl. If you paste more than one entry, make sure they are cleanly separated by newlines. For example, pasting:
MD5(listdgrp)= ee06584223290be70843fe0b807ef1f2
MD5(listusers)= 8e055aebc9825e743374334dd29290d4
results in:
ee06584223290be70843fe0b807ef1f2 - (listdgrp) - 1 match(es)
canonical-path: /usr/bin/listdgrp
package: SUNWcsu
version: 11.8.0,REV=2000.01.08.18.12
architecture: sparc
source: Solaris 8/SPARC
8e055aebc9825e743374334dd29290d4 - (listusers) - 1 match(es)
canonical-path: /usr/bin/listusers
package: SUNWcsu
version: 11.8.0,REV=2000.01.08.18.12
architecture: sparc
source: Solaris 8/SPARC
Accompanying tools: Sun provide a few tools to help with automating the fingerprint checking, which can be downloaded from http://www.sun.com/blueprints/tools/fingerprint_license.html .
"The Solaris Fingerprint Database Companion (sfpC) is a tool designed to automate the process of querying the Solaris Fingerprint Database (sfpDB). sfpC is used to process MD5 file signatures and present the collected database output information in human readable form. The tool eliminates the need for the manual task of cut and pasting MD5 output onto an HTML form. In addition, the tool performs the necessary checks to enable files of arbitrary size to be processed using multiple queries if necessary." An example of usage:
% find / -type f \( -perm -2000 -o -perm -4000 \) -exec /opt/md5/md5-sparc {} \; > md5.list
% sfpC.pl md5.list
"SideKick is a (bourne shell) tool developed to automate the collection of MD5 file signatures. SideKick can be used to collect signatures for files known to be replaced by "rootkits", files with Set-UID or Set-GID permissions in addition to several other collection methods. SideKick can optionally be used with sfpC to automate the collection and processing of MD5 file signatures. SideKick can also be used in a standalone capacity for distributed signature collection."
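As an added illustration of the two steps above (not Sun's sfpC or SideKick, and not part of the original digest), the hypothetical Python helper below produces the "MD5(name)= hash" lines that md5-sparc prints and sfpDB accepts, then parses the database's reply into records so that any file reporting "0 match(es)" can be flagged for a closer look. The reply text is a constructed sample shaped like the output shown earlier.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample of an sfpDB reply: one known file, one hash the
# database does not recognise (the zero-match case a checker must surface).
SAMPLE_RESULT = """\
ee06584223290be70843fe0b807ef1f2 - (listdgrp) - 1 match(es)
canonical-path: /usr/bin/listdgrp
package: SUNWcsu
version: 11.8.0,REV=2000.01.08.18.12
architecture: sparc
source: Solaris 8/SPARC
00000000000000000000000000000000 - (su) - 0 match(es)
"""

def md5_line(name, data):
    """Format one entry the way md5-sparc does: 'MD5(name)= <32 hex digits>'."""
    return f"MD5({name})= {hashlib.md5(data).hexdigest()}"

def md5_lines(paths):
    """Read each file and emit its md5-sparc style line (input for sfpC or the web form)."""
    return [md5_line(Path(p).name, Path(p).read_bytes()) for p in paths]

# Header line of each reply record: "<md5> - (<name>) - <n> match(es)"
HEADER = re.compile(r"^([0-9a-f]{32}) - \((.+?)\) - (\d+) match\(es\)$")

def parse_result(text):
    """Turn sfpDB reply text into a list of dicts, one per queried hash.
    Attribute lines (canonical-path:, package:, ...) attach to the record above them."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"md5": m.group(1), "name": m.group(2),
                            "matches": int(m.group(3))})
        elif ":" in line and records:
            key, _, value = line.partition(":")
            records[-1][key.strip()] = value.strip()
    return records

def unknown_files(records):
    """Names whose hash had no match: unbundled, locally built, or replaced; inspect them."""
    return [r["name"] for r in records if r["matches"] == 0]
```

Run md5_lines over the SUID/SGID file list, submit the lines, and pass the reply through parse_result and unknown_files to get the short list worth checking by hand.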
A new notes
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.