By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
Sun Solaris mailtool buffer overflow vulnerability
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html
The mailtool program suffers from a buffer overrun in its handling of the OPENWINHOME environment variable. By specifying a long value for this variable containing machine executable code, it is possible to execute arbitrary command(s) as gid mail. At least Solaris 2.6 through 8 are affected. Sun Bug ID: 4458476. No patch is available yet. Severity: a user with a local account may gain mail privileges.
Fix: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
2001-05-29: GnuPG Format String Vulnerability
http://www.securityfocus.com/bid/2797
2001-05-28: TWIG Webmail SQL Query Modification Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2791
2001-05-28: Directory Pro Arbitrary File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2793
Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
rpc.yppasswdd buffer overflow (updated)
Status: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.
Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php
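The check above ("ps -ef | grep yppasswd", a listener on tcp/77, an "inetd -s z" process) can be scripted so it runs the same way on every host. The following is an added example, not code from the digest: the two functions read ps(1) or netstat(1) output from stdin, so they accept either the live command or a saved capture. The ps and netstat lines embedded below are constructed samples in Solaris output format, not real captures.

```shell
#!/bin/sh
# Added example, not part of the digest: check ps(1) and netstat(1) output
# for the three rpc.yppasswdd indicators the digest names. Usage on a host:
#   ps -ef | scan_ps
#   netstat -an | scan_netstat

# Constructed ps -ef sample (not a real capture): a live yppasswdd plus the
# post-exploit "inetd -s z" process, alongside a normal inetd.
PS_SAMPLE='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0   May 20 ?        0:01 /etc/init -
    root   231     1  0   May 20 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd
    root   176     1  0   May 20 ?        0:00 /usr/sbin/inetd -s
    root  4410   231  0 13:42:07 ?        0:00 /usr/sbin/inetd -s z'

# Constructed netstat -an sample (Solaris layout): ssh, the rje port, rpcbind.
NETSTAT_SAMPLE='      *.22                 *.*                0      0 24576      0 LISTEN
      *.77                 *.*                0      0 24576      0 LISTEN
      *.111                *.*                0      0 24576      0 LISTEN'

# Report the daemon itself (to be disabled until patched) and the
# "/usr/sbin/inetd -s z" process the exploit leaves behind.
# One line per finding; exit status 0 if anything was found, 1 if clean.
scan_ps() {
    hits=0
    while IFS= read -r line; do
        case "$line" in
            *rpc.yppasswdd*)
                echo "WARN: rpc.yppasswdd running, disable it in ypstart until patched: $line"
                hits=$((hits + 1)) ;;
            *"/usr/sbin/inetd -s z"*)
                echo "ALERT: inetd with '-s z' arguments, yppasswdd exploit indicator: $line"
                hits=$((hits + 1)) ;;
        esac
    done
    [ "$hits" -gt 0 ]
}

# Report a listener on tcp/77 (rje), where the exploit parks its root shell.
# Solaris prints the local address as "*.77" or "a.b.c.d.77"; Linux netstat
# prints "0.0.0.0:77", so both separators are accepted.
scan_netstat() {
    hits=0
    while IFS= read -r line; do
        case "$line" in
            *[.:]77" "*LISTEN*)
                echo "ALERT: listener on tcp/77 (rje), possible exploit root shell: $line"
                hits=$((hits + 1)) ;;
        esac
    done
    [ "$hits" -gt 0 ]
}

# "live" runs against this host; otherwise the constructed samples are scanned.
if [ "${1:-}" = live ]; then
    ps -ef | scan_ps
    netstat -an | scan_netstat
else
    printf '%s\n' "$PS_SAMPLE" | scan_ps
    printf '%s\n' "$NETSTAT_SAMPLE" | scan_netstat
fi
```

The process check is the weaker of the two signals: an intruder can rename or restart things, whereas a root shell must still listen somewhere. Treat a hit on tcp/77 as an incident, not a warning.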
mailx -F buffer Overflow
Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610
Xsun HOME buffer overflow vulnerability
Status: Local SUID exploit.
Workaround: Remove the SUID permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108376-22 (Solaris 7) 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they addressed this issue.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561
SNMP to DMI mapper daemon
Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).
Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7) but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README 108869-05, released on 9th May indicated only a fix for: "Bug id: 4404944 libssasnmp changes the syslog message format"
kcsSUNWIOsolf.so KCMS_PROFILES environment variable
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability
Status: Local SUID exploit of command line options, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605
CDE dtsession LANG environment variable
Status: Local SUID exploit, no patches yet. Exploit available for Solaris x86.
Workaround: On servers not requiring a GUI, the SUID can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows/core dump shadow password recovery
Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration
Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).
Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564
NTP buffer overflow
Status: Serious remote exploit, no patches yet.
Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs Timezone buffer overflow vulnerability
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
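Most of the workarounds above come down to the same action, removing a set-id bit until Sun ships a patch. The script below is an added example, not code from the digest: it audits the programs named in the items above and, only when DRY_RUN=0, strips both bits and records what it changed so the bits can be restored afterwards. Only /usr/openwin/bin/mailtool is given with a path in the digest; the other paths are the usual Solaris locations and are an assumption here, and the log file location is likewise assumed.

```shell
#!/bin/sh
# Added example, not part of the digest: audit, and optionally strip, the
# set-id bits on the programs the digest recommends neutering until Sun
# ships patches. Default is a dry run (DRY_RUN=1); DRY_RUN=0 performs the
# chmod and appends the file and its previous bits to SETID_LOG so the
# change can be reverted later with "chmod u+s" / "chmod g+s".
#
# Only /usr/openwin/bin/mailtool is named with a path in the digest; the
# other paths are the usual Solaris locations and are assumed here.
SETID_TARGETS="/usr/openwin/bin/mailtool
/usr/bin/mailx
/usr/openwin/bin/Xsun
/usr/openwin/bin/kcms_configure
/usr/dt/bin/dtsession
/usr/bin/ipcs"

# Print which set-id bits FILE carries: "suid", "sgid", "suid sgid" or "none".
# test -u / test -g are POSIX, so no ls(1) output parsing is needed.
setid_bits() {
    bits=""
    [ -u "$1" ] && bits="suid"
    [ -g "$1" ] && bits="${bits:+$bits }sgid"
    echo "${bits:-none}"
}

# Remove both bits from FILE (same effect as the digest's "chmod -s").
# Prints what it did; in dry-run mode it only reports.
strip_setid() {
    f=$1
    before=$(setid_bits "$f")
    if [ "$before" = none ]; then
        echo "$f: no set-id bits, nothing to do"
        return 0
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$f: has $before (dry run, would run: chmod u-s,g-s $f)"
        return 0
    fi
    # record the previous state first, so a failed chmod still leaves a trace
    echo "$f $before" >> "${SETID_LOG:-/var/tmp/setid-removed.log}"
    chmod u-s,g-s "$f" && echo "$f: removed $before"
}

# Walk the target list, skipping programs not installed on this host.
audit_targets() {
    for f in $SETID_TARGETS; do
        [ -e "$f" ] || { echo "$f: not installed"; continue; }
        strip_setid "$f"
    done
}

audit_targets
```

Run it once in dry-run mode and read the report before setting DRY_RUN=0; the side effects noted above (dtsession's screen-saver, mailx locking of locally delivered mail) apply to workstations rather than servers, so the target list is worth trimming per host class.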
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, May/16/01:
none
Solaris 2.6, May/24/01:
105580-17 SunOS 5.6: /kernel/drv/glm patch
Solaris 7, May/29/01:
107709-12 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
106925-07 SunOS 5.7: glm driver patch
107460-09 SunOS 5.7: st driver patch
Solaris 8, May/30/01:
110458-02 SunOS 5.8: libcurses patch
110943-01 SunOS 5.8: /usr/bin/tcsh patch
110944-01 SunOS 5.8_x86: /usr/bin/tcsh patch
108991-12 SunOS 5.8: libc and watchmalloc patch
108993-03 SunOS 5.8: nss and ldap patch
109221-06 SunOS 5.8: Patch for sysidnet
Solaris 8_x86, May/29/01:
110899-02 SunOS 5.8_x86: csh/pfcsh patch
110459-02 SunOS 5.8_x86: libcurses patch
108992-12 SunOS 5.8_x86: libc and watchmalloc patch
108994-03 SunOS 5.8_x86: nss and ldap patch
109222-06 SunOS 5.8_x86: Patch for sysidnet
none
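Checking a host against a patch list like the one above is easiest to do mechanically: a patch id is BASE-REV, and a host is current for a base when it carries that base at an equal or higher revision. The script below is an added example, not code from the digest or from Sun; it embeds a constructed sample in the "showrev -p" line format so it runs offline, and on a real host it would read the live command instead. The wanted list is this week's Solaris 8 SPARC patches.

```shell
#!/bin/sh
# Added example, not part of the digest: compare the patch revisions listed
# above against what "showrev -p" reports on a Solaris 8 host. Patch ids are
# BASE-REV; a host is current when it has the base at an equal or higher
# revision. On a real host:  showrev -p | check_host "$WANTED_SOL8"

# The Solaris 8 (SPARC) patches from this week's list.
WANTED_SOL8="110458-02 110943-01 108991-12 108993-03 109221-06"

# Constructed sample in the showrev -p line format (not a real capture):
# one current patch, one at an older revision, one newer, and one missing.
SHOWREV_SAMPLE='Patch: 110458-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 108991-10 Obsoletes: 108528-01 Requires:  Incompatibles:  Packages: SUNWcsu SUNWcsl
Patch: 108993-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109221-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWadmr'

# stdin: showrev -p output. stdout: one "BASE-REV" per installed patch.
installed_patches() {
    awk '$1 == "Patch:" { print $2 }'
}

# $1: newline-separated installed list; $2...: wanted patch ids.
# Prints one verdict per wanted patch: ok, OLD (with installed rev) or MISSING.
# Exit status 0 when everything is current, 1 otherwise.
check_patches() {
    installed=$1; shift
    bad=0
    for want in "$@"; do
        base=${want%-*}; rev=${want#*-}
        # highest installed revision of this base, if any
        have=$(printf '%s\n' "$installed" | awk -F- -v b="$base" '$1 == b { print $2 }' | sort -n | tail -n 1)
        if [ -z "$have" ]; then
            echo "$want: MISSING"; bad=1
        elif [ "$have" -lt "$rev" ]; then
            echo "$want: OLD (installed rev $have)"; bad=1
        else
            echo "$want: ok (rev $have)"
        fi
    done
    return $bad
}

# Convenience wrapper: showrev -p on stdin, space-separated wanted list in $1.
check_host() {
    check_patches "$(installed_patches)" $1
}

printf '%s\n' "$SHOWREV_SAMPLE" | check_host "$WANTED_SOL8"
```

The non-zero exit status makes the check usable from cron or a central audit job; a host that reports OLD for a kernel or libc patch is the one to revisit first, since those are the patches the digest flags as security relevant.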
Integration of Checkpoint VPN-1/FW-1 with FreeBSD's IPsec
Jon Orbeton and Matt Hite
http://securityportal.com/articles/cpbsd20010525.html
This document explains how to configure a VPN tunnel between FreeBSD and Check Point's VPN-1/Firewall-1.
Email Filtering and Virus Scanning for UNIX MTAs
Kurt Seifried
http://securityportal.com/closet/closet20010530.html
A brief overview, with concrete examples for Postfix.
Trends in High-Tech Spying
Ric Steinberger
http://securityportal.com/articles/spying20010528.html
Network Monitoring with Dsniff
Duane Dunston
http://www.linuxsecurity.com/feature_stories/feature_story-89.html
This is a practical step by step guide showing how to use Dsniff, MRTG, IP Flow Meter, Tcpdump, NTOP, Ngrep and others.
Intrusion-Detection Systems by the Numbers
Mathias Thurman
http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO60687,00.html
Privacy becomes a strategic asset
Philip Luces
http://www.zdnet.com.au/biztech/security/story/0,2000010455,20224899,00.htm
SourceForge.net shell server compromise
http://sourceforge.net/forum/forum.php?forum_id=89285
Apache Software Foundation Server compromised, re-secured
http://www.linuxsecurity.com/articles/hackscracks_article-3094.html
Comment: I don't normally post the results of hacks here. But a whole network of hosts has been compromised in a surprisingly simple manner: an administrator logged on to a hacked machine at an ISP. A trojaned SSH client on this host collected all usernames and passwords he used. This provided access to SourceForge, where the SSH trojan was again installed, and on to Apache etc. This is a frightening example of how hardening alone is not enough. The clean-up operation for this relatively simple attack will be massive; the authenticity of all projects has to be verified.
Good Security Habits
Regardless of how many anti-virus programs, firewalls and other security programs computer users may utilize, human error continues to be the weakest link in the security chain. One of the best things that users can do to protect themselves against security threats is to be aware of which behaviors may place them at risk, and to eliminate those behaviors. This article is the first in a series of three that will attempt to introduce readers to good security habits.
http://www.securityfocus.com/focus/basics/articles/sechabits1.html
Configuring Squid as a web proxy
David "Del" Elson
http://www.securityfocus.com/frames/?focus=linux&content=/focus/linux/articles/squid.html
CERT Summary CS-2001-02
http://www.cert.org/summaries/CS-2001-02.html
Since the last regularly scheduled CERT summary, issued in February 2001 (CS-2001-01), we have seen a significant increase in reconnaissance activity, a number of self-propagating worms (cheese, sadmind/IIS), and active exploitation of vulnerabilities in snmpxdmid, BIND and IIS by intruders
The Cuddletech Veritas Volume Manager Series:
Exploring Layered Volumes in VxVM 3.X
http://www.cuddletech.com/veritas/layeredvols.txt
Advanced Veritas Theory
http://www.cuddletech.com/veritas/advx.txt
Volume Kreation: VxMake & Her Seductive Ways
http://www.cuddletech.com/veritas/vxmake.txt
FC-AL Theory and Looping: Working with Sun Storage
http://www.cuddletech.com/veritas/fcal.txt
Notes on Fibre channel
http://www.cuddletech.com/fc/
Veritas Krash Kourse: The Who's Who of Vx Land
http://www.cuddletech.com/veritas/vxcrashkourse.html
RAID Theory: An Overview
http://www.cuddletech.com/veritas/raidtheory.html
Solaris Software Companion CD, Update 04/01, is available for download
http://www.sun.com/software/solaris/freeware.html
Several backup scripts for different scenarios from BackupCentral
http://www.backupcentral.com/mytools.html
beaglebros.com site: scripts and Solaris FAQs
http://www.beaglebros.com/
Turning the Tide on Perl's Attitude Toward Beginners
Casey West
http://www.perl.com/pub/2001/05/29/tides.html?wwwrrr_rss
Introduction to IPv6
Hubert Feyrer
http://www.onlamp.com/pub/a/onlamp/2001/05/24/ipv6_tutorial.html
05/30/01 2 x SPARC 2
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=187686&list=92&fromthread=0&start=2001-05-27&end=2001-06-02&
05/30/01 1 Billion Seconds
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=187679&list=92&fromthread=0&start=2001-05-27&end=2001-06-02&
05/30/01 Trusted documentation
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=187615&list=92&fromthread=0&start=2001-05-27&end=2001-06-02&
05/29/01 kerberos nfs on Solaris8
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=187628&list=92&fromthread=0&start=2001-05-27&end=2001-06-02&
05/29/01 automounter?
http://www.securityfocus.com/templates/archive.pike?threads=1&tid=187594&list=92&fromthread=0&start=2001-05-27&end=2001-06-02&
05/23/01 Speeding Up OpenSSH
http://www.securityfocus.com/templates/archive.pike?fromthread=0&mid=186423&list=92&threads=0&start=2001-05-20&end=2001-05-26&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week:
RE: cisecurity audit tool vs YASSP
http://www.theorygroup.com/Archive/YASSP/2001/msg00199.html
Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools include Mindterm SSH, OpenSSH SRP, GnuPG, OpenLDAP and Linux Kernel.
Auditing and Intrusion Monitoring tools include IDScenter, Guardian, AutoInstall, Nessus, LIDS and FireStorm NIDS.
Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, Securepoint Firewall Server SB, FwLogWatch, Dante and rTables Linux Firewall.
Tools for Linux/Unix/Cross Platform include Crypto++, Tinc, Kernel Insider.
Tools for Windows include AntiVir Personal Edition, InoculateIT Personal Edition and Advanced Directory Printer.
Note: Avoid Mindterm rc1 for now, the file copy function won't work with Solaris or OpenBSD servers.
Recent experience has taught me once again that system and network hardening is of limited use if users don't behave in a security-conscious fashion. The often repeated but valid adage "use good passwords" is as valid today as it was 20 years ago.
A useful article on the subject to re-read is:
Choosing Secure Passwords, by Benjamin D. Thomas, 07/12/2000
http://www.linuxsecurity.com/tips/tip-6.html
A few tips I would add to those listed in the above article:
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.