Weekly Solaris Security Digest
2001/05/28 to 2001/06/03

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html





New Solaris Vulnerabilities this Week

Sun Solaris mailtool buffer overflow vulnerability
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html

The mailtool program suffers from a buffer overrun in its handling of the OPENWINHOME environment variable. By specifying a long value for this variable containing machine executable code, it is possible to execute arbitrary command(s) as gid mail. At least Solaris 2.6-8 is affected. Sun Bug ID: 4458476. No patch is available yet. Severity: a user with a local account may gain mail privileges.
Fix: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.

Vulnerabilities this Week — Third-party Applications:

2001-05-29: GnuPG Format String Vulnerability
http://www.securityfocus.com/bid/2797

2001-05-28: TWIG Webmail SQL Query Modification Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2791

2001-05-28: Directory Pro Arbitrary File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2793


Solaris vulnerabilities pending

Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.

rpc.yppasswdd buffer overflow (updated)

Status: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.

Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php  
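The paragraph above gives three things to look for on a host running NIS: whether rpc.yppasswdd is running at all (exposure), and two post-exploitation indicators, a "/usr/sbin/inetd -s z" process and a listener on tcp/77 (rje). The script below is an added example written for this digest, not part of the original text or any Sun tool; it turns those three checks into small functions that read saved "ps -ef" and "netstat -an" output (so they can also be run over listings copied from a suspect host) and a triage function that counts how many of the indicator classes are present. The ps and netstat column layouts it assumes are those of Solaris and Linux; the sample data used to check it is constructed.

```shell
#!/bin/sh
# Triage helpers for the rpc.yppasswdd indicators listed in the digest.
# Each function reads command output on stdin (live "ps -ef" / "netstat -an",
# or copies saved from a suspect host) and prints the matching lines.
# Usage:  ps -ef > /tmp/ps.txt; netstat -an > /tmp/net.txt
#         sh yptriage.sh /tmp/ps.txt /tmp/net.txt      -> prints 0..3

# Exposure: is rpc.yppasswdd running at all?  The bracket trick keeps the
# awk process itself from matching when it is fed live ps output.
find_yppasswdd() {
    awk '/[r]pc\.yppasswdd/'
}

# Post-exploitation indicator 1: the rogue "/usr/sbin/inetd -s z" process
# (a normal "/usr/sbin/inetd -s" must not match).
find_rogue_inetd() {
    awk '/[i]netd -s z/'
}

# Post-exploitation indicator 2: a listener on tcp/77 (rje).  Solaris
# netstat prints local addresses as "*.77" or "a.b.c.d.77", Linux prints
# "0.0.0.0:77", so any field ending in ".77" or ":77" on a LISTEN line counts.
find_port77_listener() {
    awk '/LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ /[.:]77$/) { print; break } }'
}

# Summary: prints the number of indicator classes present (0..3), given a
# saved "ps -ef" listing and a saved "netstat -an" listing.  A result of 1
# with only yppasswdd running means "exposed, not (yet) known compromised";
# 2 or 3 means the host needs incident handling, not just a patch.
yppasswdd_triage() {
    ps_out=$1
    net_out=$2
    hits=0
    [ "$(find_yppasswdd < "$ps_out" | wc -l | tr -d ' ')" -gt 0 ] && hits=$((hits + 1))
    [ "$(find_rogue_inetd < "$ps_out" | wc -l | tr -d ' ')" -gt 0 ] && hits=$((hits + 1))
    [ "$(find_port77_listener < "$net_out" | wc -l | tr -d ' ')" -gt 0 ] && hits=$((hits + 1))
    echo "$hits"
}

# Run the triage when given the two listing files; otherwise only define
# the functions so they can be sourced from another script.
if [ $# -eq 2 ]; then
    yppasswdd_triage "$1" "$2"
fi
```

If the daemon shows up in the first check and the host is not a NIS master, the digest's workaround applies: comment it out of /usr/lib/netsvc/yp/ypstart and restrict the port at the firewall until Sun ships a patch.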

mailx -F buffer Overflow

Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.

Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610

Xsun HOME buffer overflow vulnerability

Status: Local SUID exploit.

Workaround: Remove the SUID permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108376-22 (Solaris 7) 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they addressed this issue.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561

SNMP to DMI mapper daemon

Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).

Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7), but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README for 108869-05, released on 9th May, indicated only a fix for: "Bug id: 4404944 libssasnmp changes the syslog message format"


kcsSUNWIOsolf.so KCMS_PROFILES environment variable

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf


kcms_configure vulnerability

Status: Local SUID exploit of command line options, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605


CDE dtsession LANG environment variable

Status: Local SUID exploit, no patches yet. Exploit available for Solaris x86.

Workaround: On servers not requiring a GUI, the SUID can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession


ftpd #1 globbing buffer overflows/core dump shadow password recovery

Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.

Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
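"Watch your ftp servers for core dumps" is easy to say and easy to forget. The script below is an added example for this digest, not from the original text or from any vendor; it sweeps the directories you name for core files (a crashed in.ftpd leaves its core in its working directory, so the server root and the anonymous ftp home are the usual places to look) and flags any core that appears to contain /etc/shadow entries, which is exactly the leak the paragraph above describes. The shadow-entry heuristic (a name, a hash field, a numeric lastchg field and six more numeric-or-empty fields) and the choice of directories are assumptions of this example; the core files it is checked against are constructed.

```shell
#!/bin/sh
# Core-dump watch for the ftpd crash described in the digest.  Walks the given
# directories, lists every core file with its size, and tags it SHADOW when
# it contains something that looks like /etc/shadow data.
# Usage (from cron, for example):  sh corewatch.sh / /export/ftp

# Heuristic (assumption for this example): a shadow entry reads
#   name:hash:lastchg:min:max:warn:inactive:expire:flag
# with a numeric lastchg followed by six numeric-or-empty fields.  This
# matches both Solaris-style "root:HASH:6445::::::" and Linux-style
# "root:HASH:18000:0:99999:7:::" lines, but not /etc/passwd entries.
SHADOW_RE='[A-Za-z_][A-Za-z0-9_-]*:[^:]*:[0-9][0-9]*:[0-9]*:[0-9]*:[0-9]*:[0-9]*:[0-9]*:[0-9]*'

# True (exit 0) if the file contains a printable run matching SHADOW_RE.
# Non-printable bytes are turned into newlines so grep sees the text runs
# inside a binary core file without needing a binary-aware grep.
contains_shadow_entry() {
    tr -c '[:print:]\n' '\n' < "$1" | grep -q "$SHADOW_RE"
}

# Print one line per core file found under the given directories:
#   <path> <bytes> <SHADOW|clean>
# Directories that do not exist are skipped; unreadable subtrees are ignored.
report_core_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -name core -o -name 'core.*' \) 2>/dev/null || true
    done | while read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        if contains_shadow_entry "$f"; then
            tag=SHADOW
        else
            tag=clean
        fi
        echo "$f $size $tag"
    done
}

# Sweep the directories given on the command line; with no arguments only
# the functions are defined (so the script can be sourced).
if [ $# -gt 0 ]; then
    report_core_files "$@"
fi
```

A SHADOW line means the hashes on that host should be treated as exposed: change the affected passwords, then remove the core file rather than leaving it world-readable. The digest's other advice, restricting the ftp service by source address, reduces who can trigger the crash in the first place.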


ftpd #2 CWD Username Enumeration

Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).

Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564


NTP buffer overflow

Status: Serious remote exploit, no patches yet.

Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540


ipcs Timezone buffer overflow vulnerability

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
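Most of the local exploits in this list (mailtool above, and mailx, Xsun, kcms_configure, dtsession and ipcs here) share the same interim workaround: strip the set-id bit until Sun's patch arrives. Doing that by hand on several binaries across several hosts is error-prone, and the digest's own notes show the bit sometimes has to go back (dtsession on workstations, mailx if local delivery starts failing). The script below is an added example written for this digest, not code from the original text or from Sun; it records which bit each file carried before stripping it, so the change can be reverted exactly. Only mailtool's path is given in the digest; the other binary locations are assumed Solaris 8 paths and should be confirmed with ls before use. The files the test runs it against are constructed in a temporary directory.

```shell
#!/bin/sh
# Interim workaround from the digest: drop the setuid/setgid bits on the
# listed binaries until Sun patches arrive, logging what was changed so the
# bits can be restored.
# Usage:  sh setid-workaround.sh --apply     (strip, log to /var/tmp)
#         sh setid-workaround.sh --revert    (put the logged bits back)
#
# Only /usr/openwin/bin/mailtool is named in the digest; the other paths are
# assumed Solaris 8 locations. Leave dtsession out on workstations that need
# the CDE screen lock (it reads /etc/shadow unless PAM is used).
SETID_TARGETS="/usr/openwin/bin/mailtool
/usr/bin/mailx
/usr/openwin/bin/Xsun
/usr/openwin/bin/kcms_configure
/usr/dt/bin/dtsession
/usr/bin/ipcs"

LOG=/var/tmp/setid-workaround.log

# Print "u", "g", "ug" or "" according to which set-id bits a file carries,
# read from the ls -l mode string (position 4 = setuid, position 7 = setgid;
# capital S means the bit is set without the matching execute bit).
setid_flags() {
    perm=$(ls -ld "$1" | cut -c1-10)
    flags=""
    case "$perm" in ???[sS]*)    flags="${flags}u" ;; esac
    case "$perm" in ??????[sS]*) flags="${flags}g" ;; esac
    printf '%s' "$flags"
}

# Strip the set-id bits from every existing target, appending "path flags"
# to the log so restore_setid_bits can undo it.  Prints how many files were
# changed; missing files are reported on stderr and skipped.
strip_setid_bits() {
    log=$1
    shift
    count=0
    for f in "$@"; do
        [ -f "$f" ] || { echo "skip: $f not found" >&2; continue; }
        flags=$(setid_flags "$f")
        [ -n "$flags" ] || continue          # nothing to strip
        echo "$f $flags" >> "$log"
        chmod u-s,g-s "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Put back exactly the bits recorded in the log (setuid and/or setgid).
restore_setid_bits() {
    while read -r f flags; do
        [ -f "$f" ] || continue
        case "$flags" in *u*) chmod u+s "$f" ;; esac
        case "$flags" in *g*) chmod g+s "$f" ;; esac
    done < "$1"
}

case "${1:-}" in
    --apply)  strip_setid_bits "$LOG" $SETID_TARGETS ;;
    --revert) restore_setid_bits "$LOG" ;;
esac
```

After --apply, a quick `ls -l` of the targets (or `setid_flags` on each) should show no s bits; keep the log with the host's change records so that whoever installs the eventual Sun patch knows which permissions were altered and why.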



Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.
     
  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.

1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, May/16/01:

Solaris 2.6, May/24/01:

Solaris 7, May/29/01:    

Solaris 8, May/30/01:

Solaris 8_x86, May/29/01:

2. New or updated individual security/recommended patches.



News & Articles

SecurityPortal

Integration of Checkpoint VPN-1/FW-1 with FreeBSD's IPsec
Jon Orbeton and Matt Hite
http://securityportal.com/articles/cpbsd20010525.html

This document explains how to configure a VPN tunnel between FreeBSD and Check Point's VPN-1/Firewall-1.

 

Email Filtering and Virus Scanning for UNIX MTAs
Kurt Seifried
http://securityportal.com/closet/closet20010530.html
A brief overview, with concrete examples for Postfix.

 

Trends in High-Tech Spying
Ric Steinberger
http://securityportal.com/articles/spying20010528.html

LinuxSecurity


Security-Focus

Good Security Habits
Regardless of how many anti-virus programs, firewalls and other security programs computer users may utilize, human error continues to be the weakest link in the security chain. One of the best things that users can do to protect themselves against security threats is to be aware of which behaviors may place them at risk, and to eliminate those behaviors. This article is the first in a series of three that will attempt to introduce readers to good security habits.
http://www.securityfocus.com/focus/basics/articles/sechabits1.html

CERT


Sun

O'Reilly Network


Mailing Lists

Focus-Sun Discussions Threads


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week:


Security Tools

Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools include Mindterm SSH, OpenSSH SRP, GnuPG, OpenLDAP and Linux Kernel.
Auditing and Intrusion Monitoring tools include IDScenter, Guardian, AutoInstall, Nessus, LIDS and FireStorm NIDS.
Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, Securepoint Firewall Server SB, FwLogWatch, Dante and rTables Linux Firewall.
Tools for Linux/Unix/Cross Platform include Crypto++, Tinc, Kernel Insider.
Tools for Windows include AntiVir Personal Edition, InoculateIT Personal Edition and Advanced Directory Printer.

Note: Avoid Mindterm rc1 for now: the file copy function won't work with Solaris or OpenBSD servers.

 


Tip of the Week: Passwords

Recent experience has taught me once again that system and network hardening is of limited use if users don't behave in a security-conscious fashion. This often-repeated but valid adage of using good passwords is as valid today as it was 20 years ago.

A useful article on the subject to re-read is:

Choosing Secure Passwords, by Benjamin D. Thomas, 07/12/2000
http://www.linuxsecurity.com/tips/tip-6.html

A few tips I would add to those listed in the above article:

If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

