By Seán Boran (sean at boran.com)
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
/usr/bin/at language environment overflow
http://archives.neohapsis.com/archives/bugtraq/2001-06/0134.html
Generally a program that needs to display a message to the user will obtain the proper language-specific string from the database, using the original message as the search key, and print the result using the printf(3) family of functions. By building and installing a custom messages database an attacker can control the output of the message retrieval functions that gets fed to the printf(3) functions. This kind of bug is discussed in Bugtraq id 1634.
Analysis: 'at' is SUID root, so exploiting this weakness, which is not easy, could yield root privileges. There has been no detailed Bugtraq discussion yet, nor have exploits been published.
Workaround: remove the SUID from 'at'. Side effect: only root can use the 'at' command.
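The class of bug described above is a translated string reaching printf(3) as its format argument. The check a catalog maintainer or code reviewer wants is that every translation carries exactly the directives of the original message, in the same order, which is what the following shell functions do. This is an added example, not code from the digest, from Sun or from at(1); the catalog layout ("original|translation" per line) and the sample entries are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: validate message-catalog entries before they are trusted.
# A translation with extra or different %-directives (or a %n) would steer
# printf(3) once the program uses it as the format string.

# List the %-directives of a string in order, one per line ("%s", "%-10s", ...).
# The literal escape "%%" is removed first so it is not mistaken for a directive.
directives() {
  printf '%s\n' "$1" | sed 's/%%//g' | grep -o '%[-+ #0-9.]*[a-zA-Z]' || true
}

# Succeed only if the translation ($2) has the same directive sequence as the
# original message ($1).
catalog_entry_ok() {
  [ "$(directives "$1")" = "$(directives "$2")" ]
}

# Check a catalog given as "original|translation" lines (constructed layout):
# print each rejected entry and return 1 if any entry fails.
check_catalog() {
  rc=0
  while IFS='|' read -r orig trans; do
    [ -n "$orig" ] || continue
    catalog_entry_ok "$orig" "$trans" || { echo "REJECT: $orig -> $trans"; rc=1; }
  done <<EOF
$1
EOF
  return $rc
}

# Constructed sample catalog: the third entry smuggles extra directives in.
SAMPLE_CATALOG="job %s at %s|Auftrag %s um %s
done %d%%|fertig %d%%
cannot open %s|%x %x %x %x kann %s nicht oeffnen"

# Usage: check_catalog "$SAMPLE_CATALOG"   (rejects the third entry)
```

The directive parser deliberately ignores flags and widths when comparing only in the sense that they must match too; a translation that changes "%5d" to "%d" is flagged as well, which is the conservative choice for a catalog that is installed system-wide.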
Bugtraq Database:
2001-06-12: cgiCentral Webstore Administrator Authentication Bypass Vulnerability
http://www.securityfocus.com/bid/2860
2001-06-12: cgiCentral WebStore Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/bid/2861
2001-06-11: Imapd 'Local' Buffer Overflow Vulnerabilities
http://www.securityfocus.com/bid/2856
2001-06-08: Xinetd Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2840
2001-06-07: Thibault Godouet Fcron Symbolic Link Vulnerability
http://www.securityfocus.com/bid/2835
2001-06-07: Suid Wrapper Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2837
2001-06-06: Exim Format String Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2828
2001-06-06: TIATunnel Authentication Mechanism Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2831
Bugtraq List:
BIND Inadvertent Local Exposure of HMAC-MD5 (TSIG) Keys
A flaw exists in the dnskeygen utility under BIND version 8 and the dnssec-keygen utility included with BIND version 9. The keys generated by these utilities are stored in two files. In the case of HMAC-MD5 shared secret keys that are used for dynamic updates to DNS servers, the same secret keying material is present in both files. Only one of the files is configured by default with strong access control. The resulting exposure may allow unauthorized local users to obtain the keying information. This may allow attackers to update DNS servers that support dynamic DNS updates.
Comment: if you use Dynamic DNS or TSIGs for access control, read this advisory and make sure your file permissions are OK. I think (hope) most people will have minimized the permissions on key files anyway?
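The advisory above comes down to a permission check on the two files a key generator writes. The following is an added shell example, not code from the digest or from BIND: it treats a key pair as "base.key" plus "base.private" (the naming is assumed) and reports any file that group or other can read; the temporary key pair in demo() is constructed and shows the weak layout the advisory describes.

```shell
#!/bin/sh
# Added example: confirm that both files of a generated key pair are
# readable only by their owner.  Uses ls -ld rather than stat(1) because
# stat's option syntax differs between Solaris, Linux and BSD.

# Permission string of a path, e.g. "-rw-------"
mode_of() { ls -ld "$1" | cut -c1-10; }

# Succeed only if group and other carry no permission bits at all.
owner_only() {
  case "$(mode_of "$1")" in
    ????------) return 0 ;;
    *)          return 1 ;;
  esac
}

# Check the .key and .private file of a key pair (assumed suffixes); print each
# missing or exposed file and return 1 if any were found.
check_key_pair() {
  rc=0
  for f in "$1.key" "$1.private"; do
    if [ ! -f "$f" ]; then
      echo "missing: $f"; rc=1
    elif ! owner_only "$f"; then
      echo "exposed ($(mode_of "$f")): $f"; rc=1
    fi
  done
  return $rc
}

# Constructed demonstration: a fake key pair in a temp dir where .private is
# locked down but .key was left world-readable.  Returns 1 (the .key is exposed).
demo() {
  d=$(mktemp -d) || return 1
  base="$d/Kexample.com.+157+12345"     # constructed name, no real key material
  : > "$base.key"; : > "$base.private"
  chmod 644 "$base.key"; chmod 600 "$base.private"
  check_key_pair "$base"; result=$?
  rm -rf "$d"
  return $result
}

# Usage on a real host: check_key_pair /var/named/Kexample.com.+157+12345
```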
Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
/usr/bin/mail $HOME Buffer Overflow Vulnerability
Status: No patch is available yet. Severity: a user with a local account may gain mail privileges.
Workaround: chmod -s /usr/bin/mail
http://www.securityfocus.com/vdb/bottom.html?vid=2819
mailtool buffer overflow in $OPENWINHOME
Status: Sun Bug ID: 4458476. No patch is available yet. Severity: a user with a local account may gain mail privileges.
Workarounds: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html
rpc.yppasswdd buffer overflow
Status: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.
Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php
mailx -F buffer Overflow
Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610
Xsun $HOME buffer overflow vulnerability
Status: Local SUID root exploit.
Workaround: Remove the suid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108652-32 (Solaris 8), but there are no notes in the README to indicate that they addressed this issue.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561
SNMP to DMI mapper daemon
Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).
Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7) but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README 108869-05, released on 9th May indicated only a fix for: "Bug id: 4404944 libssasnmp changes the syslog message format"
kcsSUNWIOsolf.so KCMS_PROFILES environment variable
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability
Status: Local SUID exploit of command line options, no patches yet.
Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605
CDE dtsession LANG environment variable
Status: Local SUID exploit, no patches yet. Exploit available for Solaris x86.
Workaround: On servers not requiring a GUI, the SUID can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows/core dump shadow password recovery
Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration
Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).
Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564
NTP buffer overflow
Status: Serious remote exploit, no patches yet.
Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be got from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs Timezone buffer overflow vulnerability
Status: Local SUID exploit, no patches yet.
Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
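Most workarounds in the list above are "remove the set-id bit", and the yppasswdd item adds a process check. The script below, an added example that is not from the digest or from Sun, audits both in one place: it reports which of the named binaries still carry a setuid or setgid bit and tests a ps -ef listing for rpc.yppasswdd. Only /usr/bin/at, /usr/bin/mail and /usr/openwin/bin/mailtool paths appear in the digest; the other paths in SETID_CANDIDATES are assumed from standard Solaris layouts and should be adjusted for your hosts.

```shell
#!/bin/sh
# Added example: audit set-id bits on the binaries this digest discusses and
# check for a running rpc.yppasswdd.  ls -ld is parsed instead of stat(1)
# because stat's flags are not portable across Solaris, Linux and BSD.

# Print suid, sgid, suid+sgid or none for a path.  In the ls mode string the
# owner execute position (char 4) shows s/S when setuid, the group execute
# position (char 7) shows s/S when setgid.
setid_bits() {
  m=$(ls -ld "$1" | cut -c1-10)
  u=$(printf '%s' "$m" | cut -c4)
  g=$(printf '%s' "$m" | cut -c7)
  case "$u$g" in
    [sS][sS]) echo suid+sgid ;;
    [sS]*)    echo suid ;;
    *[sS])    echo sgid ;;
    *)        echo none ;;
  esac
}

# Binaries the workarounds above suggest stripping set-id from.  Paths other
# than at, mail and mailtool are assumed, not taken from the digest.
SETID_CANDIDATES="/usr/bin/at /usr/bin/mail /usr/bin/mailx /usr/openwin/bin/mailtool
/usr/openwin/bin/Xsun /usr/openwin/bin/kcms_configure /usr/dt/bin/dtsession /usr/bin/ipcs"

# Report every listed binary that still has a set-id bit; return 1 if any does.
audit_setid() {
  rc=0
  for p in $SETID_CANDIDATES; do
    [ -e "$p" ] || continue             # not installed on this host
    b=$(setid_bits "$p")
    if [ "$b" != none ]; then echo "$b: $p"; rc=1; fi
  done
  return $rc
}

# Does a ps -ef listing ($1) contain a process whose line mentions $2?
# The listing is passed in as text, so no grep process shows up in it;
# the first line (the column header) is skipped.
proc_in_listing() {
  printf '%s\n' "$1" | awk -v pat="$2" \
    'NR > 1 && index($0, pat) { found = 1 } END { exit found ? 0 : 1 }'
}

# Usage on a live host:
#   audit_setid
#   proc_in_listing "$(ps -ef)" rpc.yppasswdd && echo "yppasswdd is running"
```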
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Jun/01/01:
none
Solaris 2.6, Jun/12/01:
105802-15 OpenWindows 3.6: ToolTalk patch
105633-55 OpenWindows 3.6: Xsun patch
110991-01 SunOS 5.6_x86: Patch for ttymon
Solaris 7, Jun/12/01:
107709-13 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
107180-28 CDE 1.3: dtlogin patch
111350-01 SunOS 5.7: Patch for ttymon process modules
Solaris 8, Jun/12/01:
108652-32 X11 6.4.1 Xsun patch
108869-06 SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
110939-01 SunOS 5.8: /usr/lib/acct/closewtmp patch
109326-04 SunOS 5.8: libresolv.so.2, in.named patch
111325-01 SunOS 5.8: /usr/lib/saf/ttymon patch
Solaris 8_x86, Jun/12/01:
108653-27 X11 6.4.1_x86: Xsun patch
108870-06 SunOS 5.8_x86: snmpdx/mibiisa/libssasnmp/snmplib patch
110940-01 SunOS 5.8_x86: /usr/lib/acct/closewtmp patch
109327-04 SunOS 5.8_x86: libresolv.so.2 in.named patch
111326-01 SunOS 5.8_x86: /usr/lib/saf/ttymon patch
none
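To turn the patch lists above into something checkable, the following added example (not from the digest or from Sun) compares a set of wanted patch ids against a `showrev -p` listing and reports each one that is missing or installed at a lower revision. The "Patch: NNNNNN-RR Obsoletes: ... Packages: ..." line layout is assumed from memory of showrev output and should be confirmed against your own system; the sample listing in the usage note is constructed.

```shell
#!/bin/sh
# Added example: check installed Solaris patch revisions against a wanted list.
# Sun patch ids are "base-revision"; a higher installed revision of the same
# base supersedes the one asked for.

# The Solaris 8 (SPARC) patches listed in this digest.
WANTED_SOLARIS8="108652-32 108869-06 110939-01 109326-04 111325-01"

# Highest installed revision of patch base $2 in listing $1 (showrev -p
# output, layout assumed: "Patch: 108869-05 Obsoletes: ..."); empty if absent.
installed_rev() {
  printf '%s\n' "$1" | awk -v base="$2" '
    $1 == "Patch:" {
      split($2, p, "-")
      if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
    }
    END { if (max) printf "%02d\n", max }'
}

# Print one line per wanted patch that is missing or behind; return 1 if any.
#   missing_patches "<listing>" 108652-32 108869-06 ...
missing_patches() {
  listing=$1; shift
  rc=0
  for want in "$@"; do
    base=${want%-*}; rev=${want#*-}
    have=$(installed_rev "$listing" "$base")
    if [ -z "$have" ]; then
      echo "missing: $want"; rc=1
    elif [ "$have" -lt "$rev" ]; then
      echo "behind: $want (installed $base-$have)"; rc=1
    fi
  done
  return $rc
}

# Live usage:  missing_patches "$(showrev -p)" $WANTED_SOLARIS8
```

Run against a constructed listing containing 108652-32, 108869-05 and 109326-04, the function reports 108869-06 as behind and 110939-01 and 111325-01 as missing, and says nothing about the two that are current.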
Linux on an iPAQ - Chris Halsall
http://linux.oreillynet.com/pub/a/linux/2001/06/01/linux_ipaq.html
http://www.handhelds.org/
Proper Paranoia: Educating Your Co-Workers - Michael Lucas
http://www.onlamp.com/pub/a/onlamp/2001/06/07/paranoia.html
VPNs aren't the answer to everything - Brian Ploskina
http://www.zdnetasia.com/biztech/security/story/0%2C2000010816%2C20212408%2C00.htm
The social engineering of security - David Thompson
http://www.zdnet.com/eweek/stories/general/0,11011,2771372,00.html
Solaris Software Family Comparison Chart
http://www.sun.com/solaris/fcc/
Comparison table showing features supported, partially supported, or not supported in Solaris 8, Solaris 7, and Solaris 2.6.
http://www.sun.com/software/solaris/fcc/fcc.html
Solaris 8 Release Summary Table
Comparison table showing feature and platform updates in versions of Solaris 8 beginning with the June 2000 release to the most current release.
http://www.sun.com/software/solaris/fcc/ucc.html
Chasing the Wind, Part Seven: An Ill Wind - Robert G. Ferrell
http://www.securityfocus.com/focus/ih/articles/chasing7.html
The saga continues..
06/13/01 Solaris and ICMP error message throttling...
http://www.securityfocus.com/templates/archive.pike?tid=190994&threads=1&list=92&end=2001-06-16&fromthread=0&start=2001-06-10&
06/11/01 nfs mounts monitoring
http://www.securityfocus.com/templates/archive.pike?tid=190185&threads=1&list=92&end=2001-06-16&fromthread=0&start=2001-06-10&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week:
CDROM issue
http://www.theorygroup.com/Archive/YASSP/2001/msg00209.html
RE: RCconf (Was: is YASSP alive?)
http://www.theorygroup.com/Archive/YASSP/2001/msg00208.html
Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include OpenSSH SRP, Stunnel patches and PinePGP.
Auditing and Intrusion Monitoring tools include Snort-Stat.pl, SnortPHP, SARA, NetSaint, PIKT, gPIKT, Syslog-ng, ICU, FireStorm NIDS and Tamandua NIDS.
Firewalls for UNIX/Linux/BSD & Cross-platform include Securepoint Firewall Server SB, GuardDog and rTables.
Tools for Linux/Unix/Cross Platform include Bastille Linux, OpenCL, SILC, BeeCrypt, BeeCrypt for Java, Kaladix Linux and DansGuardian.
Tools for Windows include Eraser, Qfecheck, Qchain, DUN and Mailscanner for Postfix.
An interesting document has been published, which explains how to test your security, how to measure the testing done by your external consultants and, finally, how to understand the approaches an attacker would use. Good read. The description below is quoted from the website. It's open source too, so you can join and contribute your experience.
The Open-Source Security Testing Methodology Manual
http://www.ideahamster.org/
This manual is to set forth a standard for Internet security testing. Disregarding the credentials of many a security tester and focusing on the how, I present a solution to a problem which exists currently. Regardless of firm size, finance capital, and vendor backing, any network or security expert who meets the outline requirements in this manual is said to have completed a successful security snapshot. Not to say one cannot perform a test faster, more in depth, or of a different flavor. No, the tester following the methodology herein is said to have followed the standard model and therefore if nothing else, has been thorough.
......
I feel it is valid to be able to ask companies if they meet a certain standard. I would be thrilled if they went above the standard. I would also know that the standard is what they charge a certain price for and that I am not just getting a port scan to 10,000 ports and a check of 4,800 vulnerabilities. Especially since most of which only apply to a certain OS or application. I'd like to see vulnerability scanners break down that number by OS and application. I know if I go into Bugtraq (the only true vulnerability checking is research on BT) that I will be able to find all the known vulnerabilities by OS and application. If the scanner checks for 50 Redhat holes in a certain flavor and 5 Microsoft NT holes and I'm an NT shop; I think I may try a different scanner.
So following an open-source, standardized methodology that anyone and everyone can open and dissect and add to and complain about is the most valuable contribution we can make to Internet security. And if you need to know why you should recognize it and admit it exists whether or not you follow it to the letter is because you, your colleagues, and your fellow professionals have helped design it and write it. Supporting an open-source methodology is not a problem of making you equal with all the other security testers -- it's a matter of showing you are just as good as all the other security testers. The rest is about firm size, finance capital, and vendor backing.
If you have tips you'd like to share with others, contact us.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.