Weekly Solaris Security Digest
2001/06/10 to 2001/06/17

By Seán Boran (sean at boran.com)

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html


 


New Solaris Vulnerabilities this Week

/usr/bin/at language environment overflow
http://archives.neohapsis.com/archives/bugtraq/2001-06/0134.html

Generally a program that needs to display a message to the user will obtain the proper language-specific string from the message database, using the original message as the search key, and print the result using the printf(3) family of functions. By building and installing a custom messages database, an attacker can control the output of the message retrieval functions, which then gets fed to the printf(3) functions. This kind of bug is discussed in Bugtraq id 1634.

Analysis: 'at' is SUID root, so exploiting this weakness, which is not easy, could yield root privileges. There has been no detailed Bugtraq discussion yet, nor have exploits been published.
Workaround: remove the SUID from 'at'. Side effect: only root can use the 'at' command.
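The pattern behind this class of bug, and the check that closes it, as an added example (not code from the advisory or from Sun's at(1) source): a message catalog lookup hands back a string that is then used as the printf(3) format. The catalog below is a constructed stand-in for catgets(3C)/gettext(3C), with one entry modelling a hostile user-supplied "translation". Before the string reaches printf, its conversion directives are compared with those of the original message; a translation whose directives differ (or that uses a conversion such as %n) is discarded and the untranslated text is used instead. Function and catalog names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Write the conversion character of every printf(3) directive in fmt into out
 * ("%d items in %s" -> "ds"). "%%" is a literal percent sign and is skipped.
 * Returns the directive count, or -1 when a directive is truncated, uses '*'
 * or '$' (rejected conservatively, since they change argument consumption),
 * or names a conversion outside the allow list; "%n" is therefore rejected. */
static int directive_signature(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                                /* "%%" */
        while (*p && strchr("-+ #0123456789.hlLqjzt", *p)) p++; /* flags, width, precision, length */
        if (*p == '\0' || strchr("diouxXeEfgGcsp", *p) == NULL) return -1;
        if (n + 1 >= outlen) return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 if both strings are well-formed and carry exactly the same directives in
 * the same order, 0 otherwise. */
static int directives_match(const char *original, const char *translated)
{
    char sig_o[32], sig_t[32];
    int no = directive_signature(original, sig_o, sizeof sig_o);
    int nt = directive_signature(translated, sig_t, sizeof sig_t);
    return no >= 0 && nt >= 0 && strcmp(sig_o, sig_t) == 0;
}

/* Choose the format string that may be passed to printf(3): the translation
 * only if its directives agree with the program's own literal, else the
 * literal itself (the caller's arguments always match the literal). */
static const char *safe_translation(const char *original, const char *translated)
{
    return directives_match(original, translated) ? translated : original;
}

/* Constructed stand-in for a message catalog keyed by the original message.
 * The second entry models a catalog an attacker built and pointed the
 * program at: its "translation" carries different directives. */
struct catalog_entry { const char *key; const char *text; };
static const struct catalog_entry demo_catalog[] = {
    { "%s: cannot open %s", "%s: kann %s nicht oeffnen" },
    { "job %d at %s",       "%x %x %x %n" },
};

static const char *lookup_message(const char *key)
{
    for (size_t i = 0; i < sizeof demo_catalog / sizeof demo_catalog[0]; i++)
        if (strcmp(demo_catalog[i].key, key) == 0) return demo_catalog[i].text;
    return key;   /* no translation available: use the original */
}

int main(void)
{
    const char *orig, *fmt;

    orig = "%s: cannot open %s";               /* benign translation: accepted */
    fmt = safe_translation(orig, lookup_message(orig));
    printf(fmt, "at", "/some/file");
    putchar('\n');

    orig = "job %d at %s";                     /* hostile translation: rejected */
    fmt = safe_translation(orig, lookup_message(orig));
    printf(fmt, 42, "Mon Jun 18");             /* prints the original text */
    putchar('\n');
    return 0;
}
```

The same comparison is what GNU gettext's msgfmt -c applies to c-format entries when a catalog is built; doing it again at lookup time is what protects a SUID program whose catalog path can be influenced by its caller's environment.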

Vulnerabilities this Week — Third-party Applications:

Bugtraq Database:

2001-06-12: cgiCentral Webstore Administrator Authentication Bypass Vulnerability
http://www.securityfocus.com/bid/2860

2001-06-12: cgiCentral WebStore Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/bid/2861

2001-06-11: Imapd 'Local' Buffer Overflow Vulnerabilities
http://www.securityfocus.com/bid/2856

2001-06-08: Xinetd Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2840

2001-06-07: Thibault Godouet Fcron Symbolic Link Vulnerability
http://www.securityfocus.com/bid/2835

2001-06-07: Suid Wrapper Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2837

2001-06-06: Exim Format String Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2828

2001-06-06: TIATunnel Authentication Mechanism Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2831

 

Bugtraq List:

BIND Inadvertent Local Exposure of HMAC-MD5 (TSIG) Keys

A flaw exists in the dnskeygen utility under BIND version 8 and the dnssec-keygen utility included with BIND version 9. The keys generated by these utilities are stored in two files. In the case of HMAC-MD5 shared secret keys that are used for dynamic updates to DNS servers, the same secret keying material is present in both files. Only one of the files is configured by default with strong access control. The resulting exposure may allow unauthorized local users to obtain the keying information. This may allow attackers to update DNS servers that support dynamic DNS updates.
Comment: if you use Dynamic DNS or TSIGs for access control, read this advisory and make sure your file permissions are OK. I think (hope) most people will have minimized the permissions on key files anyway?


Solaris vulnerabilities pending

Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.

/usr/bin/mail $HOME Buffer Overflow Vulnerability

Status: No patch is available yet. Severity: a user with a local account may gain mail privileges.
Workaround: chmod -s /usr/bin/mail
http://www.securityfocus.com/vdb/bottom.html?vid=2819

mailtool buffer overflow in $OPENWINHOME

Status: Sun Bug ID: 4458476. No patch is available yet. Severity: a user with a local account may gain mail privileges.

Workarounds: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html

rpc.yppasswdd buffer overflow

Status: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.

Workarounds: disable YP/NIS and use NIS+, which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or another local) firewall. Side effect: if users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php  

mailx -F buffer Overflow

Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.

Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610

Xsun $HOME buffer overflow vulnerability

Status: Local SUID root exploit.

Workaround: Remove the suid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108652-32 (Solaris 8), but there are no notes in the README to indicate that they addressed this issue.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561

SNMP to DMI mapper daemon

Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).

Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7), but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README for 108869-05, released on 9th May, indicated only a fix for: "Bug id: 4404944 libssasnmp changes the syslog message format"


kcsSUNWIOsolf.so KCMS_PROFILES environment variable

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf


kcms_configure vulnerability

Status: Local SUID exploit of command line options, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605


CDE dtsession LANG environment variable

Status: Local SUID exploit, no patches yet. Exploit available for Solaris x86.

Workaround: On servers not requiring a GUI, the SUID can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession


ftpd #1 globbing buffer overflows/core dump shadow password recovery

Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.

Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601


ftpd #2 CWD Username Enumeration

Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).

Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564


NTP buffer overflow

Status: Serious remote exploit, no patches yet.

Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be got from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540


ipcs Timezone buffer overflow vulnerability

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
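Most of the pending items above share one workaround, removing the set-id bit from the affected binary. Below is an added example (not code from the digest or from Sun) of a small audit that checks whether that workaround is in place on a list of binaries and prints the "chmod -s" still needed for each. The paths in the watched list are the standard Solaris locations as assumed here; the page itself names only /usr/bin/at, /usr/bin/mail and /usr/openwin/bin/mailtool. The create_mode_file helper exists only so the audit can be exercised on scratch files rather than on real system binaries.

```c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return the set-id bits (S_ISUID, S_ISGID) still present on path, 0 when
 * neither is set, or -1 when the file cannot be stat(2)ed (not installed,
 * or a wrong path for this release). */
static int setid_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & (S_ISUID | S_ISGID));
}

/* Walk a list of binaries and report each one that still carries a set-id
 * bit, with the chmod the digest suggests. Returns how many still do. */
static int audit_setid(const char *const *paths, size_t n, FILE *out)
{
    int still_set = 0;
    for (size_t i = 0; i < n; i++) {
        int bits = setid_bits(paths[i]);
        if (bits < 0) { fprintf(out, "skip   %s (not present)\n", paths[i]); continue; }
        if (bits == 0) { fprintf(out, "ok     %s\n", paths[i]); continue; }
        fprintf(out, "SETID  %s (%s%s%s) -> chmod -s %s\n", paths[i],
                (bits & S_ISUID) ? "suid" : "",
                ((bits & S_ISUID) && (bits & S_ISGID)) ? "," : "",
                (bits & S_ISGID) ? "sgid" : "", paths[i]);
        still_set++;
    }
    return still_set;
}

/* Helper for exercising the audit: create an empty file with the given mode
 * (constructed scratch input, so no real system binary is touched). */
static int create_mode_file(const char *path, mode_t mode)
{
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);
    return chmod(path, mode);
}

/* Assumed standard Solaris paths of the binaries whose pending workaround on
 * this page is removing the set-id bit. */
static const char *const watched[] = {
    "/usr/bin/at",
    "/usr/bin/mail",
    "/usr/bin/mailx",
    "/usr/openwin/bin/mailtool",
    "/usr/openwin/bin/Xsun",
    "/usr/openwin/bin/kcms_configure",
    "/usr/dt/bin/dtsession",
    "/usr/bin/ipcs",
};

int main(void)
{
    int n = audit_setid(watched, sizeof watched / sizeof watched[0], stdout);
    printf("%d binar%s still set-id\n", n, n == 1 ? "y" : "ies");
    return n > 0 ? 1 : 0;   /* non-zero exit lets a cron job flag drift */
}
```

Run it after applying the workarounds and again after each patch cluster install, since a patch that replaces one of these binaries will restore the vendor's set-id bits and silently undo the workaround.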



Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.
     
  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.

1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Jun/01/01:

Solaris 2.6, Jun/12/01:

Solaris 7, Jun/12/01:    

Solaris 8, Jun/12/01:

Solaris 8_x86, Jun/12/01:

2. New or updated individual security/recommended patches.

none


News & Articles

 

O'Reilly Net

Linux on an iPAQ - Chris Halsall
http://linux.oreillynet.com/pub/a/linux/2001/06/01/linux_ipaq.html
http://www.handhelds.org/

Proper Paranoia: Educating Your Co-Workers - Michael Lucas
http://www.onlamp.com/pub/a/onlamp/2001/06/07/paranoia.html

LinuxSecurity


Sun

Solaris Software Family Comparison Chart
http://www.sun.com/solaris/fcc/

Comparison table showing features supported, partially supported, or not supported in Solaris 8, Solaris 7, and Solaris 2.6.
http://www.sun.com/software/solaris/fcc/fcc.html

Solaris 8 Release Summary Table
Comparison table showing feature and platform updates in versions of Solaris 8 beginning with the June 2000 release to the most current release.
http://www.sun.com/software/solaris/fcc/ucc.html


SecurityFocus

Chasing the Wind, Part Seven: An Ill Wind - Robert G. Ferrell
http://www.securityfocus.com/focus/ih/articles/chasing7.html


Mailing Lists

Focus-Sun Discussions Threads

06/13/01 Solaris and ICMP error message throttling...
http://www.securityfocus.com/templates/archive.pike?tid=190994&threads=1&list=92&end=2001-06-16&fromthread=0&start=2001-06-10&

06/11/01 nfs mounts monitoring
http://www.securityfocus.com/templates/archive.pike?tid=190185&threads=1&list=92&end=2001-06-16&fromthread=0&start=2001-06-10&


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week:


Security Tools

Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include OpenSSH SRP, Stunnel patches and PinePGP.

Auditing and Intrusion Monitoring tools include Snort-Stat.pl, SnortPHP, SARA, NetSaint, PIKT, gPIKT, Syslog-ng, ICU, FireStorm NIDS and Tamandua NIDS.

Firewalls for UNIX/Linux/BSD & Cross-platform include Securepoint Firewall Server SB, GuardDog and rTables.

Tools for Linux/Unix/Cross Platform include Bastille Linux, OpenCL, SILC, BeeCrypt, BeeCrypt for Java, Kaladix Linux and DansGuardian.

Tools for Windows include Eraser, Qfecheck, Qchain, DUN and Mailscanner for Postfix.


Tip of the Week: The Open-Source Security Testing Methodology Manual

An interesting document has been published which explains how to test your security, how to measure the testing done by your external consultants and, finally, how to understand the approaches an attacker would use. Good read. The description below is quoted from the website. It's open source too, so you can join and contribute your experience.

The Open-Source Security Testing Methodology Manual
http://www.ideahamster.org/

This manual is to set forth a standard for Internet security testing. Disregarding the credentials of many a security tester and focusing on the how, I present a solution to a problem which exists currently. Regardless of firm size, finance capital, and vendor backing, any network or security expert who meets the outline requirements in this manual is said to have completed a successful security snapshot. Not to say one cannot perform a test faster, more in depth, or of a different flavor. No, the tester following the methodology herein is said to have followed the standard model and therefore if nothing else, has been thorough.

......

I feel it is valid to be able to ask companies if they meet a certain standard. I would be thrilled if they went above the standard. I would also know that the standard is what they charge a certain price for and that I am not just getting a port scan to 10,000 ports and a check of 4,800 vulnerabilities, especially since most of those only apply to a certain OS or application. I'd like to see vulnerability scanners break down that number by OS and application. I know if I go into Bugtraq (the only true vulnerability checking is research on BT) that I will be able to find all the known vulnerabilities by OS and application. If the scanner checks for 50 Redhat holes in a certain flavor and 5 Microsoft NT holes and I'm an NT shop, I think I may try a different scanner.

So following an open-source, standardized methodology that anyone and everyone can open and dissect and add to and complain about is the most valuable contribution we can make to Internet security. And if you need to know why you should recognize it and admit it exists whether or not you follow it to the letter, it is because you, your colleagues, and your fellow professionals have helped design it and write it. Supporting an open-source methodology is not a problem of making you equal with all the other security testers-- it's a matter of showing you are just as good as all the other security testers. The rest is about firm size, finance capital, and vendor backing.

If you have tips you'd like to share with others, contact us.


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.