Weekly Solaris Security Digest
2001/06/17 to 2001/06/24

By Seán Boran (sean at boran.com)

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html


Bumper crop this week; make sure you at least read up on the in.lpd vulnerability.

 


New Solaris Vulnerabilities this Week

ypbind remote root exploit

All Solaris versions prior to SunOS 5.8 01/01 contain a ypbind (part of NIS) vulnerability which may be exploited remotely.
Severity: a local or remote user may gain root privileges.
The alert was published under Sun Bulletin #00203 and AusCERT AA-2001.03. The alert is not yet up on the web but should appear later on
http://www.auscert.org.au/Information/Advisories/aus_2001.html
http://sunsolve.sun.com/pub-cgi/secBulletin.pl?mode=latest
Patches have been released by Sun:

OS Version       Patch ID
__________       _________
SunOS 5.8        110322-01
SunOS 5.8_x86    110323-01
SunOS 5.7        108750-02
SunOS 5.7_x86    108751-02
SunOS 5.6        105403-04
SunOS 5.6_x86    105404-04
SunOS 5.5.1      105165-04
SunOS 5.5.1_x86  105166-04
SunOS 5.5        105169-04
SunOS 5.5_x86    105170-04
SunOS 5.4        101973-41
SunOS 5.4_x86    101974-41

 

Vulnerability in /opt/SUNWssp/bin/cb_reset
http://archives.neohapsis.com/archives/bugtraq/2001-06/0265.html

A problem discovered by Pablo Sor: cb_reset, a setuid root command included in the SUNWssp package (not part of the standard install), has a buffer overflow that can potentially be used to execute arbitrary code.

Severity: a local user may gain root privileges. No known exploits published, yet.
Workaround: remove the SUNWssp package if not needed, or remove the suid bit from cb_reset. Side effects: only root can use cb_reset.

 

Vulnerability in /opt/SUNWvts/bin/ptexec
http://archives.neohapsis.com/archives/bugtraq/2001-06/0282.html

Another problem discovered by Pablo Sor: ptexec, a setuid root command included in the SUNWvts package (not part of the standard install), has a buffer overflow that can potentially be used to execute arbitrary code. SunVTS is a system validation and test suite designed to support Sun hardware platforms and peripherals. It enables its users to assess system device connection status and to effectively isolate the cause of detected system faults.

Severity: a local user may gain root privileges. No known exploits published yet.
Workaround: remove the SUNWvts package if not needed, or remove the suid bit from ptexec. Side effects: only root can use ptexec.

 

Print Protocol Daemon (in.lpd) Remote Buffer Overflow
http://xforce.iss.net/alerts/advise80.php
http://www.securityfocus.com/bid/2894

ISS X-Force has discovered a buffer overflow in the Solaris line printer daemon (in.lpd, which listens on tcp port 515) that may allow a remote or local attacker to crash the daemon or execute arbitrary code with superuser privileges. All Solaris versions are vulnerable and the daemon is enabled by default.

Severity: a remote user may gain root privileges. No known exploits published, yet.

Workaround: either apply network access control to the service (with tcp wrappers) or disable 'in.lpd' (in inetd.conf) or, even better, disable inetd altogether. If inetd is enabled and needed, disable ALL services that are not necessary.

No patches available yet, but patches have been announced:

Solaris 8.0_x86: 109321-04
Solaris 8.0:     109320-04
Solaris 7.0_x86: 107116-08
Solaris 7.0:     107115-08
Solaris 2.6_x86: 106236-09
Solaris 2.6:     106235-09
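The in.lpd workaround above comes down to knowing which inetd services are live and switching off the ones you do not need. The script below is an added example, not part of the digest or of any Sun tool: it lists the active entries of an inetd.conf, flags the printer service, and writes a hardened copy with that service commented out. The inetd.conf fragment it reads is constructed for illustration; on a real host you would point the functions at /etc/inet/inetd.conf and send inetd a HUP after swapping the file in.

```sh
#!/bin/sh
# Added example (not from the digest): list which inetd services are live,
# flag the printer service (in.lpd, tcp/515), and write a hardened copy of
# inetd.conf with that service commented out.  The sample file below is
# constructed; on a real host pass /etc/inet/inetd.conf instead.

# Print the service name (first field) of every uncommented entry.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Succeed if service $2 is active in file $1.
inetd_service_enabled() {
    enabled_inetd_services "$1" | grep -qx "$2"
}

# Copy $1 to $3 with service $2 commented out; the original is left untouched
# so the change can be diffed and reviewed before it is put in place.
disable_inetd_service() {
    awk -v svc="$2" '
        !/^[[:space:]]*#/ && $1 == svc { print "#" $0; next }
        { print }
    ' "$1" > "$3"
}

# One line per active service, with the digest's advice for in.lpd.
report_inetd() {
    for s in $(enabled_inetd_services "$1"); do
        case "$s" in
            printer) echo "$s: ACTIVE - in.lpd on tcp/515; disable it or restrict it with tcp wrappers" ;;
            *)       echo "$s: active - disable unless it is actually needed" ;;
        esac
    done
}

# Constructed sample resembling a Solaris inetd.conf fragment (not a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Constructed sample inetd.conf fragment
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
printer stream  tcp     nowait  root    /usr/lib/print/in.lpd   in.lpd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF

HARDENED=$(mktemp)
report_inetd "$SAMPLE"
disable_inetd_service "$SAMPLE" printer "$HARDENED"
echo "--- after commenting out printer:"
report_inetd "$HARDENED"
```

The hardened file is written to a separate path rather than edited in place so that it can be diffed against the original and reviewed before it replaces the live configuration; commenting the entry out rather than deleting it keeps the original line available if the service has to come back.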

 

Vulnerabilities this Week — Third-party Applications:

Bugtraq Database:

2001-06-18: Microburst uDirectory Remote Command Execution Vulnerability
http://www.securityfocus.com/bid/2884

2001-06-17: Gaztek HTTP Daemon Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2879

2001-06-15: Fetchmail Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2877

2001-06-13: SiteWare Editor Desktop Directory Traversal Vulnerability
http://www.securityfocus.com/bid/2868

2001-06-13: Multiple Vendor CGI Script Forced URL Request Vulnerability
http://www.securityfocus.com/bid/2871


Solaris vulnerabilities pending

Over the last few weeks and months, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
Good news: Sun has released some patches for the kcms and Xsun vulnerabilities; see the entries marked 'UPDATED!' below.

/usr/bin/at language environment overflow

Status: No patch is available yet. Severity: a user with a local account may gain root privileges. Exploiting this weakness is not easy and there has been no detailed Bugtraq discussion yet, nor exploits published.
Workaround: remove the SUID from 'at'. Side effect: only root can use the 'at' command.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0134.html

/usr/bin/mail $HOME Buffer Overflow Vulnerability

Status: No patch is available yet. Severity: a user with a local account may gain mail privileges.
Workaround: chmod -s /usr/bin/mail
http://www.securityfocus.com/vdb/bottom.html?vid=2819

mailtool buffer overflow in $OPENWINHOME

Status: Sun Bug ID: 4458476. No patch is available yet. Severity: a user with a local account may gain mail privileges.

Workarounds: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html

rpc.yppasswdd buffer overflow

Status: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.

Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php  
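The rpc.yppasswdd entry above gives three things to look for on a host: the daemon itself running, a spawned "/usr/sbin/inetd -s z" process, and a root shell listening on tcp/77. The script below is an added example, not from the digest, that checks saved "ps -ef" and "netstat -an" output for those indicators. Both captures are constructed for illustration; on a real host save the live output to files first (ps -ef > ps.txt; netstat -an > net.txt) and pass those.

```sh
#!/bin/sh
# Added example (not from the digest): check captured "ps -ef" and "netstat -an"
# output for the rpc.yppasswdd indicators the digest lists.  The samples below
# are constructed; on a real host capture the live output to files and pass them.

# Is rpc.yppasswdd present in the ps output?  Reading from a saved file avoids
# the classic "ps -ef | grep yppasswd" trap of matching the grep process itself.
yppasswdd_running() {
    grep -q 'rpc\.yppasswdd' "$1"
}

# Count inetd processes started with the "-s z" argument.
rogue_inetd_count() {
    awk '/\/usr\/sbin\/inetd -s z$/ { n++ } END { print n + 0 }' "$1"
}

# Count TCP listeners on port 77 (Solaris prints "*.77"; other systems ":77").
port77_listener_count() {
    awk '$1 ~ /[.:]77$/ && /LISTEN/ { n++ } END { print n + 0 }' "$1"
}

# Print the total number of indicators across both captures (0 = nothing seen);
# the explanations go to stderr so the count alone is easy to consume.
count_indicators() {
    ps_file=$1; net_file=$2; total=0
    if yppasswdd_running "$ps_file"; then
        echo "rpc.yppasswdd is running: disable it in ypstart until patched" >&2
        total=$((total + 1))
    fi
    n=$(rogue_inetd_count "$ps_file")
    [ "$n" -eq 0 ] || { echo "$n inetd process(es) started with '-s z'" >&2; total=$((total + n)); }
    n=$(port77_listener_count "$net_file")
    [ "$n" -eq 0 ] || { echo "$n listener(s) on tcp/77 (rje)" >&2; total=$((total + n)); }
    echo "$total"
}

# Constructed captures: one host showing all three indicators, one clean.
PS_SUSPECT=$(mktemp); NET_SUSPECT=$(mktemp); PS_CLEAN=$(mktemp); NET_CLEAN=$(mktemp)
cat > "$PS_SUSPECT" <<'EOF'
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0   Jun 17 ?        0:01 /etc/init -
    root   142     1  0   Jun 17 ?        0:00 /usr/sbin/inetd -s
    root   201     1  0   Jun 17 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd /etc/passwd -m
    root  4117   142  0   Jun 23 ?        0:00 /usr/sbin/inetd -s z
EOF
cat > "$NET_SUSPECT" <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 24576      0 LISTEN
      *.77                 *.*                0      0 24576      0 LISTEN
      *.515                *.*                0      0 24576      0 LISTEN
EOF
cat > "$PS_CLEAN" <<'EOF'
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0   Jun 17 ?        0:01 /etc/init -
    root   142     1  0   Jun 17 ?        0:00 /usr/sbin/inetd -s
EOF
cat > "$NET_CLEAN" <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 24576      0 LISTEN
EOF

echo "suspect host: $(count_indicators "$PS_SUSPECT" "$NET_SUSPECT") indicator(s)"
echo "clean host:   $(count_indicators "$PS_CLEAN" "$NET_CLEAN") indicator(s)"
```

A non-zero count is a reason to treat the host as compromised and preserve the captures, not merely to kill the process: the digest's own advice is to disable yppasswdd or firewall it until Sun ships patches.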

mailx -F buffer Overflow

Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.

Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610

Xsun $HOME buffer overflow vulnerability

Status: Local suid root exploit.

Workaround: Remove the suid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108652-32 (Solaris 8), but there are no notes in the README to indicate that they addressed this issue.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561

SNMP to DMI mapper daemon UPDATED!

Status: Remote exploit being actively abused. (Sun bug id 4412996).
Patches: 108870-06 SunOS 5.8_x86, 108869-06 SunOS 5.8

Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7) but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README 108869-05, released on 9th May indicated only a fix for: "Bug id: 4404944 libssasnmp changes the syslog message format"


kcsSUNWIOsolf.so KCMS_PROFILES environment variable: UPDATED!

Status: Local suid exploit.
Patches: 107337-02 SunOS 5.7 has been released and the following should be out soon:
111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86

Workaround: Disable suid, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf


kcms_configure vulnerability: UPDATED!

Status: Local suid exploit of command line options.
Patches: 107337-02 SunOS 5.7 has been released and the following should be out soon:
111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86

Workaround: Disable suid, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605


CDE dtsession LANG environment variable

Status: Local suid exploit, no patches yet. Exploit available for Solaris x86.

Workaround: On servers not requiring a GUI, the suid can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession


ftpd #1 globbing buffer overflows/core dump shadow password recovery

Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.

Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601


ftpd #2 CWD Username Enumeration

Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).

Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564


NTP buffer overflow

Status: Serious remote exploit.

Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540


ipcs Timezone buffer overflow vulnerability

Status: Local suid exploit.

Workaround: Disable suid, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
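Most of the pending local exploits above (at, mail, mailx, mailtool, Xsun, kcms, dtsession, ipcs, and the cb_reset and ptexec items earlier) share the same workaround: strip the suid/sgid bit. The script below is an added example, not from the digest, that reports which of a list of binaries still carry those bits and applies the digest's "chmod -s" workaround to a given path. The list holds the paths the digest names plus /usr/bin/mailx, which is an assumption about where mailx lives; the scratch files it demonstrates on are constructed so the script runs on any machine.

```sh
#!/bin/sh
# Added example (not from the digest): audit and, where chosen, apply the
# "remove the suid/sgid bit" workaround the digest gives for several local
# exploits.  Paths are those the digest names plus /usr/bin/mailx (assumed);
# extend the list for your own host.
CANDIDATES="/usr/bin/at /usr/bin/mail /usr/bin/mailx /usr/openwin/bin/mailtool
/opt/SUNWssp/bin/cb_reset /opt/SUNWvts/bin/ptexec"

# privileged_bits PATH -> suid, sgid, suid+sgid or none
privileged_bits() {
    if [ -u "$1" ] && [ -g "$1" ]; then echo suid+sgid
    elif [ -u "$1" ]; then echo suid
    elif [ -g "$1" ]; then echo sgid
    else echo none
    fi
}

# audit_privileged "PATH PATH ..." -> one "path bits" line per existing file
# that still carries a bit; missing files (package not installed) are skipped.
audit_privileged() {
    for p in $1; do
        [ -f "$p" ] || continue
        bits=$(privileged_bits "$p")
        [ "$bits" = none ] || echo "$p $bits"
    done
}

# drop_privileged_bits PATH -> the digest's "chmod -s", spelled out as u-s,g-s;
# the prior mode is echoed to stderr so the change can be logged and reverted.
drop_privileged_bits() {
    ls -l "$1" >&2
    chmod u-s,g-s "$1"
}

# Constructed demonstration: scratch files standing in for the real binaries,
# which may not exist (or may not be safe to modify) where this runs.
DEMO=$(mktemp -d)
touch "$DEMO/cb_reset" "$DEMO/mailx" "$DEMO/ptexec"
chmod 4755 "$DEMO/cb_reset"   # setuid, as the real cb_reset is
chmod 2755 "$DEMO/mailx"      # setgid, as the real mailx is (group mail)
chmod 0755 "$DEMO/ptexec"     # already stripped

echo "before:"; audit_privileged "$DEMO/cb_reset $DEMO/mailx $DEMO/ptexec"
drop_privileged_bits "$DEMO/cb_reset"
drop_privileged_bits "$DEMO/mailx"
echo "after:";  audit_privileged "$DEMO/cb_reset $DEMO/mailx $DEMO/ptexec"

# On a real host the read-only audit over the digest's list is the useful part;
# apply drop_privileged_bits only to the binaries whose side effects you accept.
audit_privileged "$CANDIDATES"
```

Keep the ls output from each change: the digest notes that some of these bits have side effects (only root can run the command, mail locking, the CDE screen saver), and the recorded mode is what you need to put the bit back once Sun's patch for that binary is installed.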



Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.
     
  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.

1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Jun/20/01:

Solaris 2.6, Jun/19/01:

Solaris 7, Jun/19/01:    

Solaris 8, Jun/19/01:

Solaris 8_x86, Jun/19/01:

2. New or updated individual security/recommended patches.

105633-55 OpenWindows 3.6: Xsun patch
105802-15 OpenWindows 3.6: ToolTalk patch
107180-28 CDE 1.3: dtlogin patch

107337-02 SunOS 5.7: KCMS configure tool has a security vulnerability
107709-13 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend

108869-06 SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
109134-19 * SunOS 5.8: WBEM patch
109326-04 SunOS 5.8: libresolv.so.2, in.named patch
109354-09 * CDE 1.4: dtsession patch
111504-01 * SunOS 5.8: /usr/bin/tip patch
111548-01 * SunOS 5.8: catman, man, whatis, apropos and makewhatis patch

108870-06 SunOS 5.8_x86: snmpdx/mibiisa/libssasnmp/snmplib patch
109135-19 * SunOS 5.8_x86: WBEM patch
109280-10 SunOS 5.8_x86: /kernel/drv/ip patch
109327-04 SunOS 5.8_x86: libresolv.so.2 in.named patch
109355-09 * CDE 1.4_x86: dtsession patch
109401-07 * SunOS 5.8_x86: Updated video drivers and fixes
111505-01 * SunOS 5.8_x86: /usr/bin/tip patch
111549-01 * SunOS 5.8_x86: catman, man, whatis, apropos and makewhatis patch


News & Articles

 

O'Reilly Net

IPFW Logging - Dru Lavigne
http://www.onlamp.com/pub/a/bsd/2001/06/21/FreeBSD_Basics.html

I've spent the last few articles creating rules to allow ipfw to just allow the IP traffic I wish to enter my FreeBSD computer. This week, I'd like to take a look at logging and will probably end up tweaking my firewall further as I do so.

SysAdmin magazine: July

Securing SNMP on Solaris - Reg Quinton
http://www.samag.com/articles/2001/0107/0107m/0107m.htm

The default SNMP configuration, while perhaps reasonably secure, can be made substantially more secure with a little effort. If you require SNMP services (e.g., to monitor a server in case of failover), you should configure it better.

 

Which OS is Fastest for High-Performance Network Applications?
Jeffrey B. Rothman and John Buckman
http://www.samag.com/articles/2001/0107/0107a/0107a.htm

In this article, we compare Linux, Solaris (for Intel), FreeBSD, and Windows 2000 to determine which operating system (OS) runs high-performance network applications the fastest.

 

Backup on a Budget - W. Curtis Preston
http://www.samag.com/articles/2001/0107/0107o/0107o.htm
http://www.backupcentral.com/free-backup-software2.html

Not everybody has the money to buy a million-dollar storage area network (SAN) completely dedicated to backup and recovery. Not everybody needs a SAN!


Sun

Solaris 2.6 Firewall, Example Installation & Configuration
http://www.roble.com/docs/secure_solaris.html

Steps to Securing a Solaris 2.X Host
http://www.netwizards.net/~varmav/tips-tools/solaris.shtml

SecurityFocus

Hacker Tools and their Signatures, Part Two: Juno and Unisploit - Toby Miller
http://www.securityfocus.com/focus/ids/articles/junisploit.html

This is the second installment in the Hacker Tools and Their Signatures series, a series written to assist system administrators, security administrators, and the security community as a whole to identify and understand the tools that are being used in the hacker community. The first article examined This installment will focus on two tools: Juno and Unisploit. This paper will provide a detailed analysis of these tools, including tcpdump examples and other useful references.

 

Secure Online Behavior, Part II: Secure E-Mail Behavior - Dr. Sunil Hazari
http://www.securityfocus.com/frames/?focus=basics&content=/focus/basics/articles/sechabits2.html

This article will discuss secure e-mail behavior by looking at the various threats posed by using e-mail applications, as well as the steps users should take to minimize those risks.

Information Security Magazine

Sealing the pipes - Pete Loshin
http://www.infosecuritymag.com/articles/june01/features_protocols.shtml

SSH is a powerful security protocol, but it can prove dangerous if used incorrectly.

 

Stronger passwords aren't - Peter Tippet
http://www.infosecuritymag.com/articles/june01/columns_executive_view.shtml

In the real world, an eight-character mixed alphanumeric password is no more secure than a simple four-character password.
Comment: a thought-provoking article; I also agree that ultra strong password policies backfire.

 

Hidden hacks - Al Berg
http://www.infosecuritymag.com/articles/june01/cover.shtml

Countering lesser-known or hidden vulnerabilities is just as important as plugging the big holes.

SolarisGuide

Samba on Solaris
www.veritas.com/us/article/article-061901.html

For everyone who has wanted an officially supported Samba on Solaris solution, supported by Sun, check out the VERITAS whitepaper. Yes, it's Samba based (currently 2.0.9). VERITAS is working with us to add new stuff like MS-DFS and MMC support to 2.2 as well.

LinuxSecurity

Hacker vigilantes strike back
http://www.idg.net/ic_626988_1794_9-10000.html

Striking back at hackers with, for example, denial of service attacks is a sensitive subject, since doing so is illegal in most countries......


Mailing Lists

Focus-Sun Discussions Threads

06/19/01 Gauntlet on Solaris (again)
http://www.securityfocus.com/templates/archive.pike?list=92&tid=192193&fromthread=0&threads=1&end=2001-06-23&start=2001-06-17&

06/19/01 Sun ARP Implementation
http://www.securityfocus.com/templates/archive.pike?list=92&tid=192192&fromthread=0&threads=1&end=2001-06-23&start=2001-06-17&


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week: none


Security Tools

Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include OpenSSH 2.9p2.

Auditing and Intrusion Monitoring tools include Snort, ACID, SAINT, SARA, FireStorm NIDS and John the Ripper.

Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, Securepoint Firewall Server SB, GuardDog, Knetfilter and PCX Firewall.

Tools for Linux/Unix/Cross Platform include Secure FTP, Kaladix Linux, SILC, NSA Security-enhanced Linux and Hypersec Linux Kernel Patch.

Tools for Windows include Tiny Personal Firewall and Pulse.


Tip of the Week: Jass v0.3

Jass v0.3 has been released and the associated documents updated. Jass is Sun's answer to Yassp and Titan, and appears to have evolved into a capable, interesting Solaris hardening tool.

"The Solaris Security Toolkit is a tool designed to assist in creation and deployment of secured Solaris Operating Environment systems. The Toolkit is comprised of a set of scripts and directories implementing the recommendations made in the Sun BluePrints OnLine program.
These scripts can be executed on Solaris systems through the JumpStart technology or directly from the command line. The Toolkit includes scripts to harden, patch, and minimize Solaris Operating Environment systems. Sun does not support the Toolkit."

http://www.sun.com/blueprints
http://www.sun.com/blueprints/tools/
http://www.sun.com/blueprints/0601/jass_release_notes-v03.pdf
http://www.sun.com/blueprints/0601/jass_internals-v03.pdf
http://www.sun.com/blueprints/0601/jass_quick_start-v03.pdf
http://www.sun.com/blueprints/0601/jass_conf_install-v03.pdf

Summary of changes since version 0.2 (November 2000):

The license is still quite tight: you can use it freely for your own private or corporate purposes, but you cannot distribute or publish derivative works.

I hope to do some tests over the coming week and report back in the next Tip of the Week.

 

If you have tips you'd like to share with others, contact us.


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.