By Seán Boran (sean at boran.com)
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
Bumper crop this week, make sure you at least read up on the in.lpd vulnerability.
ypbind remote root exploit
All Solaris versions prior to SunOS 5.8 01/01 contain a ypbind (part of NIS) vulnerability which may be exploited remotely.
Severity: a local or remote user may gain root privileges.
The alert was published under Sun Bulletin #00203 and AusCERT AA-2001.03. The alert is not yet up on the web but should appear later on
http://www.auscert.org.au/Information/Advisories/aus_2001.html
http://sunsolve.sun.com/pub-cgi/secBulletin.pl?mode=latest
Patches have been released by Sun:
OS Version      Patch ID
__________      _________
SunOS 5.8       110322-01
SunOS 5.8_x86   110323-01
SunOS 5.7       108750-02
SunOS 5.7_x86   108751-02
SunOS 5.6       105403-04
SunOS 5.6_x86   105404-04
SunOS 5.5.1     105165-04
SunOS 5.5.1_x86 105166-04
SunOS 5.5       105169-04
SunOS 5.5_x86   105170-04
SunOS 5.4       101973-41
SunOS 5.4_x86   101974-41
Vulnerability in /opt/SUNWssp/bin/cb_reset
http://archives.neohapsis.com/archives/bugtraq/2001-06/0265.html
A problem discovered by Pablo Sor: the setuid-root cb_reset command included in the SUNWssp package (not part of the standard install) contains a buffer overflow that could allow arbitrary code to be executed.
Severity: a local user may gain root privileges. No known exploits published, yet.
Workaround: remove the SUNWssp package if not needed, or remove the suid bit from cb_reset. Side effects: only root can use cb_reset.
Vulnerability in /opt/SUNWvts/bin/ptexec
http://archives.neohapsis.com/archives/bugtraq/2001-06/0282.html
Another problem discovered by Pablo Sor: the setuid-root ptexec command included in the SUNWvts package (not part of the standard install) contains a buffer overflow that could allow arbitrary code to be executed. SunVTS is a system validation and test suite designed to support Sun hardware platforms and peripherals. It enables its users to assess system device connection status and to effectively isolate the cause of detected system faults.
Severity: a local user may gain root privileges. No known exploits published yet.
Workaround: remove the SUNWvts package if not needed, or remove the suid bit from ptexec. Side effects: only root can use ptexec.
Print Protocol Daemon (in.lpd) Remote Buffer Overflow
http://xforce.iss.net/alerts/advise80.php
http://www.securityfocus.com/bid/2894
ISS X-Force has discovered a buffer overflow in the Solaris line printer daemon (in.lpd, which listens on tcp port 515) that may allow a remote or local attacker to crash the daemon or execute arbitrary code with super-user privileges. All Solaris versions are vulnerable and the service is enabled by default.
Severity: a remote user may gain root privileges. No known exploits published, yet.
Workaround: either apply network access control to the service (with tcp wrappers) or disable 'in.lpd' (in inetd.conf) or even better, disable inetd. If inetd is enabled and needed, disable ALL services that are not necessary.
No patches available yet, but patches have been announced:
Solaris 8.0_x86: 109321-04
Solaris 8.0: 109320-04
Solaris 7.0_x86: 107116-08
Solaris 7.0: 107115-08
Solaris 2.6_x86: 106236-09
Solaris 2.6: 106235-09
Bugtraq Database:
2001-06-18: Microburst uDirectory Remote Command Execution Vulnerability
http://www.securityfocus.com/bid/2884
2001-06-17: Gaztek HTTP Daemon Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2879
2001-06-15: Fetchmail Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2877
2001-06-13: SiteWare Editor Desktop Directory Traversal Vulnerability
http://www.securityfocus.com/bid/2868
2001-06-13: Multiple Vendor CGI Script Forced URL Request Vulnerability
http://www.securityfocus.com/bid/2871
Over the last few weeks/months, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
Good news: Sun has released some patches for kcms and Xsun vulnerabilities, see the vulnerabilities marked 'UPDATED' in red below.
/usr/bin/at language environment overflow
Status: No patch is available yet. Severity: a user with a local account may gain root privileges. Exploiting this weakness is not easy and there has been no detailed Bugtraq discussion yet, nor exploits published.
Workaround: remove the SUID from 'at'. Side effect: only root can use the 'at' command.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0134.html
/usr/bin/mail $HOME Buffer Overflow Vulnerability
Status: No patch is available yet. Severity: a user with a local account may gain mail privileges.
Workaround: chmod -s /usr/bin/mail
http://www.securityfocus.com/vdb/bottom.html?vid=2819
mailtool buffer overflow in $OPENWINHOME
Status: Sun Bug ID: 4458476. No patch is available yet. Severity: a user with a local account may gain mail privileges.
Workarounds: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html
rpc.yppasswdd buffer overflow
Status: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.
Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php
mailx -F buffer Overflow
Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610
Xsun $HOME buffer overflow vulnerability
Status: Local suid root exploit.
Workaround: Remove the suid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108652-32 (Solaris 8), but there are no notes in the README to indicate that they addressed this issue.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561
SNMP to DMI mapper daemon UPDATED!
Status: Remote exploit being actively abused. (Sun bug id 4412996).
Patches: 108870-06 SunOS 5.8_x86, 108869-06 SunOS 5.8
Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7) but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README 108869-05, released on 9th May indicated only a fix for: "Bug id: 4404944 libssasnmp changes the syslog message format"
kcsSUNWIOsolf.so KCMS_PROFILES environment variable: UPDATED!
Status: Local suid exploit.
Patches: 107337-02 SunOS 5.7 has been released and the following should be out soon:
111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86
Workaround: Disable suid, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability: UPDATED!
Status: Local suid exploit of command line options.
Patches: 107337-02 SunOS 5.7 has been released and the following should be out soon:
111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86
Workaround: Disable suid, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605
CDE dtsession LANG environment variable
Status: Local suid exploit, no patches yet. Exploit available for Solaris x86.
Workaround: On servers not requiring a GUI, the suid can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows/core dump shadow password recovery
Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration
Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).
Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564
NTP buffer overflow
Status: Serious remote exploit.
Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be got from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs Timezone buffer overflow vulnerability
Status: Local suid exploit.
Workaround: Disable suid, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
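Most of the workarounds above come down to two checks: has the s-bit really been stripped from the listed binaries, and is in.lpd (or yppasswdd) still enabled in inetd.conf. The following audit script is an added example, not part of the digest or of Sun's tools; the binary paths and the inetd.conf line format are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the digest: audit the recurring workarounds
# above (strip s-bits, disable in.lpd in inetd.conf) on a Solaris host.
# Assumes a POSIX sh with find(1), grep(1) and sed(1); the binary paths
# are assumed locations for the commands named in the digest.

SUID_CANDIDATES="/usr/bin/at /usr/bin/mail /usr/bin/mailx \
/usr/openwin/bin/mailtool /usr/openwin/bin/Xsun /usr/bin/ipcs \
/usr/dt/bin/dtsession /opt/SUNWssp/bin/cb_reset /opt/SUNWvts/bin/ptexec"

# Print every existing path that still carries setuid or setgid.
# Returns 1 if any was found, 0 if all are clean (missing files are skipped).
# Only reports: removing the bit has the side effects noted per item above.
report_setid() {
    found=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        # -perm -4000 = setuid, -perm -2000 = setgid (POSIX find syntax)
        if [ -n "$(find "$f" -prune \( -perm -4000 -o -perm -2000 \) -print)" ]; then
            echo "set-id bit present: $f"
            found=1
        fi
    done
    return $found
}

# Return 0 if an uncommented inetd.conf line still references the service
# (e.g. in.lpd), 1 if it is absent or commented out.
inetd_service_enabled() {
    grep -v '^[[:space:]]*#' "$1" | grep -q "$2"
}

# Write a copy of inetd.conf with every active line for the service
# commented out; the caller installs it and sends inetd a SIGHUP.
disable_inetd_service() {
    sed "/^[[:space:]]*#/!s/^\(.*$2\)/#\1/" "$1" > "$3"
}

# Usage on a live host (nothing is changed except the new inetd.conf copy):
#   report_setid $SUID_CANDIDATES
#   inetd_service_enabled /etc/inetd.conf in.lpd && \
#       disable_inetd_service /etc/inetd.conf in.lpd /etc/inetd.conf.new
```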
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Jun/20/01:
111281-01 SunOS 5.5.1: finger doesn't always correctly match NULL usernames
104605-12 SunOS 5.5.1: ecpp driver patch
108802-02 SunOS 5.5.1: /usr/bin/tip patch
Solaris 2.6, Jun/19/01:
106125-11 SunOS 5.6: Patch for patchadd and patchrm
105566-11 CDE 1.2: calendar manager patch
105633-56 OpenWindows 3.6: Xsun patch
105403-04 SunOS 5.6: ypbind/ypserv patch
108804-02 SunOS 5.6: /usr/bin/tip patch
106361-11 SunOS 5.6: csh/jsh/ksh/rksh/rsh/sh patch
110990-01 SunOS 5.6: Patch for ttymon
111240-01 SunOS 5.6: Patch to /usr/bin/finger
Solaris 7, Jun/19/01:
107337-02 SunOS 5.7: KCMS configure tool has a security vulnerability
108750-01 SunOS 5.7: /usr/lib/netsvc/yp/ypbind patch
108750-02 SunOS 5.7: /usr/lib/netsvc/yp/ypbind patch
111242-01 SunOS 5.7: Patch to /usr/bin/finger
111113-01 SunOS 5.7: nawk Patch
Solaris 8, Jun/19/01:
108652-33 X11 6.4.1: Xsun patch
110944-01 SunOS 5.8_x86: /usr/bin/tcsh patch
109587-03 SunOS 5.8: libspmistore patch
109221-06 SunOS 5.8: Patch for sysidnet
109318-12 SunOS 5.8: suninstall patch
Solaris 8_x86, Jun/19/01:
108653-28 X11 6.4.1_x86: Xsun patch
109280-10 SunOS 5.8_x86: /kernel/drv/ip patch
109741-05 SunOS 5.8_x86: /kernel/drv/udp patch
109743-05 SunOS 5.8_x86: /kernel/drv/icmp patch
110944-01 SunOS 5.8_x86: /usr/bin/tcsh patch
109588-04 SunOS 5.8_x86: libspmistore patch
109473-06 SunOS 5.8_x86: /kernel/drv/tcp patch
109319-13 SunOS 5.8_x86: suninstall patch
105633-55 OpenWindows 3.6: Xsun patch
105802-15 OpenWindows 3.6: ToolTalk patch
107180-28 CDE 1.3: dtlogin patch
107337-02 SunOS 5.7: KCMS configure tool has a security vulnerability
107709-13 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
108869-06 SunOS 5.8: snmpdx/mibiisa/libssasnmp/snmplib patch
109134-19 * SunOS 5.8: WBEM patch
109326-04 SunOS 5.8: libresolv.so.2, in.named patch
109354-09 * CDE 1.4: dtsession patch
111504-01 * SunOS 5.8: /usr/bin/tip patch
111548-01 * SunOS 5.8: catman, man, whatis, apropos and makewhatis patch
108870-06 SunOS 5.8_x86: snmpdx/mibiisa/libssasnmp/snmplib patch
109135-19 * SunOS 5.8_x86: WBEM patch
109280-10 SunOS 5.8_x86: /kernel/drv/ip patch
109327-04 SunOS 5.8_x86: libresolv.so.2 in.named patch
109355-09 * CDE 1.4_x86: dtsession patch
109401-07 * SunOS 5.8_x86: Updated video drivers and fixes
111505-01 * SunOS 5.8_x86: /usr/bin/tip patch
111549-01 * SunOS 5.8_x86: catman, man, whatis, apropos and makewhatis patch
IPFW Logging - Dru Lavigne
http://www.onlamp.com/pub/a/bsd/2001/06/21/FreeBSD_Basics.html
IPFW Logging 06/21/2001 I've spent the last few articles creating rules to allow ipfw to just allow the IP traffic I wish to enter my FreeBSD computer. This week, I'd like to take a look at logging and will probably end up tweaking my firewall further as I do so.
Securing SNMP on Solaris - Reg Quinton
http://www.samag.com/articles/2001/0107/0107m/0107m.htm
The default SNMP configuration, while perhaps reasonably secure, can be made substantially more secure with a little effort. If you require SNMP services (e.g., to monitor a server in case of failover), you should configure it better.
Which OS is Fastest for High-Performance Network Applications?
Jeffrey B. Rothman and John Buckman
http://www.samag.com/articles/2001/0107/0107a/0107a.htm
In this article, we compare Linux, Solaris (for Intel), FreeBSD, and Windows 2000 to determine which operating system (OS) runs high-performance network applications the fastest.
Backup on a Budget - W. Curtis Preston
http://www.samag.com/articles/2001/0107/0107o/0107o.htm
http://www.backupcentral.com/free-backup-software2.html
Not everybody has the money to buy a million-dollar storage area network (SAN) completely dedicated to backup and recovery. Not everybody needs a SAN!
Solaris 2.6 Firewall, Example Installation & Configuration
http://www.roble.com/docs/secure_solaris.html
Steps to Securing a Solaris 2.X Host
http://www.netwizards.net/~varmav/tips-tools/solaris.shtml
Hacker Tools and their Signatures, Part Two: Juno and Unisploit - Toby Miller
http://www.securityfocus.com/focus/ids/articles/junisploit.html
This is the second installment in the Hacker Tools and Their Signatures series, a series written to assist system administrators, security administrators, and the security community as a whole to identify and understand the tools that are being used in the hacker community. The first article examined This installment will focus on two tools: Juno and Unisploit. This paper will provide a detailed analysis of these tools, including tcpdump examples and other useful references.
Secure Online Behavior, Part II: Secure E-Mail Behavior - Dr. Sunil Hazari
http://www.securityfocus.com/frames/?focus=basics&content=/focus/basics/articles/sechabits2.html
This article will discuss secure e-mail behavior by looking at the various threats posed by using e-mail applications, as well as the steps users should take to minimize those risks.
Sealing the pipes - Pete Loshin
http://www.infosecuritymag.com/articles/june01/features_protocols.shtml
SSH is a powerful security protocol, but it can prove dangerous if used incorrectly.
Stronger passwords aren't - Peter Tippet
http://www.infosecuritymag.com/articles/june01/columns_executive_view.shtml
In the real world, an eight-character mixed alphanumeric password is no more secure than a simple four-character password.
Comment: a thought-provoking article; I also agree that ultra-strong password policies back-fire.
Hidden hacks - Al Berg
http://www.infosecuritymag.com/articles/june01/cover.shtml
Countering lesser-known or hidden vulnerabilities is just as important as plugging the big holes.
Samba on Solaris
www.veritas.com/us/article/article-061901.html
For everyone who has wanted an officially supported Samba on Solaris solution, supported by Sun, check out the VERITAS whitepaper. Yes, it's Samba based (currently 2.0.9). VERITAS is working with us to add new stuff like MS-DFS and MMC support to 2.2 as well.
Hacker vigilantes strike back
http://www.idg.net/ic_626988_1794_9-10000.html
Striking back at hackers with, for example, denial of service attacks is a sensitive subject, since doing so is illegal in most countries...
06/19/01 Gauntlet on Solaris (again)
http://www.securityfocus.com/templates/archive.pike?list=92&tid=192193&fromthread=0&threads=1&end=2001-06-23&start=2001-06-17&
06/19/01 Sun ARP Implementation
http://www.securityfocus.com/templates/archive.pike?list=92&tid=192192&fromthread=0&threads=1&end=2001-06-23&start=2001-06-17&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week: none
Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include OpenSSH 2.9p2.
Auditing and Intrusion Monitoring tools include Snort, ACID, SAINT, SARA, FireStorm NIDS and John the Ripper.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, Securepoint Firewall Server SB, GuardDog, Knetfilter and PCX Firewall.
Tools for Linux/Unix/Cross Platform include Secure FTP, Kaladix Linux, SILC, NSA Security-enhanced Linux and Hypersec Linux Kernel Patch.
Tools for Windows include Tiny Personal Firewall and Pulse.
Jass v0.3 has been released and the associated documents updated. Jass is Sun's answer to Yassp and Titan, and appears to have evolved into a capable, interesting, Solaris hardening tool.
"The Solaris Security Toolkit is a tool designed to assist in creation and deployment of secured Solaris Operating Environment systems. The Toolkit is comprised of a set of scripts and directories implementing the recommendations made in the Sun BluePrints OnLine program.
These scripts can be executed on Solaris systems through the JumpStart technology or directly from the command line. The Toolkit includes scripts to harden, patch, and minimize Solaris Operating Environment systems. Sun does not support the Toolkit."
http://www.sun.com/blueprints
http://www.sun.com/blueprints/tools/
http://www.sun.com/blueprints/0601/jass_release_notes-v03.pdf
http://www.sun.com/blueprints/0601/jass_internals-v03.pdf
http://www.sun.com/blueprints/0601/jass_quick_start-v03.pdf
http://www.sun.com/blueprints/0601/jass_conf_install-v03.pdf
Summary of changes since version 0.2 (November 2000):
The license is still quite tight: you can use it freely for your own private or corporate purposes, but cannot distribute or publish derivative works.
I hope to do some tests over the coming week and report back in the next Tip of the Week.
If you have tips you'd like to share with others, contact us.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.