Weekly Solaris Security Digest
2001/06/24 to 2001/07/01

By Seán Boran (sean at boran.com)

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html


 


New Solaris Vulnerabilities this Week

libsldap buffer overflow in $LDAP_OPTIONS
http://archives.neohapsis.com/archives/bugtraq/2001-06/0344.html
http://www.securityfocus.com/bid/2931

Jouko Pynnönen discovered that the library implementing LDAP naming services on Solaris 8, libsldap, contains a buffer overflow in the initialization code. While parsing the environment variable LDAP_OPTIONS, a fixed size buffer is used to store its contents which can be of any length. This is a straightforward buffer overflow and exploitable in conjunction with privileged programs that use the library. Such programs include passwd, yppasswd, nispasswd, sendmail, and chkey. The library is only found on Solaris 8 systems. On vulnerable systems the buffer overflow can lead to a local root compromise.
Workaround: replace the existing 'libsldap.so' with a 'dummy' version that does not contain the offending code. This may limit or break the functionality of some of the utilities listed above.

 

BIND v4 and v8 patches / Sun Bulletin #00204 / CA-2001-02
http://www.cert.org/advisories/CA-2001-02.html
http://sunsolve.sun.com/pub-cgi/secBulletin.pl

"Sun announces the release of patches for Solaris 8, 7, 2.6, 2.5.1, 2.5, and 2.4 (SunOS 5.8, 5.7, 5.6, 5.5.1, 5.5, and 5.4) which relate to several vulnerabilities reported in CERT CA-2001-02.
Sun recommends that you install the patches listed in section 4 immediately on systems running SunOS 5.8, 5.7, 5.6, 5.5.1, 5.5, and 5.4 with Sun's implementation of BIND."
Comment: I recommend you run ISC's latest BIND v9 or v8, rather than the Sun derivative on the Internet. It takes too long to get patches out (this vulnerability is several months old).

 

Vulnerabilities this Week — Third-party Applications:

Bugtraq Database:

2001-06-26: Icecast Directory Traversal Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2932

2001-06-26: Icecast DoS Vulnerability
http://www.securityfocus.com/bid/2933

2001-06-23: Samba Remote Arbitrary File Creation Vulnerability
http://www.securityfocus.com/bid/2928

A remote user can write arbitrary files on the Samba server, because the smb daemon does not sufficiently check NetBIOS name input. It is possible to overwrite files on the Samba server, which lets a remote user deny service to legitimate users and, if the attacker also has local access, potentially gain elevated privileges.


2001-06-21: eXtremail Remote Format String Vulnerability
http://www.securityfocus.com/bid/2908

2001-06-21: Juergen Schoenwaelder scotty ntping Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2911

2001-06-21: cfingerd Utilities Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2914

2001-06-21: Cfingerd Utilities Format String Vulnerability
http://www.securityfocus.com/bid/2915

2001-06-19: W3M Malformed MIME Header Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2895

2001-06-19: ePerl Foreign Code Execution Vulnerability
http://www.securityfocus.com/bid/2912

2001-06-19: OpenSSH PAM Session Evasion Vulnerability
http://www.securityfocus.com/bid/2917

When OpenSSH is used in an environment using PAM, it may be possible for local users to evade restrictions enforced by PAM modules (such as rlimits). A PAM session is not initiated by OpenSSH when commands are executed in an 'rsh' manner (no pty). Some systems rely on PAM to implement system restrictions, such as resource limits on processes, and this vulnerability may allow remote users to bypass those restrictions.
This could lead to an accidental or wilful denial of service. It is only a problem on multi-user servers where non-trusted accounts are allowed.


Solaris vulnerabilities pending

Over the last few weeks/months, we reported on several Solaris vulnerabilities. Those which are not yet
covered by Solaris patches are listed below. See previous digests for a more detailed analysis.

Print Protocol Daemon (in.lpd) Remote Buffer Overflow

Severity: a remote user may gain root privileges via an overflow in the in.lpd daemon. No known exploits published, yet.
Workaround: either apply network access control to the service (with tcp wrappers) or disable 'in.lpd' (in inetd.conf) or even better, disable inetd. If inetd is enabled and needed, disable ALL services that are not necessary.
No patches available yet, but patches have been announced:
Solaris 8.0_x86:  109321-04
Solaris 8.0:      109320-04
Solaris 7.0_x86:  107116-08
Solaris 7.0:      107115-08
Solaris 2.6_x86:  106236-09
Solaris 2.6:      106235-09
http://xforce.iss.net/alerts/advise80.php
http://www.securityfocus.com/bid/2894
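Disabling an inetd service such as in.lpd is the workaround this digest recommends again and again, so here is a script that does it and then lists what is still enabled. It is an added example written for this digest, not Sun code and not part of the ISS or SecurityFocus advisories; it assumes the Solaris 8 inetd.conf line layout (service, socket type, protocol, wait flag, user, program, arguments) and works on a constructed sample file rather than a real one.

```shell
#!/bin/sh
# Disable inetd services (here in.lpd, the "printer" entry) by commenting them
# out of inetd.conf, then list what is still enabled. Added example for this
# digest, not Sun's code. Assumed: Solaris 8 style inetd.conf lines
# "service socktype proto wait user program args"; the sample file is constructed.

# $1: inetd.conf path, $2: space-separated service names to disable.
# Rewrites the file in place (backup in $1.bak) and reports each disabled line.
inetd_disable() {
    conf=$1; names=$2
    cp "$conf" "$conf.bak" || return 1
    tmp="$conf.tmp.$$"
    while read -r line; do
        set -- $line                       # $1 is now the service name field
        disable=no
        case "$line" in
            \#*|"") ;;                      # comment or blank line: leave alone
            *) for n in $names; do
                   if [ "$1" = "$n" ]; then disable=yes; fi
               done ;;
        esac
        if [ "$disable" = yes ]; then
            printf '#%s\n' "$line"
            echo "disabled: $line" >&2
        else
            printf '%s\n' "$line"
        fi
    done < "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the service names of the lines still active in an inetd.conf.
inetd_enabled() {
    while read -r svc rest; do
        case "$svc" in
            \#*|"") ;;
            *) echo "$svc" ;;
        esac
    done < "$1"
}

# --- constructed sample, standing in for /etc/inet/inetd.conf ---
SAMPLE=/tmp/inetd.conf.example.$$
cat > "$SAMPLE" <<'EOF'
# constructed inetd.conf excerpt
ftp      stream  tcp  nowait  root    /usr/sbin/in.ftpd        in.ftpd
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd     in.telnetd
printer  stream  tcp  nowait  root    /usr/lib/print/in.lpd    in.lpd
#finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd     in.fingerd
100083/1 tli     rpc/tcp wait root    /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
EOF
inetd_disable "$SAMPLE" "printer telnet 100083/1"
echo "still enabled:"; inetd_enabled "$SAMPLE"
rm -f "$SAMPLE" "$SAMPLE.bak"
# On a real host:  inetd_disable /etc/inet/inetd.conf printer; kill -HUP `pgrep inetd`
```

After editing the real /etc/inet/inetd.conf, send inetd a HUP so it re-reads the file, then confirm with "netstat -an" that tcp/515 (printer) is no longer listening. If in.lpd has to stay, the tcp wrappers route is an explicit hosts.allow entry for in.lpd and "ALL: ALL" in hosts.deny; the script above is only for the "do not need it" case.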

Vulnerability in /opt/SUNWssp/bin/cb_reset

Severity: a local user may gain root privileges by overflowing the cb_reset setuid root command in the SUNWssp package (not in the standard install). No known exploits published, yet.
Workaround: remove the SUNWssp package if not needed, or remove the suid bit from cb_reset. Side effects: only root can use cb_reset.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0265.html
http://www.securityfocus.com/bid/2893

Vulnerability in /opt/SUNWvts/bin/ptexec

Severity: a local user may gain root privileges by overflowing the ptexec setuid root command in the SUNWvts package (not in the standard install). No known exploits published, yet.
Workaround: remove the SUNWvts package if not needed, or remove the suid bit from ptexec. Side effects: only root can use ptexec.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0282.html
http://www.securityfocus.com/bid/2898

/usr/bin/at language environment overflow

Status: No patch is available yet. Severity: a user with a local account may gain root privileges. Exploiting this weakness is not easy and there has been no detailed Bugtraq discussion yet, nor exploits published.
Workaround: remove the SUID from 'at'. Side effect: only root can use the 'at' command.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0134.html

/usr/bin/mail $HOME Buffer Overflow Vulnerability

Status: No patch is available yet. Severity: a user with a local account may gain mail privileges.
Workaround: chmod -s /usr/bin/mail
http://www.securityfocus.com/vdb/bottom.html?vid=2819

mailtool buffer overflow in $OPENWINHOME

Status: Sun Bug ID: 4458476. No patch is available yet. Severity: a user with a local account may gain mail privileges.

Workarounds: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html

rpc.yppasswdd buffer overflow

Status: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After exploitation, a root shell may be listening on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" may be running.

Workarounds: disable YP/NIS and use NIS+, which is more secure. Otherwise disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart), or control access to this service by installing the Sunscreen-lite (or another local) firewall. Side effect: if users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php  
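The indicators just listed (yppasswdd active, a root shell on tcp/77, a rogue "inetd -s z" process) are easy to check for mechanically, and worth checking on every NIS server, not just the one you suspect. The following is an added example written for this digest, not Sun code and not from the incidents.org report; it reads "ps -ef" and "netstat -an" output from stdin so that saved output from other hosts can be fed in, and the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Look for the rpc.yppasswdd exposure and the post-compromise indicators
# named in the digest (a rogue "/usr/sbin/inetd -s z" process and a root
# shell on tcp/77). Added example, not Sun's or the digest author's code.
# Functions read "ps -ef" / "netstat -an" output from stdin; the sample
# output at the bottom is constructed, not captured from a real host.

# Returns 0 and prints a finding for each suspicious ps -ef line, 1 if clean.
scan_ps() {
    rc=1
    while read -r line; do
        case "$line" in
            *"/usr/sbin/inetd -s z"*) echo "COMPROMISE? rogue inetd: $line"; rc=0 ;;
            *rpc.yppasswdd*) echo "EXPOSED: yppasswdd is running: $line"; rc=0 ;;
        esac
    done
    return $rc
}

# Returns 0 if anything listens on tcp/77. Matches the Solaris "*.77" and the
# Linux "0.0.0.0:77" address forms so saved output from either can be checked.
scan_netstat() {
    rc=1
    while read -r line; do
        case "$line" in
            *".77 "*LISTEN*|*":77 "*LISTEN*) echo "COMPROMISE? tcp/77 listener: $line"; rc=0 ;;
        esac
    done
    return $rc
}

# Live check on a Solaris host: both scans always run, 0 = something found.
check_host() {
    hit=1
    if ps -ef | scan_ps; then hit=0; fi
    if netstat -an -f inet | scan_netstat; then hit=0; fi
    return $hit
}

# --- constructed sample output, not from a real host ---
PS_SAMPLE='    root   131     1  0 10:18:00 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd -D /var/yp -m
    root   230     1  0 10:18:21 ?        0:00 /usr/sbin/nscd
    root 11243     1  0 11:02:15 ?        0:00 /usr/sbin/inetd -s z'
NETSTAT_SAMPLE='      *.22                 *.*                0      0 24576      0 LISTEN
      *.77                 *.*                0      0 24576      0 LISTEN'
printf '%s\n' "$PS_SAMPLE" | scan_ps
printf '%s\n' "$NETSTAT_SAMPLE" | scan_netstat
```

A hit on the ps check alone just means yppasswdd is exposed and the workaround above has not been applied; a hit on tcp/77 or the "inetd -s z" process means the host should be treated as compromised and taken off the network rather than patched in place.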

mailx -F buffer Overflow

Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.

Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610

Xsun $HOME buffer overflow vulnerability (updated)

Status: Local sgid root exploit.

Workaround: Remove the sgid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108652-35 (Solaris 8), but there are no notes in the README to indicate that they addressed this issue.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561

SNMP to DMI mapper daemon

Status: Remote exploit being actively abused. (Sun bug id 4412996).
Patches: 108870-06 SunOS 5.8_x86, 108869-06 SunOS 5.8

Workaround: Disable the DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7) but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README 108869-05, released on 9th May indicated only a fix for: "Bug id: 4404944 libssasnmp changes the syslog message format"


kcsSUNWIOsolf.so KCMS_PROFILES environment variable:

Status: Local suid exploit.
Patches: 107337-02 SunOS 5.7 has been released and the following should be out soon:
111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86

Workaround: Disable suid, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf


kcms_configure vulnerability:

Status: Local suid exploit of command line options.
Patches: 107337-02 SunOS 5.7 has been released and the following should be out soon:
111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86

Workaround: Disable suid, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605


CDE dtsession LANG environment variable

Status: Local suid exploit, no patches yet. Exploit available for Solaris x86.

Workaround: On servers not requiring a GUI, the suid can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession


ftpd #1 globbing buffer overflows/core dump shadow password recovery

Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.

Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601


ftpd #2 CWD Username Enumeration

Status: Remote exploit, low impact (allows an attacker to recognise valid usernames).

Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564


NTP buffer overflow

Status: Serious remote exploit.
Workaround: Watch your NTP servers carefully and restrict access by IP address. One contract customer reports that an "emergency fix" can be got from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540


ipcs Timezone buffer overflow vulnerability

Status: Local suid exploit.

Workaround: Disable suid, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
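Most of the pending-vulnerability workarounds above come down to "remove the suid/sgid bit" (at, mail, mailtool, mailx, Xsun, dtsession, ipcs, kcms_configure, cb_reset, ptexec). The script below is an added example written for this digest, not Sun code and not the author's tooling: it audits that list, strips the bits, and logs the previous mode so the change can be undone. Where the digest names a program without its path (Xsun, dtsession, ipcs, mailx, kcms_configure) the standard Solaris 8 location is assumed.

```shell
#!/bin/sh
# Audit, and optionally strip, the setuid/setgid bits that the workarounds in
# this section tell you to remove. Added example for this digest, not Sun's or
# the author's code. The path list is the digest's; for programs the digest
# names without a path the standard Solaris 8 location is assumed.

DIGEST_PRIV_BINS="/usr/bin/at /usr/bin/mail /usr/bin/mailx /usr/openwin/bin/mailtool
/usr/openwin/bin/Xsun /usr/dt/bin/dtsession /usr/bin/ipcs /usr/openwin/bin/kcms_configure
/opt/SUNWssp/bin/cb_reset /opt/SUNWvts/bin/ptexec"

# Print missing | none | setuid | setgid | setuid+setgid for one path.
# Uses the POSIX test operators -u and -g, so no ls output parsing is needed.
privbits() {
    if [ ! -e "$1" ]; then echo missing; return 0; fi
    if [ -u "$1" ] && [ -g "$1" ]; then echo setuid+setgid
    elif [ -u "$1" ]; then echo setuid
    elif [ -g "$1" ]; then echo setgid
    else echo none
    fi
}

# One "state path" line per path in $1 (default: the digest's list).
audit_privbits() {
    for f in ${1:-$DIGEST_PRIV_BINS}; do
        state=`privbits "$f"`
        echo "$state $f"
    done
}

# Remove both bits from $1, first appending its "ls -ld" line to log file $2
# so the original mode can be restored later with chmod.
strip_privbits() {
    state=`privbits "$1"`
    case "$state" in
        missing|none) echo "nothing to do for $1 ($state)"; return 0 ;;
    esac
    ls -ld "$1" >> "$2" || return 1
    chmod u-s,g-s "$1" && echo "stripped $state from $1"
}

# Current state of the digest's list on this host ("missing" simply means the
# package, e.g. SUNWssp or SUNWvts, is not installed):
audit_privbits
# To apply the workarounds as root, logging the old modes for undo:
#   for f in $DIGEST_PRIV_BINS; do strip_privbits "$f" /var/adm/privbits.log; done
```

Run the audit again after every patch cluster: a patch that replaces one of these binaries installs it with the mode recorded in the package, so a bit you removed can silently come back, and the audit is what tells you.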



Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.
     
  2. Individual patches to fix specific problems. A patch reports lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.
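To make that weekly comparison reproducible, here is a script that diffs two patch reports and then checks a host's "showrev -p" output against the newer one. It is an added example written for this digest, not Sun's or the author's tooling. The line formats it assumes are "PATCHID-REV description" for report lines (as in the list in this section) and "Patch: PATCHID-REV Obsoletes: ..." for showrev -p; the sample data, including last week's revisions, is constructed.

```shell
#!/bin/sh
# Compare this week's Sun patch report with last week's, the way this section
# does by hand, and check a host's "showrev -p" output against the new report.
# Added example for this digest, not Sun's or the author's script.
# Assumed line formats: "PATCHID-REV description" for report lines and
# "Patch: PATCHID-REV Obsoletes: ..." for showrev -p output.
# The three sample texts below are constructed; last week's revisions are invented.

# $1: last week's report text, $2: this week's. One line per new/updated patch.
patch_delta() {
    printf '%s\n' "$2" | while read -r id_rev desc; do
        case "$id_rev" in [0-9]*-[0-9]*) ;; *) continue ;; esac   # skip headings/blanks
        id=${id_rev%%-*}; rev=${id_rev#*-}
        old=`printf '%s\n' "$1" | grep "^$id-" | head -n 1`
        if [ -z "$old" ]; then
            echo "NEW $id_rev"
        else
            old_rev=${old#*-}; old_rev=${old_rev%% *}
            if [ "$rev" -gt "$old_rev" ]; then echo "UPDATED $id_rev from $old_rev"; fi
        fi
    done
}

# $1: showrev -p output from the host, $2: report text. Lists report patches the
# host lacks entirely or has only at a lower revision.
missing_patches() {
    printf '%s\n' "$2" | while read -r id_rev desc; do
        case "$id_rev" in [0-9]*-[0-9]*) ;; *) continue ;; esac
        id=${id_rev%%-*}; rev=${id_rev#*-}
        have=`printf '%s\n' "$1" | sed -n "s/^Patch: $id-\([0-9]*\).*/\1/p" | sort -n | tail -n 1`
        if [ -z "$have" ]; then
            echo "MISSING $id_rev $desc"
        elif [ "$rev" -gt "$have" ]; then
            echo "OLD $id_rev installed $have"
        fi
    done
}

# --- constructed sample data (this week's lines copied from the list below) ---
LAST_WEEK='105403-03 SunOS 5.6: ypbind/ypserv patch
105633-55 OpenWindows 3.6: Xsun patch
108804-02 SunOS 5.6: /usr/bin/tip patch'
THIS_WEEK='105403-04 SunOS 5.6: ypbind/ypserv patch
105633-56 OpenWindows 3.6: Xsun patch
108804-02 SunOS 5.6: /usr/bin/tip patch
111240-01 SunOS 5.6: Patch to /usr/bin/finger'
SHOWREV='Patch: 105403-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWypu
Patch: 108804-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

echo "== changes since last week =="; patch_delta "$LAST_WEEK" "$THIS_WEEK"
echo "== this host vs. this week's report =="; missing_patches "$SHOWREV" "$THIS_WEEK"
# On a real host:  missing_patches "`showrev -p`" "`cat this_weeks_report.txt`"
```

The revision comparison is numeric on the two digits after the dash, which is all a Sun patch ID carries; a patch that appears in the report but not on the host is flagged whether or not it applies to that host's packages, so treat MISSING as "look it up", not "install blindly".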

1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Jun/27/01:

Solaris 2.6, Jun/26/01:

Solaris 7, Jun/26/01:    

Solaris 8, Jun/26/01:

Solaris 8_x86, Jun/25/01:

2. New or updated individual security/recommended patches.

105403-04 SunOS 5.6: ypbind/ypserv patch
105566-11 CDE 1.2: calendar manager patch
105633-56 OpenWindows 3.6: Xsun patch
108804-02 SunOS 5.6: /usr/bin/tip patch
111240-01 SunOS 5.6: Patch to /usr/bin/finger
111560-01 * SunOS 5.6: dmesg security problem


News & Articles

 

O'Reilly Net

Controlling BSD User Logins - Michael Lucas
http://www.onlamp.com/pub/a/bsd/2001/06/28/Big_Scary_Daemons.html

CVS - Michael Lucas
http://www.onlamp.com/pub/a/bsd/2001/05/03/Big_Scary_Daemons.html

JSP Security for Limiting Access to Application-Internal URLs - Jamie Jaworski
http://www.onjava.com/pub/a/onjava/2001/06/27/java_security.html

Tools of the Trade: Part 1 - Carl Constantine
http://linux.oreillynet.com/pub/a/linux/2001/06/22/linux_security.html
A quick overview of nmap, tcpdump, Ethereal, snort, syslog, and Tripwire.


Sun

Solaris Resources at Kempston
http://www.kempston.net/solaris/contents.html

Worksheets for Upgrading and Installing
http://www.sun.com/bigadmin

 

SecurityFocus

Linux Authentication Using OpenLDAP, Part One - David "Del" Elson
http://www.securityfocus.com/frames/?focus=linux&content=/focus/linux/articles/openldap.html

This is the first of two articles that will discuss an overview of LDAP, installing and configuring OpenLDAP, migrating to OpenLDAP and setting up LDAP queries.

 

SolarisGuide

Solaris Sources
http://www.sun.com/software/solaris/source/

Since the advent of the Foundation Source Program on November 30, 2000, the source code has been downloaded or sent via media kit over 2,000 times. However, recent activity has indicated that those companies and individuals who desired access to the Solaris 8 source code have done so already. Therefore, Sun is ending the Solaris 8 Foundation Source Program effective June 30, 2001. In addition, both the secure chat and code-exchange sites will also be canceled on this date.

 

Opera 5 for Solaris Released
http://www.opera.com/pressreleases/20010619.html

Opera Software has released Opera 5 for Solaris Beta 1. Opera 5 for Solaris supports the following features:

Comment: I'm a bit of an Opera fan myself. Great to see it on Solaris at last.

LinuxSecurity

Although its work is far from complete, the Intrusion Detection Exchange Format working group (IDWG) in April released a revised draft of its Intrusion Alert Protocol (IAP). The group eventually hopes to create a protocol that will enable the easy exchange and analysis of attack data from multiple IDSes.
http://www.infosecuritymag.com/articles/june01/columns_standards_watch.shtml

 

Introduction to Network-Based Intrusion Detection Systems Using Snort - Roberto Nibali
http://www.unixreview.com/articles/2001/0106/0106j/0106j.htm

This article will provide a basic overview of today's ID systems. It doesn't aim to be complete but gives a good starting point for further information. I will talk about different architecture approaches for ID systems, host and network based, to improve overall security for your business. A general security framework using Snort as the basic Open Source IDS tool will be presented together with some suggestions on how to generate audit trails, anomaly event generation, and central logging over syslog(-ng).


Mailing Lists

Focus-Sun Discussions Threads

06/19/01 Gauntlet on Solaris (again)
http://www.securityfocus.com/templates/archive.pike?list=92&tid=192193&fromthread=0&threads=1&end=2001-06-23&start=2001-06-17&

06/19/01 Sun ARP Implementation
http://www.securityfocus.com/templates/archive.pike?list=92&tid=192192&fromthread=0&threads=1&end=2001-06-23&start=2001-06-17&


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week:

Re: cisecurity audit tool vs YASSP
http://www.theorygroup.com/Archive/YASSP/2001/msg00215.html


Security Tools

Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include Tripwire and BIND.

Auditing and Intrusion Monitoring tools include Snort, IDScenter, SARA, PIKT, FireStorm NIDS, StMichael LKM and Samhain.

Firewalls for UNIX/Linux/BSD & Cross-platform include GshieldConf and Astaro Security Linux.

Tools for Linux/Unix/Cross Platform include Ngrep, FreeS/Wan, FreeS/Wan Config, APG, SILC, Zebedee, BorZoi and Solaris Security Toolkit.

Tools for Windows include AntiVirPersonal Edition and LibnetNT.


Tip of the Week: Jass test-drive

JASS stands for JumpStart Architecture and Security Scripts (Toolkit). The primary goal behind the development of this Toolkit was to simplify and automate the process of securing Solaris systems through JumpStart or in a standalone mode. It implements the recommendations of Sun's BluePrints security articles.

Jass v0.3 was released last week, and last week's 'Tip of the Week' [0] described what it is all about. This time we take it for a test-drive and present the results.

We start off with an example of running Jass on a new Solaris 8 workstation installed with a 'user bundle'. An example log of the output is at [1].

First we install Jass:
pkgadd SUNWjass-0.3.pkg

Then we run the default Jass hardening for standalone use:
/opt/SUNWjass/jass-execute -d secure.driver

On rebooting it was surprising to find many daemons still running:

Although inetd is running, no services are available in inetd.conf.

BSM auditing is enabled. I have mixed feelings about this due to the patches needed to make it work, the logs it generates, and the problems with root crontabs. It does however create the 'root.au' file. See also [3].

Sendmail is left running in queue mode (it will deliver but not accept remote email), which is fine.

The following daemons are left running because they're not considered risky. Personally, I prefer to stop every daemon that is not strictly necessary:
root 230 1 0 10:18:21 ? 0:00 /usr/sbin/nscd
root 240 1 0 10:18:22 ? 0:00 /usr/lib/utmpd
root 43 1 0 10:17:59 ? 0:00 /usr/lib/devfsadm/devfseventd
root 45 1 0 10:18:00 ? 0:00 /usr/lib/devfsadm/devfsadmd

Next we try the 'undo' feature which allows us to go back to the configuration before Jass was run. It very nicely asks us which 'Jass run' we would like to undo:

/opt/SUNWjass/jass-execute -u

The undo seems to work fine, except for BSM auditing which is not cleanly removed, see also the undo log [4].
Jass can be run several times, and the undo can remove the effects of each previous run or all runs. Nice.

This time, we customise Jass a bit, for a more real-world experience and let it run:

A patch bundle is copied to /opt/SUNWjass/Patches and the script Finish/install-recommended-patches.fin was adapted so that 'install_cluster' is called with the '-nosave' option. On a new install, I don't see the point in saving old patches and tying up tens of megabytes of space.

In addition, /opt/SUNWjass/Drivers/user.init was created with some custom settings, to tailor behaviour for this system:

# user.init
# sb, 26.Jun.01
JASS_AGING_MAXWEEKS="26"
JASS_LOGIN_RETRIES="5"
JASS_PASS_LENGTH="6"
JASS_SENDMAIL_MODE="\"\""
JASS_TMPFS_SIZE="100m"
JASS_UMASK="027"

The next step was to add a new finish script, Finish/disable-nscd.fin, which disables the nscd daemon (since it's not needed for our test system), containing:

# Finish/disable-nscd.fin
echo "Disabling nscd startup and shutdown scripts"
echo ""
if [ "${JASS_KILL_SCRIPT_DISABLE}" = "1" ]; then
    disable_rc_file ${JASS_ROOT_DIR}/etc/rcS.d K40nscd
    disable_rc_file ${JASS_ROOT_DIR}/etc/rc0.d K40nscd
    disable_rc_file ${JASS_ROOT_DIR}/etc/rc1.d K40nscd
fi
disable_rc_file ${JASS_ROOT_DIR}/etc/rc2.d S76nscd

Then we add 'disable-nscd.fin' to the JASS_SCRIPTS section of Drivers/hardening.driver, to activate the above script.

Finally we set Jass running with the usual command:
/opt/SUNWjass/jass-execute -d secure.driver
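The disable_rc_file calls in the finish script above rely on the Solaris rc convention that /sbin/rcN runs only the entries in /etc/rcN.d whose names start with S or K, so renaming an entry is enough to take it out of the boot sequence without deleting it. The following is an added example written for this digest: a minimal stand-in for that idea, not the JASS disable_rc_file function itself. The underscore prefix it uses as the "disabled" marker is an assumed convention, and the rc directory it works on is a constructed temporary one, not /etc/rc2.d.

```shell
#!/bin/sh
# Disable or re-enable a Solaris rc start/kill entry by renaming it so that
# /sbin/rcN (which only runs S* and K* names) skips it. Added example for this
# digest, not the JASS disable_rc_file function. Assumption: a leading "_" is
# used as the disabled marker; the demo directory below is constructed.

# $1: rc directory (e.g. /etc/rc2.d), $2: entry name (e.g. S76nscd).
disable_rc() {
    dir=$1; name=$2
    if [ ! -f "$dir/$name" ]; then
        echo "no such rc entry: $dir/$name" >&2; return 1
    fi
    mv "$dir/$name" "$dir/_$name" && echo "disabled $dir/$name"
}

# Reverse disable_rc (the "undo" the digest praises JASS for).
enable_rc() {
    dir=$1; name=$2
    if [ ! -f "$dir/_$name" ]; then
        echo "not disabled: $dir/$name" >&2; return 1
    fi
    mv "$dir/_$name" "$dir/$name" && echo "re-enabled $dir/$name"
}

# List the start entries rcN would still run for a directory, in boot order.
rc_active() {
    for f in "$1"/S*; do
        if [ -f "$f" ]; then echo "${f##*/}"; fi
    done
    return 0
}

# --- constructed demo tree standing in for /etc/rc2.d ---
RC=/tmp/rc2.d.example.$$
mkdir -p "$RC"
for s in S69inet S72inetsvc S76nscd S88sendmail; do : > "$RC/$s"; done
echo "before:"; rc_active "$RC"
disable_rc "$RC" S76nscd
echo "after:";  rc_active "$RC"
enable_rc "$RC" S76nscd
rm -rf "$RC"
```

On a real system the rc2.d entries are hard links to the scripts in /etc/init.d, so the rename costs nothing and "ls /etc/rc2.d/_*" is a quick way to see what has been switched off; run rc_active on /etc/rc2.d and /etc/rc3.d after a Jass run to see exactly which daemons will still start.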

How good is the hardening?

What I like about Jass?

What don't I like?

Summary

Jass is an interesting tool, well worth checking out.

References and further reading:

[0]  'Tip of the Week' that gave an overview of Jass - last week:
http://securityportal.com/topnews/weekly/solaris20010625.html

[1] Log of Jass install and standalone configuration
www.boran.com/security/sp/solaris/jass03_install.txt

[2] Log of Jass install and standalone configuration
www.boran.com/security/sp/solaris/jass03_startup.txt

[3] Solaris C2/BSM security notes - Sean Boran
www.boran.com/security/sp/Solaris_bsm.html

[4] Log of Jass 'undo'
www.boran.com/security/sp/solaris/jass03_undo.txt

Discussion form for Jass feedback:
http://supportforum.sun.com/cgi-bin/WebX.cgi?/security.jass.toolkit

If you have tips you'd like to share with others, contact us.


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.