By Seán Boran (sean at boran.com)
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
libsldap buffer overflow in $LDAP_OPTIONS
http://archives.neohapsis.com/archives/bugtraq/2001-06/0344.html
http://www.securityfocus.com/bid/2931
Jouko Pynnönen discovered that the library implementing LDAP naming services on Solaris 8, libsldap, contains a buffer overflow in the initialization code. While parsing the environment variable LDAP_OPTIONS, a fixed size buffer is used to store its contents, which can be of any length. This is a straightforward buffer overflow and exploitable in conjunction with privileged programs that use the library. Such programs include passwd, yppasswd, nispasswd, sendmail, and chkey. The library is only found on Solaris 8 systems. On vulnerable systems the buffer overflow can lead to a local root compromise.
Workaround: replace the existing 'libsldap.so' with a 'dummy' version that does not contain the offending code. This may limit or break functionality of some of the utilities.
BIND v4 and v8 patches / Sun Bulletin #00204 / CA-2001-02
http://www.cert.org/advisories/CA-2001-02.html
http://sunsolve.sun.com/pub-cgi/secBulletin.pl
"Sun announces the release of patches for Solaris 8, 7, 2.6, 2.5.1, 2.5, and 2.4 (SunOS 5.8, 5.7, 5.6, 5.5.1, 5.5, and 5.4) which relate to several vulnerabilities reported in CERT CA-2001-02.
Sun recommends that you install the patches listed in section 4 immediately on systems running SunOS 5.8, 5.7, 5.6, 5.5.1, 5.5, and 5.4 with Sun's implementation of BIND."
Comment: I recommend you run ISC's latest BIND v9 or v8, rather than the Sun derivative on the Internet. It takes too long to get patches out (this vulnerability is several months old).
Bugtraq Database:
2001-06-26: Icecast Directory Traversal Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2932
2001-06-26: Icecast DoS Vulnerability
http://www.securityfocus.com/bid/2933
2001-06-23: Samba Remote Arbitrary File Creation Vulnerability
http://www.securityfocus.com/bid/2928
A remote user can write arbitrary files on the Samba server, as the smb daemon does not sufficiently check NetBIOS name input. It is possible to overwrite files on the Samba server, and if a user has local access, potentially gain elevated privileges. This problem makes it possible for a remote user to deny service to legitimate users, and for a local user to potentially gain elevated privileges.
2001-06-21: eXtremail Remote Format String Vulnerability
http://www.securityfocus.com/bid/2908
2001-06-21: Juergen Schoenwaelder scotty ntping Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2911
2001-06-21: cfingerd Utilities Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2914
2001-06-21: Cfingerd Utilities Format String Vulnerability
http://www.securityfocus.com/bid/2915
2001-06-19: W3M Malformed MIME Header Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2895
2001-06-19: ePerl Foreign Code Execution Vulnerability
http://www.securityfocus.com/bid/2912
2001-06-19: OpenSSH PAM Session Evasion Vulnerability
http://www.securityfocus.com/bid/2917
When OpenSSH is used in an environment using PAM, it may be possible for local users to evade restrictions enforced by PAM modules (such as rlimits). A PAM session is not initiated by OpenSSH when commands are executed in an 'rsh' manner (no pty). Some systems may rely on PAM to implement system restrictions, such as resource limits on processes. This vulnerability may allow remote users to bypass these restrictions.
This could lead to an accidental or wilful denial of service. This is only a problem on multi-user servers where non-trusted accounts are allowed.
Over the last few weeks/months, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
Print Protocol Daemon (in.lpd) Remote Buffer Overflow
Severity: a remote user may gain root privileges via an overflow in the in.lpd daemon. No known exploits published, yet.
Workaround: either apply network access control to the service (with tcp wrappers) or disable 'in.lpd' (in inetd.conf) or even better, disable inetd. If inetd is enabled and needed, disable ALL services that are not necessary.
No patches available yet, but patches have been announced:
Solaris 8.0_x86: 109321-04
Solaris 8.0: 109320-04
Solaris 7.0_x86: 107116-08
Solaris 7.0: 107115-08
Solaris 2.6_x86: 106236-09
Solaris 2.6: 106235-09
http://xforce.iss.net/alerts/advise80.php
http://www.securityfocus.com/bid/2894
Vulnerability in /opt/SUNWssp/bin/cb_reset
Severity: a local user may gain root privileges by overflowing the cb_reset setuid root command in the SUNWssp package (not in the standard install). No known exploits published, yet.
Workaround: remove the SUNWssp package if not needed, or remove the suid bit from cb_reset. Side effects: only root can use cb_reset.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0265.html
http://www.securityfocus.com/bid/2893
Vulnerability in /opt/SUNWvts/bin/ptexec
Severity: a local user may gain root privileges by overflowing the ptexec setuid root command in the SUNWvts package (not in the standard install). No known exploits published, yet.
Workaround: remove the SUNWvts package if not needed, or remove the suid bit from ptexec. Side effects: only root can use ptexec.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0282.html
http://www.securityfocus.com/bid/2898
/usr/bin/at language environment overflow
Status: No patch is available yet. Severity: a user with a local account may gain root privileges. Exploiting this weakness is not easy and there has been no detailed Bugtraq discussion yet, nor exploits published.
Workaround: remove the SUID from 'at'. Side effect: only root can use the 'at' command.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0134.html
/usr/bin/mail $HOME Buffer Overflow Vulnerability
Status: No patch is available yet. Severity: a user with a local account may gain mail privileges.
Workaround: chmod -s /usr/bin/mail
http://www.securityfocus.com/vdb/bottom.html?vid=2819
mailtool buffer overflow in $OPENWINHOME
Status: Sun Bug ID: 4458476. No patch is available yet. Severity: a user with a local account may gain mail privileges.
Workarounds: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html
rpc.yppasswdd buffer overflow
Status: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.
Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php
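The checks above (is yppasswdd active, is "/usr/sbin/inetd -s z" running, is anything listening on tcp/77) as a small defender-side script. This is an added example and not part of the digest; it takes the listings as text so it runs offline against the constructed samples embedded below, and on a live Solaris host it would be fed the output of "ps -ef" and "netstat -an -f inet".

```shell
#!/bin/sh
# Added example, not from the digest: look for the rpc.yppasswdd exposure and
# the post-exploitation signs the digest names ("/usr/sbin/inetd -s z" and a
# root shell listening on tcp/77, rje). Listings are passed as text so the
# function can be tested offline; on a host feed it `ps -ef` / `netstat -an`.

# yppasswd_findings PS_LISTING NETSTAT_LISTING
#   prints one finding per line; exit status 0 when a compromise indicator
#   (not merely the exposed daemon) was found, 1 otherwise.
yppasswd_findings() {
    ps_listing=$1
    net_listing=$2
    found=1
    if printf '%s\n' "$ps_listing" | grep 'yppasswdd' >/dev/null; then
        echo "INFO: rpc.yppasswdd is active; disable or firewall it until patched"
    fi
    if printf '%s\n' "$ps_listing" | grep '/usr/sbin/inetd -s z' >/dev/null; then
        echo "ALERT: process '/usr/sbin/inetd -s z' present (metaray indicator)"
        found=0
    fi
    # Solaris netstat prints the local address as host.port in column 1 and
    # the state in the last column; nothing should normally listen on tcp/77.
    if printf '%s\n' "$net_listing" |
        awk '$NF == "LISTEN" && $1 ~ /\.77$/ { hit = 1 } END { exit !hit }'; then
        echo "ALERT: listener on tcp/77 (rje): possible root shell left by an exploit"
        found=0
    fi
    return $found
}

# Constructed sample listings (not captured from a real host).
PS_CLEAN='    root   154     1  0 10:18:05 ?        0:00 /usr/sbin/inetd -s
    root   201     1  0 10:18:10 ?        0:00 /usr/lib/netsvc/yp/ypbind'
PS_COMPROMISED='    root   154     1  0 10:18:05 ?        0:00 /usr/sbin/inetd -s
    root   212     1  0 10:18:11 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd
    root  4711     1  0 11:02:37 ?        0:00 /usr/sbin/inetd -s z'
NET_CLEAN='      *.22                 *.*                0      0 24576      0 LISTEN
      *.111                *.*                0      0 24576      0 LISTEN'
NET_COMPROMISED='      *.22                 *.*                0      0 24576      0 LISTEN
      *.77                 *.*                0      0 24576      0 LISTEN'

# Stand-alone run: report on both samples.
echo "== clean host =="
yppasswd_findings "$PS_CLEAN" "$NET_CLEAN" || echo "no compromise indicators"
echo "== compromised host =="
yppasswd_findings "$PS_COMPROMISED" "$NET_COMPROMISED"
```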
mailx -F buffer Overflow
Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610
Xsun $HOME buffer overflow vulnerability (updated)
Status: Local sgid root exploit.
Workaround: Remove the sgid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108652-35 (Solaris 8), but there are no notes in the README to indicate that they addressed this issue.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561
SNMP to DMI mapper daemon
Status: Remote exploit being actively abused. (Sun bug id 4412996).
Patches: 108870-06 SunOS 5.8_x86, 108869-06 SunOS 5.8
Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7) but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README 108869-05, released on 9th May indicated only a fix for: "Bug id: 4404944 libssasnmp changes the syslog message format"
kcsSUNWIOsolf.so KCMS_PROFILES environment variable
Status: Local suid exploit.
Patches: 107337-02 SunOS 5.7 has been released and the following should be out soon:
111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86
Workaround: Disable suid, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability
Status: Local suid exploit of command line options.
Patches: 107337-02 SunOS 5.7 has been released and the following should be out soon:
111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86
Workaround: Disable suid, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605
CDE dtsession LANG environment variable
Status: Local suid exploit, no patches yet. Exploit available for Solaris x86.
Workaround: On servers not requiring a GUI, the suid can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows/core dump shadow password recovery
Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration
Status: Remote exploit, low impact (allows an attacker to recognise valid usernames).
Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564
NTP buffer overflow
Status: Serious remote exploit.
Workaround: Watch your NTP servers carefully, restricting access by IP address. One contract customer reports that an "emergency fix" can be got from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs Timezone buffer overflow vulnerability
Status: Local suid exploit.
Workaround: Disable suid, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
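Many of the unpatched items above share the same workaround: strip the suid/sgid bit. Patch installs can quietly put those bits back, so here is an added audit script (not from the digest or from JASS) that reports which of the listed binaries still carry a set-id bit and, only when asked with --fix, applies the digest's "chmod -s" workaround. The list below uses the paths the digest gives; entries marked "path assumed" are the usual Solaris locations, which the digest does not state.

```shell
#!/bin/sh
# Added example, not from the digest or JASS: re-check the "remove the
# suid/sgid bit" workarounds recommended above. Paths marked "assumed" are
# the usual Solaris locations and are not given in the digest.

# One entry per line: path, then the digest item it belongs to.
SETID_WORKAROUNDS='/usr/bin/at at language environment overflow
/usr/bin/mail mail $HOME overflow
/usr/bin/mailx mailx -F overflow (path assumed)
/usr/openwin/bin/mailtool mailtool $OPENWINHOME overflow
/opt/SUNWssp/bin/cb_reset cb_reset overflow
/opt/SUNWvts/bin/ptexec ptexec overflow
/usr/bin/ipcs ipcs timezone overflow (path assumed)
/usr/dt/bin/dtsession dtsession LANG overflow (path assumed)'

# setid_state PATH -> prints "missing", "clear", or the bits still set
# ("suid", "sgid" or "suid+sgid"); POSIX test(1) -u/-g read those bits.
setid_state() {
    [ -e "$1" ] || { echo missing; return; }
    bits=""
    [ -u "$1" ] && bits="suid"
    [ -g "$1" ] && bits="${bits:+$bits+}sgid"
    echo "${bits:-clear}"
}

# audit_setid [--fix] < list -> one "STATE path (item)" line per entry.
# With --fix, strips the bits (chmod -s, the digest's workaround) and reports
# "fixed (was ...)". Exit status is the number of entries still set-id.
audit_setid() {
    fix=$1
    left=0
    while read -r path item; do
        state=$(setid_state "$path")
        if [ "$fix" = "--fix" ] && [ "$state" != missing ] && [ "$state" != clear ]; then
            chmod -s "$path" && state="fixed (was $state)"
        fi
        case $state in missing|clear|fixed*) ;; *) left=$((left + 1)) ;; esac
        echo "$state $path ($item)"
    done
    return $left
}

# Stand-alone run: report only, never modify, unless --fix is given.
printf '%s\n' "$SETID_WORKAROUNDS" | audit_setid "$1"
echo "entries still set-id: $?"
```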
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Jun/27/01:
103663-17 SunOS 5.5.1: libresolv, in.named, named-xfer, nslookup & nstest patch
105097-03 SunOS 5.5.1: usr/lib/libsocket.a and usr/lib/libsocket.so.1 patch
103603-16 SunOS 5.5.1: ftp, in.ftpd, in.rexecd and in.rshd patch
104873-07 SunOS 5.5.1: /usr/bin/uustat and other uucp fixes
Solaris 2.6, Jun/26/01:
106301-03 SunOS 5.6: /usr/sbin/in.ftpd patch
106193-06 SunOS 5.6: Patch for Taiwan timezone
106123-05 SunOS 5.6: sgml patch
Solaris 7, Jun/26/01:
107451-06 SunOS 5.7: /usr/sbin/cron patch
Solaris 8, Jun/26/01:
108652-35 X11 6.4.1 Xsun patch
109326-05 SunOS 5.8: libresolv.so.2, in.named patch
111327-02 SunOS 5.8: libsocket patch
108985-03 SunOS 5.8: /usr/sbin/in.rshd patch
109885-05 SunOS 5.8: glm patch
Solaris 8_x86, Jun/25/01:
108653-30 X11 6.4.1_x86: Xsun patch
109327-05 SunOS 5.8_x86: libresolv.so.2, in.named patch
111328-02 SunOS 5.8_x86: libsocket patch
108986-03 SunOS 5.8_x86: /usr/sbin/in.rshd patch
105403-04 SunOS 5.6: ypbind/ypserv patch
105566-11 CDE 1.2: calendar manager patch
105633-56 OpenWindows 3.6: Xsun patch
108804-02 SunOS 5.6: /usr/bin/tip patch
111240-01 SunOS 5.6: Patch to /usr/bin/finger
111560-01 * SunOS 5.6: dmesg security problem
Controlling BSD User Logins - Michael Lucas
http://www.onlamp.com/pub/a/bsd/2001/06/28/Big_Scary_Daemons.html
CVS - Michael Lucas
http://www.onlamp.com/pub/a/bsd/2001/05/03/Big_Scary_Daemons.html
JSP Security for Limiting Access to Application-Internal URLs - Jamie Jaworski
http://www.onjava.com/pub/a/onjava/2001/06/27/java_security.html
Tools of the Trade: Part 1 - Carl Constantine
http://linux.oreillynet.com/pub/a/linux/2001/06/22/linux_security.html
A quick overview of nmap, tcpdump, Ethereal, snort, syslog, and Tripwire.
Solaris Resources at Kempston
http://www.kempston.net/solaris/contents.html
Worksheets for Upgrading and Installing
http://www.sun.com/bigadmin
Linux Authentication Using OpenLDAP, Part One - David "Del" Elson
http://www.securityfocus.com/frames/?focus=linux&content=/focus/linux/articles/openldap.html
This is the first of two articles that will discuss an overview of LDAP, installing and configuring OpenLDAP, migrating to OpenLDAP and setting up LDAP queries.
Solaris Sources
http://www.sun.com/software/solaris/source/
Since the advent of the Foundation Source Program on November 30, 2000, the source code has been downloaded or sent via media kit over 2,000 times. However, recent activity has indicated that those companies and individuals who desired access to the Solaris 8 source code have done so already. Therefore, Sun is ending the Solaris 8 Foundation Source Program effective June 30, 2001. In addition, both the secure chat and code-exchange sites will also be canceled on this date.
Opera 5 for Solaris Released
http://www.opera.com/pressreleases/20010619.html
Opera Software has released Opera 5 for Solaris Beta 1. Opera 5 for Solaris supports the following features:
- Fast rendering of pages. Opera is the fastest full-featured browser on the market today.
- Easy keyboard navigation. Opera's easy keyboard shortcuts save time as well as benefit people with disabilities.
- Instant toggling of image and documents settings. For even faster browsing, images can be turned on/off with just the press of a key.
- Multiple windows support. Inside Opera, users may browse in several windows at once, without straining system resources.
- Zooming. Opera users can zoom in on a page up to 1000 percent, be it text or images.
- Resume download. In the transfer window, downloads can be resumed if interrupted.
- Small size. Opera is only a 2 MB download so updating to the latest version available is always fast and easy.
Comment: I'm a bit of an Opera fan myself. Great to see it on Solaris at last.
Although its work is far from complete, the Intrusion Detection Exchange Format working group (IDWG) in April released a revised draft of its Intrusion Alert Protocol (IAP). The group eventually hopes to create a protocol that will enable the easy exchange and analysis of attack data from multiple IDSes.
http://www.infosecuritymag.com/articles/june01/columns_standards_watch.shtml
Introduction to Network-Based Intrusion Detection Systems Using Snort - Roberto Nibali
http://www.unixreview.com/articles/2001/0106/0106j/0106j.htm
This article will provide a basic overview of today's ID systems. It doesn't aim to be complete but gives a good starting point for further information. I will talk about different architecture approaches for ID systems, host and network based, to improve overall security for your business. A general security framework using Snort as the basic Open Source IDS tool will be presented together with some suggestions on how to generate audit trails, anomaly event generation, and central logging over syslog(-ng).
06/19/01 Gauntlet on Solaris (again)
http://www.securityfocus.com/templates/archive.pike?list=92&tid=192193&fromthread=0&threads=1&end=2001-06-23&start=2001-06-17&
06/19/01 Sun ARP Implementation
http://www.securityfocus.com/templates/archive.pike?list=92&tid=192192&fromthread=0&threads=1&end=2001-06-23&start=2001-06-17&
YASSP beta 15 is still current. See also http://www.yassp.org .
Discussions this week:
Re: cisecurity audit tool vs YASSP
http://www.theorygroup.com/Archive/YASSP/2001/msg00215.html
Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include Tripwire and BIND.
Auditing and Intrusion Monitoring tools include Snort, IDScenter, SARA, PIKT, FireStorm NIDS, StMichael LKM and Samhain.
Firewalls for UNIX/Linux/BSD & Cross-platform include GshieldConf and Astaro Security Linux.
Tools for Linux/Unix/Cross Platform include Ngrep, FreeS/Wan, FreeS/Wan Config, APG, SILC, Zebedee, BorZoi and Solaris Security Toolkit.
Tools for Windows include AntiVirPersonal Edition and LibnetNT.
JASS stands for JumpStart Architecture and Security Scripts (Toolkit). The primary goal behind the development of this Toolkit was to simplify and automate the process of securing Solaris systems through JumpStart or in a standalone mode. It implements the recommendations of Sun's BluePrints security articles.
Jass v0.3 was released last week and we gave you a description of what it's all about in 'Tip of the Week'. This time we take it for a test-drive and present you with the results.
We start off with an example of running Jass on a new Solaris 8 workstation installed with a 'user bundle'. An example log of the output is at [1].
First we install Jass:
pkgadd SUNWjass-0.3.pkg
Then we run the default Jass hardening for standalone use:
/opt/SUNWjass/jass-execute -d secure.driver
On rebooting it was surprising to find many daemons still running:
Although inetd is running, no services are available in inetd.conf.
BSM auditing is enabled. I have mixed feelings about this due to the patches needed to make it work, the logs it generates, and the problems with root crontabs. It does however create the 'root.au' file. See also [3].
Sendmail is left running in queue mode (will deliver but not accept remote emails), which is fine.
The following daemons are left running because they're not considered risky. Personally, I prefer to stop every daemon that is not strictly necessary:
root 230 1 0 10:18:21 ? 0:00 /usr/sbin/nscd
root 240 1 0 10:18:22 ? 0:00 /usr/lib/utmpd
root 43 1 0 10:17:59 ? 0:00 /usr/lib/devfsadm/devfseventd
root 45 1 0 10:18:00 ? 0:00 /usr/lib/devfsadm/devfsadmd
Next we try the 'undo' feature which allows us to go back to the configuration before Jass was run. It very nicely asks us which 'Jass run' we would like to undo:
/opt/SUNWjass/jass-execute -u
The undo seems to work fine, except for BSM auditing which is not cleanly removed, see also the undo log [4].
Jass can be run several times, and the undo can remove the effects of each previous run or all runs. Nice.
This time, we customise Jass a bit, for a more real-world experience and let it run:
A patch bundle is copied to /opt/SUNWjass/Patches and the script Finish/install-recommended-patches.fin was adapted so that 'install_cluster' was called with the '-nosave' option. On a new install, I don't see the point in saving old patches and tying up tens of megabytes of space.
In addition, /opt/SUNWjass/Drivers/user.init was created with some custom settings, to tailor behaviour for this system:
# user.init
# sb, 26.Jun.01
JASS_AGING_MAXWEEKS="26"
JASS_LOGIN_RETRIES="5"
JASS_PASS_LENGTH="6"
JASS_SENDMAIL_MODE="\"\""
JASS_TMPFS_SIZE="100m"
JASS_UMASK="027"
Next step was to add a new script, Finish/disable-nscd.fin, which disables the nscd daemon (since it's not needed for our test system), containing:
# disable-nscd.fin: run by jass-execute, which provides disable_rc_file and the JASS_* variables
echo "Disabling nscd startup and shutdown scripts"
echo ""
# Kill scripts are only disabled when JASS_KILL_SCRIPT_DISABLE is set
if [ "${JASS_KILL_SCRIPT_DISABLE}" = "1" ]; then
    disable_rc_file ${JASS_ROOT_DIR}/etc/rcS.d K40nscd
    disable_rc_file ${JASS_ROOT_DIR}/etc/rc0.d K40nscd
    disable_rc_file ${JASS_ROOT_DIR}/etc/rc1.d K40nscd
fi
# The start script is always disabled
disable_rc_file ${JASS_ROOT_DIR}/etc/rc2.d S76nscd
Then we add 'disable-nscd.fin' to the JASS_SCRIPTS section of Drivers/hardening.driver, to activate the above script.
Finally we set Jass running with the usual command:
/opt/SUNWjass/jass-execute -d secure.driver
Jass is an interesting tool, well worth checking out.
[0] 'Tip of the Week' that gave an overview of Jass - last week:
http://securityportal.com/topnews/weekly/solaris20010625.html
[1] Log of Jass install and standalone configuration
www.boran.com/security/sp/solaris/jass03_install.txt
[2] Log of Jass install and standalone configuration
www.boran.com/security/sp/solaris/jass03_startup.txt
[3] Solaris C2/BSM security notes - Sean Boran
www.boran.com/security/sp/Solaris_bsm.html
[4] Log of Jass 'undo'
www.boran.com/security/sp/solaris/jass03_undo.txt
Discussion form for Jass feedback:
http://supportforum.sun.com/cgi-bin/WebX.cgi?/security.jass.toolkit
If you have tips you'd like to share with others, contact us.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.