Weekly Solaris Security Digest
2001/07/01 to 2001/07/08

By Seán Boran (sean at boran.com)

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html



New Solaris Vulnerabilities this Week

whodo environment variable overflow

Severity: A user with a local account may gain root privileges. Exploit published. SunOS 5.5.1 and later are vulnerable.
Workaround: remove the SUID bit from /usr/sbin/sparcv9/whodo and /usr/sbin/sparcv7/whodo (SunOS 5.8 SPARC), /usr/sbin/i86/whodo (SunOS 5.8 and 5.7 Intel) or /usr/sbin/whodo (SunOS 5.5.1). Side effect: only root can use the 'whodo' command.
http://archives.neohapsis.com/archives/bugtraq/2001-07/0076.html

Vulnerabilities this Week — Third-party Applications:

Oracle 8i SQLNet Denial of Service Vulnerability
http://www.cert.org/advisories/CA-2001-16.html

A denial of service vulnerability exists in Oracle 8i. An attacker connecting to the host and sending a malformed SQLNet (Type-1) connection request could cause the host to stop responding.
Workaround: The patch is reported to be still unavailable; when released it will be posted on the Oracle MetaLink support website, http://metalink.oracle.com, and forthcoming updates will provide additional information. Until fixes are obtainable, administrators should block network access to the listener.


Bugtraq Database:

2001-07-02: Xvt -T Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2964

2001-07-02: Xvt Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2955

2001-07-02: Citrix Nfuse Webroot Disclosure Vulnerability
http://www.securityfocus.com/bid/2956

2001-07-02: phpMyAdmin Included File Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/bid/2966

2001-07-02: phpPgAdmin Included File Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/bid/2967

2001-07-02: Lotus Domino Server Cross Site Scripting Vulnerability
http://www.securityfocus.com/bid/2962

2001-06-30: PHP SafeMode Arbitrary File Execution Vulnerability
http://www.securityfocus.com/bid/2954

2001-06-28: Oracle 8i TNS Listener Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2941

2001-06-28: Active Classifieds Arbitrary Code Execution Vulnerability
http://www.securityfocus.com/bid/2942

2001-06-27: Gnatsweb Remote Command Execution Vulnerability
http://www.securityfocus.com/bid/2938


Solaris vulnerabilities pending

Over the last few weeks/months, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.

Summary: several exploit samples released and patches for ftp, ypbind and kcms are available. If you use NIS/YP, apply the ypbind patch very soon.

libsldap buffer overflow in $LDAP_OPTIONS (updated)

Severity: a local user may gain root privileges on Solaris 8. Exploit published.
Workaround: replace the existing 'libsldap.so' with a 'dummy' version that does not contain the offending code. This may limit or break the functionality of some utilities.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0344.html

Print Protocol Daemon (in.lpd) Remote Buffer Overflow

Severity: a remote user may gain root privileges via an overflow in the in.lpd daemon. No known exploits published, yet.
Patches: No patches available yet, but the following have been announced:
Solaris 8.0_x86: 109321-04
Solaris 8.0: 109320-04
Solaris 7.0_x86: 107116-08
Solaris 7.0: 107115-08
Solaris 2.6_x86: 106236-09
Solaris 2.6: 106235-09
Workaround: apply network access control to the service (with tcp wrappers), disable 'in.lpd' in inetd.conf, or better still disable inetd altogether. If inetd is enabled and needed, disable ALL services that are not necessary.
http://xforce.iss.net/alerts/advise80.php
http://www.securityfocus.com/bid/2894
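The inetd.conf part of the workaround above, as an added example that is not Sun's code nor the digest author's: a small script that comments a named service out of an inetd.conf-style file, keeps a timestamped backup, and lists the services still enabled so the "disable ALL services that are not necessary" advice can be checked. The sample file it writes is constructed; the in.lpd line follows the Solaris 8 layout (service name "printer"), but treat the in.lpd path as an assumption. On Solaris use nawk, because the old /usr/bin/awk lacks -v.

```shell
#!/bin/sh
# Added example for this digest (not Sun's or the author's code): comment a
# service out of an inetd.conf-style file, keep a backup, and list what is
# still enabled. The sample file is constructed; the in.lpd line follows the
# Solaris 8 layout (service name "printer"), but treat that path as assumed.
# Solaris: use nawk, since the old /usr/bin/awk lacks -v.

# Write a constructed sample inetd.conf to the given path.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/inet/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
printer stream  tcp     nowait  root    /usr/lib/print/in.lpd   in.lpd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
}

# Comment out every enabled line whose first field is the service name.
# A timestamped copy of the file is kept beside it; the edit goes through a
# temp file because Solaris sed/awk have no in-place option.
disable_inetd_service() {
    conf=$1
    svc=$2
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the first field (service name) of every line that is still enabled.
enabled_inetd_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# Demo on the constructed sample, not on the real /etc/inet/inetd.conf.
SAMPLE=${TMPDIR:-/tmp}/inetd.conf.sample.$$
make_sample_inetd_conf "$SAMPLE"
echo "enabled before: $(enabled_inetd_services "$SAMPLE" | tr '\n' ' ')"
disable_inetd_service "$SAMPLE" printer
echo "enabled after:  $(enabled_inetd_services "$SAMPLE" | tr '\n' ' ')"
rm -f "$SAMPLE" "$SAMPLE".bak.*
```

After editing the real /etc/inet/inetd.conf, send inetd a SIGHUP (on Solaris 8: kill -HUP `pgrep inetd`) so it rereads the file, then run enabled_inetd_services on it and confirm only the services you actually need remain.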

/opt/SUNWssp/bin/cb_reset

Severity: a local user may gain root privileges by overflowing the cb_reset setuid root command in the SUNWssp package (not in the standard install). No known exploits published, yet.
Workaround: remove the SUNWssp package if not needed, or remove the suid bit from cb_reset. Side effects: only root can use cb_reset.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0265.html
http://www.securityfocus.com/bid/2893

/opt/SUNWvts/bin/ptexec

Severity: a local user may gain root privileges by overflowing the ptexec setuid root command in the SUNWvts package (not in the standard install). No known exploits published, yet.
Workaround: remove the SUNWvts package if not needed, or remove the suid bit from ptexec. Side effects: only root can use ptexec.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0282.html
http://www.securityfocus.com/bid/2898

/usr/bin/at language environment overflow  (updated)

Severity: A user with a local account may gain root privileges. Exploit published.
Workaround: disable the suid bit. Side effect: only root can use the 'at' command.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0134.html

/usr/bin/mail $HOME Buffer Overflow Vulnerability

Severity: a user with a local account may gain mail privileges.
Workaround: disable the sgid bit.
http://www.securityfocus.com/vdb/bottom.html?vid=2819

mailtool buffer overflow in $OPENWINHOME

Severity: a user with a local account may gain mail privileges. Exploit released. Sun Bug ID: 4458476.
Workaround: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html

rpc.yppasswdd buffer overflow

Severity: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.

Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php  
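The two checks given above (is rpc.yppasswdd running, and are the post-exploitation signs "inetd -s z" and a listener on tcp/77 present) as an added example, not Sun's code nor the digest author's. The ps and netstat excerpts it contains are constructed for the demo; on a live host pass the real output of "ps -ef" and "netstat -an" (the -n matters: without it netstat prints the service name "rje" instead of 77). It avoids grep -q, which Solaris /usr/bin/grep does not have.

```shell
#!/bin/sh
# Added example for this digest (not Sun's or the author's code): test the
# indicators given above for the rpc.yppasswdd issue against "ps -ef" and
# "netstat -an" text. Both samples below are constructed, not from a real host;
# on a live system pass the real command output instead.

# Constructed "ps -ef" excerpt: yppasswdd up, plus the "inetd -s z" sign.
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0   Jun 25 ?        0:01 /etc/init -
    root   145     1  0   Jun 25 ?        0:00 /usr/sbin/inetd -s
    root   180     1  0   Jun 25 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd -D /var/yp
    root  2213     1  0 14:02:11 ?        0:00 /usr/sbin/inetd -s z'

# Constructed "netstat -an" excerpt with a listener on tcp/77 (rje).
SAMPLE_NETSTAT='      *.22                 *.*                0      0 24576      0 LISTEN
      *.77                 *.*                0      0 24576      0 LISTEN
      *.111                *.*                0      0 24576      0 LISTEN'

# Plain grep with >/dev/null rather than -q, which Solaris /usr/bin/grep lacks.

# Status 0 if rpc.yppasswdd appears in the ps text.
yppasswdd_running() {
    echo "$1" | grep 'rpc\.yppasswdd' >/dev/null
}

# Status 0 if an inetd carries the "-s z" arguments the digest describes.
inetd_suspicious_args() {
    echo "$1" | grep 'inetd -s z$' >/dev/null
}

# Status 0 if something listens on port 77; "[.:]" covers Solaris "*.77"
# and Linux-style "0.0.0.0:77" notation.
port77_listening() {
    echo "$1" | grep '[.:]77 .*LISTEN' >/dev/null
}

# Print one line per indicator to stderr and echo the number found.
yppasswdd_report() {
    ps_text=$1
    ns_text=$2
    hits=0
    if yppasswdd_running "$ps_text"; then
        echo "NOTE:  rpc.yppasswdd is running; disable it or patch" >&2
        hits=$((hits + 1))
    fi
    if inetd_suspicious_args "$ps_text"; then
        echo "ALERT: inetd running as 'inetd -s z'" >&2
        hits=$((hits + 1))
    fi
    if port77_listening "$ns_text"; then
        echo "ALERT: listener on tcp/77 (rje)" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

echo "indicators in the constructed sample: $(yppasswdd_report "$SAMPLE_PS" "$SAMPLE_NETSTAT")"
```

On a real Solaris 8 host the call is yppasswdd_report "$(ps -ef)" "$(netstat -an)"; run it under /bin/ksh, since the Bourne /bin/sh there lacks $(...) and $((...)). A non-zero count from the last two checks is an incident, not a configuration issue: the digest describes them as the state left behind after exploitation.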


mailx -F buffer Overflow

Severity: local sgid 'mail' exploit.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems, however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610

Xsun $HOME buffer overflow vulnerability

Severity: Local sgid root exploit.
Patches: Recent patches from Sun include 108652-35 (Solaris 8), but there are no notes in the README to indicate that it addresses this issue.
Workaround: Remove the sgid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561

SNMP to DMI mapper daemon

Severity: Remote root exploit being actively abused. (Sun bug id 4412996).
Patches: 108870-06 SunOS 5.8_x86, 108869-06 SunOS 5.8
Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html


kcsSUNWIOsolf.so KCMS_PROFILES environment variable: (updated)

Severity: Local suid root exploit.
Patches: 107337-02 SunOS 5.7, 111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86.
Workaround: Disable suid, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf


kcms_configure vulnerability: (updated)

Severity: Local suid exploit of command line options.
Patches: 107337-02 SunOS 5.7, 111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86.
Workaround: Disable suid, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605


CDE dtsession LANG environment variable

Severity: Local suid root exploit. Exploit available for Solaris x86.
Workaround: On servers not requiring a GUI, the suid bit can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession


ftpd #1 globbing buffer overflows/core dump shadow password recovery (updated)

Severity: A local user might be able to see /etc/shadow contents. Apparently it's not easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow.
Patches: 106301-03 SunOS 5.6, 111607-01 SunOS 5.8_x86, 111606-01 SunOS 5.8.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
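The "watch your ftp servers carefully for core dumps" advice above, as an added example that is not Sun's code nor the digest author's: it lists recent core files below a directory and separately flags the ones readable by other users, which is the case that matters here, since a core left by a crashed in.ftpd is only a problem if a local user can read the /etc/shadow contents inside it. The directory and age are parameters; the demo at the bottom builds a throwaway directory rather than touching a real server.

```shell
#!/bin/sh
# Added example for this digest (not Sun's or the author's code): look for
# recent core files below a directory and flag the ones other users can read,
# which is the case that matters if a crashed in.ftpd has left /etc/shadow
# contents in its core. Directory and age are arguments; the demo below
# builds a throwaway directory instead of touching a real server.

# List (ls -l style) core files modified within the last DAYS days below DIR.
find_recent_cores() {
    find "$1" -type f -name core -mtime -"$2" -exec ls -l {} \; 2>/dev/null
}

# Echo how many such core files exist.
count_recent_cores() {
    find_recent_cores "$1" "$2" | wc -l | tr -d ' '
}

# Print core files below DIR that are readable by "other" (mode ----r--).
world_readable_cores() {
    find "$1" -type f -name core -perm -004 2>/dev/null
}

# Demo on a constructed directory: one fresh, world-readable core file.
DEMO=${TMPDIR:-/tmp}/coredemo.$$
mkdir -p "$DEMO/ftp" && : > "$DEMO/ftp/core" && chmod 644 "$DEMO/ftp/core"
echo "recent cores under $DEMO: $(count_recent_cores "$DEMO" 1)"
echo "world-readable: $(world_readable_cores "$DEMO" | tr '\n' ' ')"
rm -rf "$DEMO"
```

On a server the call would be something like count_recent_cores / 1 from cron, with world_readable_cores as the line that should always come back empty. Solaris 8 ships coreadm(1M), which can set a core file name pattern and restrict where cores are written; if a pattern is in use, change the -name test to match it.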


ftpd #2 CWD Username Enumeration

Severity: Remote exploit, low impact (allows an attacker to recognise valid usernames).
Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564


NTP buffer overflow

Severity:  remote root exploit.
Workaround: Watch your NTP servers carefully and restrict access by IP address. One Sun contract customer reports that an "emergency fix" can be had from Sun. Alternatively, install the latest public-domain ntpd rather than the one distributed with Solaris.
http://securityfocus.com/vdb/bottom.html?vid=2540  


ipcs Timezone buffer overflow vulnerability

Severity: Local suid root exploit.
Workaround: Disable suid, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
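Most workarounds in this digest come down to one operation: the whodo item under "New Solaris Vulnerabilities this Week" and the cb_reset, ptexec, at, mail, mailtool, mailx, Xsun, dtsession and ipcs items in the list above all say "remove the suid/sgid bit until a patch ships". The script below is an added example, not Sun's tooling nor the digest author's: it reports which of those binaries still carry an s-bit and, only when run with "--apply ROLLBACK_FILE", strips the bits after recording the old "ls -ld" line so the change can be undone once the patch is installed. Paths the digest names are used as given; /usr/bin/mailx, /usr/openwin/bin/Xsun, /usr/dt/bin/dtsession and /usr/bin/ipcs are assumed standard locations. Run it under /bin/ksh on Solaris 8, since the Bourne /bin/sh lacks $(...) and $((...)).

```shell
#!/bin/sh
# Added example for this digest (not Sun's or the author's code): audit the
# setuid/setgid binaries named in the workarounds and, only on request, strip
# the s-bits while keeping a rollback record.
#   sh sbit_audit.sh                                 -> report only
#   sh sbit_audit.sh --apply /var/tmp/sbit.rollback  -> strip and record
# Run under /bin/ksh on Solaris 8; /bin/sh there lacks $(...) and $((...)).

# Paths named in the digest; the last four are assumed standard locations.
DIGEST_PATHS="/usr/sbin/sparcv9/whodo /usr/sbin/sparcv7/whodo /usr/sbin/i86/whodo
/usr/sbin/whodo /opt/SUNWssp/bin/cb_reset /opt/SUNWvts/bin/ptexec
/usr/bin/at /usr/bin/mail /usr/openwin/bin/mailtool
/usr/bin/mailx /usr/openwin/bin/Xsun /usr/dt/bin/dtsession /usr/bin/ipcs"

# Classify one path: missing, suid, sgid, suid+sgid or clean.
sbit_state() {
    f=$1
    if [ ! -e "$f" ]; then echo missing; return 0; fi
    state=""
    if [ -u "$f" ]; then state="suid"; fi
    if [ -g "$f" ]; then
        if [ -n "$state" ]; then state="$state+sgid"; else state="sgid"; fi
    fi
    echo "${state:-clean}"
}

# Strip both s-bits from one path, first appending its "ls -ld" line to the
# rollback file (ls is used because Solaris 8 ships no stat(1)).
strip_sbits() {
    f=$1
    rollback=$2
    if [ ! -e "$f" ]; then return 0; fi
    ls -ld "$f" >> "$rollback" || return 1
    chmod u-s,g-s "$f"
}

# Print a "state path" line per path to stderr; echo how many still carry
# an s-bit, so a caller can act on the number.
count_sbits() {
    n=0
    for p in $1; do
        st=$(sbit_state "$p")
        printf '%-10s %s\n' "$st" "$p" >&2
        case $st in suid*|sgid) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

if [ "$1" = "--apply" ] && [ -n "$2" ]; then
    for p in $DIGEST_PATHS; do
        strip_sbits "$p" "$2" || echo "could not change $p" >&2
    done
fi
echo "binaries still carrying an s-bit: $(count_sbits "$DIGEST_PATHS")"
```

The report mode is safe to run on any host; the apply mode changes permissions and needs root. Keep the rollback file, and re-run the report after installing a Sun patch, because patches may reinstall the binary with its s-bit set again.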


Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the reports from the previous week.

  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.

1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Jun/29/01:

108083-01 SunOS 5.5.1: Dump patch
105165-04 SunOS 5.5.1: /usr/lib/netsvc/yp/ypbind patch

Solaris 2.6, Jun/29/01:

105580-18 SunOS 5.6: /kernel/drv/glm patch
105472-08 SunOS 5.6: /usr/lib/autofs/automountd patch
106468-04 SunOS 5.6: /usr/bin/cu and usr/bin/uustat patch
107490-01 SunOS 5.6: savecore doesn't work if swap slice is over 2G
111664-01 SunOS 5.6: bzip patch
105181-28 SunOS 5.6: Kernel update patch
105568-23 SunOS 5.6: /usr/lib/libthread.so.1 patch

Solaris 7, Jun/29/01:    

Solaris 8, Jun/29/01:

Solaris 8_x86, Jun/29/01:


2. New or updated individual security/recommended patches.

105181-28 SunOS 5.6: Kernel update patch
106123-05 SunOS 5.6: sgml patch
106193-06 SunOS 5.6: Patch for Taiwan timezone
106301-03 SunOS 5.6: /usr/sbin/in.ftpd patch
106468-04 SunOS 5.6: /usr/bin/cu and usr/bin/uustat patch

106942-17 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch
106952-02 SunOS 5.7: /usr/bin/uux patch
107038-02 SunOS 5.7: apropos/catman/man/whatis patch
107451-06 SunOS 5.7: /usr/sbin/cron patch
108750-02 SunOS 5.7: /usr/lib/netsvc/yp/ypbind patch
108798-02 SunOS 5.7: /usr/bin/tip patch
111242-01 SunOS 5.7: Patch to /usr/bin/finger

108985-03 SunOS 5.8: /usr/sbin/in.rshd patch
109326-05 SunOS 5.8: libresolv.so.2, in.named patch
110322-01 SunOS 5.8: /usr/lib/netsvc/yp/ypbind patch
111400-01 * SunOS 5.8: KCMS configure tool has a security vulnerability
111570-01 * SunOS 5.8: uucp patch
111606-01 * SunOS 5.8: /usr/sbin/in.ftpd patch

108774-10 SunOS 5.8_x86: IIIM and X Input & Output Method patch
108986-03 SunOS 5.8_x86: /usr/sbin/in.rshd patch
109327-05 SunOS 5.8_x86: libresolv.so.2, in.named patch
109401-09 * SunOS 5.8_x86: Updated video drivers and fixes
110323-01 SunOS 5.8_x86: /usr/lib/netsvc/yp/ypbind patch
111401-01 * SunOS 5.8_x86: KCMS configure tool has a security vulnerability
111571-01 * SunOS 5.8_x86: uucp patch
111607-01 * SunOS 5.8_x86: /usr/sbin/in.ftpd patch


News & Articles

The Open Source Security Testing Methodology Manual - Draft 2- Peter Vincent Herzog
http://uk.osstmm.org/osstmm.htm

The Secure Programming Standards Methodology Manual - Draft 0.5 - Victor A. Rodriguez
http://uk.osstmm.org/spsmm.htm

Available in English - Catalan - Spanish - Italian - German - French - Russian


O'Reilly Net

Tools of the Trade: Part 2 - Carl Constantine
http://linux.oreillynet.com/pub/a/linux/2001/06/29/tools_two.html

A quick overview of Tcpdump and Tripwire.


SecurityFocus

Secure Online Behavior, Part Three: Using the World Wide Web - Sunil Hazari
http://www.securityfocus.com/frames/?focus=basics&content=/focus/basics/articles/sechabits3.html

This is the third article in a three-part series devoted to helping readers develop secure habits when using the various components of the Internet. While software programs such as firewalls, intrusion detection systems (IDSs) and antivirus software can provide protection, the best way for users to ensure their security while surfing the Web is to learn and practice secure behaviour.


Intrusion Detection Systems Terminology, Part One: A-H - A. Cliff
http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/idsterms.html

The terminology associated with IDS is growing rapidly. This article is intended to introduce readers to some IDS terminology, some of it basic and relatively common, some of it somewhat more obscure.


LinuxSecurity

Encrypted Tunnels using SSH and MindTerm HOWTO - Duane Dunston
http://www.linuxsecurity.com/docs/HOWTO/MindTerm-SSH-HOWTO/index.html

This document describes how to use SSH and the Java-based program MindTerm to create quick, secure, and reliable VPN-like tunnels over insecure networks.


How to stop a service denial attack before it stops you - Shawn P. McCarthy
http://www.gcn.com/vol20_no17/news/4573-1.html

It’s not easy to defend a federal Web server against distributed service denial attacks. For years now, the government has been under the gun in an undeclared cyberwar with hackers around the globe. The simplest and so far the most common attack is denial of service, which keeps a server so busy with fake data traffic that it can’t do its real job.

SolarisGuide

Sun reverses course, continues offering source code for Solaris 8
http://www.solarisguide.com/news_story.php3?ltsn=2001-07-01-001-05-NW-BU


Mailing Lists

Focus-Sun Discussions Threads

07/03/01 Installing RSA-SecurID on Solaris8
http://www.securityfocus.com/archive/92/194784

07/03/01 Solaris 8 in.rshd/in.rexecd/in.rlogind intertwined madness !?
http://www.securityfocus.com/archive/92/194785

06/29/01 Permission on /etc/passwd?
http://www.securityfocus.com/archive/92/194540


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org.

No discussions this week.


Security Tools

Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include OpenSSH SRP, SFTP and BIND.
Auditing and Intrusion Monitoring tools include ACID, RazorBack, SAINT, PIKT, LIDS, Samhain.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, IP Filter, Securepoint Firewall Server SB.
Tools for Linux/Unix/Cross Platform include Hypersec Linux Kernel Patch, Mcrypt, LibMcrypt, HardEncrypt and OtpCalc.
Tools for Windows include Without A Trace and BackOfficer Friendly.


Tip of the Week: Solaris Tips: Jan-Jun. 2001

The Solaris Security Digest came to life in May 2000, and each week we have tried to include a useful tip. The following document collects those tips in FAQ style for the first six months of 2001. http://securityportal.com/articles/solaristips20010706.html

The previous six months, May to Dec 2000, are also available:
http://securityportal.com/articles/solaristips20001220.html


If you have tips you'd like to share with others, contact us.


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.