By Seán Boran (sean at boran.com)
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
whodo environment variable overflow
Severity: A user with a local account may gain root privileges. Exploit published. SunOS 5.5.1 and later are vulnerable.
Workaround: remove the SUID from /usr/sbin/sparcv9/whodo /usr/sbin/sparcv7/whodo (SunOS 5.8 Sparc) /usr/sbin/i86/whodo (SunOS 5.8, 5.7 Intel) /usr/sbin/whodo (SunOS 5.5.1). Side effect: only root can use the 'whodo' command.
http://archives.neohapsis.com/archives/bugtraq/2001-07/0076.html
Oracle 8i SQLNet Denial of Service Vulnerability
http://www.cert.org/advisories/CA-2001-16.html
A denial of service vulnerability exists in Oracle 8i. An attacker connecting to the host and sending a malformed SQLNet (Type-1) connection request could cause the host to stop responding.
Workaround: It has been reported that the patch is still unavailable. Forthcoming updates will provide additional information when it becomes available. Until fixes are obtainable, administrators should block network access to the listener. The patch, once released, will be available at the Oracle MetaLink support website: http://metalink.oracle.com.
Bugtraq Database:
2001-07-02: Xvt -T Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2964
2001-07-02: Xvt Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2955
2001-07-02: Citrix Nfuse Webroot Disclosure Vulnerability
http://www.securityfocus.com/bid/2956
2001-07-02: phpMyAdmin Included File Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/bid/2966
2001-07-02: phpPgAdmin Included File Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/bid/2967
2001-07-02: Lotus Domino Server Cross Site Scripting Vulnerability
http://www.securityfocus.com/bid/2962
2001-06-30: PHP SafeMode Arbitrary File Execution Vulnerability
http://www.securityfocus.com/bid/2954
2001-06-28: Oracle 8i TNS Listener Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2941
2001-06-28: Active Classifieds Arbitrary Code Execution Vulnerability
http://www.securityfocus.com/bid/2942
2001-06-27: Gnatsweb Remote Command Execution Vulnerability
http://www.securityfocus.com/bid/2938
Over the last few weeks/months, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
Summary: several exploit samples released and patches for ftp, ypbind and kcms are available. If you use NIS/YP, apply the ypbind patch very soon.
libsldap buffer overflow in $LDAP_OPTIONS (updated)
Severity: a local user may gain root privileges on Solaris 8. Exploit published.
Workaround: replace the existing 'libsldap.so' with a 'dummy' version that does not contain the offending code. This may limit or break functionality of some of the utilities.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0344.html
Print Protocol Daemon (in.lpd) Remote Buffer Overflow
Severity: a remote user may gain root privileges via an overflow in the in.lpd daemon. No known exploits published, yet.
Patches: No patches available yet, but patches have been announced:
Solaris 8.0_x86: 109321-04 Solaris 8.0: 109320-04 Solaris 7.0_x86: 107116-08 Solaris 7.0: 107115-08 Solaris 2.6_x86: 106236-09 Solaris 2.6: 106235-09
Workaround: either apply network access control to the service (with tcp wrappers) or disable 'in.lpd' (in inetd.conf) or even better, disable inetd. If inetd is enabled and needed, disable ALL services that are not necessary.
http://xforce.iss.net/alerts/advise80.php
http://www.securityfocus.com/bid/2894
/opt/SUNWssp/bin/cb_reset
Severity: a local user may gain root privileges by overflowing the cb_reset setuid root command in the SUNWssp package (not in the standard install). No known exploits published, yet.
Workaround: remove the SUNWssp package if not needed, or remove the suid bit from cb_reset. Side effects: only root can use cb_reset.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0265.html
http://www.securityfocus.com/bid/2893
/opt/SUNWvts/bin/ptexec
Severity: a local user may gain root privileges by overflowing the ptexec setuid root command in the SUNWvts package (not in the standard install). No known exploits published, yet.
Workaround: remove the SUNWvts package if not needed, or remove the suid bit from ptexec. Side effects: only root can use ptexec.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0282.html
http://www.securityfocus.com/bid/2898
/usr/bin/at language environment overflow (updated)
Severity: A user with a local account may gain root privileges. Exploit published.
Workaround: disable the suid bit. Side effect: only root can use the 'at' command.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0134.html
/usr/bin/mail $HOME Buffer Overflow Vulnerability
Severity: a user with a local account may gain mail privileges.
Workaround: disable the sgid bit.
http://www.securityfocus.com/vdb/bottom.html?vid=2819
mailtool buffer overflow in $OPENWINHOME
Severity: a user with a local account may gain mail privileges. Exploit released. Sun Bug ID: 4458476.
Workaround: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html
rpc.yppasswdd buffer overflow
Severity: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.
Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php
mailx -F buffer Overflow
Severity: local sgid 'mail' exploit.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610
Xsun $HOME buffer overflow vulnerability
Severity: Local sgid root exploit.
Patches: Recent patches from Sun include 108652-35 (Solaris 8), but there are no notes in the README to indicate that they addressed this issue.
Workaround: Remove the sgid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561
SNMP to DMI mapper daemon
Severity: Remote root exploit being actively abused. (Sun bug id 4412996).
Patches: 108870-06 SunOS 5.8_x86, 108869-06 SunOS 5.8
Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
kcsSUNWIOsolf.so KCMS_PROFILES environment variable: (updated)
Severity: Local suid root exploit.
Patches: 107337-02 SunOS 5.7, 111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86.
Workaround: Disable suid, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability: (updated)
Status: Local suid exploit of command line options.
Patches: 107337-02 SunOS 5.7, 111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86.
Workaround: Disable suid, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605
CDE dtsession LANG environment variable
Severity: Local suid root exploit. Exploit available for Solaris x86.
Workaround: On servers not requiring a GUI, the suid bit can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows/core dump shadow password recovery (updated)
Severity: A local user might be able to see /etc/shadow contents. Apparently it's not easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow.
Patches: 106301-03 SunOS 5.6, 111607-01 SunOS 5.8_x86, 111606-01 SunOS 5.8.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration
Severity: Remote exploit, low impact (allows an attacker to recognise valid usernames).
Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564
NTP buffer overflow
Severity: remote root exploit.
Workaround: Watch your NTP servers carefully, restricting access by IP address. One Sun contract customer reports that an "emergency fix" can be had from Sun. Alternatively, install the latest public-domain ntpd rather than the one distributed with Solaris.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs Timezone buffer overflow vulnerability
Severity: Local suid root exploit.
Workaround: Disable suid, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
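Most of the workarounds above come down to two checks: has the suid/sgid bit really been removed from the listed binary, and which inetd services are still enabled. The following audit script is an added example, not code from the digest or from Sun; it uses the paths the digest names, and the locations assumed for mailx, Xsun, kcms_configure, dtsession and ipcs are the standard Solaris ones.

```shell
#!/bin/sh
# Added audit helper for the workarounds in this digest (not code from the digest).
# 1) Report the suid/sgid state of the set-id binaries the digest names.
# 2) List the services still enabled in an inetd.conf (the in.lpd workaround).

# Print "<path> suid|sgid|suid+sgid|clean|absent", one line per argument.
# "absent" covers packages such as SUNWssp/SUNWvts that are not installed.
setid_status() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "$p absent"
        elif [ -u "$p" ] && [ -g "$p" ]; then
            echo "$p suid+sgid"
        elif [ -u "$p" ]; then
            echo "$p suid"
        elif [ -g "$p" ]; then
            echo "$p sgid"
        else
            echo "$p clean"
        fi
    done
}

# Print the service name (first field) of every uncommented entry in the
# inetd.conf given as $1; 'printer' is the in.lpd entry the digest discusses.
inetd_enabled() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 { print $1 }'
}

# Binaries whose set-id bit the digest suggests removing. The mailx, Xsun,
# kcms_configure, dtsession and ipcs paths are assumed standard locations.
DIGEST_SETID_BINS="/usr/sbin/whodo /usr/sbin/sparcv9/whodo /usr/sbin/sparcv7/whodo
/usr/sbin/i86/whodo /usr/bin/at /usr/bin/mail /usr/bin/mailx
/usr/openwin/bin/mailtool /usr/openwin/bin/Xsun /usr/openwin/bin/kcms_configure
/usr/dt/bin/dtsession /usr/bin/ipcs /opt/SUNWssp/bin/cb_reset /opt/SUNWvts/bin/ptexec"

# Stand-alone run: audit the digest's binaries and the live inetd.conf, if readable.
setid_status $DIGEST_SETID_BINS
if [ -r /etc/inetd.conf ]; then
    echo "enabled inetd services:"
    inetd_enabled /etc/inetd.conf
fi
```

Any binary still reported as suid or sgid after a "chmod -s" workaround, or a 'printer' line still enabled after disabling in.lpd, means the workaround did not take effect (for example because a patch or package reinstall restored the permissions).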
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Jun/29/01:
108083-01 SunOS 5.5.1: Dump patch
105165-04 SunOS 5.5.1: /usr/lib/netsvc/yp/ypbind patch
Solaris 2.6, Jun/29/01:
105580-18 SunOS 5.6: /kernel/drv/glm patch
105472-08 SunOS 5.6: /usr/lib/autofs/automountd patch
106468-04 SunOS 5.6: /usr/bin/cu and usr/bin/uustat patch
107490-01 SunOS 5.6: savecore doesn't work if swap slice is over 2G
111664-01 SunOS 5.6: bzip patch
105181-28 SunOS 5.6: Kernel update patch
105568-23 SunOS 5.6: /usr/lib/libthread.so.1 patch
Solaris 7, Jun/29/01:
107038-02 SunOS 5.7: apropos/catman/man/whatis patch
106952-02 SunOS 5.7: /usr/bin/uux patch
108331-01 SunOS 5.7: /usr/bin/uustat patch
108798-02 SunOS 5.7: /usr/bin/tip patch
106942-17 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch
110646-02 SunOS 5.7: /usr/sbin/in.ftpd Patch
111666-01 SunOS 5.7: bzip patch
Solaris 8, Jun/29/01:
111363-01 SunOS 5.8: /usr/sbin/installf patch
109324-02 SunOS 5.8: sh/jsh/rsh/pfsh patch
110322-01 SunOS 5.8: /usr/lib/netsvc/yp/ypbind patch (remote root vulnerability)
108727-07 SunOS 5.8: /kernel/fs/nfs and /kernel/fs/sparcv9/nfs patch
Solaris 8_x86, Jun/29/01:
108774-10 SunOS 5.8_x86: IIIM and X Input & Output Method patch
110323-01 SunOS 5.8_x86: /usr/lib/netsvc/yp/ypbind patch
105181-28 SunOS 5.6: Kernel update patch
106123-05 SunOS 5.6: sgml patch
106193-06 SunOS 5.6: Patch for Taiwan timezone
106301-03 SunOS 5.6: /usr/sbin/in.ftpd patch
106468-04 SunOS 5.6: /usr/bin/cu and usr/bin/uustat patch
106942-17 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch
106952-02 SunOS 5.7: /usr/bin/uux patch
107038-02 SunOS 5.7: apropos/catman/man/whatis patch
107451-06 SunOS 5.7: /usr/sbin/cron patch
108750-02 SunOS 5.7: /usr/lib/netsvc/yp/ypbind patch
108798-02 SunOS 5.7: /usr/bin/tip patch
111242-01 SunOS 5.7: Patch to /usr/bin/finger
108985-03 SunOS 5.8: /usr/sbin/in.rshd patch
109326-05 SunOS 5.8: libresolv.so.2, in.named patch
110322-01 SunOS 5.8: /usr/lib/netsvc/yp/ypbind patch
111400-01 * SunOS 5.8: KCMS configure tool has a security vulnerability
111570-01 * SunOS 5.8: uucp patch
111606-01 * SunOS 5.8: /usr/sbin/in.ftpd patch
108774-10 SunOS 5.8_x86: IIIM and X Input & Output Method patch
108986-03 SunOS 5.8_x86: /usr/sbin/in.rshd patch
109327-05 SunOS 5.8_x86: libresolv.so.2, in.named patch
109401-09 * SunOS 5.8_x86: Updated video drivers and fixes
110323-01 SunOS 5.8_x86: /usr/lib/netsvc/yp/ypbind patch
111401-01 * SunOS 5.8_x86: KCMS configure tool has a security vulnerability
111571-01 * SunOS 5.8_x86: uucp patch
111607-01 * SunOS 5.8_x86: /usr/sbin/in.ftpd patch
The Open Source Security Testing Methodology Manual - Draft 2- Peter Vincent Herzog
http://uk.osstmm.org/osstmm.htm
The Secure Programming Standards Methodology Manual - Draft 0.5 - Victor A. Rodriguez
http://uk.osstmm.org/spsmm.htm
Available in English - Catalan - Spanish - Italian - German - French - Russian
Tools of the Trade: Part 2 - Carl Constantine
http://linux.oreillynet.com/pub/a/linux/2001/06/29/tools_two.html
A quick overview of Tcpdump and Tripwire.
Secure Online Behavior, Part Three: Using the World Wide Web - Sunil Hazari
http://www.securityfocus.com/frames/?focus=basics&content=/focus/basics/articles/sechabits3.html
This is the third article in a three-part series devoted to helping readers develop secure habits when using the various components of the Internet. While software programs such as firewalls, intrusion detection systems (IDSs) and antivirus software can provide protection, the best way for users to ensure their security while surfing the Web is to learn and practice secure behaviour.
Intrusion Detection Systems Terminology, Part One: A-H - A. Cliff
http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/idsterms.html
The terminology associated with IDS is growing rapidly. This article is intended to introduce readers to some IDS terminology, some of it basic and relatively common, some of it somewhat more obscure.
Encrypted Tunnels using SSH and MindTerm HOWTO - Duane Dunston
http://www.linuxsecurity.com/docs/HOWTO/MindTerm-SSH-HOWTO/index.html
This document describes how to use SSH and the Java-based program MindTerm to create quick, secure, and reliable VPN-like tunnels over insecure networks.
How to stop a service denial attack before it stops you - Shawn P. McCarthy
http://www.gcn.com/vol20_no17/news/4573-1.html
It's not easy to defend a federal Web server against distributed service denial attacks. For years now, the government has been under the gun in an undeclared cyberwar with hackers around the globe. The simplest and so far the most common attack is denial of service, which keeps a server so busy with fake data traffic that it can't do its real job.
Sun reverses course, continues offering source code for Solaris 8
http://www.solarisguide.com/news_story.php3?ltsn=2001-07-01-001-05-NW-BU
07/03/01 Installing RSA-SecurID on Solaris8
http://www.securityfocus.com/archive/92/194784
07/03/01 Solaris 8 in.rshd/in.rexecd/in.rlogind intertwined madness !?
http://www.securityfocus.com/archive/92/194785
06/29/01 Permission on /etc/passwd?
http://www.securityfocus.com/archive/92/194540
YASSP beta 15 is still current. See also http://www.yassp.org.
No discussions this week.
Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include OpenSSH SRP, SFTP and BIND.
Auditing and Intrusion Monitoring tools include ACID, RazorBack, SAINT, PIKT, LIDS, Samhain.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, IP Filter, Securepoint Firewall Server SB.
Tools for Linux/Unix/Cross Platform include Hypersec Linux Kernel Patch, Mcrypt, LibMcrypt, HardEncrypt and OtpCalc.
Tools for Windows include Without A Trace and BackOfficer Friendly.
The Solaris Security Digest came to life in May 2000, and each week we have tried to include a useful tip. The following document collects those tips in FAQ style for the first six months of 2001. http://securityportal.com/articles/solaristips20010706.html
The previous 6 months, May-Dec 2000 are also available:
http://securityportal.com/articles/solaristips20001220.html
If you have tips you'd like to share with others, contact us.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.