By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html
Multiple Vendor Small TCP MSS Denial of Service Vulnerability
http://www.securityfocus.com/bid/2997
http://www.securityfocus.com/archive/1/195457
A potential denial of service vulnerability exists in several TCP stack implementations. TCP has an MSS (maximum segment size) option that a TCP client uses to announce to a peer the maximum amount of TCP data that can be sent per segment. The potential for attacks exists because in many cases only a very small minimum value is enforced for the MSS. By setting the MSS to a low value (such as 1) and requesting large amounts of data from a TCP service, an attacker forces the server to send that data in a flood of tiny segments, each carrying full TCP/IP headers, and can effectively cause a denial of service through the resulting workload.
Severity: Potential denial of service. Exploit published. Solaris 8.0, Solaris 7.0 and Solaris 2.5.1 are vulnerable.
Workaround: Currently no patch released.
Apache Autoindexing Module Possible Directory Index Disclosure Vulnerability
http://www.securityfocus.com/bid/3009?id=3009
The AutoIndex module for Apache provides automatic indexing of directories within the webroot. Some administrators may rely on the presence of an 'index.html' to ensure that the actual contents of the directory will not be disclosed. There exists a possible vulnerability in this module that can allow for disclosure of directory contents despite the presence of an 'index.html'.
Severity: Apache 1.3.20 and 1.3.19 are vulnerable. Exploitation of this vulnerability may disclose sensitive information to attackers.
Workaround: Disable the module or remove the index options from the Apache configuration file. Currently no patch available.
Check Point RDP Bypass Vulnerability
http://www.cert.org/advisories/CA-2001-17.html
A vulnerability has been discovered in Check Point FireWall-1 and VPN-1 that allows an intruder to bypass the firewall. The default FireWall-1 management rules allow arbitrary RDP connections to traverse the firewall.
Severity: Systems affected are CheckPoint VPN-1 and FireWall-1 Version 4.1. This vulnerability may allow an intruder to pass traffic with arbitrary content through the firewall on port 259/UDP in violation of implied security policies.
Workaround: Until a patch can be applied, you may be able to reduce your exposure to this vulnerability by configuring your router to block access to 259/UDP at your network perimeter. Check Point has issued an alert for this vulnerability at http://www.checkpoint.com/techsupport/alerts/rdp.html and a patch is available from Check Point's web site: http://www.checkpoint.com/techsupport/downloads.html.
Tripwire Insecure Temporary File Symbolic Link Vulnerability
http://www.securityfocus.com/bid/3003
http://www.securityfocus.com/archive/1/195617
Tripwire insecurely creates files using the mktemp() library function, which only produces a predictable name, and then opens that name without checking whether the file already exists (a check alone would not close the race; the file must be created exclusively, as mkstemp() does). This makes it possible for a local user to launch a symbolic link attack. As a result, a malicious local user may be able to overwrite system files, creating a denial of service, or potentially gain elevated privileges.
Severity: Possible local file overwrite (symlink attack). No exploit has been published yet. Tripwire 2.3.0, 2.2.1 and 1.3.1 are vulnerable.
Workaround: Install a fixed Tripwire or the patches available from http://prdownloads.sourceforge.net/tripwire and use the new TEMPDIRECTORY configuration option so that Tripwire uses a temporary directory writable only by root.
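The bug class behind this advisory, reproduced as an added shell example that is not Tripwire's code: a program that writes to a predictable temporary name without creating it exclusively can be made to overwrite whatever an attacker's pre-planted symlink points at, while creating the file with O_EXCL (what the shell's noclobber mode and mktemp(1) do, and what mkstemp(3) does in C) refuses the planted name. The directory, file names and contents below are constructed for the demonstration; the "victim" is an ordinary file inside a throwaway directory, not a system file.

```shell
#!/bin/sh
# Added example (not Tripwire's code): the temp-file symlink race described in
# the advisory, reproduced inside a throwaway directory, next to two safe
# patterns. All paths and file contents here are constructed for the demo.

# Print "intact" if the victim file still has its original content, else
# "clobbered". Argument: the scenario directory.
victim_state() {
    if [ "$(cat "$1/victim")" = 'important data' ]; then
        printf 'intact\n'
    else
        printf 'clobbered\n'
    fi
}

# Build the scenario: a victim file the attacker wants overwritten, and a
# symlink planted at the name a careless program is predicted to use.
# Prints the scenario directory.
setup_scenario() {
    work=$(mktemp -d) || return 1
    printf 'important data\n' > "$work/victim"
    # Attacker (any local user) pre-creates the predictable name as a symlink.
    ln -s "$work/victim" "$work/report.tmp"
    printf '%s\n' "$work"
}

# Vulnerable writer: opens the predictable name for writing without O_EXCL.
# '>' follows the symlink and truncates/overwrites the victim.
vulnerable_writer() {
    work=$(setup_scenario) || return 1
    printf 'scratch output\n' > "$work/report.tmp" 2>/dev/null || true
    victim_state "$work"
    rm -rf "$work"
}

# Safe pattern 1: noclobber (set -C) makes '>' open with O_CREAT|O_EXCL,
# which fails because the path already exists (as a symlink). Write refused.
noclobber_writer() {
    work=$(setup_scenario) || return 1
    ( set -C; printf 'scratch output\n' > "$work/report.tmp" ) 2>/dev/null || true
    victim_state "$work"
    rm -rf "$work"
}

# Safe pattern 2: mktemp(1) creates a fresh, unpredictable name atomically
# with mode 0600, so there is no name for the attacker to pre-create.
# Prints "<victim state> <octal mode of the temp file>".
mktemp_writer() {
    work=$(setup_scenario) || return 1
    tmp=$(mktemp "$work/report.XXXXXX") || { rm -rf "$work"; return 1; }
    printf 'scratch output\n' > "$tmp"
    mode=$(stat -c '%a' "$tmp" 2>/dev/null || stat -f '%Lp' "$tmp")
    printf '%s %s\n' "$(victim_state "$work")" "$mode"
    rm -rf "$work"
}
```

Run it as an unprivileged user; it touches nothing outside the directory mktemp -d hands back. The TEMPDIRECTORY workaround above closes the same race from the other side, by taking away the attacker's ability to plant the link in the first place.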
Weakness of the OpenSSL PRNG
http://www.openssl.org/news/secadv_prng.txt
The pseudo-random number generator (PRNG) in SSLeay/OpenSSL versions up to 0.9.6a is weakened by a design error. Knowing the output of specific PRNG requests would allow an attacker to determine the PRNG's internal state and thus to predict future PRNG output.
Severity: Typical applications are not vulnerable to this attack because PRNG requests usually happen in larger chunks.
Workaround: OpenSSL 0.9.6b has been corrected and does not require this patch. It is recommended to upgrade to OpenSSL 0.9.6b. If upgrading is not immediately possible, the source code patch contained at the end of the advisory should be applied.
Bugtraq Database:
2001-07-09: Trend Micro Interscan Applet Trap '//' Bypass Vulnerability
http://www.securityfocus.com/bid/2996
2001-07-09: Trend Micro Interscan Applet Trap Encoding Bypass Vulnerability
http://www.securityfocus.com/bid/2998
2001-07-09: Trend Micro Interscan Applet Trap '0' IP Bypass Vulnerability
http://www.securityfocus.com/bid/3000
2001-07-06: Lucent RADIUS Format String Vulnerability
http://www.securityfocus.com/bid/2994
2001-07-06: Basilix Webmail File Disclosure Vulnerability
http://www.securityfocus.com/bid/2995
2001-07-05: Lucent RADIUS Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2989
2001-07-05: Merit RADIUS Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2991
2001-07-04: Cobalt Raq3 PopRelayD Arbitrary SMTP Relay Vulnerability
http://www.securityfocus.com/bid/2986
Over the last few weeks/months, we reported on several Solaris vulnerabilities. Those which are not yet
covered by Solaris patches are listed below. See previous digests for a more detailed analysis.
Summary: several exploit samples have been released, and patches for ftp, ypbind and kcms are available. If you use NIS/YP, apply the ypbind patch very soon.
libsldap buffer overflow in $LDAP_OPTIONS
Severity: a local user may gain root privileges on Solaris 8. Exploit published.
Workaround: replace the existing 'libsldap.so' with a 'dummy' version that does not contain the offending code. This may limit or break functionality of some of the utilities
http://archives.neohapsis.com/archives/bugtraq/2001-06/0344.html
Print Protocol Daemon (in.lpd) Remote Buffer Overflow
Severity: a remote user may gain root privileges via an overflow in the in.lpd daemon. No known exploits published, yet.
Patches: No patches available yet, but patches have been announced:
Solaris 8.0_x86: 109321-04
Solaris 8.0: 109320-04
Solaris 7.0_x86: 107116-08
Solaris 7.0: 107115-08
Solaris 2.6_x86: 106236-09
Solaris 2.6: 106235-09
Workaround: either apply network access control to the service (with tcp wrappers) or disable 'in.lpd' (in inetd.conf) or even better, disable inetd. If inetd is enabled and needed, disable ALL services that are not necessary.
http://xforce.iss.net/alerts/advise80.php
http://www.securityfocus.com/bid/2894
/opt/SUNWssp/bin/cb_reset
Severity: a local user may gain root privileges by overflowing the setuid root command cb_reset in the SUNWssp package (not in the standard install). No known exploit has been published yet.
Workaround: remove the SUNWssp package if not needed, or remove the suid bit from cb_reset. Side effects: only root can use cb_reset.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0265.html
http://www.securityfocus.com/bid/2893
/opt/SUNWvts/bin/ptexec
Severity: a local user may gain root privileges by overflowing the setuid root command ptexec in the SUNWvts package (not in the standard install). No known exploit has been published yet.
Workaround: remove the SUNWvts package if not needed, or remove the suid bit from ptexec. Side effects: only root can use ptexec.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0282.html
http://www.securityfocus.com/bid/2898
/usr/bin/at language environment overflow
Severity: A user with a local account may gain root privileges. Exploit published.
Workaround: disable the suid bit. Side effect: only root can use the 'at' command.
http://archives.neohapsis.com/archives/bugtraq/2001-06/0134.html
/usr/bin/mail $HOME Buffer Overflow Vulnerability
Severity: a user with a local account may gain the privileges of group 'mail'.
Workaround: disable the sgid bit.
http://www.securityfocus.com/vdb/bottom.html?vid=2819
mailtool buffer overflow in $OPENWINHOME
Severity: a user with a local account may gain mail privileges. Exploit released. Sun Bug ID: 4458476.
Workaround: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html
rpc.yppasswdd buffer overflow
Severity: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.
Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php
mailx -F buffer Overflow
Severity: local sgid 'mail' exploit.
Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610
Xsun $HOME buffer overflow vulnerability
Severity: Local sgid root exploit.
Patches: Recent patches from Sun include 108652-35 (Solaris 8), but there are no notes in the README to indicate that they addressed this issue.
Workaround: Remove the sgid permissions. It should continue to work fine if Xsun is run via dtlogin or xdm.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561
SNMP to DMI mapper daemon
Severity: Remote root exploit being actively abused. (Sun bug id 4412996).
Patches: 108870-06 SunOS 5.8_x86, 108869-06 SunOS 5.8
Workaround: Disable the DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
kcsSUNWIOsolf.so KCMS_PROFILES environment variable
Severity: Local suid root exploit.
Patches: 107337-02 SunOS 5.7, 111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86.
Workaround: Disable suid, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf
kcms_configure vulnerability
Severity: Local suid exploit via command line options.
Patches: 107337-02 SunOS 5.7, 111400-01 SunOS 5.8, 111401-01 SunOS 5.8_x86.
Workaround: Disable suid, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605
CDE dtsession LANG environment variable
Severity: Local suid root exploit. Exploit available for Solaris x86.
Workaround: On servers not requiring a GUI, the suid bit can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession
ftpd #1 globbing buffer overflows/core dump shadow password recovery
Severity: A local user might be able to see /etc/shadow contents. Apparently it is not easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow.
Patches: 106301-03 SunOS 5.6, 111607-01 SunOS 5.8_x86, 111606-01 SunOS 5.8.
Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601
ftpd #2 CWD Username Enumeration
Severity: Remote exploit, low impact (allows an attacker to recognize valid usernames).
Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564
NTP buffer overflow
Severity: remote root exploit.
Workaround: Watch your NTP servers carefully and restrict access by IP address. One Sun contract customer reports that an "emergency fix" can be obtained from Sun. Alternatively, install the latest public-domain ntpd rather than the one distributed with Solaris.
http://securityfocus.com/vdb/bottom.html?vid=2540
ipcs Timezone buffer overflow vulnerability
Severity: Local suid root exploit.
Workaround: Disable suid, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:
We analyze both reports since changes in one are not always reflected in the other.
Solaris 2.5.1, Jul/09/01:
111576-01 SunOS 5.5.1: catman makes dangerous use of tmpfiles
Solaris 2.6, Jul/11/01:
110002-02 Security and other fixes for 32-bit CRE
105633-57 OpenWindows 3.6: Xsun patch
Solaris 7, Jul/11/01:
106978-11 SunOS 5.7: sysid patch
110003-02 Security and other fixes for 64-bit CRE
110002-02 Security and other fixes for 32-bit CRE
107656-07 OpenWindows 3.6.1 libXt Patch
107081-33 Motif 1.2.7 and 2.1.1: Runtime library patch for Solaris 7
107636-08 SunOS 5.7: X Input & Output Method patch
Solaris 8, Jul/11/01:
111570-01 SunOS 5.8: uucp patch
111548-01 SunOS 5.8: catman, man, whatis, apropos and makewhatis patch
110003-02 Security and other fixes for 64-bit CRE
110002-02 Security and other fixes for 32-bit CRE
109887-08 SunOS 5.8: smartcard patch
108879-08 Solstice AdminSuite 3.0.1: Auditing compat mode passwd autohome fixes
Solaris 8_x86, Jul/11/01:
111571-01 SunOS 5.8_x86: uucp patch
111549-01 SunOS 5.8_x86: catman, man, whatis, apropos and makewhatis patch
108881-08 Solstice AdminSuite 3.0.1_x86: Auditing compat mode passwd autohome
None
Symmetric Cryptography in Perl - Abhijit Menon-Sen
http://www.perl.com/pub/a/2001/07/10/crypto.html
This article explains how to use Perl to keep your secrets... secret.
Hardening HTAccess, Part One - Robert Hansen
http://www.securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/htaccess.html
This article is the first in a three-part series that will provide a way to harden Apache's htaccess to make it more stable and lessen the chances of successful brute force attacks.
Survey of Log Analysis Tools for Snort - Yen-Ming Chen
http://www.unixreview.com/articles/2001/0107/0107f/0107f.htm
This article introduces current tools that can help systems administrators analyze the different log formats generated by Snort.
Top 10 security mistakes - Alan S. Horowitz, Computerworld
http://www.itworld.com/Sec/2052/CWD010709security/?idgnet
This article lists some notable errors that people and IT professionals commit when it comes to computer security.
PKI policy pitfalls - Mike Bobbitt
http://www.infosecuritymag.com/articles/july01/features_pki.shtml
A properly developed PKI policy can turn a piece of security technology into an integral part of your organization's trust model.
Cybercrime: supporting cyber sleuths - Todd G. Shipley
http://www.infosecuritymag.com/articles/july01/features_cybercrime.shtml
The easier you make it for the cops, the faster they can help you solve a computer crime.
Tripwire in the Enterprise: Integrating Tripwire into Big Brother - Elena Khan
http://www.sysadminmag.com/articles/2001/0108/0108a/0108a.htm
This article describes a system created for making Tripwire administration across an enterprise as easy as possible.
Freeware Intrusion Detection Tools - Ido Dubrawsky
http://www.sysadminmag.com/articles/2001/0108/0108o/0108o.htm
Survey of host-based and network-based intrusion detection tools.
Homebrew Intrusion Detection Systems - Chris Kuethe
http://www.sysadminmag.com/articles/2001/0108/0108m/0108m.htm
Covers some basic setup considerations for a network intrusion detection system. This article discusses how to make all your tools and toys play nicely together.
Firewall Reporter - Alex Le Fevre
http://www.sysadminmag.com/articles/2001/0108/0108n/0108n.htm
This article describes a tool that allows administrators to generate firewall reports on demand and provides automatic notification of potential problems.
Integrit for File Verification - Ed L. Cashin
http://www.sysadminmag.com/articles/2001/0108/0108l/0108l.htm
This article describes a free software tool to help sysadmins stay in touch with and trust the files on their systems. This free tool was recently updated in the Weekly Tools Digest.
No discussions this week.
YASSP beta 15 is still current. See also http://www.yassp.org.
07/09/01 Small TCP packets == very large overhead == DoS?
http://www.theorygroup.com/Archive/YASSP/2001/msg00216.html
Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include OpenSSL and PinePGP.
Auditing and Intrusion Monitoring tools include Snort, Nmap, ACID, RazorBack, Snort2IPtables, PIKT, LIDS, Syslog-ng and SecureIT.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, GuardDog, Astaro Security Linux and Fwanalog.
Tools for Linux/Unix/Cross Platform include Secure FTP, Jail, APG, SILC, Grsecurity, Hogwash and Tsocks.
Tools for Windows include Stealth HTTP Security Scanner and Log2Intrusions.
The Tip of the Week describes a procedure to automatically synchronize files using rsync over SSH.
A useful article on the subject (used as input for this tip):
http://www-ad.fsl.noaa.gov/Admin/globalDocs/sshref/userref.html
SSH access without passwords
When a user connects via SSH, they must prove their identity to the remote machine using one of several methods. A common question is: "How can I access a remote host without entering a password at each login?"
SSH provides two solutions to allow remote logins without password prompt:
In our situation, imagine that a user backup on a machine called master needs to log in to the account backup on a remote machine called mirror without providing a password each time. This password-less login is necessary to automate the synchronization of a directory.
First, both machines should run SSH (http://www.openssh.org/portable.html). Then a personal key for backup on master is generated with ssh-keygen from the command line. The user is prompted three times during key generation: once for the name of the output file and twice for the passphrase; just hit enter three times. Note that a key with an empty passphrase is stored unencrypted, so anyone who can read /home/backup/.ssh/identity on master can log in as backup on mirror: protect that file and the backup account on master accordingly.
backup@master:~ > ssh-keygen
Generating RSA keys:  Key generation complete
Enter file in which to save the key (/home/backup/.ssh/identity):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/backup/.ssh/identity
Your public key has been saved in /home/backup/.ssh/identity.pub
The key fingerprint is:
0d:e1:9b:55:88:4d:fa::0c:c3:45:df:82:23:67:d8:57 backup@master
backup@master:~ >
During a login, sshd looks for a file named authorized_keys in the user's .ssh/ directory. This file contains the public keys allowed to log in to this account. Now the user backup on master must copy the content of identity.pub to the file .ssh/authorized_keys in the home directory of user backup on the machine mirror. If not present, the directory .ssh should be created on the machine mirror first:
backup@master:~ > scp .ssh/identity.pub backup@mirror:/home/backup/.ssh/authorized_keys
backup@mirror's password:
identity.pub          100% |*****************************|   329  00:00
backup@master:~ >
Access to .ssh and authorized_keys must be restricted to their owner (for example mode 700 and 600): with StrictModes, the default, sshd ignores the file if it or the directory is writable by group or others. Note also that the scp above replaces any authorized_keys already present on mirror; if the account already has keys installed, append identity.pub to the file instead. Now the user backup on machine master should be able to log in to the account backup on machine mirror without being prompted for a password:
backup@master:~ > ssh -l backup mirror
Last login: Wed Jul 11 18:38:29 2001 from backup
No mail.
backup@mirror:~ >
Using rsync over SSH
rsync is a program that can be used in automated scripts to synchronize the contents of one directory with those of another. Recent versions of rsync can tunnel the rsync data through SSH. The user can now automate the synchronization of a local directory (on master) with a remote directory on mirror. This command line could be used in a script to automate the process:
backup@master:~ > /usr/bin/rsync -r -e ssh /home/backup/test backup@mirror:~
The -r option makes the synchronization recursive, and -e names ssh as the remote shell to use, so all rsync traffic travels inside the SSH connection. Other rsync options could be used to optimize the transfer.
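The receiving side of this procedure, as an added shell example that is not from the original tip and not part of OpenSSH or rsync: a function that installs a public key for the unattended backup account the way it should be done, appending to authorized_keys rather than copying over it, setting the permissions sshd's StrictModes requires, and restricting the key to one source host with no tty or forwarding, because the sender's private key has no passphrase and anyone who reads it gets exactly what the key allows. The host name "master" and the key lines used when trying it are constructed placeholders.

```shell
#!/bin/sh
# Added example for this tip; not from the original digest and not part of
# OpenSSH or rsync. Installs a public key on the receiving account for an
# unattended rsync login. Host names and key text are constructed placeholders.

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_restricted_key PUBFILE SOURCE [HOME]
#   PUBFILE  one-line public key file (identity.pub or id_*.pub)
#   SOURCE   host or address pattern allowed to use the key (from= option)
#   HOME     home directory of the receiving account (default: $HOME)
install_restricted_key() {
    pub=$1; src=$2; home=${3:-$HOME}
    ssh_dir="$home/.ssh"; ak="$ssh_dir/authorized_keys"

    key=$(head -n 1 "$pub") || return 1
    # Accept only something that looks like a public key: the SSH1 form
    # "bits exponent modulus comment" or an SSH2 "type base64 comment" line.
    case $key in
        [0-9]*\ [0-9]*\ *|ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) printf 'not a public key line: %s\n' "$pub" >&2; return 1 ;;
    esac

    # With StrictModes (the default) sshd ignores authorized_keys when the
    # directory or the file is writable by anyone but the owner.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1

    # Restrict the key: usable only from SOURCE, no tty, no forwarding. The
    # private key on the sender has no passphrase, so whoever reads it gets
    # these rights and nothing more. Append, so keys already installed survive
    # (scp'ing identity.pub over the file would discard them).
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$src" "$key" >> "$ak"
}

# On the sending side the cron job then needs nothing more than:
#   rsync -r -e ssh /home/backup/test backup@mirror:~
```

To pin the key down further, a command="..." option can force it to run only rsync's server side; rsync's distribution includes an rrsync wrapper script for exactly that, so a stolen identity file is useful for nothing but pushing files into the permitted directory.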
If you have tips you'd like to share with others, contact us.
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html