By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
2000-12-30: Solaris mailx Lockfile Denial Of Service Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2169
"The problem involves lockfiles in the /var/mail directory. By default, the /var/mail directory is world writeable as deployed with the Solaris Operating Environment. When a file is created in the /var/mail directory using the extension $LOGNAME.lock, it is possible to deny service to a legitimate user of mailx if the $LOGNAME.lock file is not removable by the mailx user. This problem makes it possible for a user with malicious intent to deny service to any user of mailx."
Comment: This is a Denial of Service attack, requiring a local account. It's only a problem on multi-user systems where mailx is used. A sample exploit script has been published. Sun have not yet released a patch.
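Until a patch is available, an administrator can watch the spool for the condition described above. The following check is an added example, not part of the original digest or the advisory: it lists <user>.lock files that are owned by someone other than <user>. The function names are hypothetical, and it assumes a legitimate lock is created by the mailbox owner's own mailx process.

```shell
#!/bin/sh
# Added example (not from the digest): flag <user>.lock files in a mail spool
# that are owned by someone other than <user>.
# Assumption: a legitimate lock is created by the mailbox owner's own mailx.

# owner_of FILE -> prints the owner name (or numeric uid) as shown by ls -ld
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# audit_mail_locks [SPOOL] -> prints "lockfile owner expected" for each
# suspect lock; returns 1 if any were found, 0 otherwise.
audit_mail_locks() {
    spool=${1:-/var/mail}
    found=0
    for lock in "$spool"/*.lock; do
        [ -e "$lock" ] || continue          # glob matched nothing
        expected=`basename "$lock" .lock`   # mailbox the lock claims to protect
        owner=`owner_of "$lock"`
        if [ "$owner" != "$expected" ]; then
            echo "$lock $owner $expected"
            found=1
        fi
    done
    return $found
}
```

Run audit_mail_locks /var/mail from cron and mail any output to the administrators; a non-zero exit status means at least one foreign-owned lock was found.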
2001-01-29: Macromedia Flash SWF Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2162
2001-01-02: GTK+ Arbitrary Loadable Module Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2165
2000-12-31: Emacs Inadequate PTY Permissions Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2164
2000-12-30: Informix Webdriver Remote Administration Access Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2166
2000-12-30: Informix Local File Overwrite Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2168
2000-12-28: ikonboard Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2157
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Dec/19/00
Solaris 7 Dec/19/00
Solaris 2.6 Dec/05/00
Solaris 2.5.1 Dec/12/00
See also ftp://sunsolve.sun.com/pub/patches
Top 10 Security Stories of 2000
http://securityportal.com/cover/coverstory20010101.html
Vulnerability Assessment Scanners
http://www.nwc.com/1201/1201f1b1.html
We decided to entrust the security of our test network to Axent Technologies' NetRecon, BindView Corp.'s HackerShield, eEye Digital Security's Retina, Internet Security Systems' Internet Scanner, Network Associates' CyberCop Scanner, and two open-source products: Nessus Security Scanner and Security Administrator's Research Assistant (SARA). One product, World Wide Digital Security's System Analyst Integrated Network Tool (SAINT), is open source, with a commercial reporting tool. ........ We set up 17 of the most common and critical vulnerabilities out there, and not one product detected them all....... The two that shined the brightest on this front were ISS' Internet Scanner and Nessus Security Scanner. Unfortunately, it's a case of the best of the worst.
Comment: a detailed report that makes sober reading.
The 101 Uses of OpenSSH: Part I
Mick Bauer
http://www2.linuxjournal.com/lj-issues/issue81/4412.html
This month we'll cover ssh's background and architecture, how to build and/or install OpenSSH, how to use ssh as an encrypted replacement for Telnet, how to set some basic ssh configuration options and how to use scp for encrypted file transfers. Next month I'll cover RSA/DSA authentication, local port-forwarding, remote-command-execution and other more advanced, and extremely powerful functions of ssh/OpenSSH.
Comment: A good introduction to SSH.
Wireless acrobatics: Is the convenience of wireless technology worth the security risks?
Carole Fennelly
http://www.sunworld.com/unixinsideronline/swol-12-2000/swol-1229-unixsecurity.html
12/31/00 Solaris 7 sticky bit on directory
http://securityfocus.com/templates/archive.pike?threads=1&end=2001-01-06&start=2000-12-31&list=92&tid=153687&fromthread=0&
Frank Heimann noted that if a file is group writeable in a sticky directory, it can be deleted, whereas this is not the case on Linux/BSD. Casper Dik summarised the use of the directory sticky bit in Solaris and its antecedents:
- When SystemVr4 took on the sticky bit, they modified the semantics from "remove if owner" to "remove if owner or write access".
- It makes sense to the point that the user "foobar" can modify the content of the file completely, so why not allow removal.
- SVr4 and Solaris 7 and earlier implemented this rather more awkwardly, as those operating systems apply this rule not only to plain files, but also to sockets, symlinks (fixed 777 mode), directories, pipes, etc.
- In Solaris 8, the SVR4 rule now only applies to non-files.
It was noted that the sticky(5) man page does not document the fact that the file being writeable by the user group allows deletion, whereas the chmod(2) man page does.
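To see which entries in a sticky directory fall under the "remove if owner or write access" rule summarised above, the following audit is an added example that is not part of the original thread. It lists every top-level entry that carries a group- or other-write bit, whatever its type, since Solaris 7 and earlier apply the rule to all file types. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the digest): in a sticky directory, list the entries
# that have a group- or other-write bit set, i.e. the ones the SVr4 rule
# "remove if owner or write access" lets users other than the owner delete.

# is_sticky DIR -> 0 if DIR is a directory with the sticky bit set
is_sticky() {
    case `ls -ld "$1" 2>/dev/null` in
        d????????[tT]*) return 0 ;;   # last mode character is t or T
        *)              return 1 ;;
    esac
}

# svr4_removable DIR -> prints the names of entries directly inside DIR
# (not recursive) that are group- or other-writable; returns 2 if DIR is
# not a sticky directory.
svr4_removable() {
    is_sticky "$1" || { echo "$1: not a sticky directory" >&2; return 2; }
    ( cd "$1" && find . ! -name . -prune \
          \( -perm -020 -o -perm -002 \) -print | sed 's|^\./||' | sort )
}
```

Symlinks always appear in the output because of their fixed 777 mode, which matches the behaviour described for SVr4 and Solaris 7 and earlier.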
Yassp beta 15 is still current.
No Discussions this week.
See also http://www.yassp.org
Garry J. Garrett writes in with another useful tip:
It is useful to know when a system is shut down or started, especially when you have many hosts to manage and logs are not automatically monitored, or you don't have active SNMP monitoring.
Garry puts a startup file in /etc/rc3.d that kicks out e-mail when a system is stopped or booted. The message for the shutdown is different than the startup message, so if a startup happens without a shutdown, it probably crashed and it will have to be checked out.
Install the script as /etc/init.d/bootmail and make the links /etc/rc3.d/S99bootmail and /etc/rc0.d/K00bootmail. Instead of "root" you can make an alias (put it in /etc/mail/aliases and run "newaliases") and e-mail it to a list of folks who care, which may include more than just the SysAdmins (besides, not everyone likes the idea of forwarding root's e-mail off of the box - you can send it to root *and* to an e-mail address that goes off of the box). Obviously, sendmail (the client, not the server) must be working properly to send e-mail off of the box (this usually boils down to defining "mailhost", say in /etc/hosts or DNS, etc.).
#!/bin/sh
##########
# bootmail
#
# Send mail to SysAdmins upon reboot so that they are aware should:
# - someone else reboot the machine
# - the machine crashes
# etc.
# 27-Jan-1999 Garry J. Garrett
case "$1" in
'start' | 'boot' | 'reboot')
    /bin/echo "`/bin/uname -n` rebooted `date`" \
        | /bin/mailx -s "`/bin/uname -n` rebooted" root ;;
'stop' | 'shutdown' | 'down')
    /bin/echo "`/bin/uname -n` going down `date`" \
        | /bin/mailx -s "`/bin/uname -n` going down" root ;;
*)
    /bin/echo "Usage: /etc/init.d/bootmail { start | stop }" ;;
esac
If you have any security tips/scripts you'd like to share with others, contact us.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
All security tool news is now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 08 January, 2001