By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
Note: More feedback on the structure and focus of this digest would be appreciated from our readers. The Tip of the Week section seems to be well appreciated, but which other sections interest you most? Do we spend too much time on some topics, not enough on others, or miss some completely? Are topics too simple or too advanced? Would you like to see a list of patches that have changed for Solaris 7 and 8 each week?
Thanks in advance. sean at boran.com.
Sun Bulletin #00200 (Bugtraq ID 2193): "arp" vulnerability
http://www.securityfocus.com/bid/2193
Note: This was put into the digest late last week, so some of you may not have seen it; it is being repeated here. This advisory now has a Bugtraq entry too: http://securityfocus.com/vdb/bottom.html?vid=2193
Sun released patches for Solaris 7 and earlier for a setgid vulnerability in arp.
Vulnerability: "A malicious user could overflow the stack and execute shellcode which could allow unauthorized root access".
Analysis: This is a classical local exploit of unchecked command-line parameters. Exploit code has been released.
OS Version        Patch ID
__________        _________
SunOS 5.7         109709-01
SunOS 5.7_x86     109710-01
SunOS 5.6         109719-01
SunOS 5.6_x86     109720-01
SunOS 5.5.1       109721-01
SunOS 5.5.1_x86   109722-01
SunOS 5.5         109707-01
SunOS 5.5_x86     109708-01
SunOS 5.4         109723-01
SunOS 5.4_x86     109724-01
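As an added example (not part of Sun's bulletin or this digest), a small sh script that maps the table above to the running release and checks `showrev -p` output for the fix; the `showrev` sample embedded in it is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from Sun's bulletin: check whether the arp fix listed
# in the table above is installed on this host.

# Map a release (as `uname -r` prints it) and processor (`uname -p`) to the
# base ID of the patch Sun lists for it; fail for releases not in the table.
arp_patch_for() {
  case "$1:$2" in
    5.7:sparc)   echo 109709 ;;
    5.7:i386)    echo 109710 ;;
    5.6:sparc)   echo 109719 ;;
    5.6:i386)    echo 109720 ;;
    5.5.1:sparc) echo 109721 ;;
    5.5.1:i386)  echo 109722 ;;
    5.5:sparc)   echo 109707 ;;
    5.5:i386)    echo 109708 ;;
    5.4:sparc)   echo 109723 ;;
    5.4:i386)    echo 109724 ;;
    *)           return 1 ;;
  esac
}

# Read `showrev -p` output on stdin and print the highest installed revision
# of patch base ID $1 (nothing if the patch is absent). A later revision of
# the same base ID also carries the fix.
installed_rev() {
  awk -v id="$1" '
    $1 == "Patch:" { split($2, p, "-"); if (p[1] == id && p[2] > max) max = p[2] }
    END { print max }'
}

# Print "patched", "missing", or "unlisted" (release not in the table).
# Usage on a live host:  showrev -p | arp_status "$(uname -r)" "$(uname -p)"
arp_status() {
  id=$(arp_patch_for "$1" "$2") || { echo unlisted; return 0; }
  rev=$(installed_rev "$id")
  if [ -n "$rev" ]; then echo patched; else echo missing; fi
}

# Constructed sample of `showrev -p` output (not from a real host): the
# SPARC arp patch is present, so a 5.7 SPARC host would report "patched".
SAMPLE_SHOWREV='Patch: 106541-12 Obsoletes: 106832-03 Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109709-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

printf '%s\n' "$SAMPLE_SHOWREV" | arp_status 5.7 sparc
```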
SSH1 Secure RPC Vulnerability
http://www.ssh.com/products/ssh/patches/secureRPCvulnerability.html
SSH is probably used by many of you, so a brief analysis is provided here.
Vulnerability: When using secure-RPC support to encrypt a secret key file with the "SUN-DES-1 magic phrase," it is possible for SSH to generate a "magic phrase" which is easily discoverable by other users on the same host, or in the same NIS+ domain.
Analysis:
- Severity: For most people, this is not a problem. It affects SSH1, not SSH2. No mention is made of OpenSSH. The problem has to do with keyserv, its API and how SSH1 uses that API. It is only a risk if RSA authentication is used and SSH is compiled with secure-RPC support (which is non-standard). Andy Polyakov notes in http://archives.neohapsis.com/archives/bugtraq/2001-01/0314.html that he is unable to reproduce the error.
- Workarounds include using an SSH1 that does not have special secure-RPC support compiled in, or using password rather than RSA authentication. Andy Polyakov suggests starting keyserv with the '-d' option, which disables the use of default keys for nobody.
- Fix: Source code patches are available, but the source's author is not convinced that this fixes all cases.
No new Solaris-specific entries in the Bugtraq database, but a buffer overflow in /bin/cu was reported on the Bugtraq mailing list (http://archives.neohapsis.com/archives/bugtraq/2001-01/0289.html), which could allow a normal user to assume "uucp" privileges.
2001-01-17: Tinyproxy Heap Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2217
2001-01-16: PHP .htaccess Attribute Transfer Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2206
2001-01-16: splitvt Format String Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2210
2001-01-15: Veritas Backup Denial of Service Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2204
2001-01-14: Iomega JaZip Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2209
2001-01-14: Trend Micro Interscan VirusWall Weak Admin Password Protection Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2212
2001-01-14: Trend Micro Interscan VirusWall Symlink Root Compromise Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2213
2001-01-14: Flash Sound Write-Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2214
2001-01-12: PHP Engine Disable Source Viewing Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2205
2001-01-11: Ultraboard Incorrect Directory Permissions Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2197
2001-01-11: Basilix Webmail Incorrect File Permissions Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2198
2001-01-10: Apache /tmp File Race Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2182
Comment: This mentions Apache for Immunix/RedHat, but I see no indication why other OSs should not be vulnerable as well.
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Jan/17/01*
Solaris 7 Jan/05/01
Solaris 2.6 Jan/05/01
Solaris 2.5.1 Jan/05/01
See also ftp://sunsolve.sun.com/pub/patches
Timo's procmail tips and recipes
http://www.uwasa.fi/~ts/info/proctips.html
Although not strictly security related, this may be of interest to you.
The Future of Operating Systems Security
Ronald L. Mendell
http://securityportal.com/cover/coverstory20010115.html
Often computer security takes us down strange paths; for example, what is the connection between the Navajo language and the future of operating systems? These subjects seem odd bedfellows to be sure; yet, we shall learn that obscurity, contrary to the general maxim, sometimes does create a degree of security.
The latest Crypto-Gram is out and worth a read as usual.
http://www.counterpane.com/crypto-gram-0101.html
How to create a hidden sniffer with Solaris
Rob Thomas
http://www.enteract.com/~robt/Docs/Howto/Sun/sniffer-trick.txt
While experimenting with some code, I came up with this trick for creating an unseen Solaris sniffer. It is possible, when using snoop(1M), to sniff packets through an unplumbed interface. The obvious benefit is that the interface can not be detected. Thus, the sniffer remains impervious to detection and attack.
Comment: This is basically how SunScreen works. Snoop can also be run on the (unplumbed) SunScreen interfaces, even while the SunScreen engine is running (a useful debugging tip if you run SunScreens and have problems with some rules). Note that the sniffer is still subject to buffer attacks even though it is not visible.
Sun Enterprise Network Security Service (SENSS)
Bruce Development Team (Sun)
http://www.sun.com/software/communitysource/senss
SENSS "Bruce" is a flexible, Java-based infrastructure that permits centralized security management of small, medium and large-sized intranets. The Bruce software provides you with a network service daemon that should be installed on each host in your network; these daemons are linked together in a hierarchy of trust. This hierarchy may be used for the distribution and execution of digitally-signed packages containing (java, binary, or script) code that may be used to check and fix host security issues in a bulk, batch-oriented manner. Execution requests are likewise digitally signed, replay attacks are prevented, and network communications are secured by access-control lists and pluggable authentication and secrecy modules. Output generated during the process of checking is in HTML format, and percolates to the root of the hierarchy, where it is browsable.
The Bruce software is not yet complete; this is the Early Access 2 (EA2) release, that we (the Bruce development team) are making available for the benefit of parties with a professional interest in network security, for their experimentation and comment.
Comment: Sounds interesting; pity the license is not more open. Sun seems to keep tight control over changes/improvements and distribution.
Sun Provides Financing for Tripwire
http://www.telekomnet.com/writer_telekomnet/1-17-01_tripwire.asp
Sun Microsystems has invested $5 million in Tripwire Inc., a developer of network security software. Tripwire's network security software will complement Sun's networking hardware systems. The software prevents hackers from accessing company data, and monitors networks to provide notification of any intrusion or alteration of data.
Comment: So maybe we'll finally get a decent tripwire bundled with Solaris?
Solaris Tunable Parameters Reference Manual
http://docs.sun.com/ab2/coll.709.2/SOLTUNEPARAMREF/
This document has been updated for Solaris 8, release 01/01. It includes: Overview of Solaris System Tuning, Solaris Kernel Tunables, NFS Tunable Parameters, TCP/IP Tunable Parameters, System Facility Parameters, Tunable Parameter Change History. An interesting read.
Sun Storage hints/FAQs
http://www.sun.com/bigadmin/home/index.html
BigAdmin lists a few useful links:
Sun Storage Helpful Hints http://www.eng.auburn.edu/pub/mail-lists/ssastuff/ (we might have listed this one a while back)
Sun StorEdge A3500/A3500FC http://www.sun.com/storage/a3500/a3500_faq.html
Sun StorEdge T3 Array for the workgroup http://www.sun.com/storage/t3wg/t3wg_faq.html
Sun StorEdge T3 Array for the enterprise http://www.sun.com/storage/t3es/t3es_faq.html
The Honeynet Forensic Challenge
http://www.linuxsecurity.com/feature_stories/forensic-challenge.html
http://project.honeynet.org/challenge/
David Dittrich
The Forensic Challenge is an effort to allow incident handlers around the world to all look at the same data -- an image reproduction of the same compromised system -- and to see who can dig the most out of that system and communicate what they've found in a concise manner. This is a nonscientific study of tools, techniques, and procedures applied to post-compromise incident handling. The challenge is to have fun, to solve a common real world problem, and for everyone to learn from the process...
Comment: You can download the 'dd' images of the compromised RedHat 6.2 system and try to figure out what happened. Interesting.
Initial Cryptanalysis of the RSA SecurID Algorithm
@stake
http://www.linuxsecurity.com/resource_files/cryptography/initial_securid_analysis.pdf
This short paper will examine several discovered statistical irregularities in functions used within the SecurID algorithm: the time computation and final conversion routines. Where and how these irregularities can be mitigated by usage and policy are explored. We are planning for the release of a more thorough analysis in the near future. This paper does not present methods of determining the secret component by viewing previously generated or successive tokencodes.
Full Text of Underground Available for Download underground-book.org
http://www.linuxsecurity.com/resource_files/documentation/suelette-dreyfus--underground.txt.bz2
The full text of "Underground: tales of hacking, madness and obsession on the electronic frontier" is now available for download. Underground is the compelling true story of the rise of the computer underground and the crimes of an elite group of hackers who took on the forces of the establishment... Underground uncovers the previously hidden story behind hackers from 8LGM, The Realm, the publishers of International Subversive and other linked Internet hacking groups...
Process accounting with lastcomm and sa
Jeremy C. Reed
http://www.bsdtoday.com/2001/January/Features385.html
Do you ever wonder what commands are running on your system? Do you want to find the time a particular command was executed? Or do you want to analyze your server's performance? By enabling process accounting you can find information about previously executed commands and past system resource usage.
Comment: This is BSD stuff, most of which applies to Solaris too.
Starting from scratch [Backups Explained]
Carole Fennelly
http://www.sunworld.com/unixinsideronline/swol-01-2001/swol-0112-unixsecurity.html
Of all people, security experts are the most likely to keep their own systems backed up, and verify that the backups haven't been overwritten, right? Wrong, says Carole Fennelly. In this week's Unix Security, Carole reveals how complacency caused her to lose her home directory and email, and shows you how you can prevent the same thing from happening to you.
Using umask
Ryan W. Maple
http://www.linuxsecurity.com/tips/tip-1.html
The umask command controls the default file and directory creation mode for newly-created files and directories. The umask command can be used to determine the default file creation mode on your system.
File transfer options -- Part I: Secure iXplorer
ApacheToday - Nick DeClario
http://www.linuxsecurity.com/articles/server_security_article-2300.html
This is the first part in a series of articles about different options for secure file transfers. How to sniff connections, steal passwords or whether SSH is really "secure" are not topics that will be covered by these articles. But hopefully, it will contain some information that will be valuable for your web hosting clients and for you -- the Apache webserver administrators. This first article covers a file transfer client for the end users -- it requires a secure shell server to be installed on the web server.
01/13/01 Removing default system accounts
http://securityfocus.com/templates/archive.pike?list=92&start=2001-01-07&fromthread=0&threads=1&end=2001-01-13&tid=156066&
01/12/01 sunscreen EFS: was Testing fw1 implementation
http://securityfocus.com/templates/archive.pike?list=92&start=2001-01-07&fromthread=0&threads=1&end=2001-01-13&tid=155902&
01/12/01 Sun Security Bulletin #00200 (fwd)
http://securityfocus.com/templates/archive.pike?list=92&start=2001-01-07&fromthread=0&threads=1&end=2001-01-13&tid=155944&
01/12/01 Testing fw1 implementation
http://securityfocus.com/templates/archive.pike?list=92&start=2001-01-07&fromthread=0&threads=1&end=2001-01-13&tid=155934&
01/12/01 Openssh and Solaris8(sparc)
http://securityfocus.com/templates/archive.pike?list=92&start=2001-01-07&fromthread=0&threads=1&end=2001-01-13&tid=155884&
Yassp beta 15 is still current, Jean has documented the outstanding changes planned for beta16:
- Some problem reported where the SECclean install badly failed, in two cases:
- when the OS was heavily modified before
- on the latest Sol8 HW release
I have fixed the first case, which had required some significant changes in cleanlib. For the second, I am quite lost, trying to reproduce it without success.
- As I was modifying cleanlib, I am implementing changes so that the yassp modifications to init can be re-applied.
- OpenSSH: the current snapshot has port forwarding working OK; it is not implemented in the version currently with yassp. I'll see when the next release will be, as I don't want to go with a snapshot :-) Also, as there were, and I understand, lots of complaints that it supports *only* Sol8, we can give it a try to generate the PKG on Sol7 and test it. I will need some help, as I don't have Sol7 on Intel.
- nettune: new additions
Discussions this week:
Solaris Tuning Page
http://www.theorygroup.com/Archive/YASSP/2001/msg00001.html
Sshd_config corrections
http://www.theorygroup.com/Archive/YASSP/2001/msg00002.html
See also http://www.yassp.org
Two tips this week:
1. "ph" script:
Francisco Mancardi from U&R Consultores [fman@uyr.com.ar] is contributing a script called ph (Put Header), which creates a standard header for various types of files (configuration files, readme files, C, C++, scripts...) with certain standard fields (customer name, hostname, full pathname, who added the header).
The idea is to give new files a standard header containing important information, for better documentation. As he says himself: "OK, maybe I have an obsession with documentation, but I think it is very useful." :)
It can be downloaded from www.boran.com/security/sp/solaris/ph.1.1.tar
2. "chk_disk" script
This is a script of my own that I run from cron to report (via email) if any local filesystem has reached 97% or more.
It can be downloaded from www.boran.com/security/sp/solaris/chk_disk
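As an added example, here is my own sh sketch of the same idea (not the chk_disk script linked above): a filter over `df -k` output that reports filesystems at or above a threshold, plus a cron wrapper that mails root only when there is something to report. The `df -k` sample it contains is constructed.

```shell
#!/bin/sh
# Added example, my own rather than the digest's chk_disk: report local
# filesystems at or above a capacity threshold from `df -k` output.
THRESHOLD=97

# Read `df -k` output on stdin and print "mountpoint capacity" for every
# /dev/ filesystem whose capacity is at or above $1 percent. Keeping only
# /dev/ entries drops /proc, fd and mnttab; it also drops tmpfs swap, so
# widen the pattern if a full /tmp matters to you.
full_filesystems() {
  awk -v limit="$1" '
    NR == 1 { next }                  # header: Filesystem kbytes used ...
    $1 !~ /^\/dev\// { next }         # only real block devices
    {
      pct = $5; sub(/%/, "", pct)     # "98%" -> 98
      if (pct + 0 >= limit) print $6, $5
    }'
}

# Constructed `df -k` sample in Solaris column layout (not from a real host).
SAMPLE_DF='Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0t0d0s0    1015679  985330       0   100%    /
/proc                      0       0       0     0%    /proc
fd                         0       0       0     0%    /dev/fd
/dev/dsk/c0t0d0s6    4131866 3950112  140436    97%    /usr
swap                  524288     120  524168     1%    /tmp
/dev/dsk/c0t0d0s7    8253000 4100000 4070470    51%    /export/home'

# Cron wrapper: mail root only when something is at or above the threshold,
# so a quiet night produces no mail. Run it e.g. hourly from root's crontab.
chk_disk() {
  report=$(df -k | full_filesystems "$THRESHOLD") || return 1
  [ -z "$report" ] && return 0
  printf 'Filesystems at %s%% or more on %s:\n%s\n' \
    "$THRESHOLD" "$(uname -n)" "$report" | mailx -s "chk_disk: $(uname -n)" root
}

# Demonstration on the constructed sample (prints "/ 100%" and "/usr 97%"):
printf '%s\n' "$SAMPLE_DF" | full_filesystems "$THRESHOLD"
```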
If you have any security tips/scripts you'd like to share with others, contact us.
All security tool news is now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved. Last Update: 19 January, 2001