Sun Security Blog
Security
|
28 Feb 2007
Sun Alert 102802 Security Vulnerability in the in.telnetd(1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host
Product: Solaris 10 Operating System A security vulnerability in the in.telnetd(1M) daemon shipped with Solaris 10 may allow a local or remote unprivileged user who is able to connect to a host using the telnet(1) service to gain unauthorized access to that host by connecting as any user on the system, allowing them to execute arbitrary commands with the privileges of that user. This would include the root user (uid 0) if the host is configured to accept telnet logins as the root user. Note: There is at least one WORM in existence that is making use of this exploit to compromise system integrity. This issue is described in the following documents: CERT VU#881872 at http://www.kb.cert.org/vuls/id/881872 CVE-2007-0882 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882 Avoidance: Patch, Workaround State: Resolved First released: 12-Feb-2007
Permalink
|
Comments [0]
Sun Microsystems is aware of an active worm which exploits the in.telnetd vulnerability described in Sun Alert 102802. Here are a few steps to help determine if a Solaris 10 or Nevada system may be infected: $ ls -la /var/adm/wtmpx If the permissions are: -rw-r--rw- 1 adm adm 1116 Feb 28 12:03 wtmpxthe system may be infected. Next the following command can be run: $ ls -la /var/adm/sa If there is directory named .adm the system is probably infected. Other possible indications include the existence of the files: /var/adm/.profile /var/spool/lp/.profile Additionally possible indications include modified crontab entries for users adm and lp. # cd /var/spool/cron/crontabs # grep PATH=\. * adm:#10 1 * * * (cd /var/adm/sa/ && cd .adm && [ -x sysadm ] && PATH=. sysadm) >/dev/null 2>&1 & lp:#10 1 * * * (cd /var/spool/lp/admins/ && cd .lp && [ -x lpsystem ] && PATH=. lpsystem) >/dev/null 2>&1 & The following Korn shell script, inoculate.local, can be run locally on an infected system to remove the worm and prevent further re-infection by disabling the telnet service. Copy the script into a file (for example, in /tmp or /var/tmp) and run the script as the root user.
Permalink
|
Comments [3]
Product: Sun Java System Access Manager 6 2005Q1, Sun Java System Access Manager 7 2005Q4 A Cross Site Scripting (CSS or XSS) vulnerability in the Sun Java System Access Server may allow an unprivileged remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server. Additional information about cross-site scripting and web script vulnerabilities can be found at the following URLs: http://www.cert.org/archive/pdf/cross_site_scripting.pdf Avoidance: Patch State: Resolved First released: 29-Jan-2007
Permalink
|
Comments [0]
Product: Sun Java System Web Server 6.0 Service Pack 10, Sun Java System Application Server Platform Edition 8.1 2005Q1, Sun ONE Application Server 7, Enterprise Edition, Sun ONE Application Server 7, Standard Edition, Sun Java System Application Server Platform Edition 8.1 2005Q1 Update Release 1, Sun Java System Web Proxy Server 4.0, Sun Java System Web Server 6.1, Sun Java System Application Server Enterprise Edition 8.1 2005Q1, Sun Java System Web Proxy Server 3.6 If the Sun Java System Proxy Server is used in conjunction with the Sun Java System Application Server or the Sun Java System Web Server then it may be susceptible to "HTTP Request Smuggling" (HRS) which can allow remote unprivileged users to be able to poison web caches, hijack sessions, perform cross-site scripting (CSS or XSS) attacks or bypass web application firewall protection. Further information about HRS can be found at https://www.watchfire.com/securearea/whitepapers.aspx?id=12. Avoidance: Patch State: Resolved First released: 30-Nov-2006
Permalink
|
Comments [0]
23 Feb 2007
Sun Alert 102722 Security Vulnerability With RSA Signature Affects Solaris Applications Utilizing the libike Library
Product: Solaris 9 Operating System, Solaris 10 Operating System A security vulnerability in the libike library may cause applications which link against this library to incorrectly verify certain forged RSA signatures. The exact impact of this vulnerability depends on the individual application and the system configuration. The in.iked(1M) daemon, which is shipped with Solaris 9 and 10, uses the libike library for signature verification, and is affected by this vulnerability. In addition, the following applications which are shipped with Solaris 10 only, also make use of the libike library and are affected by this vulnerability:
The in.iked(1M) daemon can be configured to rely on RSA signature verification for authenticating remote hosts during IKE phase 1 exchanges. This vulnerability may allow a remote privileged user to complete an IKE phase 1 exchange using a forged identity, which may eventually lead to the possibility of gaining unauthorized access to private networks. elfsign(1M) uses certificates for signing and verification of ELF binaries. This security vulnerability may allow signatures made with certain certificates to be forged, causing elfsign(1M) to incorrectly verify a signed binary. System configurations which depend on the output of elfsign(1M), such as a configuration which forbids execution of unsigned binaries, may therefore be circumvented. kcfd(1M), which is running by default on Solaris 10 systems, uses certificates for verification of kernel cryptographic modules. An untrusted privileged user could forge the signature of a cryptographic module and therefore load a module which would otherwise be rejected by kcfd(1M). However, the loading of kernel modules is limited to privileged users. This issue is also described in the following documents:
Note 1: The issue described in this Sun Alert is specific to libike library. Multiple Sun products are affected by this issue. For more details please see Sun Alert 102648 at: Avoidance: Patch, Workaround State: Resolved First released: 27-Nov-2006
Permalink
|
Comments [0]
21 Feb 2007
Sun Alert 102782 Security Vulnerability in rm(1) may Lead to Unauthorized Deletion of Files or Directories
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System A race condition vulnerability in handling recursive directory deletion via the rm(1) command with either the "-r" or "-R" option may lead to deletion of files or directories external to the argument directory hierarchy. An unprivileged user may exploit this vulnerability by creating a specially crafted directory hierarchy which, when deleted by a privileged user using the rm(1) command, may lead to deletion of system files and directories causing a Denial of Service (DoS) condition. Sun acknowledges with thanks, Jim Meyering <jim@meyering.net>, for bringing this issue to our attention. Additional information regarding this issue can be found at:
Avoidance: Patch State: Resolved First released: 08-Feb-2007
Permalink
|
Comments [0]
21 Feb 2007
Sun Alert 102686 Security Vulnerability in RSA Signature Verification Affects Java 2 Platform, Standard Edition
Product: Java 2 Platform, Standard Edition The Java Runtime Environment and the Java Secure Socket Extension may verify incorrect RSA PKCS #1 v1.5 signatures if the RSA public key exponent is 3. This may allow applets or applications that are signed by forged signing certificates and web sites with forged web server certificates to be verified as valid. For information about this general issue, see:
Note: The issue described in this Sun Alert is specific to the Java 2 Platform, Standard Edition. Multiple Sun products are affected by this issue; for more details please see Sun Alert 102648 at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1 Avoidance: Upgrade State: Resolved First released: 15-Nov-2006
Permalink
|
Comments [0]
13 Feb 2007
Sun Alert 102796 A Security Vulnerability in the TCP Implementation of Solaris 10 Systems May Result in a System Panic Under High TCP/IP Traffic
Product: Solaris 10 Operating System A remote priviledged or unpriviledged user may be able to trigger a race condition in the TCP subsystem which can result in a system panic. The ability to panic a system is a type of Denial of Service (DoS). Avoidance: Patch State: Resolved First released: 13-Feb-2007
Permalink
|
Comments [0]
06 Feb 2007
Sun Alert 102763 Multiple Security Vulnerabilites in Mozilla 1.7 for Solaris 8, 9, and 10
Product: Mozilla v1.7, Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System Multiple security vulnerabilities are present in Mozilla version 1.7 for Solaris 8, 9 and 10. These vulnerabilities may allow a remote unprivileged user who controls a website that is visited by a local user using the Mozilla browser, or in some cases by sending an email that is read by a local user using Mozilla, to execute arbitrary code with the privileges of the user running Mozilla. Mozilla can be used as a web browser and editor, an irc client, an email client and a news client. For Mozilla 1.7 (Solaris 8, 9, and 10): Bug 6415123 Mozilla contains a flaw within the "crypto.generateCRMFRequest" method which may allow a remote user to execute arbitrary code with the privileges of the local user, including the installation of unknown software. This issue is described in the following documents: http://www.mozilla.org/security/announce/mfsa2006-24.html CERT VU# 932734 at http://www.kb.cert.org/vuls/id/932734 CVE-2006-1728 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1728
Bug 6447020 Web content could access the nsISelectionPrivate interface of the "Selection" object and use it to add a SelectionListener. The listener would be called when the user did a "Find" on the page or a "select all". These notifications created in a privileged environment could result in arbitrary code execution. This issue is described in the following documents: http://www.mozilla.org/security/announce/2006/mfsa2006-43.html CERT VU# 237257 at http://www.kb.cert.org/vuls/id/237257 CVE-2006-2777 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2777
Bug 6447021 An array index bug in crypto.signText() that results in overflowing an allocated array of pointers by two when optional Certificate Authority name arguments are passed in. This issue is described in the following documents: http://www.mozilla.org/security/announce/2006/mfsa2006-38.html CERT VU#421529 at http://www.kb.cert.org/vuls/id/421529 CVE-2006-2778 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2778
Bug 6458750 A VCard attachment with a malformed base64 field (such as a photo) can trigger a heap buffer overwrite, which can be exploited. This issue is described in the following documents: http://www.mozilla.org/security/announce/2006/mfsa2006-49.html CERT VU#897540 at http://www.kb.cert.org/vuls/id/897540 CVE-2006-3804 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3804
Bug 6458753 Potential integer overflow issues with long strings in the toSource() methods of the Object, Array and String objects as well as string function arguments. This issue is described in the following documents: http://www.mozilla.org/security/announce/2006/mfsa2006-50.html CERT VU#655892 at http://www.kb.cert.org/vuls/id/655892 CVE-2006-3806 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3806
Bug 6458754 Java script constructors may be changed to return reference to privileged objects which may be used to execute attacker supplied code. This issue is described in the following documents: http://www.mozilla.org/security/announce/2006/mfsa2006-51.html CERT VU#687396 at http://www.kb.cert.org/vuls/id/687396 CVE-2006-3807 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3807 Avoidance: Patch, Workaround State: Resolved First released: 04-Jan-2007
Permalink
|
Comments [0]
01 Feb 2007
Sun Alert 102699 A Security Vulnerability in the Solaris 10 Loopback FileSystem (LOFS) May Allow Files in a Non-global Zone to be Moved or Renamed From a Read-Only Fileystem
Product: Solaris 10 Operating System Local privileged users inside a non-global zone may be able to move or rename files which are part of a read-only mounted loopback file system (see lofs(7FS)). This filesystem may be shared with the global zone, which would result in the files being removed from the global zone also. This can result in a Denial of Service (DoS) to the non-global zone and the global zone. Avoidance: Patch State: Resolved First released: 01-Feb-2007
Permalink
|
Comments [0]
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
