Security Hole in Unix / Linux Systems

Robert A. Klahn plug-discuss@lists.plug.mybutt.net
Wed, 16 Jan 2002 13:17:04 -0700


Well, maybe, I don't know the product. Are we talking about ipfilter? If
so, kinda. It would be a variant on the "run TCP Wrappers or something
similar" solution. Turning off dtspcd completely, if you can, is still a
better solution.

I should also point out that we are not necessarily talking about remote X
access here. The problem with dtspcd is that it can be used to start
processes that never put anything up on your window.

Bob.

On 2002.01.16 12:32 Kevin Brown wrote:
> On the last Solaris machines that I maintained we ran a firewall, ipf, on
> the Solaris machines themselves.  Might be a possibility for those running
> Solaris that don't need remote X access to the machine.
> 
> "Robert A . Klahn" wrote:
> >
> > Greetings:
> >
> > One thing that I have noticed missing in the media reports about this
> > exploit is the answer to the question "So, what should I do?"
> >
> > For a Linux system, the answer is most likely "nothing". I don't know of
> > any distribution that uses CDE, at least by default. Mostly, in the Linux
> > world, we have "moved past" CDE with Gnome and KDE.
> >
> > For other U*IXes, the answer is a little bit more complex. Solaris, AIX,
> > and HP/UX all use CDE, and for all recent versions, by default.
> >
> > So, what to do, for these other U*IXes? Consider if you need to run dtspcd
> > at all. Its purpose is to permit the running of applications on your
> > server, from a remote client. Useful, perhaps. Risky, clearly. How does
> > one turn dtspcd off? Easy, comment out this (or a similar looking line)
> > from /etc/inetd.conf:
> >
> > dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
> >
> > Save the file, and restart the inetd process by sending it the SIGHUP
> > signal. Do a "netstat" to verify that port 6112 is not open. The actual
> > netstat syntax varies from U*IX to U*IX, so do a man if you are unsure.
> >
> > If you really need to be running dtspcd, you should block port 6112 at
> > your firewall, and if you really need to run dtspcd, you really should
> > have a firewall. You should also really be running dtspcd under TCP
> > Wrappers, or something similar, on top of blocking the port at your
> > firewall. If anyone is in this situation, let me know, and I can go into
> > more depth. But, as we are now at least two times removed from the topic
> > of the list (we are now talking about non-Linux systems that knowingly
> > want to run something so risky), I will not take up any more of your time
> > on the topic.
> >
> > Bob.
> >
> > On 2002.01.16 09:43 John Mosier wrote:
> > >
> > >> CERT: EXPLOIT CIRCULATING FOR CDE HOLE
> > >> Posted January 15, 2002 05:32 Pacific Time
> > >> HACKERS ARE ACTIVELY exploiting a known vulnerability in Sun
> > >> Microsystems Inc.'s Solaris version of the Unix operating system,
> > >> security experts said late Monday, urging administrators to check if
> > >> their system is vulnerable.
> > >
> > >> The U.S.-government funded Computer Emergency Response
> > >> Team/Coordination Center (CERT/CC) at Carnegie Mellon University in
> > >> Pittsburgh said in an advisory that it had received "credible reports"
> > >> of an exploit for Solaris systems. An exploit is a software tool that
> > >> can be used to break into computer systems and that is often used by
> > >> hackers.
> > >> The exploit takes advantage of a buffer overflow vulnerability that was
> > >> first discovered in March 1999. The flaw in a library function used by
> > >> the CDE (Common Desktop Environment) could allow an attacker to take
> > >> full control over the system, CERT/CC said. CDE is a graphical user
> > >> interface that is typically installed by default on Unix systems.
> > >> CDE is "a fairly widespread product on Unix platforms" and is included
> > >> in products from Sun Microsystems Inc., IBM Corp., Hewlett-Packard Co.
> > >> and Compaq Computer Corp., according to Art Manion, an Internet
> > >> security analyst with CERT/CC.
> > >> The CDE Subprocess Control Service (dtspcd) is a network daemon that
> > >> accepts requests from remote clients to execute commands and launch
> > >> programs remotely. The service does not perform adequate input
> > >> validation, as a result of which a malicious client could manipulate
> > >> data sent and cause a buffer overflow, according to CERT/CC.
> > >
> > >> CERT/CC advises administrators to check if a system is configured to
> > >> run dtspcd by looking for the entries "dtspc 6112/tcp" in
> > >> "/etc/services" and "dtspc stream tcp nowait root /usr/dt/bin/dtspcd
> > >> /usr/dt/bin/dtspcd" in "/etc/inetd.conf".
> > >> Many Unix and Linux flavors are vulnerable and many vendors have long
> > >> issued patches to fix the problem. Any system that does not run dtspcd
> > >> is not vulnerable to this problem.
> > >> For the full story:
> > >> http://www.infoworld.com/articles/hn/xml/02/01/15/020115hncert.xml?0116weam
> > >
> > > John Mosier, Excelco, Inc. NEW contact info: Free:  866 225-3605
> > >
> > > Fax:  (480) 922-6504                       Voice: (480) 922-6500
> > > http://www.swinfo.com                     http://www.excelco.com
> > > 8233 Via Paseo del Norte, Ste E-300, Scottsdale, AZ 85258
> > >
> > >
> > >
> > --
> > Robert A. Klahn
> > rklahn@acm.org
> >
> > "Hope has two beautiful daughters: Anger and Courage. Anger at the way
> > things are, and Courage to struggle to create things as they should
> be." -
> > St. Augustine
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.mybutt.net
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
-- 
Robert A. Klahn
rklahn@acm.org

"Hope has two beautiful daughters: Anger and Courage. Anger at the way
things are, and Courage to struggle to create things as they should be." -
St. Augustine
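The disable-and-verify steps Bob describes above (comment out the dtspc entry in inetd.conf, reload inetd, check that nothing listens on tcp/6112), as an added shell example that is not part of the thread. It works on a constructed copy of inetd.conf and a constructed netstat listing; the `make_sample_conf` and `port_6112_listening` helpers and the scratch-directory layout are assumptions of this example, not anything the list posts describe.

```shell
#!/bin/sh
# Added example, not code from the thread. Applies the steps Bob describes:
# disable the dtspc entry in inetd.conf, then confirm nothing listens on
# tcp/6112. It works on a constructed copy of the files so it is safe to run;
# aim it at the real /etc/inetd.conf only after reading it.

# Write a constructed inetd.conf fragment (CDE entry included) to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
dtspc   stream  tcp     nowait  root    /usr/dt/bin/dtspcd      /usr/dt/bin/dtspcd
EOF
}

# Number of active (uncommented) dtspc entries in the inetd.conf at $1.
count_dtspcd() {
    grep -c '^[[:space:]]*dtspc[[:space:]]' "$1" || true
}

# Comment out every active dtspc line in $1. Keeps a .bak copy so the
# change can be reverted. Returns 1 when there was nothing to disable.
disable_dtspcd() {
    [ "$(count_dtspcd "$1")" -gt 0 ] || return 1
    cp "$1" "$1.bak"
    sed 's/^\([[:space:]]*dtspc[[:space:]]\)/#\1/' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Return 0 when a saved "netstat -an" listing at $1 shows a LISTEN socket on
# port 6112. Solaris prints "*.6112", Linux prints "0.0.0.0:6112".
port_6112_listening() {
    grep -E '[.:]6112[[:space:]].*LISTEN' "$1" >/dev/null
}

# Demo on constructed files in a scratch directory.
tmp=$(mktemp -d)
make_sample_conf "$tmp/inetd.conf"
echo "dtspc entries before: $(count_dtspcd "$tmp/inetd.conf")"
disable_dtspcd "$tmp/inetd.conf"
echo "dtspc entries after:  $(count_dtspcd "$tmp/inetd.conf")"
# After editing, inetd is told to re-read its config with SIGHUP:
#   kill -HUP "$(pgrep inetd)"      (run on the real host, not here)
# and the result is verified against the live listing:
#   netstat -an > "$tmp/netstat.txt"
printf '      *.6112  *.*  0  0  24576  0 LISTEN\n' > "$tmp/netstat.txt"
port_6112_listening "$tmp/netstat.txt" && echo "tcp/6112 still open: inetd not reloaded?"
rm -rf "$tmp"
```

The constructed netstat line deliberately still shows the listener, which is the case the verification step exists to catch: a commented-out entry changes nothing until inetd has been reloaded.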