Well, maybe, I dont know the product. Are we talking about ipfilter? If so, kinda. It would be a varient on the "run TCP Wrappers or something similar" solution. Turning off dtspcd completly, if you can, is still a better solution. I should also point out that we are not nessasarly talking about remote X access here. The problem with dtspcd is that it can be used to start processes that never put anything up on your window. Bob. On 2002.01.16 12:32 Kevin Brown wrote: > On the last solaris machines that I maintained we ran a firewall, ipf, on > the > Solaris machines themselves. Might be a possibility for those running > Solaris > that don't need remote X access to the machine. > > "Robert A . Klahn" wrote: > > > > Greetings: > > > > One thing that I have noticed missing in the media reports about this > > exploit is the answer to the question "So, what should I do?" > > > > For a Linux system, the answer is most likely "nothing". I dont know of > > any distribution that uses CDE, at least by default. Mostly, in the > Linux > > world, we have "moved past" CDE with Gnome and KDE. > > > > For other U*IXes, the answer is a little bit more complex. Solaris, > AIX, > > and HP/UX all use CDE, and for all recent versions, by default. > > > > So, what to do, for these other U*IXes? Consider if you need to run > dtspcd > > at all. Its purpose is to permit the running of applications on your > > server, from a remote client. Useful, perhaps. Risky, clearly. How does > > one turn dtspcd off? Easy, comment out this (or a similar looking line) > > from /etc/inetd.conf: > > > > dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd > > > > Save the file, and restart the inetd process by sending it the SIGHUP > > signal. Do a "netstat" to verify that port 6112 is not open. The actual > > netstat syntax varies from U*IX to U*IX, so do a man if you are unsure. > > > > If you really need to be running dtspcd, you should block port 6112 at > > your firewall, and if you really need to run dtspcd, you really should > > have a firewall. You should also really be running dtspcd under TCP > > Wrappers, or something similar, on top of blocking the port at your > > firewall. If anyone is in this situation, let me know, and I can go > into > > more depth. But, as we are now at least two times removed from the > topic > > of the list (we are now talking about non-Linux systems that knowingly > > want to run something so risky), I will not take up any more of your > time > > on the topic. > > > > Bob. > > > > On 2002.01.16 09:43 John Mosier wrote: > > > > > >> CERT: EXPLOIT CIRCULATING FOR CDE HOLE > > >> Posted January 15, 2002 05:32 Pacific Time > > >> HACKERS ARE ACTIVELY exploiting a known vulnerability in Sun > > >> Microsystems Inc.'s Solaris version of the Unix operating system, > > >> security experts said late Monday, urging administrators to check if > > >> their system is vulnerable. > > > > > >> The U.S.-government funded Computer Emergency Response > > >> Team/Coordination Center (CERT/CC) at Carnegie Mellon University in > > >> Pittsburgh said in an advisory that it had received "credible > reports" > > >> of an exploit for Solaris systems. An exploit is a software tool > that > > >> can be used to break into computer systems and that is often used by > > >> hackers. > > >> The exploit takes advantage of a buffer overflow vulnerability that > was > > >> first discovered in March 1999. The flaw in a library function used > by > > >> the CDE (Common Desktop Environment) could allow an attacker to take > > >> full control over the system, CERT/CC said. CDE is a graphical user > > >> interface that is typically installed by default on Unix systems. > > >> CDE is "a fairly widespread product on Unix platforms" and is > included > > >> in products from Sun Microsystems Inc., IBM Corp., Hewlett-Packard > Co. > > >> and Compaq Computer Corp., according to Art Manion, an Internet > > >> security analyst with CERT/CC. > > >> The CDE Subprocess Control Service (dtspcd) is a network daemon that > > >> accepts requests from remote clients to execute commands and launch > > >> programs remotely. The service does not perform adequate input > > >> validation, as a result of which a malicious client could manipulate > > >> data sent and cause a buffer overflow, according to CERT/CC. > > > > > >> CERT/CC advises administrators to check if a system is configured to > > >> run dtspcd by looking for the entries "dtspc 6112/tcp" in > > >> "/etc/services" and "dtspc stream tcp nowait root /usr/dt/bin/dtspcd > > >> /usr/dt/bin/dtspcd" in "/etc/inetd.conf". > > >> Many Unix and Linux flavors are vulnerable and many vendors have > long > > >> issued patches to fix the problem. Any system that does not run > dtspcd > > >> is not vulnerable to this problem. > > >> For the full story: > > >> > http://www.infoworld.com/articles/hn/xml/02/01/15/020115hncert.xml?0116weam > > > > > > John Mosier, Excelco, Inc. NEW contact info: Free: 866 225-3605 > > > > > > Fax: (480) 922-6504 Voice: (480) 922-6500 > > > http://www.swinfo.com http://www.excelco.com > > > 8233 Via Paseo del Norte, Ste E-300, Scottsdale, AZ 85258 > > > > > > > > > > > -- > > Robert A. Klahn > > rklahn@acm.org > > > > "Hope has two beautiful daughters: Anger and Courage. Anger at the way > > things are, and Courage to struggle to create things as they should > be." - > > St. Augustine > > ________________________________________________ > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't > post to the list quickly and you use Netscape to write mail. > > > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.mybutt.net > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss > ________________________________________________ > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't > post to the list quickly and you use Netscape to write mail. > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.mybutt.net > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss > -- Robert A. Klahn rklahn@acm.org "Hope has two beautiful daughters: Anger and Courage. Anger at the way things are, and Courage to struggle to create things as they should be." - St. Augustine