Security Hole in Unix / Linux Systems

Kevin Brown plug-discuss@lists.plug.mybutt.net
Wed, 16 Jan 2002 12:32:16 -0700


On the last solaris machines that I maintained we ran a firewall, ipf, on the
Solaris machines themselves.  Might be a possibility for those running Solaris
that don't need remote X access to the machine.

"Robert A . Klahn" wrote:
> 
> Greetings:
> 
> One thing that I have noticed missing in the media reports about this
> exploit is the answer to the question "So, what should I do?"
> 
> For a Linux system, the answer is most likely "nothing". I dont know of
> any distribution that uses CDE, at least by default. Mostly, in the Linux
> world, we have "moved past" CDE with Gnome and KDE.
> 
> For other U*IXes, the answer is a little bit more complex. Solaris, AIX,
> and HP/UX all use CDE, and for all recent versions, by default.
> 
> So, what to do, for these other U*IXes? Consider if you need to run dtspcd
> at all. Its purpose is to permit the running of applications on your
> server, from a remote client. Useful, perhaps. Risky, clearly. How does
> one turn dtspcd off? Easy, comment out this (or a similar looking line)
> from /etc/inetd.conf:
> 
> dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
> 
> Save the file, and restart the inetd process by sending it the SIGHUP
> signal. Do a "netstat" to verify that port 6112 is not open. The actual
> netstat syntax varies from U*IX to U*IX, so do a man if you are unsure.
> 
> If you really need to be running dtspcd, you should block port 6112 at
> your firewall, and if you really need to run dtspcd, you really should
> have a firewall. You should also really be running dtspcd under TCP
> Wrappers, or something similar, on top of blocking the port at your
> firewall. If anyone is in this situation, let me know, and I can go into
> more depth. But, as we are now at least two times removed from the topic
> of the list (we are now talking about non-Linux systems that knowingly
> want to run something so risky), I will not take up any more of your time
> on the topic.
> 
> Bob.
> 
> On 2002.01.16 09:43 John Mosier wrote:
> >
> >> CERT: EXPLOIT CIRCULATING FOR CDE HOLE
> >> Posted January 15, 2002 05:32 Pacific Time
> >> HACKERS ARE ACTIVELY exploiting a known vulnerability in Sun
> >> Microsystems Inc.'s Solaris version of the Unix operating system,
> >> security experts said late Monday, urging administrators to check if
> >> their system is vulnerable.
> >
> >> The U.S.-government funded Computer Emergency Response
> >> Team/Coordination Center (CERT/CC) at Carnegie Mellon University in
> >> Pittsburgh said in an advisory that it had received "credible reports"
> >> of an exploit for Solaris systems. An exploit is a software tool that
> >> can be used to break into computer systems and that is often used by
> >> hackers.
> >> The exploit takes advantage of a buffer overflow vulnerability that was
> >> first discovered in March 1999. The flaw in a library function used by
> >> the CDE (Common Desktop Environment) could allow an attacker to take
> >> full control over the system, CERT/CC said. CDE is a graphical user
> >> interface that is typically installed by default on Unix systems.
> >> CDE is "a fairly widespread product on Unix platforms" and is included
> >> in products from Sun Microsystems Inc., IBM Corp., Hewlett-Packard Co.
> >> and Compaq Computer Corp., according to Art Manion, an Internet
> >> security analyst with CERT/CC.
> >> The CDE Subprocess Control Service (dtspcd) is a network daemon that
> >> accepts requests from remote clients to execute commands and launch
> >> programs remotely. The service does not perform adequate input
> >> validation, as a result of which a malicious client could manipulate
> >> data sent and cause a buffer overflow, according to CERT/CC.
> >
> >> CERT/CC advises administrators to check if a system is configured to
> >> run dtspcd by looking for the entries "dtspc 6112/tcp" in
> >> "/etc/services" and "dtspc stream tcp nowait root /usr/dt/bin/dtspcd
> >> /usr/dt/bin/dtspcd" in "/etc/inetd.conf".
> >> Many Unix and Linux flavors are vulnerable and many vendors have long
> >> issued patches to fix the problem. Any system that does not run dtspcd
> >> is not vulnerable to this problem.
> >> For the full story:
> >> http://www.infoworld.com/articles/hn/xml/02/01/15/020115hncert.xml?0116weam
> >
> > John Mosier, Excelco, Inc. NEW contact info: Free:  866 225-3605
> >
> > Fax:  (480) 922-6504                       Voice: (480) 922-6500
> > http://www.swinfo.com                     http://www.excelco.com
> > 8233 Via Paseo del Norte, Ste E-300, Scottsdale, AZ 85258
> >
> >
> >
> --
> Robert A. Klahn
> rklahn@acm.org
> 
> "Hope has two beautiful daughters: Anger and Courage. Anger at the way
> things are, and Courage to struggle to create things as they should be." -
> St. Augustine
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> 
> PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.mybutt.net
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss