Monday, February 12, 2007

Secure By Default

Learn to love SBD.

When doing the initial install of Solaris 10, select the secure by default (SBD) option. If this is Solaris Nevada, no option is given; it is (mostly) secure by default already. If the install is an upgrade, the previous configuration is left unchanged. To activate the secure profile by hand, run the following:

# /usr/sbin/netservices limited

Note that this profile only allows smtp and rpc locally, and only ssh remotely; everything else is shut off, so be careful if you are on a production box.

Why should you care? Because you are safe from the latest Solaris 10 hack. If you haven't heard of it yet, you might want to search the web and learn more. In short, it lets an attacker log in over telnet to a Solaris 10 machine without authenticating.

I decided to head over to the OpenGrok OpenSolaris source code browser and look at login.c:

/* ONC_PLUS EXTRACT START */
    /*
     * validate user
     */
    /* we are already authenticated. fill in what we must, then continue */
    if (fflag) {
/* ONC_PLUS EXTRACT END */
        if ((pwd = getpwnam(user_name)) == NULL) {
            audit_error = ADT_FAIL_VALUE_USERNAME;

            log_bad_attempts();
            (void) printf("Login failed: unknown user '%s'.\n",
                user_name);
            login_exit(1);
        }
/* ONC_PLUS EXTRACT START */
    } else {
        /*
         * Perform the primary login authentication activity.
         */
        login_authenticate();
    }

So as long as the f flag is set, login_authenticate() is never called. If that option could somehow be injected into the argument string...

    case 'f':
        /*
         * Must be root to bypass authentication
         * otherwise we exit() as punishment for trying.
         */
        if (getuid() != 0 || geteuid() != 0) {
            audit_error = ADT_FAIL_VALUE_AUTH_BYPASS;

            login_exit(1);  /* sigh */
            /*NOTREACHED*/
        }
        /* save fflag user name for future use */
        SCPYL(user_name, optarg);
        fflag = B_TRUE;
        break;

Quite the punishment for trying, no? This is similar to an old rlogin issue.
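The weak point in the excerpt is the trust boundary: login(1) believes any root caller that hands it -f, so a front end that builds a login command line from a remote-supplied name must never let that name be parsed as an option. The following is an added example in C, not code from the Solaris sources: a hypothetical front-end check that refuses option-like names, beside a toy re-implementation of the -f scan showing that a name placed after the standard getopt(3) "--" terminator can only land as a positional argument (that login honours "--" is assumed from getopt, not taken from login.c).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct login_opts { bool fflag; char user_name[33]; };
/* Hypothetical front-end check: refuse any name a getopt(3)-style parser could
 * read as an option (leading '-'), plus anything that is not a plain user name. */
bool login_name_is_safe(const char *name)
{
    size_t i, n;
    if (name == NULL || (n = strlen(name)) == 0 || n > 32 || name[0] == '-')
        return false;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)name[i]) && !strchr("_.-", name[i]))
            return false;
    return true;
}

/* Toy re-implementation of the option scan quoted above, not the real login.c:
 * "-f name" (or "-fname") sets fflag and records the name, "--" ends option
 * parsing, and the first non-option word is taken as the user. */
void scan_like_login(int argc, char *argv[], struct login_opts *o)
{
    int i;
    memset(o, 0, sizeof *o);
    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (strcmp(a, "--") == 0) { i++; break; }   /* end of options */
        if (a[0] != '-') break;                     /* first positional word */
        if (a[1] == 'f') {
            const char *name = a[2] ? a + 2 : (i + 1 < argc ? argv[++i] : "");
            snprintf(o->user_name, sizeof o->user_name, "%s", name);
            o->fflag = true;                        /* authentication skipped */
        }
    }
    if (i < argc && o->user_name[0] == '\0')        /* positional user name */
        snprintf(o->user_name, sizeof o->user_name, "%s", argv[i]);
}
/* Hardened hand-off: validate first, then place the name after "--" so it can
 * never be read as an option. Returns true only if login would authenticate. */
bool hand_off_to_login(const char *remote_name, struct login_opts *o)
{
    char buf[33];
    char *argv[] = { "login", "-p", "--", buf, NULL };
    if (!login_name_is_safe(remote_name)) return false;
    snprintf(buf, sizeof buf, "%s", remote_name);
    scan_like_login(4, argv, o);
    return !o->fflag && strcmp(o->user_name, remote_name) == 0;
}
```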

Sun Studio now has a thread analyzer that does race detection and other similarly complex detection of problems in your code. Maybe security hole detection should be next? :)

So why did this come back?

 * -f : This flag was introduced by PSARC 1995/039 in support
 *      of Kerberos. But it's not used by Sun's Kerberos implementation.
 *      It is however employed by zlogin(1), since it allows one to tell
 *      login: "This user is authenticated." In the case of zlogin that's
 *      true because the zone always trusts the global zone.

So if you are running Solaris secure by default and have not re-enabled telnet, you are safe.

Learn to love SBD.

______________________________________

Update:

For T-patches and details from the sausage factory, see this blog:
Alan Hargreaves - the in.telnetd exploit
