
Re: [cobalt-security] Open letter to SUN/Cobalt



On Wed, 02 May 2001, Michael Stauber wrote:

> For ages Qpopper 2.53, which is commonly used on all RaQs, has allowed local users 
> to gain privileges via a format string in the From: header, which is 
> processed by the euidl command.

This was fixed ages ago.  If you have update 4.0 installed on your
RaQ3 (assuming this is what you have; the RaQ4 shipped with 3.0.2),
you should be running qpopper 3.0.2.  If for some reason you
are still showing 2.53 and you have update 4.0 installed, you most
likely installed an old version of pop-before-relay which may have
contained a qpopper binary.

You can grab the latest qpopper RPM from here:

ftp://ftp.cobaltnet.com/pub/products/raq3/RPMS/qpopper-3.0.2-C6.i386.rpm

> For several months now there have been a couple of known vulnerabilities in ProFTPD 
> 1.2.0rc3, which is commonly used on the RaQs. Among those exploits are ones 
> which allow one to root a box or to run a DoS attack (the latter vulnerability 
> can be fixed with a small entry in the configuration file).

This has been in testing, and should be posted by the end of this week.
In the meantime, you can pick up experimental copies of the RPMS we are
testing from here:

RaQ1 and Qube2:
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/proftpd-1.2.2rc1-C1-NOPAM.mips.rpm

RaQ2:
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/proftpd-1.2.2rc1-C1.mips.rpm

RaQ3, RaQ4, Qube3, RaQXTR:
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/i386/proftpd-1.2.2rc1-C2.i386.rpm

I am only aware of a DoS against the proftpd version that is
currently on boxes.  If you could point me to a root exploit for this
version (1.2.0rc3), I would greatly appreciate it.  I can make sure a working
exploit gets into the hands of the sustaining/SQA group so they
can test appropriately.

> For weeks it has been known that all 2.2.x kernels below 2.2.19 can be rooted by 
> local users by exploiting the ptrace() and sysctl() bugs.
>
> As far as I understand it, there are no patches available to close *any* of 
> the above-mentioned vulnerabilities on a RaQ3 or RaQ4 at the present time. 
> The RaQ4-All-Kernel-1.0.1-2.216C24III.pkg apparently doesn't fix what it's 
> supposed to fix, which members of this list just recently proved.

The kernel has already been fixed, and is going through an SQA cycle.
It should be available shortly.  It is 2.2.16C25, and it is currently available
as an unsupported RPM at:

RaQ3/4:
ftp://ftp.cobaltnet.com/pub/kernel/gen_III/

RaQXTR:
ftp://ftp.cobaltnet.com/pub/kernel/gen_V/

> Question:
> =======
> 
> Is it safe to assume that none of the above-mentioned holes will be closed in 
> the foreseeable future? 
>
> If otherwise, it would be nice to hear which holes you are planning to close, 
> and it would be nice to get an estimate on when that will be done for which 
> platform.

I hope I have addressed all of your concerns above.  I know some of the updates
have been a little slow to come out, and I can tell you that the sustaining
team is addressing these issues.

Jeff
-- 
Jeff Lovell
Sun Microsystems
Server Appliance Business Unit
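For readers who want to verify a box against the fixed versions Jeff names above (qpopper 3.0.2-C6, proftpd 1.2.2rc1-C2, kernel 2.2.16C25), here is an added audit script. It is not code from the post, from Cobalt or from Sun. It assumes the components are installed as RPMs named "qpopper" and "proftpd" and that `uname -r` on a RaQ reports the Cobalt release string in the "2.2.16C24III" form; the fallback values used when rpm is not available are constructed samples. The comparison reimplements rpmvercmp's ordering rules in plain sh so it runs without rpm present.

```sh
#!/bin/sh
# Added example, not from the original post or from Cobalt/Sun: audit a box for
# the three components the thread discusses, comparing what is installed with
# the fixed version-release strings named in the reply. Assumptions: the
# packages are RPMs named "qpopper" and "proftpd", and `uname -r` on a RaQ
# reports the Cobalt kernel release string in the "2.2.16C24III" form.

# Split a version-release string into space-separated segments, dropping the
# separators and breaking at every digit/non-digit boundary:
#   "2.2.16C24III" -> "2 2 16 C 24 III"    "1.2.2rc1-C2" -> "1 2 2 rc 1 C 2"
tokenize() {
    printf '%s' "$1" \
      | sed -e 's/[-._+]/ /g' \
            -e 's/\([0-9]\)\([^0-9 ]\)/\1 \2/g' \
            -e 's/\([^0-9 ]\)\([0-9]\)/\1 \2/g' \
      | tr -s ' ' | sed -e 's/^ //' -e 's/ $//'
}

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Compare two version-release strings with rpmvercmp's rules (simplified: no
# tilde or caret handling): numeric segments compare numerically, alphabetic
# ones lexically, a numeric segment is newer than an alphabetic one in the same
# position, and the string with segments left over is newer. Prints -1, 0 or 1.
vercmp() {
    va=$(tokenize "$1")
    vb=$(tokenize "$2")
    while [ -n "$va" ] || [ -n "$vb" ]; do
        if [ -z "$va" ]; then echo -1; return 0; fi
        if [ -z "$vb" ]; then echo 1; return 0; fi
        x=${va%% *}; y=${vb%% *}
        case $va in *' '*) va=${va#* } ;; *) va= ;; esac
        case $vb in *' '*) vb=${vb#* } ;; *) vb= ;; esac
        if is_num "$x" && is_num "$y"; then
            if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
            if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
        elif is_num "$x"; then echo 1; return 0
        elif is_num "$y"; then echo -1; return 0
        else
            # the "x" prefix keeps expr from reading a segment as one of its keywords
            if [ "$(expr "x$x" '<' "x$y")" = 1 ]; then echo -1; return 0; fi
            if [ "$(expr "x$x" '>' "x$y")" = 1 ]; then echo 1; return 0; fi
        fi
    done
    echo 0
}

# Print one report line; return 0 if the installed version-release is at or
# above the fixed one, 1 if the component still needs the update.
check_pkg() {
    if [ "$(vercmp "$2" "$3")" -lt 0 ]; then
        printf '%-8s %-16s <  %-14s NEEDS UPDATE\n' "$1" "$2" "$3"
        return 1
    fi
    printf '%-8s %-16s >= %-14s ok\n' "$1" "$2" "$3"
    return 0
}

# Version-release of an installed RPM; falls back to the caller-supplied
# constructed sample when rpm is absent or the package is not installed, so the
# audit also runs on a machine that is not a RaQ.
installed_vr() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1"
    else
        echo "$2"
    fi
}

# Audit the three components; returns 1 if any is below its fixed version.
audit_raq() {
    qp=$(installed_vr qpopper 2.53-1)        # 2.53-1 is a constructed sample
    pf=$(installed_vr proftpd 1.2.0rc3-1)    # 1.2.0rc3-1 is a constructed sample
    kr=$(uname -r 2>/dev/null || echo 2.2.16C24III)   # RaQ release form assumed
    rc=0
    check_pkg qpopper "$qp" 3.0.2-C6    || rc=1
    check_pkg proftpd "$pf" 1.2.2rc1-C2 || rc=1
    check_pkg kernel  "$kr" 2.2.16C25   || rc=1
    return $rc
}

status=0
audit_raq || status=$?
[ "$status" -eq 0 ] || echo 'one or more components still need the update' >&2
```

Run it on the RaQ as root so rpm can be queried; a kernel line showing 2.2.16C24III below 2.2.16C25 is the case the thread describes, where the earlier kernel package is installed but the fixed one is not.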