
Entercept Security Advisory/SEA SNMP - Buffer Overflow and Format String Vulnerabilities in Sun Solaris Discovered by Entercept Security.

Business Editors and High Tech Writers

SAN JOSE, Calif.--(BUSINESS WIRE)--June 4, 2002

Entercept Security Technologies


Scope: An unchecked buffer in a component of Sun's Solaris Operating
System can be overrun and remotely exploited, allowing an attacker to
execute arbitrary code with root privileges. There is also a format
string vulnerability in the same component that can cause the same
damage.

Both of these vulnerabilities exist in the SNMP components snmpdx and
mibiisa, which are installed by default with the Solaris Operating
System. Exploiting these vulnerabilities would give an attacker
complete control of the attacked server.

Versions Affected: SunOS 5.8, 5.8_x86, 5.7, 5.7_x86, 5.6, 5.6_x86

The vulnerabilities were discovered by Sinan Eren of Entercept's
Ricochet Team. Entercept Security Technologies worked closely with the
Sun Security team while they developed a patch.

For additional details, read Sun's Security Bulletin #00219:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/219&type=0&nav=sec.sbl&ttl=sec.sbl
(Due to the length of this URL, it may be necessary to copy and paste
this hyperlink into your Internet browser's URL address field.)

What is a Buffer Overflow Exploit?

Most application programs have fixed-size buffers that hold data. If
an attacker sends too much data into one of these buffers and the
program does not check the size of the data, the buffer overflows. The
server may then execute the data that 'overflowed' as if it were a
program. If the exploitable buffer exists in a privileged process, a
malicious program could then take full control of the server and do
any number of things, including executing commands on the victim
machine, stealing passwords or other confidential information,
altering system configurations and/or installing backdoors.

What is a Format String Exploit?

A format string vulnerability exists if a user can manipulate the
format specification passed to a basic C function such as printf,
fprintf, or sprintf. Format string vulnerabilities represent a
significant threat for servers and commercial applications. Format
string vulnerabilities can be used to locally or remotely execute
arbitrary code on a system.
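
The two flaw classes described above, shown next to their corrected forms. This is an added example, not code from Sun, Entercept or the affected SNMP components; the handler, its function names and the 32-byte field size are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 32   /* hypothetical fixed-size buffer, as in the text above */

#ifdef SHOW_UNSAFE      /* the two flawed patterns; not compiled by default */
static void unsafe_handle(const char *input)
{
    char field[FIELD_SIZE];
    strcpy(field, input);   /* no size check: long input overruns field */
    printf(field);          /* input is used as the format specification */
}
#endif

/* Copy src_len bytes of untrusted data into dst, rejecting oversize input
 * instead of overflowing. Returns 0 on success, -1 if it does not fit. */
int copy_field(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0 || src_len >= dst_size)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Build a log line with a constant format string. The untrusted text is only
 * an argument, so any '%' in it is copied literally. Returns 0 on success,
 * -1 if the line would not fit in out. */
int log_field(char *out, size_t out_size, const char *field)
{
    int n = snprintf(out, out_size, "request field=\"%s\"", field);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Hardened counterpart of unsafe_handle(). */
int safe_handle(const char *input, size_t input_len, char *log, size_t log_size)
{
    char field[FIELD_SIZE];
    if (copy_field(field, sizeof field, input, input_len) != 0)
        return -1;          /* oversize request is dropped */
    return log_field(log, log_size, field);
}

int main(void)
{
    char log[128];
    const char *sample = "100%x%s";   /* constructed sample input */
    if (safe_handle(sample, strlen(sample), log, sizeof log) == 0)
        puts(log);
    return 0;
}
```
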

The manufacturer's patch for these vulnerabilities is available and
can be downloaded on their Web site:
http://sunsolve.sun.com/securitypatch

Entercept's(TM) Protection

Entercept's(TM) patented protection against buffer overflow and format
string exploits prevents the execution of arbitrary code as a result
of a buffer overflow or a format string attack. Entercept would
prevent attack code from being executed as a result of a buffer
overrun or format string condition due to these vulnerabilities,
protecting the integrity of the server. Additionally, it is important
to note that Entercept provides this protection without any signature
or code updates.

How Entercept's Protection Works:

Entercept examines system calls before the OS executes them.
Entercept's patented protection can determine whether the code to be
executed came from a regular application program or from an overflowed
buffer. If the code came from a writable buffer, Entercept blocks it.
If it came from a regular application, Entercept allows it to be
executed.

Recommendations:

In order to best counter this threat, Entercept recommends following
its Security Best Practices, including:

1. Install Sun's SNMP Server patch(es) as appropriate

2. Deploy Entercept on all critical Solaris servers. This will prevent
the buffer overflow or format string attacks from being exploited, and
protect the systems' integrity.

DISCLAIMER STATEMENT: The information in this bulletin is provided by
Entercept Security Technologies, Inc. ("Entercept") and is intended to
provide information on a particular security issue or incident. Given
that each exploitation technique is unique, Entercept makes no claim
to prevent any specific exploit related to the vulnerability discussed
in this bulletin. Entercept expressly disclaims any and all warranties
with respect to the information provided in this bulletin, express or
implied or otherwise, including, but not limited to, warranty of
fitness for a particular purpose. Under no circumstances may this
information be used to exploit vulnerabilities in any other
environment.

About Entercept Security Technologies

Entercept Security Technologies is the proven leader in intrusion
prevention software. Based on patented technology, Entercept
safeguards the entire server by preventing known and unknown malicious
attacks. Unlike other security solutions, Entercept uses a combination
of behavioral rules and signatures to proactively prevent attacks
rather than merely detecting and reporting them after they occur.
Strategic partners include Cisco, Check Point, Foundstone and other
leading companies. Entercept has received numerous awards and industry
recognition, including Network Magazine's 2001 & 2002 Product of the
Year, Fortune Small Business Magazine's '65 Big Ideas List', SC
Magazine's 'Best Pick of the Year 2000 and 2001', InfoWorld magazine's
'Business Impact of the Year Award', and InfoWorld magazine's Readers
Choice 'Security Product of the Year'. www.entercept.com

The information provided is identified, assessed and measured by
the Entercept Ricochet(TM) security research team, a leading group of
security experts dedicated to collecting and evaluating intelligence
against server threats.

About Entercept Ricochet (TM)

Entercept's Ricochet Team is a specialized group of security
researchers dedicated to identifying, assessing, and evaluating
intelligence regarding server threats. The Ricochet Team researches
current and future avenues of attack and builds this knowledge into
Entercept's intrusion prevention solution. Ricochet is dedicated to
providing critical, viable security content via security advisories
and technical briefs. This content is designed to educate
organizations and security professionals about the nature and severity
of Internet security threats, vulnerabilities and exploits.

Note to Editors: Entercept and the Entercept logo are trademarks of
Entercept Security Technologies. All other trademarks, trade names or
service marks are the property of their respective owners.
COPYRIGHT 2002 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Publication:Business Wire
Date:Jun 4, 2002