topic Re: ISS sysscan in Operating System - HP-UX

ISS sysscan

Donald Kok — Wed, 24 Apr 2002 08:31:10 GMT

Hi, ISS security scanner gives the 3 following advises. Does anyone know what they mean. if it really are security breaches, and last but not least how to solve them???
Thanks in Advance,
Donald

Check
Risk level
Brief description

ipcs-msg
Medium
Message queue grants world read/write permissions

Description Message queues allow co-operating processes to communicate. If a message queue permits uncontrolled reading and/or writing, then unauthorized users may be able to read data and disrupt or manipulate processes using the shared memory.

Consequences Unauthorized users may be able to access the shared memory.

Remedy Amend the access granted to be only to the users/groups of the processes using the message queue.

Vulnerability detail

Output from '/usr/bin/ipcs -q':
T ID KEY MODE OWNER GROUP
q 0 0x3c1c0465 -Rrw--w--w- root root
q 1 0x3e1c0465 --rw-r--r-- root root

Check
Risk level
Brief description

ipcs-sem
Medium
Semaphore grants world alter permissions

Description Semaphores are used to control access to shared memory segments. If a semaphore permits uncontrolled alteration, then unauthorized users may be able to disrupt or manipulate processes using the shared memory. This check determines if a semaphore grants 'alter' permission to all users.

Consequences Unauthorized users may be able to disrupt or manipulate processes using the shared memory.

Remedy Change the access so that it is only granted to the users/groups of the processes using the shared memory segment controlled by the semaphore.

Vulnerability detail

Output from '/usr/bin/ipcs -s':
T ID KEY MODE OWNER GROUP
s 0 0x411c0611 --ra-ra-ra- root root
s 1 0x4e0c0002 --ra-ra-ra- root root
s 2 0x412003c0 --ra-ra-ra- root root
s 6 0x61200cbf --ra-ra-ra- root root
s 7 0x73200cbf --ra-ra-ra- root root
s 8 0x70200cbf --ra-ra-ra- root root
s 9 0x69200cbf --ra-ra-ra- root root
s 10 0x75200cbf --ra-ra-ra- root root
s 11 0x63200cbf --ra-ra-ra- root root
s 12 0x64200cbf --ra-ra-ra- root root
s 13 0x66200cbf --ra-ra-ra- root root
s 14 0x6c200cbf --ra-ra-ra- root root
s 15 0x6d200cbf --ra-ra-ra- root root
s 16 0x6f200cbf --ra-ra-ra- root root
s 18 0x73181009 --ra-ra-ra- root root
s 20 0x410c09c1 --ra-ra-ra- root root
s 22 0x52200cbf --ra-ra-ra- root root
s 23 0x00280269 --ra-ra-ra- root root

Check
Risk level
Brief description

ipcs-shm
Medium
Shared memory segment grants world read/write permissions

Description Shared memory segments allow co-operating processes to communicate. If a memory segment permits uncontrolled reading and/or writing, then unauthorized users may be able to read data and disrupt or manipulate processes using the shared memory. This check determines if the shared memory segment grants read or write permissions to all users.

Consequences Unauthorized users may be able to read data, disrupt, or manipulate processes using the shared memory.

Remedy Access should only be granted to the users/groups of the processes using the shared memory segment.

Vulnerability detail

Output from '/usr/bin/ipcs -m':
T ID KEY MODE OWNER GROUP
m 0 0x411c0611 --rw-rw-rw- root root
m 1 0x4e0c0002 --rw-rw-rw- root root
m 2 0x412003c0 --rw-rw-rw- root root
m 4 0x06347849 --rw-rw-rw- root root
m 405 0xffffffff --rw-r--rw- root root
m 7 0x6d181009 --rw-rw-rw- root root
m 2414 0x00280267 --rw-r--r-- root root

Re: ISS sysscan

Steven Sim Kok Leong — Wed, 24 Apr 2002 09:00:34 GMT

Hi,

The following link explains how shmget() sets the permissions via the shmflg parameter:

http://www.ecst.csuchico.edu/~beej/guide/ipc/shmem.html

Extracted here for your convenience:

Creating the segment and connecting
Similarly to other forms of System V IPC, a shared memory segment is created and connected to via the shmget() call:

int shmget(key_t key, size_t size, int shmflg);

Upon successful completion, shmget() returns an identifier for the shared memory segment. The key argument should be created the same was as shown in the Message Queues document, using ftok(). The next argument, size, is the size in bytes of the shared memory segment. Finally, the shmflg should be set to the permissions of the segment bitwise-ORd with IPC_CREAT if you want to create the segment, but can be 0 otherwise. (It doesn't hurt to specify IPC_CREAT every time--it will simply connect you if the segment already exists.)

It is an internal system call that you might have to deal with specifically in your database application. I am not aware of any OS command that can manipulate the permissions of a shared memory segment, semaphore or message queue.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: ISS sysscan

Steve Bonds — Thu, 25 Apr 2002 22:46:50 GMT

----
Hi, ISS security scanner gives the 3 following advises. Does anyone know what they mean. if it really are security breaches, and last but not least how to solve them???
----

1) They mean that local processes might be able to write to the shared memory/message queue areas. Remote processes cannot.

2) They are not security breaches.

3) You can solve them by contacting HP to have them change the internal applications using those shared resources.

What people do in practice:

4) Realize that ISS is going to be overly verbose in its error checking, and ignore the messages.

In fact, if these are the only warnings ISS generates on your system, you're doing very well at securing them! (Or someone has already gone through and suppressed all the other "false" messages ISS coughs up.)

-- Steve

Re: ISS sysscan

Donald Kok — Fri, 26 Apr 2002 05:48:22 GMT

Hi Steve,

thanks for the reply. The 3 messages are definitive NOT the only messages from ISS. They are the only ones i did not have clue what ISS meant.

I think I leave it like it is.

Greetzz
Donald

Re: ISS sysscan

Donald Kok — Fri, 26 Apr 2002 06:53:38 GMT

By the way,
does the messages have anything to do with a danger for rootkits? The other day I read about rootkits that can write directly to /dev/kmem.