The kernel of Solaris contains a vulnerability in the code that handles SIOCSIPMSFILTER IOCTL requests. Exploitation of this vulnerability can result in denial of service or code execution.
ac9535e16712200d7f4ac8d1379c6267b56ebaf05711bd7abf525f34a2043f72
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Advisory: Sun Solaris SIOCSIPMSFILTER Kernel Integer Overflow
Advisory ID: TKADV2008-003
Revision: 1.0
Release Date: 2008/06/13
Last Modified: 2008/06/13
Date Reported: 2007/08/20
Author: Tobias Klein (tk at trapkit.de)
Affected Software: Solaris 10 without patch 137111-01 (SPARC)
Solaris 10 without patch 137112-01 (x86)
OpenSolaris based upon builds <= snv_91
(SPARC, x86)
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.sun.com
Vendor Status: Vendor has released an updated version
Patch development time: 298 days
======================
Vulnerability details:
======================
The kernel of Solaris contains a vulnerability in the code that handles
SIOCSIPMSFILTER IOCTL requests. Exploitation of this vulnerability can
result in:
1) local denial of service attacks (system crash due to a kernel panic), or
[ As all Solaris Zones (Containers) share the same kernel it is possible
to crash the whole system (all Zones) even if the vulnerability is
triggered in an unprivileged non-global zone. ]
2) local execution of arbitrary code at the kernel level (complete system
compromise)
[ As all Solaris Zones (Containers) share the same kernel it is possible
to escape from unprivileged non-global zones and compromise other non-
global zones or the global zone. ]
The issue can be triggered by sending a specially crafted IOCTL request.
======================
Technical description:
======================
The following source code references are based on the kernel source code
available from http://www.opensolaris.org.
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/
inet/ip/ip_multi.c:
static int
ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
struct ip_msfilter *imsf, ipaddr_t grp, ipif_t *ipif,
boolean_t isv4mapped)
{
[...]
int i, err, insrcs, infmode, new_fmode; <-- [1]
[...]
insrcs = imsf->imsf_numsrc; <-- [2]
[...]
/* Make sure we can handle the source list */
if (insrcs > MAX_FILTER_SIZE) <-- [3]
return (ENOBUFS);
[...]
fp->sl_numsrc = insrcs; <-- [4]
ilg->ilg_filter = fp; <-- [5]
[...]
l_copy(ilg->ilg_filter, new_filter); <-- [6]
[...]
At [2] the user supplied value of "imsf->imsf_numsrc" gets assigned to
"insrcs". The "imsf->imsf_numsrc" variable is of the type unsigned int
(see [7] below) and "insrcs" is of the type signed int (see [1]). If
the user supplied value of "imsf->imsf_numsrc" is a large integer
"insrcs" gets a negative value.
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/
netinet/in.h:
struct ip_msfilter {
struct in_addr imsf_multiaddr;
struct in_addr imsf_interface;
uint32_t imsf_fmode;
uint32_t imsf_numsrc; <-- [7]
struct in_addr imsf_slist[1];
};
If "insrcs" is negative the check at [3] can be bypassed. Later on the user
supplied data is used as a value for "ilg->ilg_filter" (see [4] and [5]).
This "ilg->ilg_filter" value is then used as an argument for "l_copy" (see
[6]). This leads to a kernel memory corruption vulnerability because of an
out-of-bounds write in "l_copy".
=========
Solution:
=========
This issue is addressed in the following patch releases from Sun:
SPARC Platform
- Solaris 10 with patch 137111-01 or later
- OpenSolaris based upon builds snv_92 or later
x86 Platform
- Solaris 10 with patch 137112-01 or later
- OpenSolaris based upon builds snv_92 or later
========
History:
========
2007/08/20 - Vendor notified
2007/08/27 - Vendor notified a 2nd time
2007/08/27 - Vendor confirms the vulnerability
2008/05/21 - Vendor status update
2008/05/26 - Request for more information
2008/05/26 - Vendor provides the information
2008/06/12 - SunAlert and patches released by Sun
2008/06/13 - Full technical details released to general public
========
Credits:
========
Vulnerability found and advisory written by Tobias Klein.
===========
References:
===========
[1] http://sunsolve.sun.com/search/document.do?assetkey=1-26-237965-1
[2] http://www.trapkit.de/advisories/TKADV2008-003.txt
========
Changes:
========
Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
===========
Disclaimer:
===========
The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
==================
PGP Signature Key:
==================
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc
Copyright 2008 Tobias Klein. All rights reserved.
-----BEGIN PGP SIGNATURE-----
wj8DBQFIUZ8okXxgcAIbhEERAhqEAKCTbIVOEzpwKKOXJBPKTrAqqbFFgACgxK4x
61jGcpBp/EhdbYp6Oe3mEHY=
=Xegh
-----END PGP SIGNATURE-----