what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TKADV2008-003.txt

TKADV2008-003.txt
Posted Jun 16, 2008
Authored by Tobias Klein | Site trapkit.de

The kernel of Solaris contains a vulnerability in the code that handles SIOCSIPMSFILTER IOCTL requests. Exploitation of this vulnerability can result in denial of service or code execution.

tags | advisory, denial of service, kernel, code execution
systems | solaris
SHA-256 | ac9535e16712200d7f4ac8d1379c6267b56ebaf05711bd7abf525f34a2043f72

TKADV2008-003.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: Sun Solaris SIOCSIPMSFILTER Kernel Integer Overflow
Advisory ID: TKADV2008-003
Revision: 1.0
Release Date: 2008/06/13
Last Modified: 2008/06/13
Date Reported: 2007/08/20
Author: Tobias Klein (tk at trapkit.de)
Affected Software: Solaris 10 without patch 137111-01 (SPARC)
Solaris 10 without patch 137112-01 (x86)
OpenSolaris based upon builds <= snv_91
(SPARC, x86)
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.sun.com
Vendor Status: Vendor has released an updated version
Patch development time: 298 days


======================
Vulnerability details:
======================

The kernel of Solaris contains a vulnerability in the code that handles
SIOCSIPMSFILTER IOCTL requests. Exploitation of this vulnerability can
result in:

1) local denial of service attacks (system crash due to a kernel panic), or

[ As all Solaris Zones (Containers) share the same kernel it is possible
to crash the whole system (all Zones) even if the vulnerability is
triggered in an unprivileged non-global zone. ]

2) local execution of arbitrary code at the kernel level (complete system
compromise)

[ As all Solaris Zones (Containers) share the same kernel it is possible
to escape from unprivileged non-global zones and compromise other non-
global zones or the global zone. ]

The issue can be triggered by sending a specially crafted IOCTL request.


======================
Technical description:
======================

The following source code references are based on the kernel source code
available from http://www.opensolaris.org.

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/
inet/ip/ip_multi.c:

static int
ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
struct ip_msfilter *imsf, ipaddr_t grp, ipif_t *ipif,
boolean_t isv4mapped)
{
[...]
int i, err, insrcs, infmode, new_fmode; <-- [1]
[...]
insrcs = imsf->imsf_numsrc; <-- [2]
[...]
/* Make sure we can handle the source list */
if (insrcs > MAX_FILTER_SIZE) <-- [3]
return (ENOBUFS);
[...]
fp->sl_numsrc = insrcs; <-- [4]
ilg->ilg_filter = fp; <-- [5]
[...]
l_copy(ilg->ilg_filter, new_filter); <-- [6]
[...]

At [2] the user supplied value of "imsf->imsf_numsrc" gets assigned to
"insrcs". The "imsf->imsf_numsrc" variable is of the type unsigned int
(see [7] below) and "insrcs" is of the type signed int (see [1]). If
the user supplied value of "imsf->imsf_numsrc" is a large integer
"insrcs" gets a negative value.

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/
netinet/in.h:

struct ip_msfilter {
struct in_addr imsf_multiaddr;
struct in_addr imsf_interface;
uint32_t imsf_fmode;
uint32_t imsf_numsrc; <-- [7]
struct in_addr imsf_slist[1];
};

If "insrcs" is negative the check at [3] can be bypassed. Later on the user
supplied data is used as a value for "ilg->ilg_filter" (see [4] and [5]).
This "ilg->ilg_filter" value is then used as an argument for "l_copy" (see
[6]). This leads to a kernel memory corruption vulnerability because of an
out-of-bounds write in "l_copy".


=========
Solution:
=========

This issue is addressed in the following patch releases from Sun:

SPARC Platform
- Solaris 10 with patch 137111-01 or later
- OpenSolaris based upon builds snv_92 or later

x86 Platform
- Solaris 10 with patch 137112-01 or later
- OpenSolaris based upon builds snv_92 or later


========
History:
========

2007/08/20 - Vendor notified
2007/08/27 - Vendor notified a 2nd time
2007/08/27 - Vendor confirms the vulnerability
2008/05/21 - Vendor status update
2008/05/26 - Request for more information
2008/05/26 - Vendor provides the information
2008/06/12 - SunAlert and patches released by Sun
2008/06/13 - Full technical details released to general public


========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.


===========
References:
===========

[1] http://sunsolve.sun.com/search/document.do?assetkey=1-26-237965-1
[2] http://www.trapkit.de/advisories/TKADV2008-003.txt


========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2008 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----

wj8DBQFIUZ8okXxgcAIbhEERAhqEAKCTbIVOEzpwKKOXJBPKTrAqqbFFgACgxK4x
61jGcpBp/EhdbYp6Oe3mEHY=
=Xegh
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close