http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SUN-sysinfo.c

--- labs-no-reply <labs-no-reply@xxxxxxxxxxxx> wrote:

> Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
>
> iDefense Security Advisory 07.20.06
> http://www.idefense.com/application/poi/display?type=vulnerabilities
> July 20, 2006
>
> I. BACKGROUND
>
> Solaris is a UNIX operating system developed by Sun Microsystems.
>
> II. DESCRIPTION
>
> Local exploitation of an integer overflow vulnerability in Sun
> Microsystems Inc. Solaris allows attackers to read kernel memory from a
> non-privileged userspace process.
>
> The vulnerability specifically exists due to an integer overflow in
> /usr/src/uts/common/syscall/systeminfo.c. The vulnerable code is as
> follows:
>
>     125         if (kstr != NULL) {
>     126                 if ((strcnt = strlen(kstr)) >= count) {
>     127                         getcnt = count - 1;
>     128                         if (subyte(buf + count - 1, 0) < 0)
>     129                                 return (set_errno(EFAULT));
>     130                 } else
>     131                         getcnt = strcnt + 1;
>     132                 if (copyout(kstr, buf, getcnt))
>     133                         return (set_errno(EFAULT));
>     134                 return (strcnt + 1);
>     135         }
>
> If the variable count (which is a value provided by the user invoking
> the function) is 0, the function will call the copyout function with a
> length argument of -1. Because copyout interprets the length argument as
> an unsigned integer, a large amount of data will be copied out to
> userspace, well beyond the boundaries that are intended.
>
> III. ANALYSIS
>
> Successful exploitation of this vulnerability allows attackers to read
> sensitive kernel memory. This can lead to the compromise of passwords or
> keys. It can also aid an attacker in gathering information for
> exploitation of other kernel level vulnerabilities.
>
> IV. DETECTION
>
> iDefense has confirmed that Solaris 10 is vulnerable. Earlier versions
> of Solaris are not affected.
>
> V. WORKAROUND
>
> iDefense is currently unaware of any workaround for this issue.
>
> VI. VENDOR RESPONSE
>
> Sun Alert ID 102343 addresses this issue and is available at:
>
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.
>
> VIII. DISCLOSURE TIMELINE
>
> 12/15/2005  Initial vendor notification
> 12/15/2005  Initial vendor response
> 07/20/2006  Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> Free tools, research and upcoming events
> http://labs.idefense.com
>
> X. LEGAL NOTICES
>
> Copyright © 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
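As an added example (not code from the advisory, from the exploit linked above, or from Sun's sources), here is a userland model of the quoted systeminfo.c logic: a mock copyout records the length it is asked for, so the test can see the -1 from count == 0 arrive as SIZE_MAX, alongside a guarded variant whose up-front count check is my assumption, not necessarily how Sun Alert 102343 fixed it.

```c
/* Userland model of the advisory's systeminfo.c excerpt (lines 125-134).
 * subyte()/set_errno() are reduced to the values they produce; copyout()
 * is mocked so the requested length can be inspected instead of copied. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Length the last (mock) copyout was asked for. The real kernel copyout
 * takes size_t, which is exactly why a negative int wraps to a huge value. */
size_t last_copyout_len;

static int mock_copyout(const char *kaddr, char *uaddr, size_t n)
{
    (void)kaddr; (void)uaddr;
    last_copyout_len = n;      /* record instead of copying */
    return 0;                  /* pretend the user buffer was writable */
}

/* Vulnerable logic: the subtraction happens before any sanity check on
 * count, so count == 0 yields getcnt == -1, which copyout sees as SIZE_MAX. */
long sysinfo_len_vuln(const char *kstr, char *buf, long count)
{
    long strcnt, getcnt;
    if (kstr == NULL)
        return -EINVAL;
    if ((strcnt = (long)strlen(kstr)) >= count)
        getcnt = count - 1;    /* count == 0  ->  getcnt == -1 */
    else
        getcnt = strcnt + 1;   /* whole string plus NUL fits in buf */
    if (mock_copyout(kstr, buf, (size_t)getcnt))   /* -1 -> SIZE_MAX here */
        return -EFAULT;
    return strcnt + 1;         /* sysinfo() returns the full length needed */
}

/* Hardened variant (assumed check, not Sun's published patch): refuse a
 * zero or negative count before the arithmetic can underflow. */
long sysinfo_len_fixed(const char *kstr, char *buf, long count)
{
    if (count <= 0)
        return -EINVAL;
    return sysinfo_len_vuln(kstr, buf, count);
}
```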