
Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability



http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SUN-sysinfo.c

--- labs-no-reply <labs-no-reply@xxxxxxxxxxxx> wrote:

> Sun Microsystems Solaris sysinfo() Kernel Memory
> Disclosure Vulnerability
> 
> iDefense Security Advisory 07.20.06
> http://www.idefense.com/application/poi/display?type=vulnerabilities
> July 20, 2006
> 
> I. BACKGROUND
> 
> Solaris is a UNIX operating system developed by Sun
> Microsystems.
> 
> II. DESCRIPTION
> 
> Local exploitation of an integer overflow
> vulnerability in Sun
> Microsystems Inc. Solaris allows attackers to read
> kernel memory from a
> non-privileged userspace process.
> 
> The vulnerability specifically exists due to an
> integer overflow in
> /usr/src/uts/common/syscall/systeminfo.c. The
> vulnerable code is as
> follows:
> 
> 125     if (kstr != NULL) {
> 126         if ((strcnt = strlen(kstr)) >= count) {
> 127             getcnt = count - 1;
> 128             if (subyte(buf + count - 1, 0) < 0)
> 129                 return (set_errno(EFAULT));
> 130         } else
> 131             getcnt = strcnt + 1;
> 132         if (copyout(kstr, buf, getcnt))
> 133             return (set_errno(EFAULT));
> 134         return (strcnt + 1);
> 135     }
> 
> 
> If the variable count (which is a value provided by
> the user invoking
> the function) is 0, the function will call the
> copyout function with a
> length argument of -1. Because copyout interprets
> the length argument as
> an unsigned integer, a large amount of data will be
> copied out to
> userspace, well beyond the boundaries that are
> intended.
> 
> III. ANALYSIS
> 
> Successful exploitation of this vulnerability allows
> attackers to read
> sensitive kernel memory. This can lead to the
> compromise of passwords or
> keys. It can also aid an attacker in gathering
> information for
> exploitation of other kernel level vulnerabilities.
> 
> IV. DETECTION
> 
> iDefense has confirmed that Solaris 10 is
> vulnerable. Earlier versions
> of Solaris are not affected.
> 
> V. WORKAROUND
> 
> iDefense is currently unaware of any workaround for
> this issue.
> 
> VI. VENDOR RESPONSE
> 
> Sun Alert ID 102343 addresses this issue and is
> available at:
> 
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
> 
> VII. CVE INFORMATION
> 
> A Mitre Corp. Common Vulnerabilities and Exposures
> (CVE) number has not
> been assigned yet.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 12/15/2005  Initial vendor notification
> 12/15/2005  Initial vendor response
> 07/20/2006  Coordinated public disclosure
> 
> IX. CREDIT
> 
> The discoverer of this vulnerability wishes to
> remain anonymous.
> 
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
> 
> Free tools, research and upcoming events
> http://labs.idefense.com
> 
> X. LEGAL NOTICES
> 
> Copyright © 2006 iDefense, Inc.
> 
> Permission is granted for the redistribution of this
> alert
> electronically. It may not be edited in any way
> without the express
> written consent of iDEFENSE. If you wish to reprint
> the whole or any
> part of this alert in any other medium other than
> electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is
> believed to be accurate
> at the time of publishing based on currently
> available information. Use
> of the information constitutes acceptance for use in
> an AS IS condition.
> There are no warranties with regard to this
> information. Neither the
> author nor the publisher accepts any liability for
> any direct, indirect,
> or consequential loss or damage arising from use of,
> or reliance on,
> this information.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia -
> http://secunia.com/
> 



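The following is an added userspace model of the length computation the advisory quotes from systeminfo.c; it is not the Solaris source, not the linked exploit, and not Sun's fix. It keeps `count` and `getcnt` as signed longs, converts the length to `size_t` at the point where copyout() would receive it (which is where -1 becomes SIZE_MAX), and replaces copyout() and subyte() with bounds-checked stand-ins so the oversized request is refused and reported as EFAULT rather than performed. Beside it sits a hardened variant that rejects a zero-length buffer up front. The `KSTR` value, the `user_buf` layout with its one-byte slack (where the quoted `subyte(buf + count - 1, 0)` store lands when `count` is 0), the `model_copyout` and `model_subyte` helpers, and the `count < 1` check in `sysinfo_checked` are all assumptions of this model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel string sysinfo() hands back
   (e.g. for SI_SYSNAME); it is not read from any real system. */
static const char *const KSTR = "SunOS";

/* Capacity of the constructed user buffer. */
#define USER_BUF_SIZE 16

/* One byte of slack sits in front of the buffer: with count == 0 the
   quoted subyte(buf + count - 1, 0) stores one byte before the caller's
   buffer, and the slack keeps that store inside this object. */
typedef struct {
    char slack;
    char data[USER_BUF_SIZE];
} user_buf;

typedef struct {
    long   ret;       /* value the call would return, -1 on error */
    int    err;       /* errno-style code when ret == -1 */
    size_t copy_len;  /* length that reached the copyout() model */
} sim_result;

/* Model of subyte(): stores one byte at byte offset off from the start of
   data[], where -1 addresses the slack byte. Anything outside the object
   is refused (reported as EFAULT by the caller). */
static int model_subyte(user_buf *ub, long off, char val)
{
    if (off < -1 || off >= USER_BUF_SIZE)
        return -1;
    ((char *)ub)[1 + off] = val;
    return 0;
}

/* Model of copyout(): the real routine trusts its length argument; this
   one refuses any copy larger than the destination, so the demonstration
   never copies out of bounds and the refusal surfaces as EFAULT. */
static int model_copyout(const char *src, char *dst, size_t dst_cap, size_t len)
{
    if (len > dst_cap)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* The length computation as quoted in the advisory (lines 125-134), with
   count and getcnt as signed longs. */
sim_result sysinfo_quoted(user_buf *ub, long count)
{
    sim_result r = { 0, 0, 0 };
    long strcnt, getcnt;

    if ((strcnt = (long)strlen(KSTR)) >= count) {
        getcnt = count - 1;                     /* count == 0 leaves getcnt == -1 */
        if (model_subyte(ub, count - 1, '\0') < 0) {  /* subyte(buf + count - 1, 0) */
            r.ret = -1; r.err = EFAULT; return r;
        }
    } else {
        getcnt = strcnt + 1;
    }
    r.copy_len = (size_t)getcnt;                /* the conversion copyout() performs */
    if (model_copyout(KSTR, ub->data, USER_BUF_SIZE, r.copy_len) < 0) {
        r.ret = -1; r.err = EFAULT; return r;
    }
    r.ret = strcnt + 1;                         /* sysinfo() reports the size needed */
    return r;
}

/* Hardened variant (an assumed fix, not Sun's published patch): a buffer
   that cannot hold even the terminating NUL is rejected before the
   subtraction that would otherwise wrap. */
sim_result sysinfo_checked(user_buf *ub, long count)
{
    sim_result r = { -1, EINVAL, 0 };
    if (count < 1)
        return r;
    return sysinfo_quoted(ub, count);
}

/* Single-field accessors so each outcome can be inspected on its own. */
size_t quoted_copy_len(long count) { user_buf ub = { 0 }; return sysinfo_quoted(&ub, count).copy_len; }
long   quoted_ret(long count)      { user_buf ub = { 0 }; return sysinfo_quoted(&ub, count).ret; }
int    quoted_err(long count)      { user_buf ub = { 0 }; return sysinfo_quoted(&ub, count).err; }
long   checked_ret(long count)     { user_buf ub = { 0 }; return sysinfo_checked(&ub, count).ret; }
int    checked_err(long count)     { user_buf ub = { 0 }; return sysinfo_checked(&ub, count).err; }

int main(void)
{
    const long counts[] = { 16, 3, 0 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        printf("count=%ld quoted: ret=%ld err=%d copy_len=%zu | checked: ret=%ld err=%d\n",
               counts[i], quoted_ret(counts[i]), quoted_err(counts[i]),
               quoted_copy_len(counts[i]), checked_ret(counts[i]), checked_err(counts[i]));
    }
    return 0;
}
```

Built with `cc -Wall` on a 64-bit host, the count=0 line reports a copy_len of 18446744073709551615 (SIZE_MAX) for the quoted logic and EINVAL from the checked variant; the count=3 line shows the truncation path (two bytes copied, return value still strcnt + 1), and count=16 the untruncated path.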