Bugtraq mailing list archives
Re: Solaris priocntl exploit - Sol8 patches available
From: Scott Howard <scott () doc net au>
Date: Sat, 28 Dec 2002 00:15:49 +1100
Patches are now available for Solaris 8 which resolve this bug. This issue is addressed in the following releases: SPARC * Solaris 8 with patch 108528-18 or later Intel * Solaris 8 with patch 108529-18 or later Both are available from http://sunsolve.sun.com/ for both contract and non-contract customers. Patches for Solaris 2.6, 7 and 9 will follow shortly. Further details are available in Sun Alert 49131, available at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49131 Scott On Wed, Nov 27, 2002 at 11:00:11AM +0800, ÝþÒãÁ? wrote:
** Moderator note: Messages with links to technical details outside of the message are not approved. Because of the potential delay waiting for another submission, the original message has been modified to include the details. Details follow: Solaris's Got Big problem on System Call priocntl() Description syscall priocntl(2) is used as process scheduler control it's declared as below: long priocntl(idtype_t idtype, id_t id, int cmd, /* arg */ ...); while set 'cmd' arg to PC_GETCID, priocntl()'s function is like below (see ManPage 'man -s 2 priocntl') "Get class ID and class attributes for a specific class given class name. The idtype and id arguments are ignored. If arg is non-null, it points to a structure of type pcinfo_t. The pc_clname buffer contains the name of the class whose attributes you are getting." as it said, pc_clname points to a string specify the module. priocntl() will load the module without any privilege check. The module's name is a relative path, priocntl will search the module file in only /kernel/sched and /usr/kernel/sched/ dirs. but unfortunately, priocntl() never check '../' in pc_clname arg we can use '../../../tmp/module' to make priocntl() load a module from anywhere
[..snip...]
Current thread:
- Re: Solaris priocntl exploit - Sol8 patches available Scott Howard (Dec 27)