Re: Immunity Advisory: Solaris local kernel root

[Casper Dik <casper () holland sun com>]

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Immunity Research has released an Advisory from the Vulnerability
> Sharing Club into the public domain. This advisory can be found at
> http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
>
> Technical Summary: There is a vulnerability in Solaris that allows
> local users to load kernel modules without being root. This is handy
> for getting around things like Argus Pitbull (if it still existed) or
> Okena or Entercept or anything like that, or simply for just taking
> root. An exploit for this was released as part of the Shellcoder's
> Handbook.
>
> There is a Solaris patch that appears to make this exploit ineffective.
> http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57479&zone_32=category%3Asecurity

I wonder why you even bother publishing this; at the time the document
claims to have been written, half the listed Solaris revisions had already
patches out for them; Solaris 10, which technically doesn't exist yet, had
the bug already fixed in its most recent Solaris Express builds.

But thanks for including the reference to the Sun Alert; that should 
prevent this from being to large a blip on the SunService radar screen.


Casper