oss-sec mailing list archives

CVE-2020-2656, CVE-2020-2696 - Multiple vulnerabilities in Oracle Solaris


From: Marco Ivaldi <marco.ivaldi () mediaservice net>
Date: Mon, 20 Jan 2020 10:35:26 +0000

Dear oss-security,

As suggested by Solar Designer, I’m cross-posting two recent advisories for the following vulnerabilities, fixed in 
Oracle's Critical Patch Update (CPU) of January 2020:

CVE-2020-2656 - Low impact information disclosure via Solaris xlock
"A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow 
local users to read partial contents of sensitive files. Due to the fact that target files must be in a very specific 
format, exploitation of this flaw to escalate privileges in a realistic scenario is unlikely."

CVE-2020-2696 - Local privilege escalation via CDE dtsession
"A buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and 
earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges 
via a long palette name passed to dtsession in a malicious .Xdefaults file."

Please find the advisories attached to this email.

For further details and some background information on my recent vulnerability research project focused on Oracle 
Solaris, please refer to:
https://techblog.mediaservice.net/2020/01/local-privilege-escalation-via-cde-dtsession/
https://techblog.mediaservice.net/2019/10/local-privilege-escalation-on-solaris-11-x-via-xscreensaver/
https://techblog.mediaservice.net/2019/05/raptor-at-infiltrate-2019/

Regards,

-- 
Marco Ivaldi, Offensive Security Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
https://www.mediaservice.net/
Tel: +39 011 19016595 | Fax: +39 011 3246497

Attachment: 2020-01-solaris-xlock.txt
Description: 2020-01-solaris-xlock.txt

Attachment: 2020-02-cde-dtsession.txt
Description: 2020-02-cde-dtsession.txt
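The second advisory summary above describes the classic shape of CVE-2020-2696: a value that an unprivileged user controls through ~/.Xdefaults ends up copied into a fixed-size stack buffer inside a setuid-root program. The following C program is an added editor's illustration of that bug class, not code from the advisory, from CDE, or from dtsession; the resource name `Dtsession*palette`, the buffer size `PALETTE_MAX`, the function names and the two sample .Xdefaults files are all constructed for the example. It shows the unbounded copy next to a bounded version that refuses over-long values instead of truncating them silently.

```c
/* Added illustration of the bug class behind CVE-2020-2696, not dtsession's
 * source: an X resource value an unprivileged user controls via ~/.Xdefaults
 * is copied into a fixed-size stack buffer inside a setuid-root program.
 * The resource name, buffer size and sample file contents are all made up. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PALETTE_MAX 32                   /* hypothetical fixed buffer size   */
#define PALETTE_KEY "Dtsession*palette"  /* stand-in key, not CDE's real one */

/* Constructed ~/.Xdefaults contents: a benign file and an attacker's file
 * whose palette value (80 bytes) is far longer than PALETTE_MAX. */
static const char benign_xdefaults[] =
    "Dtsession*palette: Default\n"
    "Dtsession*saveOnExit: True\n";

static const char malicious_xdefaults[] =
    "Dtsession*saveOnExit: True\n"
    "Dtsession*palette: "
    "AAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAA" "\n";

/* Minimal resource lookup: find "key:" at the start of a line, skip blanks,
 * return a pointer to the value and store its length. NULL when absent. */
const char *lookup_resource(const char *db, const char *key, size_t *vlen)
{
    size_t klen = strlen(key);
    for (const char *line = db; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > klen && strncmp(line, key, klen) == 0 && line[klen] == ':') {
            const char *v = line + klen + 1;
            while (v < line + llen && (*v == ' ' || *v == '\t'))
                v++;
            *vlen = (size_t)(line + llen - v);
            return v;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return NULL;
}

/* Vulnerable shape: the value length is never compared to the buffer, so a
 * value of PALETTE_MAX bytes or more overruns the stack. It is only ever
 * called with the benign input here; it exists to show what is missing. */
int check_monitor_unsafe(const char *value, size_t vlen)
{
    char palette[PALETTE_MAX];
    memcpy(palette, value, vlen);        /* no bound check against sizeof palette */
    palette[vlen] = '\0';
    return (int)strlen(palette);
}

/* Hardened shape: reject anything that does not fit, including the NUL. */
int check_monitor_checked(const char *value, size_t vlen,
                          char *out, size_t outsz)
{
    if (value == NULL || vlen >= outsz)
        return -1;                       /* too long: refuse, do not truncate silently */
    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Length of the palette value in a resource db, or 0 when absent. */
size_t palette_value_length(const char *db)
{
    size_t vlen = 0;
    return lookup_resource(db, PALETTE_KEY, &vlen) ? vlen : 0;
}

int main(void)
{
    char palette[PALETTE_MAX];
    size_t vlen = 0;
    const char *v;

    v = lookup_resource(benign_xdefaults, PALETTE_KEY, &vlen);
    printf("benign value length %zu, unsafe copy returns %d\n",
           vlen, check_monitor_unsafe(v, vlen));

    v = lookup_resource(malicious_xdefaults, PALETTE_KEY, &vlen);
    printf("malicious value length %zu (buffer is %d): checked copy returns %d\n",
           vlen, PALETTE_MAX,
           check_monitor_checked(v, vlen, palette, sizeof palette));
    return 0;
}
```

The point of the checked variant is that the caller, not the copy routine, sizes the destination, and that an over-long value is an error rather than something to be trimmed; in a setuid program the rejected value came from a file the invoking user wrote, so failing closed costs nothing.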
