[UNIX] Sun Microsystems Solaris FIFO FS Information Disclosure Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Sun Microsystems Solaris FIFO FS Information Disclosure Vulnerability
------------------------------------------------------------------------


SUMMARY

Solaris (http://www.sun.com/software/solaris/) is a UNIX operating system
developed by Sun Microsystems. Local exploitation of an integer signedness
error in Sun Microsystems' Solaris could allow attackers to disclose
sensitive information from memory.

DETAILS

Vulnerable Systems:
* Solaris version 10 on x86 and SPARC (It is suspected that earlier
versions are also affected)

The FIFO FS (First In First Out File System) is a service provided by the
kernel that is commonly used for IPC (InterProcess Communication). A FIFO
is represented as a node in the file system, and is similar to the concept
of named pipes in Windows.

The vulnerability exists in the kernel ioctl() handler for FIFOs. The
I_PEEK ioctl is used to peek at a number of bytes contained in the FIFO
without actually removing them from the queue. One of the arguments to
this command, which represents the number of bytes to peek, is a signed
integer value. Since this parameter is not properly validated, a negative
value can cause large amounts of kernel memory contents to be disclosed.
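
The signedness pattern described above, as an added example (not Solaris kernel source and not from the advisory): a user-space C model that computes the length a flawed upper-bound-only check passes on for a negative request, next to a check that rejects it. The names peek_req, peek_len_unchecked and peek_checked are hypothetical, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a peek request; not the Solaris structure. */
struct peek_req {
    int   maxlen;  /* bytes the caller asks to peek: signed, caller-controlled */
    char *buf;     /* destination buffer, at least maxlen bytes */
};

/* Flawed pattern: only the upper bound is checked, in signed arithmetic.
 * Returns the length a copy routine taking size_t would then receive. */
size_t peek_len_unchecked(const struct peek_req *r, int queued)
{
    int n = r->maxlen;
    if (n > queued)      /* -1 > 16 is false, so a negative n is not clamped */
        n = queued;
    return (size_t)n;    /* -1 converts to the largest size_t value */
}

/* Hardened pattern: reject negative lengths first, then clamp to queued data.
 * Returns the number of bytes copied, or -1 for an invalid request. */
int peek_checked(const struct peek_req *r, const char *q, size_t queued)
{
    if (r->maxlen < 0 || r->buf == NULL)
        return -1;
    size_t n = (size_t)r->maxlen;
    if (n > queued)
        n = queued;
    memcpy(r->buf, q, n);
    return (int)n;
}

int main(void)
{
    const char queue[] = "constructed data";   /* constructed sample input */
    size_t queued = strlen(queue);              /* 16 bytes "in the FIFO" */
    char out[32];
    struct peek_req neg = { -1, out }, ok = { 4, out };

    printf("unchecked, maxlen=-1: copy length %zu\n",
           peek_len_unchecked(&neg, (int)queued));
    printf("checked,   maxlen=-1: %d\n", peek_checked(&neg, queue, queued));
    printf("checked,   maxlen=4:  %d\n", peek_checked(&ok, queue, queued));
    return 0;
}
```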

Exploitation allows an attacker to view potentially sensitive information
belonging to the kernel or other users. For example, the root password
hash or encryption keys might be disclosed.

Vendor Status:
Sun has addressed this vulnerability by releasing patches. For more
information, consult Sun Alert 103061:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103061-1

Disclosure Timeline:
* 02/13/2007 - Initial vendor notification
* 02/15/2007 - Initial vendor response
* 10/02/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=603


