Re: Solaris priocntl exploit

From: Casper *** (Casper.***@Sun.COM)
Date: 11/28/02

To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Date: Thu, 28 Nov 2002 01:26:40 +0100
From: Casper *** <Casper.***@Sun.COM>

>
>>The module's name is a relative path, priocntl will search the module file
>>in only /kernel/sched and /usr/kernel/sched/ dirs.
>>but unfortunately, priocntl() never checks '../' in pc_clname arg
>>we can use '../../../tmp/module' to make priocntl() load a module from anywhere
>
>
>The "pc_clname[]" argument is limited in size; to prevent this particular
>bug from being exploited you could:
>
>
> for dir in /kernel /usr/kernel
> do
> cd $dir
> mkdir -p a/b/c/d/e/f/g/h
> mv sched a/b/c/d/e/f/g/h
> ln -s a/b/c/d/e/f/g/h/sched .
> done

Just a small amendment; the code also doesn't add a trailing NUL to the
pathname copied from user space, so we actually need to take care
about the rest of the size of the structure. (16 + 32 bytes; i.e.,
16 levels of ../)

So this should really keep the bad kernel module out:

    for dir in /kernel /usr/kernel
    do
        cd $dir
        mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
        mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
        ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
    done

Casper
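A check for the workaround above, added here as an example and not part of Casper's message: it reads the symlink each directory now carries and reports whether sched has been pushed down at least the 16 levels the post calls for. The demo tree it builds under mktemp stands in for /kernel and /usr/kernel; readlink is assumed to be available.

```shell
#!/bin/sh
# Added check, not from the original post: verify that DIR/sched has been
# relocated deep enough that 16 "../" components cannot climb out of DIR.
# Assumption (taken from the post): pc_clname leaves room for at most 16 "../".
MAX_DOTDOT=16

# sched_levels DIR: print how many directory levels DIR/sched was pushed down,
# i.e. the component count of the relative symlink target minus the final "sched".
# Prints 0 when DIR/sched is a plain directory or an absolute/".." symlink target
# (those layouts are not the one being verified).
sched_levels() {
    link="$1/sched"
    if [ ! -L "$link" ]; then echo 0; return 0; fi
    target=$(readlink "$link")
    case "$target" in
        /*|*..*) echo 0; return 0 ;;
    esac
    # count non-empty, non-"." components and drop the trailing "sched"
    echo "$target" | awk -F/ '{ n = 0; for (i = 1; i <= NF; i++) if ($i != "" && $i != ".") n++; print (n > 0 ? n - 1 : 0) }'
}

# sched_is_safe DIR: exit 0 when MAX_DOTDOT "../" steps from the real sched
# directory still land inside DIR, exit 1 otherwise.
sched_is_safe() {
    [ "$(sched_levels "$1")" -ge "$MAX_DOTDOT" ]
}

# Constructed demo tree standing in for /kernel and /usr/kernel.
demo=$(mktemp -d)
mkdir -p "$demo/short/a/b/c/d/e/f/g/h/sched"                 # the first, 8-level proposal
ln -s a/b/c/d/e/f/g/h/sched "$demo/short/sched"
mkdir -p "$demo/deep/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched"  # Casper's 16-level layout
ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched "$demo/deep/sched"
for d in "$demo/short" "$demo/deep"; do
    if sched_is_safe "$d"; then
        echo "$d: sched pushed down $(sched_levels "$d") levels, ok"
    else
        echo "$d: sched pushed down only $(sched_levels "$d") levels, NOT enough"
    fi
done
rm -rf "$demo"
```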
