re: Solaris priocntl exploit

From: Jeff Damens (jdamens@ebbets.poly.edu)
Date: 11/28/02

    Date: Wed, 27 Nov 2002 18:12:38 -0500 (EST)
    From: Jeff Damens <jdamens@ebbets.poly.edu>
    To: bugtraq@securityfocus.com
    
    

    > Solaris has a big problem with the system call priocntl()
    > syscall priocntl(2) is used as the process scheduler control
    > ...
    > as it said, pc_clname points to a string specifying the module.
    > priocntl() will load the module without any privilege check.
    > The module's name is a relative path; priocntl will search for the module file
    > only in the /kernel/sched and /usr/kernel/sched/ dirs,
    > but unfortunately, priocntl() never checks for '../' in the pc_clname arg

    The supplied exploits definitely work (with a little fiddling) on a
    patched Solaris 7 system running a 32-bit kernel.

    The following will disable the offending syscall (priocntl) entirely;
    this does break nice/renice and the priocntl command.

            # Pick the sysent offset of the priocntl entry by the kernel's
            # native address size, then overwrite the live syscall table so
            # that entry points at nosys.
            b=`isainfo -b`
            if [ "$b" = 32 ]; then
                # 32-bit kernel: a single sysent table
                echo 'sysent+0x70c/W nosys' | adb -k -w /dev/ksyms /dev/mem
            elif [ "$b" = 64 ]; then
                # 64-bit kernel: patch both the native table and the
                # 32-bit compatibility table (sysent32)
                echo 'sysent+0xe1c/W nosys' | adb -k -w /dev/ksyms /dev/mem
                echo 'sysent32+0xe1c/W nosys' | adb -k -w /dev/ksyms /dev/mem
            fi

    (Note that isainfo wasn't available before Solaris 7.)

    This has NOT been heavily tested; no warranty is expressed or
    implied.

    Happy Thanksgiving.

    Regards,

    Jeff Damens

    ----------------------------------------------------------------

    Jeff Damens Unix Systems Administrator
    Polytechnic University jdamens@poly.edu