Re: Solaris priocntl exploit - Sol8 patches available

From: Scott Howard (scott@doc.net.au)
Date: 12/27/02

  • Next message: Andreas Tscharner: "Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B)"
    Date: Sat, 28 Dec 2002 00:15:49 +1100
    From: Scott Howard <scott@doc.net.au>
    To: bugtraq@securityfocus.com
    
    

    Patches are now available for Solaris 8 which resolve this bug.

       This issue is addressed in the following releases:
       SPARC
         * Solaris 8 with patch 108528-18 or later

       Intel
         * Solaris 8 with patch 108529-18 or later

    Both are available from http://sunsolve.sun.com/ for both contract and
    non-contract customers.

    Patches for Solaris 2.6, 7 and 9 will follow shortly.

    Further details are available in Sun Alert 49131, available at
    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49131

      Scott

    On Wed, Nov 27, 2002 at 11:00:11AM +0800, ? wrote:
    > ** Moderator note:
    >
    > Messages with links to technical details outside of the message are not approved.
    > Because of the potential delay waiting for another submission, the original message
    > has been modified to include the details.
    >
    > Details follow:
    >
    > Solaris's Got Big problem on System Call priocntl()
    >
    > Description
    > syscall priocntl(2) is used as process scheduler control
    > it's declared as below:
    >
    > long priocntl(idtype_t idtype, id_t id, int cmd, /* arg */ ...);
    >
    > while set 'cmd' arg to PC_GETCID, priocntl()'s function is like below
    > (see ManPage 'man -s 2 priocntl')
    > "Get class ID and class attributes for a specific class
    > given class name. The idtype and id arguments are
    > ignored. If arg is non-null, it points to a structure
    > of type pcinfo_t. The pc_clname buffer contains the
    > name of the class whose attributes you are getting."
    >
    > as it said, pc_clname points to a string specify the module.
    > priocntl() will load the module without any privilege check.
    > The module's name is a relative path, priocntl will search the module file
    > in only /kernel/sched and /usr/kernel/sched/ dirs.
    > but unfortunately, priocntl() never check '../' in pc_clname arg
    > we can use '../../../tmp/module' to make priocntl() load a module from anywhere
    [..snip...]