SECOBJADV-2008-04: Symantec Veritas Storage Foundation Memory Disclosure Vulnerability
- From: Security Objectives Corporation <advisories@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 21 Oct 2008 08:29:14 -0700 (PDT)
======================================================================
= Security Objectives Advisory (SECOBJADV-2008-04) =
======================================================================
Veritas Storage Foundation Memory Disclosure Vulnerability
http://www.security-objectives.com/advisories/SECOBJSADV-2008-04.txt
AFFECTED: Veritas Storage Foundation 5.0
PLATFORM: Solaris, Linux, AIX, HP-UX
CLASSIFICATION: Sensitive Information Uncleared Before Release (CWE-226)
RESEARCHER: Derek Callaway
IMPACT: Data Leakage
SEVERITY: Low
DIFFICULTY: Trivial
REFERENCES: CVE-2008-3248, SYM08-018, BID 31678
BACKGROUND
Veritas Storage Foundation 5.0 from Symantec provides a complete solution for heterogeneous online storage management. Based on the industry-leading Veritas Volume Manager and Veritas File System, it provides a standard set of integrated tools to centrally manage explosive data growth, maximize storage hardware investments, provide data protection and adapt to changing business requirements.
SUMMARY
VxFS (VERITAS File System) is an extent based, journaling filesystem
included with Symantec's Storage Foundation Suite. It implements a
"Quick I/O for Databases" feature; the set-uid root program qiomkfile
manages special files that help to increase transaction processing
efficiency. Uninitialized chunks of memory are written to a hidden file
that qiomkfile creates at runtime. Depending on system activity prior
to invocation, the new file may contain sensitive information.
ANALYSIS
qiomkfile will write the unitialized data to a dot-file whose name is provided
as an argument. Varying the numeric values passed to qiomkfile on the command-line through the -s and -h flags will cause disparate chunks of file system memory to be written to the dot-file. According to C99, (7.20.3.3.2) "The malloc function allocates space for an object whose size is specified by size and whose value is indeterminate."
WORKAROUND
Remove the set-uid bit from the qiomkfile binary.
chmod u-s /opt/VRTS/bin/qiomkfile
VENDOR RESPONSE
Symantec included a fix for this problem in the recent maintenance release Veritas Software File System 5.0 MP3.
DISCLOSURE TIMELINE
30-May-2008 Discovery of Vulnerability
31-May-2008 Developed Proof-of-Concept
10-Jun-2008 Reported to Vendor
20-Oct-2008 Maintenance Release
21-Oct-2008 Published Advisory
ABOUT SECURITY OBJECTIVES
Security Objectives is a security centric consultancy and software development corporation which operates in the area of application assurance software. Security Objectives employs methods that are centered on software comprehension, therefore a more in-depth contextual understanding of the application is developed.
http://security-objectives.com/
LEGAL
Permission is granted for electronic distribution of this advisory.
It may not be edited without the written consent of Security Objectives.
The information contained in this advisory is believed to be accurate based on currently available information and is provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the information is with you.
- Prev by Date: Google Chrome OnbeforeUload and OnUnload Null Check Vulnerability.
- Next by Date: n.runs-SA-2008.008 - Internet Explorer HTML Object Memory Corruption and Remote Code Execution
- Previous by thread: Google Chrome OnbeforeUload and OnUnload Null Check Vulnerability.
- Next by thread: n.runs-SA-2008.008 - Internet Explorer HTML Object Memory Corruption and Remote Code Execution
- Index(es):
Relevant Pages
|
