I. BACKGROUND

Solaris is a UNIX operating system developed by Sun Microsystems.
II. DESCRIPTION

Local exploitation of an integer overflow vulnerability in Sun
Microsystems Inc. Solaris allows attackers to read kernel memory from a
non-privileged userspace process.

The vulnerability specifically exists due to an integer overflow in
/usr/src/uts/common/syscall/systeminfo.c. The vulnerable code is as
follows:
    if (kstr != NULL) {
        /* count is caller-supplied; for count == 0 this test is
         * always true and getcnt becomes -1 */
        if ((strcnt = strlen(kstr)) >= count) {
            getcnt = count - 1;
            if (subyte(buf + count - 1, 0) < 0)
                return (set_errno(EFAULT));
        } else
            getcnt = strcnt + 1;
        /* copyout takes its length as an unsigned value */
        if (copyout(kstr, buf, getcnt))
            return (set_errno(EFAULT));
        return (strcnt + 1);
    }

If the variable count (which is a value provided by the user invoking
the function) is 0, the function will call the copyout function with a
length argument of -1. Because copyout interprets the length argument as
an unsigned integer, a large amount of data will be copied out to
userspace, well beyond the intended boundaries of the string.
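The following is an added userspace model of the length arithmetic described above; it is not Solaris source and assumes count and strcnt are signed longs while copyout's length is an unsigned size_t. It shows the -1 turning into SIZE_MAX for count == 0, next to an assumed hardening check (not Sun's published fix) that refuses a non-positive count before any arithmetic.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the vulnerable length computation (added example, not Solaris
 * source). Assumes count/strcnt are signed long, as the advisory's arithmetic
 * implies. Returns the length as copyout() would see it: an unsigned size_t. */
size_t vulnerable_copyout_len(const char *kstr, long count)
{
    long strcnt = (long)strlen(kstr);
    long getcnt;

    if (strcnt >= count)        /* always true when count == 0 */
        getcnt = count - 1;     /* -1 when count == 0 */
    else
        getcnt = strcnt + 1;    /* string plus terminating NUL */

    return (size_t)getcnt;      /* -1 converts to SIZE_MAX */
}

/* Hardened variant (assumed mitigation, not Sun's published fix): reject a
 * non-positive count before the subtraction so getcnt can never go negative.
 * Returns the copyout length, or -EINVAL for a bad count. */
long hardened_copyout_len(const char *kstr, long count)
{
    long strcnt = (long)strlen(kstr);

    if (count <= 0)
        return -EINVAL;
    return (strcnt >= count) ? count - 1 : strcnt + 1;
}

int main(void)
{
    const char *kstr = "SunOS";   /* constructed stand-in for the kernel string */

    printf("count=64 -> copyout len %zu\n", vulnerable_copyout_len(kstr, 64));
    printf("count=0  -> copyout len %zu (SIZE_MAX=%zu)\n",
           vulnerable_copyout_len(kstr, 0), (size_t)SIZE_MAX);
    printf("hardened count=0 -> %ld (-EINVAL)\n", hardened_copyout_len(kstr, 0));
    return 0;
}
```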
III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to read
sensitive kernel memory. This can lead to the compromise of passwords or
keys. It can also aid an attacker in gathering information for
exploitation of other kernel level vulnerabilities.
IV. DETECTION

iDefense has confirmed that Solaris 10 is vulnerable. Earlier versions
of Solaris are not affected.
V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.
VI. VENDOR RESPONSE

Sun Alert ID 102343 addresses this issue and is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.
VIII. DISCLOSURE TIMELINE

12/15/2005  Initial vendor notification
12/15/2005  Initial vendor response
07/20/2006  Coordinated public disclosure
IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com
X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.