[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060721223458.30578.qmail@web27901.mail.ukl.yahoo.com>
Date: Fri, 21 Jul 2006 23:34:58 +0100 (BST)
From: Micheal Turner <wh1t3h4t3@...oo.co.uk>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SUN-sysinfo.c
--- labs-no-reply <labs-no-reply@...fense.com> wrote:
> Sun Microsystems Solaris sysinfo() Kernel Memory
> Disclosure Vulnerability
>
> iDefense Security Advisory 07.20.06
>
http://www.idefense.com/application/poi/display?type=vulnerabilities
> July 20, 2006
>
> I. BACKGROUND
>
> Solaris is a UNIX operating system developed by Sun
> Microsystems.
>
> II. DESCRIPTION
>
> Local exploitation of an integer overflow
> vulnerability in Sun
> Microsystems Inc. Solaris allows attackers to read
> kernel memory from a
> non-privileged userspace process.
>
> The vulnerability specifically exists due to an
> integer overflow in
> /usr/src/uts/common/syscall/systeminfo.c. The
> vulnerable code is as
> follows:
>
> 125 if (kstr != NULL) {
> 126 if ((strcnt = strlen(kstr)) >= count) {
> 127 getcnt = count - 1;
> 128 if (subyte(buf + count - 1, 0) < 0)
> 129 return (set_errno(EFAULT));
> 130 } else
> 131 getcnt = strcnt + 1;
> 132 if (copyout(kstr, buf, getcnt))
> 133 return (set_errno(EFAULT));
> 134 return (strcnt + 1);
> 135 }
>
>
> If the variable count (which is a value provided by
> the user invoking
> the function) is 0, the function will call the
> copyout function with a
> length argument of -1. Because copyout interprets
> the length argument as
> an unsigned integer, a large amount of data will be
> copied out to
> userspace, well beyond the boundaries that are
> intended.
>
> III. ANALYSIS
>
> Successful exploitation of this vulnerability allows
> attackers to read
> sensitive kernel memory. This can lead to the
> compromise of passwords or
> keys. It can also aid an attacker in gathering
> information for
> exploitation of other kernel level vulnerabilities.
>
> IV. DETECTION
>
> iDefense has confirmed that Solaris 10 is
> vulnerable. Earlier versions
> of Solaris are not affected.
>
> V. WORKAROUND
>
> iDefense is currently unaware of any workaround for
> this issue.
>
> VI. VENDOR RESPONSE
>
> Sun Alert ID 102343 addresses this issue and is
> available at:
>
>
>
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures
> (CVE) number has not
> been assigned yet.
>
> VIII. DISCLOSURE TIMELINE
>
> 12/15/2005 Initial vendor notification
> 12/15/2005 Initial vendor response
> 07/20/2006 Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to
> remain anonymous.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> Free tools, research and upcoming events
> http://labs.idefense.com
>
> X. LEGAL NOTICES
>
> Copyright © 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this
> alert
> electronically. It may not be edited in any way
> without the express
> written consent of iDEFENSE. If you wish to reprint
> the whole or any
> part of this alert in any other medium other than
> electronically, please
> email customerservice@...fense.com for permission.
>
> Disclaimer: The information in the advisory is
> believed to be accurate
> at the time of publishing based on currently
> available information. Use
> of the information constitutes acceptance for use in
> an AS IS condition.
> There are no warranties with regard to this
> information. Neither the
> author nor the publisher accepts any liability for
> any direct, indirect,
> or consequential loss or damage arising from use of,
> or reliance on,
> this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
>
http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia -
> http://secunia.com/
>
___________________________________________________________
The all-new Yahoo! Mail goes wherever you go - free your email address from your Internet provider. http://uk.docs.yahoo.com/nowyoucan.html
Powered by blists - more mailing lists