Message-ID: <20060724101017.32164.qmail@web27901.mail.ukl.yahoo.com>
Date: Mon, 24 Jul 2006 11:10:17 +0100 (BST)
From: Micheal Turner <wh1t3h4t3@...oo.co.uk>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org, full-disclosure@...ts.grok.org.uk
Subject: Re: Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
Exploit has been attached, as there were problems with the site hosting over the weekend.
--- Micheal Turner <wh1t3h4t3@...oo.co.uk> wrote:
> http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SUN-sysinfo.c
>
> --- labs-no-reply <labs-no-reply@...fense.com> wrote:
>
> > Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
> >
> > iDefense Security Advisory 07.20.06
> > http://www.idefense.com/application/poi/display?type=vulnerabilities
> > July 20, 2006
> >
> > I. BACKGROUND
> >
> > Solaris is a UNIX operating system developed by Sun Microsystems.
> >
> > II. DESCRIPTION
> >
> > Local exploitation of an integer overflow vulnerability in Sun
> > Microsystems Inc. Solaris allows attackers to read kernel memory from a
> > non-privileged userspace process.
> >
> > The vulnerability specifically exists due to an integer overflow in
> > /usr/src/uts/common/syscall/systeminfo.c. The vulnerable code is as
> > follows:
> >
> >     if (kstr != NULL) {
> >         if ((strcnt = strlen(kstr)) >= count) {
> >             getcnt = count - 1;
> >             if (subyte(buf + count - 1, 0) < 0)
> >                 return (set_errno(EFAULT));
> >         } else
> >             getcnt = strcnt + 1;
> >         if (copyout(kstr, buf, getcnt))
> >             return (set_errno(EFAULT));
> >         return (strcnt + 1);
> >     }
> >
> > If the variable count (which is a value provided by the user invoking
> > the function) is 0, the function will call the copyout function with a
> > length argument of -1. Because copyout interprets the length argument as
> > an unsigned integer, a large amount of data will be copied out to
> > userspace, well beyond the boundaries that are intended.
> >
> > III. ANALYSIS
> >
> > Successful exploitation of this vulnerability allows attackers to read
> > sensitive kernel memory. This can lead to the compromise of passwords or
> > keys. It can also aid an attacker in gathering information for
> > exploitation of other kernel level vulnerabilities.
> >
> > IV. DETECTION
> >
> > iDefense has confirmed that Solaris 10 is vulnerable. Earlier versions
> > of Solaris are not affected.
> >
> > V. WORKAROUND
> >
> > iDefense is currently unaware of any workaround for this issue.
> >
> > VI. VENDOR RESPONSE
> >
> > Sun Alert ID 102343 addresses this issue and is available at:
> >
> > http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
> >
> > VII. CVE INFORMATION
> >
> > A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> > been assigned yet.
> >
> > VIII. DISCLOSURE TIMELINE
> >
> > 12/15/2005 Initial vendor notification
> > 12/15/2005 Initial vendor response
> > 07/20/2006 Coordinated public disclosure
> >
> > IX. CREDIT
> >
> > The discoverer of this vulnerability wishes to remain anonymous.
> >
> > Get paid for vulnerability research
> > http://www.idefense.com/poi/teams/vcp.jsp
> >
> > Free tools, research and upcoming events
> > http://labs.idefense.com
> >
> > X. LEGAL NOTICES
> >
> > Copyright © 2006 iDefense, Inc.
> >
> > Permission is granted for the redistribution of this alert
> > electronically. It may not be edited in any way without the express
> > written consent of iDEFENSE. If you wish to reprint the whole or any
> > part of this alert in any other medium other than electronically, please
> > email customerservice@...fense.com for permission.
> >
> > Disclaimer: The information in the advisory is believed to be accurate
> > at the time of publishing based on currently available information. Use
> > of the information constitutes acceptance for use in an AS IS condition.
> > There are no warranties with regard to this information. Neither the
> > author nor the publisher accepts any liability for any direct, indirect,
> > or consequential loss or damage arising from use of, or reliance on,
> > this information.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
Attachment: "prdelka-vs-SUN-sysinfo.c" (text/x-csrc, 1426 bytes)
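The count == 0 case the quoted advisory describes, modelled in user space as an added example (not the Solaris kernel code, Sun's patch, or the attached exploit): the length computation from the excerpt beside a hardened variant that rejects a non-positive count, plus the bounds check a reviewer would apply. It assumes the kernel's count, strcnt and getcnt are long and that copyout() takes a size_t length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed user-space model of the length computation quoted from
 * Solaris systeminfo.c (not the kernel code itself). Assumed types:
 * count, strcnt and getcnt are long; copyout()'s length is size_t, so a
 * getcnt of -1 becomes SIZE_MAX at the call.
 */

/* Returns the length that would reach copyout() under the vulnerable logic. */
size_t sysinfo_copy_len_vulnerable(const char *kstr, long count)
{
    long strcnt, getcnt;

    if ((strcnt = (long)strlen(kstr)) >= count) {
        /* count == 0 always lands here (strcnt >= 0) and yields getcnt == -1 */
        getcnt = count - 1;
    } else {
        getcnt = strcnt + 1;
    }
    /* copyout(kstr, buf, getcnt): the signed -1 is converted to size_t here */
    return (size_t)getcnt;
}

/*
 * Hardened variant (an assumed fix, not Sun's patch): validate count before
 * the subtraction. Returns 0 and stores the length on success, -1 when
 * count is not positive (the kernel would return an error such as EINVAL).
 */
int sysinfo_copy_len_hardened(const char *kstr, long count, size_t *len_out)
{
    long strcnt = (long)strlen(kstr);

    if (count < 1)
        return -1;
    *len_out = (strcnt >= count) ? (size_t)(count - 1) : (size_t)(strcnt + 1);
    return 0;
}

/* Reviewer's invariant: the length handed to copyout() never exceeds the user buffer. */
int copy_len_within_buffer(size_t copy_len, long count)
{
    return count >= 0 && copy_len <= (size_t)count;
}
```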