-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory: Sun Solaris SIOCGTUNPARAM IOCTL Kernel NULL pointer dereference Advisory ID: TKADV2008-015 Revision: 1.0 Release Date: 2008/12/17 Last Modified: 2008/12/17 Date Reported: 2007/09/04 Author: Tobias Klein (tk at trapkit.de) Affected Software: Solaris 10 without patch 138888-01 (SPARC) Solaris 10 without patch 138889-01 (x86) OpenSolaris < snv_77 (SPARC) OpenSolaris < snv_77 (x86) Remotely Exploitable: No Locally Exploitable: Yes Vendor URL: http://www.sun.com Vendor Status: Vendor has released an updated version Patch development time: 471 days ====================== Vulnerability Details: ====================== The kernel of Solaris contains a vulnerability in the code that handles SIOCGTUNPARAM IOCTL requests. Exploitation of this vulnerability can result in: 1) local denial of service attacks (system crash due to a kernel panic), or [ As all Solaris Zones (Containers) share the same kernel it is possible to crash the whole system (all Zones) even if the vulnerability is triggered in an unprivileged non-global zone. ] 2) local execution of arbitrary code at the kernel level (complete system compromise) on x86 platforms [ As all Solaris Zones (Containers) share the same kernel it is possible to escape from unprivileged non-global zones and compromise other non- global zones or the global zone. ] The issue can be triggered by sending a specially crafted IOCTL request to the kernel. ================== Technical Details: ================== The following source code references are based on the kernel source code available from http://www.opensolaris.org. http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/ inet/ip/ip.c: [...] 26692 void 26693 ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg) 26694 { [...] 26717 [1] ci.ci_ipif = NULL [...] 26735 case TUN_CMD: [...] 26740 [2] err = ip_extract_tunreq(q, mp, &ci.ci_ipif, ip_process_ioctl); 26741 if (err != 0) { 26742 ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL); 26743 return; 26744 } [...] 26782 if (!(ipip->ipi_flags & IPI_WR)) { [...] 26788 [3] err = (*ipip->ipi_func)(ci.ci_ipif, ci.ci_sin, q, mp, ipip, 26789 ci.ci_lifr); [...] [1] The value of "ci.ci_ipif" is set to "NULL". [2] When a SIOCGTUNPARAM IOCTL is called the switch case "TUN_CMD" is chosen and the "ip_extract_tunreq()" function gets called. [3] If the return value of the "ip_extract_tunreq()" function is 0 the "ci.ci_ipif" variable is later on used as the first parameter for the "ip_sioctl_tunparam()" function. http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/ inet/ip/ip_if.c: [...] 9468 int 9469 ip_sioctl_tunparam(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp, 9470 ip_ioctl_cmd_t *ipip, void *dummy_ifreq) 9471 { ... 9499 [4] ill = ipif->ipif_ill; [...] In the "ip_sioctl_tunparam()" function the first parameter "ipif" is used to reference some data (see [4]). It is possible to return from the "ip_extract_tunreq()" function (see [2]) with a return value of 0 while "ci.ci_ipif" is also still set to NULL. As "ipif" has the same value as "ci.ci_ipif", which is set to NULL, this leads to a NULL pointer dereference (see [4]). On x86 (32/64bit) platforms this Null pointer dereference can be exploited to execute arbitrary code at the kernel level. On SPARC platforms the vulnerability can "only" be used for a denial of service. ========= Solution: ========= This issue is addressed in the following patch releases from Sun: SPARC Platform - Solaris 10 with patch 138888-01 or later - OpenSolaris based upon builds snv_77 or later x86 Platform - Solaris 10 with patch 138889-01 or later - OpenSolaris based upon builds snv_77 or later ======== History: ======== 2007/09/04 - Vendor notified 2007/09/05 - Vendor confirms the vulnerability 2008/12/17 - Public disclosure of vulnerability details by Sun 2008/12/17 - Release date of this security advisory ======== Credits: ======== Vulnerability found and advisory written by Tobias Klein. =========== References: =========== [1] http://sunsolve.sun.com/search/document.do?assetkey=1-26-242266-1 [2] http://www.trapkit.de/advisories/TKADV2008-015.txt ======== Changes: ======== Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release =========== Disclaimer: =========== The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. ================== PGP Signature Key: ================== http://www.trapkit.de/advisories/tk-advisories-signature-key.asc Copyright 2008 Tobias Klein. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG iD8DBQFJSjEGkXxgcAIbhEERAi9/AKC7pVzL/0HdfX192GmPk/sE86g2IQCg8+uE 8Ln0ZHQUdP3wjFrI+NHYwJw= =Ubd3 -----END PGP SIGNATURE-----