lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20060724101017.32164.qmail@web27901.mail.ukl.yahoo.com>
Date: Mon, 24 Jul 2006 11:10:17 +0100 (BST)
From: Micheal Turner <wh1t3h4t3@...oo.co.uk>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
	full-disclosure@...ts.grok.org.uk
Cc: 
Subject: Re: Re: iDefense Security Advisory 07.20.06: Sun
	Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability

Exploit has been attached as problems with site
hosting over weekend.

--- Micheal Turner <wh1t3h4t3@...oo.co.uk> wrote:

>
http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SUN-sysinfo.c
> 
> --- labs-no-reply <labs-no-reply@...fense.com>
> wrote:
> 
> > Sun Microsystems Solaris sysinfo() Kernel Memory
> > Disclosure Vulnerability
> > 
> > iDefense Security Advisory 07.20.06
> >
>
http://www.idefense.com/application/poi/display?type=vulnerabilities
> > July 20, 2006
> > 
> > I. BACKGROUND
> > 
> > Solaris is a UNIX operating system developed by
> Sun
> > Microsystems.
> > 
> > II. DESCRIPTION
> > 
> > Local exploitation of an integer overflow
> > vulnerability in Sun
> > Microsystems Inc. Solaris allows attackers to read
> > kernel memory from a
> > non-privileged userspace process.
> > 
> > The vulnerability specifically exists due to an
> > integer overflow in
> > /usr/src/uts/common/syscall/systeminfo.c. The
> > vulnerable code is as
> > follows:
> > 
> > 125     if (kstr != NULL) {
> > 126         if ((strcnt = strlen(kstr)) >= count)
> {
> > 127             getcnt = count - 1;
> > 128             if (subyte(buf + count - 1, 0) <
> 0)
> > 129                 return (set_errno(EFAULT));
> > 130         } else
> > 131             getcnt = strcnt + 1;
> > 132         if (copyout(kstr, buf, getcnt))
> > 133             return (set_errno(EFAULT));
> > 134         return (strcnt + 1);
> > 135     }
> > 
> > 
> > If the variable count (which is a value provided
> by
> > the user invoking
> > the function) is 0, the function will call the
> > copyout function with a
> > length argument of -1. Because copyout interprets
> > the length argument as
> > an unsigned integer, a large amount of data will
> be
> > copied out to
> > userspace, well beyond the boundaries that are
> > intended.
> > 
> > III. ANALYSIS
> > 
> > Successful exploitation of this vulnerability
> allows
> > attackers to read
> > sensitive kernel memory. This can lead to the
> > compromise of passwords or
> > keys. It can also aid an attacker in gathering
> > information for
> > exploitation of other kernel level
> vulnerabilities.
> > 
> > IV. DETECTION
> > 
> > iDefense has confirmed that Solaris 10 is
> > vulnerable. Earlier versions
> > of Solaris are not affected.
> > 
> > V. WORKAROUND
> > 
> > iDefense is currently unaware of any workaround
> for
> > this issue.
> > 
> > VI. VENDOR RESPONSE
> > 
> > Sun Alert ID 102343 addresses this issue and is
> > available at:
> > 
> >    
> >
>
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
> > 
> > VII. CVE INFORMATION
> > 
> > A Mitre Corp. Common Vulnerabilities and Exposures
> > (CVE) number has not
> > been assigned yet.
> > 
> > VIII. DISCLOSURE TIMELINE
> > 
> > 12/15/2005  Initial vendor notification
> > 12/15/2005  Initial vendor response
> > 07/20/2006  Coordinated public disclosure
> > 
> > IX. CREDIT
> > 
> > The discoverer of this vulnerability wishes to
> > remain anonymous.
> > 
> > Get paid for vulnerability research
> > http://www.idefense.com/poi/teams/vcp.jsp
> > 
> > Free tools, research and upcoming events
> > http://labs.idefense.com
> > 
> > X. LEGAL NOTICES
> > 
> > Copyright © 2006 iDefense, Inc.
> > 
> > Permission is granted for the redistribution of
> this
> > alert
> > electronically. It may not be edited in any way
> > without the express
> > written consent of iDEFENSE. If you wish to
> reprint
> > the whole or any
> > part of this alert in any other medium other than
> > electronically, please
> > email customerservice@...fense.com for permission.
> > 
> > Disclaimer: The information in the advisory is
> > believed to be accurate
> > at the time of publishing based on currently
> > available information. Use
> > of the information constitutes acceptance for use
> in
> > an AS IS condition.
> > There are no warranties with regard to this
> > information. Neither the
> > author nor the publisher accepts any liability for
> > any direct, indirect,
> > or consequential loss or damage arising from use
> of,
> > or reliance on,
> > this information.
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> >
>
http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia -
> > http://secunia.com/
> > 
> 
> 
> 
> 		
>
___________________________________________________________
> 
> The all-new Yahoo! Mail goes wherever you go - free
> your email address from your Internet provider.
> http://uk.docs.yahoo.com/nowyoucan.html
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
>
http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia -
> http://secunia.com/
> 


		
___________________________________________________________ 
The all-new Yahoo! Mail goes wherever you go - free your email address from your Internet provider. http://uk.docs.yahoo.com/nowyoucan.html
View attachment "prdelka-vs-SUN-sysinfo.c" of type "text/x-csrc" (1425 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ