| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4D2A2127.8080509@digit-security.com>
Date: Sun, 09 Jan 2011 20:57:11 +0000
From: Digit Security Research <research@...it-security.com>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Silicon Graphics Inc (SGI) - IRIX - Local Kernel
Memory Disclosure/Denial of Service
===============================ADVISORY===============================
Advisory: Silicon Graphics Inc (SGI) - IRIX - Local Kernel
Memory Disclosure/Denial of Service
Advisory ID: DSEC-2010-0001
Author: Neil Kettle, Digit Security Ltd
Affected Software: Silicon Graphics (SGI) IRIX
Vendor URL: http://www.sgi.com
Vendor Status: patched
Category: Denial of Service/Memory Disclosure/Privilege
Escalation
Date Reported: 2010/10/07
Last Modified: 2011/01/08
Release Date: 2011/01/08
===============================ADVISORY===============================
Description
-----------
A vulnerability has been discovered in the Silicon Graphics Inc (SGI) IRIX
kernel, an attacker exploiting this vulnerability may access arbitrary
kernel memory, or cause a Denial of Service attack via a page fault caused
by an invalid pointer dereference resulting in a call to panic().
Analysis
--------
The vulnerability exists due to a signedness condition in the
validation of a user-supplied array index value in the syssgi system call.
The vulnerable request value is SGI_XLV_ATTR_GET with a request attribute
value of XLV_ATTR_STATS.
Exploitation
------------
An exploit will be made available to the public in due course at the
following URL,
http://www.digit-labs.org/
http://www.digit-security.com/research.php
Technologies Affected
------------------------------
Silicon Graphics Inc (SGI) - IRIX (6.5.X)
Vendor Response
------------------------------
https://support.sgi.com/content_request/914341/index.html
(requires a valid Supportfolio login)
Disclosure Timeline
------------------------------
7th September 2010 – Vendor Disclosure
8th January 2011 – Vendor Releases Patches
Credits
------------------------------
Neil Kettle of Digit Security Ltd
Thanks
------------------------------
Micheal O'Conner of SGI for a very prompt response which gave us hope that
IRIX is not dead yet.
About Digit Security Ltd
----------------------------------
Digit Security is a computer security consultancy based in the United
Kingdom, albeit with a slight difference. The company is a co-operatively
controlled entity comprised of professionals who are experts in their
respective fields. Thus, as a corollary, nearly everyone at Digit Security
is a both a Consultant, Developer and a Director (although we prefer the
term 'equal').
Web: www.digit-security.com
Email: research@...it-security.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists