(Sun Issues Workaround) Re: Solaris priocntl() System Call Lets Local Users Grab Root Privileges
SecurityTracker Alert ID: 1005736 |
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 2 2002
Impact: Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed: Yes
Version(s): Solaris 2.5.1, 2.6, 7, 8, 9
Description: An input validation vulnerability was reported in the Solaris operating system's priocntl() process scheduler system call. A local user can load arbitrary kernel modules with root privileges.
It is reported that the priocntl(2) system call fails to filter the user-supplied pc_clname argument to remove directory traversal
characters ('../'). According to the report, priocntl() will load the specified module without checking the calling user's privileges.
A local user can specify a relative path containing directory traversal characters (such as '../../../tmp/module') to cause priocntl()
to load an arbitrary module from any directory on the system.
Some demonstration exploit code is available in the Source Message
and at:
http://www.catdogsoft.com/S8EXP/
Impact: A local user can load arbitrary kernel modules with root privileges.
Solution: Sun has provided the following workaround, to be executed as a root user:
# for dir in /kernel /usr/kernel
> do
> cd $dir
> mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
> mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
> ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
> done
These commands create multiple directory levels so that a user cannot reference their own module using directory traversal characters ('../'), because the path will be longer than the PC_CLNMSZ limit permits.
For more information, see the Sun Alert at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49131
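The workaround above is easy to apply and just as easy to lose on a later patch or restore, so a way to audit it is useful. The following POSIX shell script is an added example, not part of the Sun alert or of this SecurityTracker entry. It assumes PC_CLNMSZ is 16, the size of the pc_clname buffer declared in <sys/priocntl.h> on the affected Solaris releases; the function names clname_ok and sched_workaround_ok are this example's own. clname_ok expresses the filter the vulnerable call lacked (a bare class name, no '/', within PC_CLNMSZ bytes), and sched_workaround_ok checks that a module directory's sched entry is the symlink into the nested tree that Sun's commands create, deep enough that any relative path climbing back out of it could not fit in pc_clname.

```shell
#!/bin/sh
# Added example, not part of the Sun alert or the SecurityTracker entry.
# Assumption: PC_CLNMSZ is 16, the size of the pc_clname buffer declared in
# <sys/priocntl.h> on the affected Solaris releases.
PC_CLNMSZ=16

# clname_ok NAME
# The filter the vulnerable priocntl() lacked: a scheduling class name must be
# a bare name (no '/', hence no '../' traversal) and must fit in PC_CLNMSZ
# bytes including the terminating NUL. Returns 0 if NAME is acceptable.
clname_ok() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -lt "$PC_CLNMSZ" ] || return 1
    case $name in
        */*) return 1 ;;
    esac
    return 0
}

# sched_workaround_ok DIR
# Check that DIR/sched (DIR is /kernel or /usr/kernel on a real system) is a
# symlink into a nested tree as in the Sun workaround, deep enough that a
# relative path climbing back out of the nesting alone needs 3 bytes ("../")
# per level and therefore cannot fit in PC_CLNMSZ. Returns 0 if the layout holds.
sched_workaround_ok() {
    dir=$1
    [ -L "$dir/sched" ] || return 1       # must be the symlink, not a plain dir
    [ -d "$dir/sched" ] || return 1       # and it must resolve to a directory
    # Solaris 8/9 ship no readlink(1); take the link target from ls -ld instead.
    target=$(ls -ld "$dir/sched" | sed 's/.* -> //')
    rest=${target%/sched}
    [ "$rest" != "$target" ] || return 1  # target must end in a 'sched' component
    rest=${rest#/}
    # Count the path components between DIR and the real sched directory.
    old_ifs=$IFS
    IFS=/
    set -f
    set -- $rest
    set +f
    IFS=$old_ifs
    depth=$#
    [ $((depth * 3)) -ge "$PC_CLNMSZ" ] || return 1
    return 0
}

# Report on the two module directories the Sun workaround covers.
for d in /kernel /usr/kernel; do
    if sched_workaround_ok "$d"; then
        echo "$d: sched relocated as in Sun Alert 49131"
    else
        echo "$d: workaround not applied (or $d not present)"
    fi
done
```

The depth test deliberately asks for 3 bytes per nesting level to reach PC_CLNMSZ on its own, so a tree that was only partly recreated (say, after a restore that flattened it) is reported as not applied even though DIR/sched still resolves.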
Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49131
Cause: Input validation error
Underlying OS: UNIX (Solaris - SunOS)
OS Comments: 2.5.1, 2.6, 7, 8, 9
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Mon, 02 Dec 2002 14:49:16 -0500
Subject: Sun update to 49131 priocntl(2) bug
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49131
Sun issued an update to Alert #49131 regarding a security vulnerability in the priocntl(2)
system call. In this update, Sun has provided a workaround.
The following versions of Solaris are affected: 2.5.1, 2.6, 7, 8, 9
Sun has provided the following workaround, to be executed as a root user:
# for dir in /kernel /usr/kernel
> do
> cd $dir
> mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
> mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
> ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
> done
These commands create multiple directory levels so that a user cannot reference their own
module using directory traversal characters ('../'), because the path will be longer than
the PC_CLNMSZ variable will permit.
-----
* Sun Alert ID: 49131
* Synopsis: Security Vulnerability Involving the priocntl(2) System Call
* Category: Security
* Product: Solaris
* BugIDs: 4708822
* Avoidance: Workaround
* State: Committed
* Date Released: 27-Nov-2002, 28-Nov-2002
* Date Closed:
* Date Modified: 28-Nov-2002