SecurityTracker.com
Category:  OS (UNIX)  >  priocntl
Vendors:  Sun
(Sun Confirms) Re: Solaris priocntl() System Call Lets Local Users Grab Root Privileges
SecurityTracker Alert ID:  1005724
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 28 2002
Impact:  Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed:  Yes  
Version(s): 2.5.1, 2.6, 7, 8, 9
Description:  An input validation vulnerability was reported in the Solaris priocntl(2) process scheduler system call. A local user can load arbitrary kernel modules with root privileges.

It is reported that the priocntl(2) system call fails to filter the user-supplied pc_clname argument to remove directory traversal characters ('../'). According to the report, priocntl() will load the specified module without checking the calling user's privileges. A local user can specify a relative path containing directory traversal characters (such as '../../../tmp/module') to cause priocntl() to load an arbitrary module from any directory on the system.
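The missing name filter described above can be sketched as a user-space allow-list check; this is an added example, not Sun's fix and not code from the advisory. The buffer size CLNAME_MAX, the directory MODULE_DIR, the allowed character set and both function names are assumptions made for illustration, and the inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CLNAME_MAX 16               /* assumed size of the class-name buffer */
#define MODULE_DIR "/kernel/sched"  /* assumed module directory */

/* Return 1 only for a NUL-terminated, non-empty name made of [A-Za-z0-9_].
 * The allow-list excludes '/' and '.', so "../" sequences cannot pass. */
int clname_is_safe(const char *buf, size_t buflen)
{
    const char *nul = buf ? memchr(buf, '\0', buflen) : NULL;
    if (nul == NULL || nul == buf)
        return 0;                   /* missing, unterminated, or empty */
    for (const char *p = buf; p < nul; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return 0;
    return 1;
}

/* Build the module path only after validation. 0 on success, -1 on reject. */
int build_module_path(const char *buf, size_t buflen, char *out, size_t outlen)
{
    if (!clname_is_safe(buf, buflen))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", MODULE_DIR, buf);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary class name, one traversal attempt. */
    char names[2][CLNAME_MAX] = { "TS", "../../tmp/mod" };
    char path[64];
    for (int i = 0; i < 2; i++) {
        if (build_module_path(names[i], CLNAME_MAX, path, sizeof path) == 0)
            printf("accept %-14s -> %s\n", names[i], path);
        else
            printf("reject %s\n", names[i]);
    }
    return 0;
}
```

The sketch covers only the name filter; the report also describes a missing check of the calling user's privileges before the module is loaded, which a complete fix would need as well.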

Some demonstration exploit code is available in the Source Message and at:

http://www.catdogsoft.com/S8EXP/

Impact:  A local user can load arbitrary kernel modules with root privileges.
Solution:  Sun reports that there is no workaround available and a final resolution is pending completion. Sun has assigned BugID 4708822 to this flaw.
Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49131
Cause:  Input validation error
Underlying OS:  UNIX (Solaris - SunOS)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 27 2002 Solaris priocntl() System Call Lets Local Users Grab Root Privileges



 Source Message Contents

Date:  Thu, 28 Nov 2002 02:54:18 -0500
Subject:  Security Vulnerability Involving the priocntl(2) System Call

 

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49131

Sun has issued an alert (49131) warning of a security vulnerability in the priocntl(2)
system call.  Sun confirmed that a local user may be able to gain unauthorized root
privileges.

The following operating system versions are affected:  Solaris 2.5.1, 2.6, 7, 8, 9

Sun reports that there is no workaround available and a final resolution is pending
completion. 

-----

    * Sun Alert ID: 49131
    * Synopsis: Security Vulnerability Involving the priocntl(2) System Call
    * Category: Security
    * Product: Solaris
    * BugIDs: 4708822
    * Avoidance: None
    * State: Committed
    * Date Released: 27-Nov-2002
    * Date Closed:
    * Date Modified:



 



Copyright 2002, SecurityGlobal.net LLC