(Sun Issues Patches and T-Patches) Re: Solaris priocntl() System Call Lets Local Users Grab Root Privileges
SecurityTracker Alert ID: 1006288
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 14 2003
Impact: Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.5.1, 2.6, 7, 8, 9
Description: An input validation vulnerability was reported in the priocntl() process scheduler system call of the Solaris operating system. A local user can load arbitrary kernel modules with root privileges.

It is reported that the priocntl(2) system call fails to filter the user-supplied pc_clname argument to remove directory traversal characters ('../'). According to the report, priocntl() will load the specified module without checking the calling user's privileges. A local user can specify a relative path containing directory traversal characters (such as '../../../tmp/module') to cause priocntl() to load an arbitrary module from any directory on the system.

Some demonstration exploit code is available in the Source Message and at:
http://www.catdogsoft.com/S8EXP/
Impact: A local user can load arbitrary kernel modules with root privileges.
Solution: Sun has released preliminary T-Patches for Solaris 2.6 and 7, available at:
http://sunsolve.sun.com/tpatches

SPARC Platform
  Solaris 2.6 T-patch T105181-34
  Solaris 7 T-patch T106541-24
x86 Platform
  Solaris 2.6 T-patch T105182-34
  Solaris 7 T-patch T106542-24

Sun has also issued the following patches:

SPARC
  Solaris 8 with patch 108528-18 or later
  Solaris 9 with patch 112233-04 or later
x86 Platform
  Solaris 8 with patch 108529-18 or later
  Solaris 9 with patch 112234-04 or later

Sun reports that they are working on a final resolution for Solaris 2.6 and Solaris 7.
Sun has provided the following workaround, to be executed as a root user:
# for dir in /kernel /usr/kernel
> do
> cd $dir
> mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
> mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
> ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
> done
These commands create multiple directory levels so that a user cannot reference their own module using directory traversal characters ('../'), because the path will be longer than the PC_CLNMSZ variable will permit.
Sun warns that the workaround must be "undone" before installing any revision of the Kernel Update Patch (KUP):
# for dir in /kernel /usr/kernel
> do
> cd $dir
> rm sched # remove symlink
> mv a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
> rm -fr a
> done
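
An added example, not part of Sun's alert or the SecurityTracker entry: a check that reports whether the workaround above is applied, undone, or left half-done in each module directory, so the layout can be confirmed before a Kernel Update Patch is installed. The function names and the ROOT prefix are assumptions made for this example, and it assumes a POSIX-conformant shell.

```shell
#!/bin/sh
# Added example: report the state of the priocntl(2) workaround from the alert.
DEEP=a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p   # directory chain used by the workaround

# sched_state DIR prints one of:
#   applied   sched is a symlink to $DEEP/sched and the target exists
#   original  sched is a real directory and no 'a' tree is present
#   absent    DIR has neither sched nor an 'a' tree
#   broken    anything else (dangling link, half-done move, leftover 'a')
sched_state() {
    d=$1
    if [ -h "$d/sched" ]; then
        # ls -l is used because readlink is not available everywhere
        target=$(ls -l "$d/sched" | sed 's/.* -> //')
        if [ "$target" = "$DEEP/sched" ] && [ -d "$d/$DEEP/sched" ]; then
            echo applied
        else
            echo broken
        fi
    elif [ -e "$d/a" ] || { [ -e "$d/sched" ] && [ ! -d "$d/sched" ]; }; then
        echo broken
    elif [ -d "$d/sched" ]; then
        echo original
    else
        echo absent
    fi
}

# all_in_state ROOT STATE: succeed only if /kernel and /usr/kernel under
# ROOT (hypothetical prefix, empty on a live system) are both in STATE.
all_in_state() {
    for dir in /kernel /usr/kernel; do
        [ "$(sched_state "$1$dir")" = "$2" ] || return 1
    done
}

# The alert requires the original layout before any KUP revision is installed.
ready_for_kup()      { all_in_state "$1" original; }
workaround_applied() { all_in_state "$1" applied; }

# Report for the live system, or for the tree named by ROOT if it is set.
for dir in /kernel /usr/kernel; do
    echo "${ROOT:-}$dir: $(sched_state "${ROOT:-}$dir")"
done
```

A "broken" result means the move was interrupted or the symlink no longer points at the relocated directory, and should be resolved by hand before either patching or relying on the workaround.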
Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49131
Cause: Input validation error
Underlying OS: UNIX (Solaris - SunOS)
OS Comments: 2.5.1, 2.6, 7, 8, 9

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Fri, 14 Mar 2003 09:41:04 -0500
Subject: Sun update to 49131 priocntl(2) bug

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49131
Sun issued an update to Alert #49131 regarding a security vulnerability in the priocntl(2)
system call. In this update, Sun has added some temporary patches.
The following versions of Solaris are affected: 2.5.1, 2.6, 7, 8, 9
Sun has provided the following workaround, to be executed as a root user:
# for dir in /kernel /usr/kernel
> do
> cd $dir
> mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
> mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
> ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
> done
These commands create multiple directory levels so that a user cannot reference their own
module using directory traversal characters ('../'), because the path will be longer than
the PC_CLNMSZ variable will permit.
Sun warns that the workaround must be "undone" before installing any revision of the Kernel Update
Patch (KUP):
# for dir in /kernel /usr/kernel
> do
> cd $dir
> rm sched # remove symlink
> mv a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
> rm -fr a
> done
Sun has released preliminary T-Patches for Solaris 2.6 and 7, available at:
http://sunsolve.sun.com/tpatches
SPARC Platform
Solaris 2.6 T-patch T105181-34
Solaris 7 T-patch T106541-24
x86 Platform
Solaris 2.6 T-patch T105182-34
Solaris 7 T-patch T106542-24
Sun has also issued the following patches:
SPARC
Solaris 8 with patch 108528-18 or later
Solaris 9 with patch 112233-04 or later
x86 Platform
Solaris 8 with patch 108529-18 or later
Solaris 9 with patch 112234-04 or later
Sun reports that they are working on a final resolution for Solaris 2.6 and Solaris 7.
-----
Sun Alert ID: 49131
Synopsis: Security Vulnerability Involving the priocntl(2) System Call
Category: Security
Product: Solaris
BugIDs: 4708822
Avoidance: Workaround, Patch
State: Committed
Date Released: 27-Nov-2002, 28-Nov-2002, 17-Dec-2002, 23-Dec-2002, 06-Feb-2003
Date Closed:
Date Modified: 28-Nov-2002, 17-Dec-2002, 23-Dec-2002, 06-Feb-2003, 13-Mar-2003