The Solaris kernel contains a vulnerability in the code that handles SIOCGTUNPARAM ioctl requests. Exploitation of this vulnerability can result in:
1) A local denial of service (system crash due to a kernel panic), or
[ As all Solaris Zones (Containers) share the same kernel, it is possible to crash the whole system (all Zones) even if the vulnerability is triggered from an unprivileged non-global zone. ]
2) Local execution of arbitrary code at the kernel level (complete system compromise) on x86 platforms.
[ As all Solaris Zones (Containers) share the same kernel, it is possible to escape from an unprivileged non-global zone and compromise other non-global zones or the global zone. ]
The issue can be triggered by sending a specially crafted ioctl request to the kernel; no special privileges are required beyond the ability to issue the ioctl from a local process.
Credit:
The information has been provided by Tobias Klein.
The original article can be found at: http://www.trapkit.de/advisories/TKADV2008-015.txt
Vulnerable Systems:
* Solaris 10 without patch 138888-01 (SPARC)
* Solaris 10 without patch 138889-01 (x86)
* OpenSolaris versions prior to snv_77 (SPARC)
* OpenSolaris versions prior to snv_77 (x86)
Immune Systems:
* Solaris 10 with patch 138888-01 or later (SPARC)
* OpenSolaris based upon builds snv_77 or later (SPARC)
* Solaris 10 with patch 138889-01 or later (x86)
* OpenSolaris based upon builds snv_77 or later (x86)
Technical Details:
The following source code references are based on the kernel source code available from http://www.opensolaris.org.
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip.c:
[...]
26692 void
26693 ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
26694 {
[...]
26717 [1] ci.ci_ipif = NULL
[...]
26735 case TUN_CMD:
[...]
26740 [2] err = ip_extract_tunreq(q, mp, &ci.ci_ipif, ip_process_ioctl);
26741 if (err != 0) {
26742 ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL);
26743 return;
26744 }
[...]
26782 if (!(ipip->ipi_flags & IPI_WR)) {
[...]
26788 [3] err = (*ipip->ipi_func)(ci.ci_ipif, ci.ci_sin, q, mp, ipip,
26789 ci.ci_lifr);
[...]
[1] "ci.ci_ipif" is initialised to NULL before the command is dispatched.
[2] When a SIOCGTUNPARAM ioctl arrives, the switch case "TUN_CMD" is chosen and "ip_extract_tunreq()" is called to fill in "ci.ci_ipif" from the request.
[3] If "ip_extract_tunreq()" returns 0, the dispatcher treats the lookup as successful and, without checking "ci.ci_ipif" for NULL, passes it as the first parameter to the command's "ipi_func", which for this ioctl is "ip_sioctl_tunparam()".
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip_if.c:
[...]
9468 int
9469 ip_sioctl_tunparam(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t *mp,
9470     ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
9471 {
[...]
9499 [4] ill = ipif->ipif_ill;
[...]
In "ip_sioctl_tunparam()" the first parameter "ipif" is dereferenced to reach the interface's "ill" structure (see [4]); there is no NULL check before the dereference.
It is possible for "ip_extract_tunreq()" (see [2]) to return 0 while leaving "ci.ci_ipif" untouched, i.e. still NULL. Because the dispatcher uses the return value alone to decide whether to continue, "ip_sioctl_tunparam()" is then called with "ipif" equal to NULL and the kernel dereferences a NULL pointer at [4]. The root cause is that a "success" return code is not coupled to the output pointer actually having been set.
On x86 (32/64-bit) platforms this NULL pointer dereference can be exploited to execute arbitrary code at the kernel level; on SPARC platforms the vulnerability can "only" be used for a denial of service. The difference comes from the address-space layout: on x86 the kernel shares the address space of the calling process, so a local process that maps the page at address 0 controls the memory the kernel reads through the NULL pointer, whereas on SPARC the kernel runs in its own address space and the dereference simply faults.
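The following user-space model is an added example, not code from the advisory or from the Solaris kernel. It reproduces the control flow of [1]-[4] with stand-in types (ill_t, ipif_t, cmd_info_t and the interface name "ip.tun0" are all assumptions made for the model) so that the defect, a lookup function that reports success without producing an object, can be run and compared against a hardened dispatcher. The exact point at which the real kernel would dereference NULL is replaced by a sentinel return of -1 so the model can run without crashing.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel structures (assumptions, not the real Solaris
 * definitions). cmd_info_t mirrors the "ci" variable in ip_process_ioctl(). */
typedef struct ill { const char *ill_name; } ill_t;
typedef struct ipif { ill_t *ipif_ill; } ipif_t;
typedef struct { ipif_t *ci_ipif; } cmd_info_t;

/* Constructed interface table: the only tunnel that exists is "ip.tun0". */
static ill_t  tun0_ill  = { "ip.tun0" };
static ipif_t tun0_ipif = { &tun0_ill };

/* Model of ip_extract_tunreq() with the assumed defect: on a lookup miss
 * *ipifp is left untouched (still NULL) but the function returns 0. */
static int extract_tunreq_buggy(const char *ifname, ipif_t **ipifp)
{
    if (ifname == NULL)
        return EINVAL;                       /* malformed request: propagates */
    if (strcmp(ifname, tun0_ill.ill_name) == 0)
        *ipifp = &tun0_ipif;
    return 0;                                /* 0 even when nothing matched */
}

/* Corrected extractor: a lookup miss is an error, not a silent success. */
static int extract_tunreq_fixed(const char *ifname, ipif_t **ipifp)
{
    if (ifname == NULL)
        return EINVAL;
    if (strcmp(ifname, tun0_ill.ill_name) != 0)
        return ENXIO;                        /* no such interface */
    *ipifp = &tun0_ipif;
    return 0;
}

/* Model of ip_sioctl_tunparam(): dereferences ipif unconditionally ([4]). */
static const char *sioctl_tunparam(ipif_t *ipif)
{
    ill_t *ill = ipif->ipif_ill;             /* NULL ipif here = kernel panic */
    return ill->ill_name;
}

/* Vulnerable dispatch mirroring [1]-[3]: ci.ci_ipif starts NULL, only the
 * extractor's return code decides whether to continue, and the handler gets
 * whatever ci.ci_ipif holds. Returns 0 on success, a positive errno on a
 * rejected request, and the sentinel -1 where the kernel would dereference
 * NULL (so the model can run in user space instead of crashing). */
int vulnerable_process_ioctl(const char *ifname, const char **result)
{
    cmd_info_t ci;
    int err;

    ci.ci_ipif = NULL;                                   /* [1] */
    err = extract_tunreq_buggy(ifname, &ci.ci_ipif);     /* [2] */
    if (err != 0)
        return err;
    if (ci.ci_ipif == NULL)
        return -1;                 /* [3] would call the handler; [4] panics */
    if (result != NULL)
        *result = sioctl_tunparam(ci.ci_ipif);           /* [3] */
    return 0;
}

/* Hardened dispatch: the extractor reports a miss as ENXIO, and the
 * dispatcher still refuses to invoke the handler without an ipif, so a
 * "success" return code can never be paired with a NULL object. */
int hardened_process_ioctl(const char *ifname, const char **result)
{
    cmd_info_t ci;
    int err;

    ci.ci_ipif = NULL;
    err = extract_tunreq_fixed(ifname, &ci.ci_ipif);
    if (err != 0)
        return err;
    if (ci.ci_ipif == NULL)                  /* never trust the rc alone */
        return EINVAL;
    if (result != NULL)
        *result = sioctl_tunparam(ci.ci_ipif);
    return 0;
}

int main(void)
{
    static const char *const reqs[] = { "ip.tun0", "nosuch0", NULL };
    size_t i;

    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int v = vulnerable_process_ioctl(reqs[i], NULL);
        int h = hardened_process_ioctl(reqs[i], NULL);
        printf("request %-8s vulnerable=%3d hardened=%3d\n",
               reqs[i] ? reqs[i] : "(null)", v, h);
    }
    return 0;
}
```

The request for a non-existent tunnel is the interesting case: the vulnerable path returns the sentinel (the kernel would have panicked or, on x86, read attacker-mapped memory at address 0), while the hardened path returns ENXIO before any pointer is touched. The two-layer fix is deliberate: correcting the extractor removes the bug, and the dispatcher's own NULL check means a future extractor with the same flaw cannot reintroduce it.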
Solution:
This issue is addressed in the following patch releases from Sun:
SPARC Platform
- Solaris 10 with patch 138888-01 or later
- OpenSolaris based upon builds snv_77 or later
x86 Platform
- Solaris 10 with patch 138889-01 or later
- OpenSolaris based upon builds snv_77 or later
Disclosure Timeline:
2007/09/04 - Vendor notified
2007/09/05 - Vendor confirms the vulnerability
2008/12/17 - Public disclosure of vulnerability details by Sun
2008/12/17 - Release date of this security advisory
References:
[1] http://sunsolve.sun.com/search/document.do?assetkey=1-26-242266-1
[2] http://www.trapkit.de/advisories/TKADV2008-015.txt