Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[TKADV2008-003] Sun Solaris SIOCSIPMSFILTER Kernel Integer Overflow
From: "Tobias Klein" <tk () trapkit de>
Date: Sat, 14 Jun 2008 13:00:54 +0200 (MEST)

Hash: SHA1

Advisory:               Sun Solaris SIOCSIPMSFILTER Kernel Integer Overflow
Advisory ID:            TKADV2008-003
Revision:               1.0              
Release Date:           2008/06/13 
Last Modified:          2008/06/13 
Date Reported:          2007/08/20
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Solaris 10 without patch 137111-01 (SPARC)         
                        Solaris 10 without patch 137112-01 (x86)
                        OpenSolaris based upon builds <= snv_91 
                        (SPARC, x86)
Remotely Exploitable:   No
Locally Exploitable:    Yes  
Vendor URL:             http://www.sun.com 
Vendor Status:          Vendor has released an updated version         
Patch development time: 298 days

Vulnerability details: 

The kernel of Solaris contains a vulnerability in the code that handles
SIOCSIPMSFILTER IOCTL requests. Exploitation of this vulnerability can
result in:

1) local denial of service attacks (system crash due to a kernel panic), or

   [ As all Solaris Zones (Containers) share the same kernel it is possible
   to crash the whole system (all Zones) even if the vulnerability is
   triggered in an unprivileged non-global zone. ]

2) local execution of arbitrary code at the kernel level (complete system 

   [ As all Solaris Zones (Containers) share the same kernel it is possible
   to escape from unprivileged non-global zones and compromise other non-
   global zones or the global zone. ]

The issue can be triggered by sending a specially crafted IOCTL request.

Technical description:

The following source code references are based on the kernel source code
available from http://www.opensolaris.org.


static int
ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
   struct ip_msfilter *imsf, ipaddr_t grp, ipif_t *ipif, 
   boolean_t isv4mapped)
 int i, err, insrcs, infmode, new_fmode;   <-- [1]
 insrcs = imsf->imsf_numsrc;   <-- [2]
 /* Make sure we can handle the source list */
 if (insrcs > MAX_FILTER_SIZE)   <-- [3] 
   return (ENOBUFS);
 fp->sl_numsrc = insrcs;                <-- [4]
 ilg->ilg_filter = fp;          <-- [5]
 l_copy(ilg->ilg_filter, new_filter);   <-- [6]
At [2] the user supplied value of "imsf->imsf_numsrc" gets assigned to 
"insrcs". The "imsf->imsf_numsrc" variable is of the type unsigned int 
(see [7] below) and "insrcs" is of the type signed int (see [1]). If 
the user supplied value of "imsf->imsf_numsrc" is a large integer 
"insrcs" gets a negative value.


struct ip_msfilter {
 struct in_addr imsf_multiaddr;    
 struct in_addr imsf_interface;    
 uint32_t imsf_fmode;              
 uint32_t imsf_numsrc;  <-- [7]   
 struct in_addr imsf_slist[1];    

If "insrcs" is negative the check at [3] can be bypassed. Later on the user
supplied data is used as a value for "ilg->ilg_filter" (see [4] and [5]). 
This "ilg->ilg_filter" value is then used as an argument for "l_copy" (see
[6]). This leads to a kernel memory corruption vulnerability because of an 
out-of-bounds write in "l_copy".      

  This issue is addressed in the following patch releases from Sun:
   SPARC Platform
     - Solaris 10 with patch 137111-01 or later
     - OpenSolaris based upon builds snv_92 or later

   x86 Platform
     - Solaris 10 with patch 137112-01 or later
     - OpenSolaris based upon builds snv_92 or later


  2007/08/20 - Vendor notified
  2007/08/27 - Vendor notified a 2nd time
  2007/08/27 - Vendor confirms the vulnerability
  2008/05/21 - Vendor status update
  2008/05/26 - Request for more information
  2008/05/26 - Vendor provides the information 
  2008/06/12 - SunAlert and patches released by Sun
  2008/06/13 - Full technical details released to general public


  Vulnerability found and advisory written by Tobias Klein.


  [1] http://sunsolve.sun.com/search/document.do?assetkey=1-26-237965-1
  [2] http://www.trapkit.de/advisories/TKADV2008-003.txt


  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

PGP Signature Key: 


Copyright 2008 Tobias Klein. All rights reserved.



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • [TKADV2008-003] Sun Solaris SIOCSIPMSFILTER Kernel Integer Overflow Tobias Klein (Jun 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]