Sun Solaris vfs_getvfssw function Local Privilege Escalation Vulnerability
BID:9962
Info
| Bugtraq ID: | 9962 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 23 2004 12:00AM |
| Updated: | Mar 23 2004 12:00AM |
| Credit: | Discovery is credited to Sinan Eren. |
| Vulnerable: | Sun Solaris 9_x86, Sun Solaris 9, Sun Solaris 8_x86, Sun Solaris 8_sparc, Sun Solaris 7.0_x86, Sun Solaris 7.0, Sun Solaris 2.6_x86, Sun Solaris 2.6 |
| Not Vulnerable: | |
Discussion
It has been reported that Sun Solaris may be prone to a local privilege escalation vulnerability that may allow an attacker to gain root access to a vulnerable system. The issue exists due to insufficient sanitization of user-supplied data via the vfs_getvfssw() function in the Solaris kernel. An attacker can load a user-specified kernel module by using directory traversal sequences and employing the mount() or sysfs() system calls.
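The input check this class of bug calls for, as an added example that is not Solaris kernel source or code from the original advisory: a filesystem type name is accepted only if it is a plain identifier, so no path separator or traversal sequence can reach the module path. The function names, the 16-byte cap and the "fs" directory are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FS_NAME_MAX   16    /* assumed cap on a type name, including the NUL */
#define FS_MODULE_DIR "fs"  /* assumed module subdirectory */

/* Return 1 if name is a plain filesystem type identifier, else 0.
 * The allow-list (letters, digits, '_', '-') excludes '/', '.' and control
 * bytes, so a traversal sequence cannot be expressed at all. */
int fs_name_is_valid(const char *name)
{
    size_t i;

    if (name == NULL)
        return 0;
    for (i = 0; i < FS_NAME_MAX; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '\0')
            return i > 0;               /* reject the empty name */
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return 0;
    }
    return 0;                           /* no terminator within the cap */
}

/* Build "fs/<name>" into out, for validated names only.
 * Returns 0 on success, -1 if the name is rejected or out is too small. */
int fs_module_path(const char *name, char *out, size_t outlen)
{
    int n;

    if (out == NULL || outlen == 0 || !fs_name_is_valid(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", FS_MODULE_DIR, name);
    if (n < 0 || (size_t)n >= outlen) { /* truncated: do not use */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    const char *samples[] = { "ufs", "nfs", "../../tmp/mod", "a/b", "" }; /* constructed */
    char path[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               fs_module_path(samples[i], path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```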
Exploit / POC
CORE has developed a working commercial exploit for their IMPACT
product. This exploit is not otherwise publicly available or known
to be circulating in the wild.
The following exploit has been submitted by Sam <Sam#0x557.org>; further details regarding exploitation of this issue can be found in the references section (getvfssw-howto.txt):
Solution / Fix
Solution:
Sun has released a patch to address this issue:
Sun Solaris 2.6
Sun Solaris 7.0
Sun Solaris 8_x86
Sun Solaris 2.6_x86
Sun Solaris 8_sparc
Sun Solaris 9
Sun Solaris 9_x86
Sun Solaris 7.0_x86
References
References:
- Solaris (Immunity, Inc)
- Solaris vfs_getvfssw() exploit (CORE Security)
- Solaris' vfs_getvfssw() vulnerability howto (Christophe Devine)
- Sun Alert ID: 57479 (Sun)