-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory: Sun Solaris SIOCSIPMSFILTER Kernel Integer Overflow Advisory ID: TKADV2008-003 Revision: 1.1 Release Date: 2008/06/13 Last Modified: 2008/12/20 Date Reported: 2007/08/20 Author: Tobias Klein (tk at trapkit.de) Affected Software: Solaris 10 without patch 137111-01 (SPARC) Solaris 10 without patch 137112-01 (x86) OpenSolaris based upon builds <= snv_91 (SPARC, x86) Remotely Exploitable: No Locally Exploitable: Yes Vendor URL: http://www.sun.com Vendor Status: Vendor has released an updated version CVE-ID: CVE-2008-2710 Patch development time: 298 days ====================== Vulnerability details: ====================== The kernel of Solaris contains a vulnerability in the code that handles SIOCSIPMSFILTER IOCTL requests. Exploitation of this vulnerability can result in: 1) local denial of service attacks (system crash due to a kernel panic), or [ As all Solaris Zones (Containers) share the same kernel it is possible to crash the whole system (all Zones) even if the vulnerability is triggered in an unprivileged non-global zone. ] 2) local execution of arbitrary code at the kernel level (complete system compromise) [ As all Solaris Zones (Containers) share the same kernel it is possible to escape from unprivileged non-global zones and compromise other non- global zones or the global zone. ] The issue can be triggered by sending a specially crafted IOCTL request. ====================== Technical description: ====================== The following source code references are based on the kernel source code available from http://www.opensolaris.org. http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/ inet/ip/ip_multi.c: static int ip_set_srcfilter(conn_t *connp, struct group_filter *gf, struct ip_msfilter *imsf, ipaddr_t grp, ipif_t *ipif, boolean_t isv4mapped) { [...] int i, err, insrcs, infmode, new_fmode; <-- [1] [...] insrcs = imsf->imsf_numsrc; <-- [2] [...] /* Make sure we can handle the source list */ if (insrcs > MAX_FILTER_SIZE) <-- [3] return (ENOBUFS); [...] fp->sl_numsrc = insrcs; <-- [4] ilg->ilg_filter = fp; <-- [5] [...] l_copy(ilg->ilg_filter, new_filter); <-- [6] [...] At [2] the user supplied value of "imsf->imsf_numsrc" gets assigned to "insrcs". The "imsf->imsf_numsrc" variable is of the type unsigned int (see [7] below) and "insrcs" is of the type signed int (see [1]). If the user supplied value of "imsf->imsf_numsrc" is a large integer "insrcs" gets a negative value. http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/ netinet/in.h: struct ip_msfilter { struct in_addr imsf_multiaddr; struct in_addr imsf_interface; uint32_t imsf_fmode; uint32_t imsf_numsrc; <-- [7] struct in_addr imsf_slist[1]; }; If "insrcs" is negative the check at [3] can be bypassed. Later on the user supplied data is used as a value for "ilg->ilg_filter" (see [4] and [5]). This "ilg->ilg_filter" value is then used as an argument for "l_copy" (see [6]). This leads to a kernel memory corruption vulnerability because of an out-of-bounds write in "l_copy". ========= Solution: ========= This issue is addressed in the following patch releases from Sun: SPARC Platform - Solaris 10 with patch 137111-01 or later - OpenSolaris based upon builds snv_92 or later x86 Platform - Solaris 10 with patch 137112-01 or later - OpenSolaris based upon builds snv_92 or later ======== History: ======== 2007/08/20 - Vendor notified 2007/08/27 - Vendor notified a 2nd time 2007/08/27 - Vendor confirms the vulnerability 2008/05/21 - Vendor status update 2008/05/26 - Request for more information 2008/05/26 - Vendor provides the information 2008/06/12 - SunAlert and patches released by Sun 2008/06/13 - Full technical details released to general public ======== Credits: ======== Vulnerability found and advisory written by Tobias Klein. =========== References: =========== [1] http://sunsolve.sun.com/search/document.do?assetkey=1-26-237965-1 [2] http://www.trapkit.de/advisories/TKADV2008-003.txt [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2710 ======== Changes: ======== Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release Revision 1.1 - CVE-ID added =========== Disclaimer: =========== The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. ================== PGP Signature Key: ================== http://www.trapkit.de/advisories/tk-advisories-signature-key.asc Copyright 2008 Tobias Klein. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Charset: utf-8 wj8DBQFJTQv7kXxgcAIbhEERAh4fAJ4vqAEg8Tr0SzMG/kQryRPl+wJu4ACfelHf 36JFtFxBKYGusQH54cY1X4A= =M1+D -----END PGP SIGNATURE-----