-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               Oracle Solaris Zones RPCSEC_GSS Denial of Service Vulnerability
Advisory ID:            TKADV2010-005
Revision:               1.0
Release Date:           15-Jul-2010
Last Modified:          15-Jul-2010
Date Reported:          11-Jun-2009
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Solaris 10 without Oracle Critical Patch Update July 2010 and OpenSolaris
Remotely Exploitable:   No
Locally Exploitable:    Yes
Vendor URL:             http://www.oracle.com
Vendor Status:          Vendor has released an updated version
Patch development time: 398 days
CVE-ID:                 CVE-2010-2393

==========================
Vulnerability Description:
==========================

The kernel of Solaris contains a vulnerability in the code that handles RPCSEC_GSS requests on systems running in 32-bit mode. If a privileged user in an unprivileged non-global zone exploits this vulnerability, it is possible to crash the whole system (all unprivileged zones as well as the global zone) due to a kernel panic (denial of service).

==================
Technical Details:
==================

The following source code references are based on the kernel source code available from http://www.opensolaris.org.

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/rpc/rpcsys.c (lines 45-62):

    ..
    int
    rpcsys(enum rpcsys_op opcode, void *arg)
    {
        switch (opcode) {
        case KRPC_REVAUTH:
            /* revoke the cached credentials for the given uid */
            {
                STRUCT_DECL(krpc_revauth, nra);
                int result;

                STRUCT_INIT(nra, get_udatamodel());
    [1]         if (copyin(arg, STRUCT_BUF(nra), STRUCT_SIZE(nra)))
                    return (set_errno(EFAULT));

    [2]         result = sec_clnt_revoke(STRUCT_FGET(nra, rpcsec_flavor_1),
                    STRUCT_FGET(nra, uid_1), CRED(),
                    STRUCT_FGETP(nra, flavor_data_1),
                    get_udatamodel());
    ..
[1] The nra structure is filled with user-controlled data.
[2] The sec_clnt_revoke() function gets called (parameters 1, 2 and 4 are user-controlled).

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/rpc/sec/sec_clnt.c (lines 684-736):

    ...
    int
    sec_clnt_revoke(int rpcflavor, uid_t uid, cred_t *cr, void *mechanism,
        model_t model)
    {
        struct desauthent *da;
        int error = 0;
        zoneid_t zoneid = getzoneid();

        if (uid != crgetuid(cr) && secpolicy_nfs(cr) != 0)
            return (EPERM);

        switch (rpcflavor) {
        case AUTH_DES:
    ...
        case RPCSEC_GSS: {
            rpc_gss_OID mech;
            caddr_t elements;

            if (!mechanism)
                return (EINVAL);

            /* copyin the gss mechanism type */
            mech = kmem_alloc(sizeof (rpc_gss_OID_desc), KM_SLEEP);
    #ifdef _SYSCALL32_IMPL
            if (model != DATAMODEL_NATIVE) {
                gss_OID_desc32 mech32;

    [3]         if (copyin(mechanism, &mech32,
                    sizeof (gss_OID_desc32))) {
                    kmem_free(mech, sizeof (rpc_gss_OID_desc));
                    return (EFAULT);
                }
                mech->length = mech32.length;
                mech->elements = (caddr_t)(uintptr_t)mech32.elements;
            } else
    #endif /* _SYSCALL32_IMPL */
    [4]     if (copyin(mechanism, mech, sizeof (rpc_gss_OID_desc))) {
                kmem_free(mech, sizeof (rpc_gss_OID_desc));
                return (EFAULT);
            }

    [5]     elements = kmem_alloc(mech->length, KM_SLEEP);
    ...

[3] + [4] The user-controlled data of mechanism is copied into mech/mech32.
[5] The kmem_alloc() function is called with a user-controlled size value.

If a large size value is passed to the kmem_alloc() function, the kernel will panic.
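The defect above is an allocation whose size comes straight from a user-supplied descriptor. The following user-space C program is an added example written for this page (it is neither Solaris kernel code nor the advisory author's): it models the 32-bit copyin path and shows the bound check that belongs between the copyin and the allocation. The struct oid_desc32_t, the ceiling MECH_OID_MAX_LEN, the stand-in model_copyin() and the function names are all assumptions made for the example; only the shape of the path (copy descriptor, read length, allocate, copy bytes) follows the advisory.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the descriptor the 32-bit path copies in.
 * The layout (a length plus a 32-bit element pointer) follows the advisory's
 * description of gss_OID_desc32; this struct is an assumption for the
 * example, not the Solaris header. */
typedef struct {
    uint32_t length;   /* user-controlled byte count: the size handed to the allocator */
    uint32_t elements; /* 32-bit user pointer to the OID bytes */
} oid_desc32_t;

/* Ceiling on a mechanism OID. DER-encoded OIDs are tens of bytes long;
 * 256 is an assumed generous bound chosen for this example. */
#define MECH_OID_MAX_LEN 256u

/* Constructed sample OID bytes (DER encoding of 1.2.840.113554.1.2.2). */
static const unsigned char sample_oid[] = {
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};

/* The check missing from the original path: reject the length before it
 * reaches an allocator. Zero is not a valid OID, and anything above the
 * ceiling asks the kernel for an arbitrary amount of memory. */
bool mech_oid_length_ok(uint32_t length)
{
    return length != 0 && length <= MECH_OID_MAX_LEN;
}

/* Stand-in for copyin(): a NULL source plays the role of an unmapped
 * user address and yields EFAULT. */
static int model_copyin(const void *user_src, void *dst, size_t len)
{
    if (user_src == NULL)
        return EFAULT;
    memcpy(dst, user_src, len);
    return 0;
}

/* Hardened counterpart of the RPCSEC_GSS branch: copy the descriptor,
 * validate its length, and only then allocate and copy the OID bytes.
 * The 32-bit elements pointer cannot be dereferenced in this model, so the
 * OID bytes are passed in separately. On success *out receives a malloc'd
 * buffer the caller frees; returns 0 or an errno value. */
int copy_mech_oid_checked(const oid_desc32_t *user_desc,
                          const unsigned char *user_elements,
                          unsigned char **out, uint32_t *out_len)
{
    oid_desc32_t desc;
    int err = model_copyin(user_desc, &desc, sizeof desc);
    if (err != 0)
        return err;

    if (!mech_oid_length_ok(desc.length))
        return EINVAL;

    unsigned char *buf = malloc(desc.length);
    if (buf == NULL)
        return ENOMEM;

    err = model_copyin(user_elements, buf, desc.length);
    if (err != 0) {
        free(buf);
        return err;
    }
    *out = buf;
    *out_len = desc.length;
    return 0;
}

/* Runs the checked path on a descriptor carrying the given length and
 * returns the errno result (0 when the OID bytes round-trip intact). */
int try_length(uint32_t length)
{
    static unsigned char user_buf[MECH_OID_MAX_LEN];
    memcpy(user_buf, sample_oid, sizeof sample_oid);

    oid_desc32_t desc = { .length = length, .elements = 0 };
    unsigned char *oid = NULL;
    uint32_t oid_len = 0;

    int err = copy_mech_oid_checked(&desc, user_buf, &oid, &oid_len);
    if (err == 0) {
        if (oid_len != length || memcmp(oid, user_buf, length) != 0)
            err = EIO;
        free(oid);
    }
    return err;
}

/* An unmapped descriptor address must fail cleanly with EFAULT. */
int try_unmapped_descriptor(void)
{
    unsigned char *oid = NULL;
    uint32_t oid_len = 0;
    return copy_mech_oid_checked(NULL, sample_oid, &oid, &oid_len);
}

int main(void)
{
    const uint32_t lengths[] = { 9, 0, 256, 257, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("length %u -> %d\n", (unsigned)lengths[i], try_length(lengths[i]));
    printf("unmapped descriptor -> %d\n", try_unmapped_descriptor());
    return 0;
}
```

The point of the example is the ordering: the length is validated against a fixed ceiling before any allocation happens, so a descriptor carrying 0xFFFFFFFF is answered with EINVAL and never reaches the allocator. In a kernel the same check would sit directly after the copyin at [3]/[4] and before the kmem_alloc() at [5].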
=========
Solution:
=========

This issue is addressed with Oracle Critical Patch Update July 2010 (see [REF1]).

====================
Disclosure Timeline:
====================

11-Jun-2009 - Initial vendor notification
11-Jun-2009 - Initial response from Sun
06-Nov-2009 - Status update by Sun
25-Jun-2010 - Status update by Oracle
09-Jul-2010 - Status update by Oracle
13-Jul-2010 - Critical Patch Update July 2010 released by Oracle
15-Jul-2010 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[REF1] http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html
[REF2] http://www.trapkit.de/advisories/TKADV2010-005.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2010 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP
Charset: utf-8

wj8DBQFMP2EokXxgcAIbhEERAtu8AJ98kDTJvhRjzQmccxOcD8WU0Mvk6gCgpitq
MizzquBu8CHBS3UVm83vVY8=
=wBsJ
-----END PGP SIGNATURE-----