[28318] in bugtraq
Re: Solaris priocntl exploit - Sol8 patches available
daemon@ATHENA.MIT.EDU (Scott Howard)
Fri Dec 27 09:47:22 2002
Date: Sat, 28 Dec 2002 00:15:49 +1100
From: Scott Howard <scott@doc.net.au>
To: bugtraq@securityfocus.com
Message-ID: <20021227131549.GA2162@milliways.doc.net.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20021127024912.78C4A2F813@smtp.x263.net>
Patches are now available for Solaris 8 which resolve this bug.
This issue is addressed in the following releases:
SPARC
* Solaris 8 with patch 108528-18 or later
Intel
* Solaris 8 with patch 108529-18 or later
Both are available from http://sunsolve.sun.com/ for both contract and
non-contract customers.
Patches for Solaris 2.6, 7 and 9 will follow shortly.
Further details are available in Sun Alert 49131, available at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49131
Scott
On Wed, Nov 27, 2002 at 11:00:11AM +0800, ÝþÒãÁ? wrote:
> ** Moderator note:
>
> Messages with links to technical details outside of the message are not approved.
> Because of the potential delay waiting for another submission, the original message
> has been modified to include the details.
>
> Details follow:
>
> Solaris's Got Big problem on System Call priocntl()
>
> Description
> syscall priocntl(2) is used as process scheduler control
> it's declared as below:
>
> long priocntl(idtype_t idtype, id_t id, int cmd, /* arg */ ...);
>
> while set 'cmd' arg to PC_GETCID, priocntl()'s function is like below
> (see ManPage 'man -s 2 priocntl')
> "Get class ID and class attributes for a specific class
> given class name. The idtype and id arguments are
> ignored. If arg is non-null, it points to a structure
> of type pcinfo_t. The pc_clname buffer contains the
> name of the class whose attributes you are getting."
>
> as it said, pc_clname points to a string specify the module.
> priocntl() will load the module without any privilege check.
> The module's name is a relative path, priocntl will search the module file
> in only /kernel/sched and /usr/kernel/sched/ dirs.
> but unfortunately, priocntl() never check '../' in pc_clname arg
> we can use '../../../tmp/module' to make priocntl() load a module from anywhere
[..snip...]
