[34226] in bugtraq
Re: Immunity Advisory: Solaris local kernel root
daemon@ATHENA.MIT.EDU (Casper Dik)
Wed Mar 24 13:38:11 2004
Message-Id: <200403241034.i2OAYSD03705@sunnl.Holland.Sun.COM>
To: Dave Aitel <dave@immunitysec.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <4060B2C0.2030907@immunitysec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 24 Mar 2004 11:34:28 +0100
From: Casper Dik <casper@holland.sun.com>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Immunity Research has released an Advisory from the Vulnerability
>Sharing Club into the public domain. This advisory can be found at
>http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
>
>Technical Summary: There is a vulnerability in Solaris that allows
>local users to load kernel modules without being root. This is handy
>for getting around things like Argus Pitbull (if it still existed) or
>Okena or Entercept or anything like that, or simply for just taking
>root. An exploit for this was released as part of the Shellcoder's
>Handbook.
>
>There is a Solaris patch that appears to make this exploit ineffective.
>http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57479&zone_32=category%3Asecurity
I wonder why you even bother publishing this; at the time the document
claims to have been written, half the listed Solaris revisions had already
patches out for them; Solaris 10, which technically doesn't exist yet, had
the bug already fixed in its most recent Solaris Express builds.
But thanks for including the reference to the Sun Alert; that should
prevent this from being to large a blip on the SunService radar screen.
Casper
