CERT/CC Vulnerability Note VU#683673

Sun Solaris priocntl(2) does not adequately validate path to kernel modules that implement lightweight process (LWP) scheduling policy

Published: December 05, 2002
Source: www.kb.cert.org

CVSS2: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.001 (percentile 25.7%)

Overview

The Sun Solaris priocntl(2) system call does not adequately validate the class-name field of a caller-supplied structure; that field is used to locate and load a kernel module. As a result, a local attacker could load an arbitrary kernel module and execute arbitrary code with superuser privileges on a vulnerable system.

Description

The Sun Solaris priocntl(2) system call controls the scheduling of lightweight processes (LWPs). LWPs are grouped into scheduling classes, each with its own scheduling policy. The priocntl(2) command PC_GETCID returns the class ID and attributes of a class; it takes as an argument a pointer to a caller-supplied structure of type pcinfo_t. That structure includes a fixed-size member, pc_clname, that names the class and, in certain cases, the kernel module that implements the scheduling policy for the class. To resolve the name, priocntl(2) searches for a module called pc_clname in /kernel/sched and /usr/kernel/sched and loads it.

priocntl(2) does not adequately validate the data in pc_clname. As demonstrated by the exploit code posted to the BugTraq mailing list, an attacker with local user privileges can:

  1. create an arbitrary kernel module and place it in a directory the attacker can write to (/tmp/module, for instance),
  2. fill in a pcinfo_t structure whose pc_clname is the path of that module relative to /usr/kernel/sched (../../../tmp/module, shortened as needed to fit the fixed-size field), and
  3. call priocntl(2) with the PC_GETCID command and a pointer to that structure.

Because priocntl(2) accepts the relative path operator (../) in pc_clname, the kernel loads the attacker-supplied module; its code then runs in kernel context, and the attacker can act with superuser privileges.

A second weakness is that priocntl(2) neither validates nor authenticates the kernel module it is about to load. A message posted to BugTraq suggests checking the ownership and permissions of the module file and of each of its parent directories before loading it. Another option would be to check a cryptographic hash or signature of the module before loading it.
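As an added example (not Solaris source and not the exploit posted to BugTraq), the following C program models the lookup described above in user space and implements the two checks just proposed: a bare-identifier check on pc_clname, and an ownership and permission walk over the module path and its parent directories. The helper names and the 256-byte path buffer are assumptions for illustration; PC_CLNMSZ (16) is the actual size of pc_clname in Solaris's sys/priocntl.h.

```c
/* Added example, not Solaris source or the BugTraq exploit: a user-space
 * model of the class-name lookup plus the two checks the text proposes.
 * Helper names and the 256-byte path limit are assumptions for this demo;
 * PC_CLNMSZ is the real Solaris size of pcinfo_t.pc_clname. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define PC_CLNMSZ 16    /* sizeof pc_clname on Solaris */
#define PATHBUF   256   /* assumed path buffer size for this demo */

/* Collapse "." and ".." components of an absolute path so we can see where a
 * spliced name really lands. Components that would overflow are dropped. */
static void normalize_path(const char *in, char *out, size_t outlen)
{
    char copy[PATHBUF];
    size_t len = 0;

    strncpy(copy, in, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    out[0] = '\0';
    for (char *c = strtok(copy, "/"); c != NULL; c = strtok(NULL, "/")) {
        if (strcmp(c, ".") == 0)
            continue;
        if (strcmp(c, "..") == 0) {           /* climb one level, never above "/" */
            char *slash = strrchr(out, '/');
            if (slash != NULL)
                *slash = '\0';
            len = strlen(out);
            continue;
        }
        if (len + 1 + strlen(c) >= outlen)
            break;
        out[len++] = '/';
        strcpy(out + len, c);
        len += strlen(c);
    }
    if (len == 0)
        strcpy(out, "/");
}

/* Vulnerable pattern: the class name is spliced under the sched directory
 * as-is, so "../" in the name walks out of it. Returns a static buffer. */
const char *resolve_unsafe(const char *sched_dir, const char *clname)
{
    static char raw[PATHBUF], resolved[PATHBUF];
    snprintf(raw, sizeof raw, "%s/%s", sched_dir, clname);
    normalize_path(raw, resolved, sizeof resolved);
    return resolved;
}

/* Hardened check on the copied-in name: it must be NUL-terminated inside the
 * PC_CLNMSZ-byte field, non-empty, and a bare identifier (no '/' or '.'). */
int clname_is_safe(const char clname[PC_CLNMSZ])
{
    const char *nul = memchr(clname, '\0', PC_CLNMSZ);
    if (nul == NULL || nul == clname)
        return 0;
    for (const char *p = clname; p < nul; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return 0;
    return 1;
}

/* Fills pc_clname the way a caller would (strncpy NUL-pads, but leaves a name
 * of PC_CLNMSZ bytes or more unterminated) and then validates it. */
int check_name(const char *src)
{
    char clname[PC_CLNMSZ];
    strncpy(clname, src, PC_CLNMSZ);
    return clname_is_safe(clname);
}

/* Second check from the text: the module file and every directory above it
 * must be root-owned and writable by nobody else; symlinks are refused.
 * Anything under /tmp fails because /tmp is world-writable. */
int module_file_trusted(const char *path)
{
    char buf[PATHBUF];
    if (path[0] != '/' || strlen(path) >= sizeof buf)
        return 0;
    strcpy(buf, path);
    for (;;) {
        struct stat st;
        if (lstat(buf, &st) != 0 || S_ISLNK(st.st_mode))
            return 0;
        if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
            return 0;
        if (strcmp(buf, "/") == 0)
            return 1;
        char *slash = strrchr(buf, '/');
        if (slash == buf)
            slash[1] = '\0';              /* parent is the root directory */
        else
            *slash = '\0';
    }
}

int main(void)
{
    printf("%s\n", resolve_unsafe("/usr/kernel/sched", "../../../tmp/module"));
    printf("TS: %d  traversal: %d\n", check_name("TS"), check_name("../../../tmp/mod"));
    printf("/tmp trusted: %d\n", module_file_trusted("/tmp"));
    return 0;
}
```

Build with `cc -Wall -o clname clname.c`. resolve_unsafe shows that splicing ../../../tmp/module under /usr/kernel/sched resolves to /tmp/module; clname_is_safe rejects that name, and also any name that is not NUL-terminated within the field, which the unterminated strncpy in check_name deliberately exercises; module_file_trusted refuses any path under /tmp because the directory is world-writable. In the kernel the same policy would be applied to the vnode rather than via lstat, but the checks themselves are the ones the text describes.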

Impact

A local attacker could execute code with superuser privileges.


Solution

Apply Patch or Upgrade

Sun Alert ID 49131 states that “A final resolution is pending completion.”


Change Location of /sched Directories

Sun Alert ID 49131 includes a workaround: move the sched directories deep enough in the filesystem that no sequence of ../ components that fits in the fixed-size pc_clname field can climb out of them into a directory an unprivileged user can write to. This blocks the traversal but adds no validation of the module being loaded, so it is a stopgap until the patch is available.


Vendor Information


Sun Microsystems Inc. (Affected)

Notified: December 02, 2002 Updated: December 05, 2002

Status: Affected

Vendor Statement

Sun confirms that the priocntl(2) vulnerability does affect all currently supported versions of Solaris:

Solaris 2.6, 7, 8, and 9

Sun has released a Sun Alert which describes a workaround until patches are available at:

<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49131>

The Sun Alert will be updated with the patch information once it becomes available. Sun patches are available from:

<http://sunsolve.sun.com/securitypatch>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Acknowledgements

This vulnerability was publicly reported by CatDog.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-1296
Severity Metric: 20.48
Date Public:
