CVSS2

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |

EPSS

Metric | Value |
---|---|
Percentile | 25.7% |
The Sun Solaris priocntl(2) function does not adequately validate a memory structure that specifies the name of a kernel module. As a result, a local attacker could execute arbitrary code with superuser privileges on a vulnerable system.
The Sun Solaris priocntl(2) function provides the ability to control the scheduling of lightweight processes (LWPs). LWPs are grouped into several classes, each class having a different scheduling policy. The priocntl(2) command PC_GETCID can be used to get the class ID and attributes for a class of LWPs. The PC_GETCID command can take as an argument a pointer to a structure of type pcinfo_t that contains information about the class. A pcinfo_t structure includes a member called pc_clname that specifies the name of the class, and in certain cases, the name of a kernel module that implements the process scheduling policy for the class. priocntl(2) searches for the kernel module specified by pc_clname in /kernel/sched and /usr/kernel/sched.
priocntl(2) does not adequately validate the data in pc_clname. As demonstrated by the exploit code posted to the BugTraq mailing list, an attacker with local user privileges can:

1. Create a kernel module (in /tmp/module, for instance),
2. Create a pcinfo_t structure with pc_clname set to the location of the kernel module relative to /usr/kernel/sched (../../../tmp/module), and
3. Make a priocntl(2) call using the PC_GETCID command and a pointer to the pcinfo_t structure created by the attacker.

Since priocntl(2) accepts the relative path operators (../) in pc_clname, the attacker-supplied module will be loaded by the kernel, and the attacker can act with superuser privileges.

priocntl(2) does not validate or authenticate the kernel module that is being loaded. A message posted to BugTraq suggests checking the permissions and ownership of the module and its parent directories. Another option could be to check a cryptographic hash or signature before loading a module.

A local attacker could execute code with superuser privileges.
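The two checks the note describes as missing, the class-name validation that would stop a pc_clname such as ../../../tmp/module from leaving the sched directories, and the ownership/permission walk over the module and its parent directories suggested on BugTraq, written as an added example for this note (not Sun's code). It assumes PC_CLNMSZ is 16 as in Solaris <sys/priocntl.h> and uses POSIX stat() in place of kernel internals.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Assumption: pc_clname is a fixed PC_CLNMSZ-byte array (16 in Solaris
 * <sys/priocntl.h>); restated here so the example builds without that header. */
#define PC_CLNMSZ 16

/* The check the note says priocntl(2) lacks: a class name must be exactly one
 * path component. Rejects an empty name, one not NUL-terminated inside the
 * field, any '/' (so "../../../tmp/module" cannot leave the sched directories),
 * and the special names "." and "..". */
bool clname_is_valid(const char *name)
{
    size_t len = 0;
    while (len < PC_CLNMSZ && name[len] != '\0')
        len++;
    if (len == 0 || len == PC_CLNMSZ || memchr(name, '/', len) != NULL)
        return false;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Policy behind the BugTraq suggestion: a module file or directory is
 * trusted only if root-owned and not writable by group or others. */
bool trusted_mode(uid_t uid, mode_t mode)
{
    return uid == 0 && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Apply trusted_mode() to "/" and every prefix of an absolute module path,
 * so a module under a world-writable directory such as /tmp is refused even
 * if the file itself looks fine. Uses POSIX stat(), not kernel internals. */
bool module_path_trusted(const char *path)
{
    char buf[1024];                          /* ample for sched module paths */
    struct stat st;
    size_t len = strlen(path);
    if (path[0] != '/' || len >= sizeof buf)
        return false;                        /* relative or oversized path */
    for (size_t i = 1; i <= len; i++) {      /* "/", "/usr", ..., full path */
        if (i > 1 && i < len && path[i] != '/')
            continue;
        memcpy(buf, path, i);
        buf[i] = '\0';
        if (stat(buf, &st) != 0 || !trusted_mode(st.st_uid, st.st_mode))
            return false;
    }
    return true;
}
```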
Apply Patch or Upgrade
Sun Alert ID 49131 states that “A final resolution is pending completion.”
Change Location of /sched Directories
Sun Alert ID 49131 includes a workaround that involves nesting the /sched directories deeply enough that they cannot be traversed in the space available in pc_clname.
VU#683673
Notified: December 02, 2002. Updated: December 05, 2002.
Status: Affected
Sun confirms that the priocntl(2) vulnerability does affect all currently supported versions of Solaris: Solaris 2.6, 7, 8, and 9.
Sun has released a Sun Alert which describes a workaround until patches are available at:
<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49131>
The Sun Alert will be updated with the patch information once it becomes available. Sun patches are available from:
<http://sunsolve.sun.com/securitypatch>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23683673 Feedback>).
This vulnerability was publicly reported by CatDog.
This document was written by Art Manion.
Field | Value |
---|---|
CVE IDs | CVE-2002-1296 |
Severity Metric | 20.48 |
Date Public | |