Sunday, December 21, 2008

[UNIX] Sun Solaris SIOCGTUNPARAM IOCTL Kernel NULL Pointer Dereference

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Sun Solaris SIOCGTUNPARAM IOCTL Kernel NULL Pointer Dereference
------------------------------------------------------------------------


SUMMARY

The kernel of Solaris contains a vulnerability in the code that handles
SIOCGTUNPARAM IOCTL requests. Exploitation of this vulnerability can
result in:
1) Local denial of service attacks (system crash due to a kernel panic),
or
[ As all Solaris Zones (Containers) share the same kernel it is possible
to crash the whole system (all Zones) even if the vulnerability is
triggered in an unprivileged non-global zone. ]

2) Local execution of arbitrary code at the kernel level (complete system
compromise) on x86 platforms
[ As all Solaris Zones (Containers) share the same kernel it is possible
to escape from unprivileged non-global zones and compromise other
non-global zones or the global zone. ]

The issue can be triggered by sending a specially crafted IOCTL request to
the kernel.

DETAILS

Vulnerable Systems:
* Solaris 10 without patch 138888-01 (SPARC)
* Solaris 10 without patch 138889-01 (x86)
* OpenSolaris versions prior to snv_77 (SPARC)
* OpenSolaris versions prior to snv_77 (x86)

Immune Systems:
* Solaris 10 with patch 138888-01 or later (SPARC)
* OpenSolaris based upon builds snv_77 or later (SPARC)
* Solaris 10 with patch 138889-01 or later (x86)
* OpenSolaris based upon builds snv_77 or later (x86)

Technical Details:
The following source code references are based on the kernel source code
available from http://www.opensolaris.org.

<http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip.c> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip.c:

[...]
26692 void
26693 ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
26694 {
[...]
26717 [1] ci.ci_ipif = NULL
[...]
26735 case TUN_CMD:
[...]
26740 [2] err = ip_extract_tunreq(q, mp, &ci.ci_ipif, ip_process_ioctl);
26741 if (err != 0) {
26742 ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL);
26743 return;
26744 }
[...]
26782 if (!(ipip->ipi_flags & IPI_WR)) {
[...]
26788 [3] err = (*ipip->ipi_func)(ci.ci_ipif, ci.ci_sin, q, mp, ipip,
26789 ci.ci_lifr);
[...]

[1] The value of "ci.ci_ipif" is set to "NULL".
[2] When a SIOCGTUNPARAM IOCTL is called the switch case "TUN_CMD" is
chosen and the "ip_extract_tunreq()" function gets called.
[3] If the return value of the "ip_extract_tunreq()" function is 0 the
"ci.ci_ipif" variable is later on used as the first parameter for the
"ip_sioctl_tunparam()" function.


<http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip_if.c:> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/inet/ip/ip_if.c:

[...]
9468 int
9469 ip_sioctl_tunparam(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t
*mp,
9470 ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
9471 {
..
9499 [4] ill = ipif->ipif_ill;
[...]

In the "ip_sioctl_tunparam()" function the first parameter "ipif" is used
to reference some data (see [4]).

It is possible to return from the "ip_extract_tunreq()" function (see [2])
with a return value of 0 while "ci.ci_ipif" is also still set to NULL. As
"ipif" has the same value as "ci.ci_ipif", which is set to NULL, this
leads to a NULL pointer dereference (see [4]).

On x86 (32/64bit) platforms this Null pointer dereference can be exploited
to execute arbitrary code at the kernel level. On SPARC platforms the
vulnerability can "only" be used for a denial of service.

Solution:
This issue is addressed in the following patch releases from Sun:

SPARC Platform
- Solaris 10 with patch 138888-01 or later
- OpenSolaris based upon builds snv_77 or later

x86 Platform
- Solaris 10 with patch 138889-01 or later
- OpenSolaris based upon builds snv_77 or later

Disclosure Timeline:
2007/09/04 - Vendor notified
2007/09/05 - Vendor confirms the vulnerability
2008/12/17 - Public disclosure of vulnerability details by Sun
2008/12/17 - Release date of this security advisory

References:
[1] <http://sunsolve.sun.com/search/document.do?assetkey=1-26-242266-1>
http://sunsolve.sun.com/search/document.do?assetkey=1-26-242266-1
[2] <http://www.trapkit.de/advisories/TKADV2008-015.txt>
http://www.trapkit.de/advisories/TKADV2008-015.txt


ADDITIONAL INFORMATION

The information has been provided by <mailto:tk@trapkit.de> Tobias Klein.
The original article can be found at:
<http://www.trapkit.de/advisories/TKADV2008-015.txt>
http://www.trapkit.de/advisories/TKADV2008-015.txt

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment