> Solaris's got a big problem in the system call priocntl().
> syscall priocntl(2) is used for process scheduler control
> ...
> As said, pc_clname points to a string specifying the module.
> priocntl() will load the module without any privilege check.
> The module's name is a relative path; priocntl will search for the module file
> only in the /kernel/sched and /usr/kernel/sched/ dirs.
> But unfortunately, priocntl() never checks for '../' in the pc_clname arg.
The supplied exploits definitely work (with a little fiddling) on a
patched Solaris 7 system running a 32-bit kernel.
The following will disable the offending syscall (priocntl) entirely;
this does break nice/renice and the priocntl command.
# Patch the running kernel in memory: overwrite the priocntl entry in the
# syscall table with nosys, so the call is treated as unimplemented.
# Run as root; pick the table offset by kernel word size.
b=`isainfo -b`
if [ "$b" = 32 ]; then
    echo 'sysent+0x70c/W nosys' | adb -k -w /dev/ksyms /dev/mem
elif [ "$b" = 64 ]; then
    # a 64-bit kernel has two tables, sysent (64-bit processes) and
    # sysent32 (32-bit processes); patch both
    echo 'sysent+0xe1c/W nosys' | adb -k -w /dev/ksyms /dev/mem
    echo 'sysent32+0xe1c/W nosys' | adb -k -w /dev/ksyms /dev/mem
fi
(Note that isainfo wasn't available before Solaris 7).
This has NOT been heavily tested; no warranty is expressed or
implied.
Happy Thanksgiving.
Regards,
Jeff Damens
----------------------------------------------------------------
Jeff Damens                  Unix Systems Administrator
Polytechnic University       jdamens (at) poly (dot) edu