Sun's snoop dogged by a buffer overflow
Sun Microsystems has released two security alerts for Solaris. One of the alerts affects Solaris 8, 9 and 10 and OpenSolaris, and closes a hole in the snoop network utility, which is normally used to monitor packets on the network. The other covers Solaris 10 and OpenSolaris and involves a way for an unprivileged user to crash the system.
It appears that when the snoop utility is run without the "-o" option, which directs snoop's output to a file, it is possible to craft a malicious packet that can trigger a bug allowing arbitrary commands to be run as the user running snoop. The problem is slightly mitigated by the fact that snoop, when run as root, changes its effective user to "nobody", but root is the only user for which snoop changes its effective user ID. According to the Sun alert for this issue, the problem is related to how snoop displays SMB traffic.
The other issue affects Solaris 10 and OpenSolaris only. In this case, a local unprivileged user or application can manipulate the pthread_mutex_reltimedlock_np function in such a way as to cause the system to hang or panic. The Sun alert in this case notes that there are no workarounds and directs users to install one of two patches or update their OpenSolaris to a build later than snv_90.