In association with heise online

14 December 2006, 16:54

Root privileges from vulnerabilities in Solaris loader

Sun has fixed two vulnerabilities identified by security services provider iDefense. Both are in the dynamic linker/loader ld.so and can only be exploited in combination. ld.so uses the environment variable $LANG to deliver error messages in the appropriate language. Since $LANG can be set by the user, it is possible, for example via directory traversal, to redirect this lookup to other files. Setting $LANG to ../../../../../home/user, for example, would be sufficient.

According to iDefense this permits arbitrary format strings to be passed to vulnerable print and formatting functions in ld.so. This is where the second vulnerability comes into play: a buffer overflow in the formatting function doprf which can be used to write code to the stack and execute it with the privileges of ld.so, i.e. kernel privileges. Interestingly, the bug only comes into play for non-root users; if the user has root privileges the function is not used. According to Sun, Solaris 8, 9 and 10 on SPARC and x86 are affected.
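The two defects described above are a path traversal through an environment variable and a format-string/overflow in the message formatter. The following C snippet is an added example, not Sun's or iDefense's code, showing the two defensive checks a loader (or any setuid program) would apply: validate the locale name before using it as a path component, and never pass catalog text through a function as a format string. The catalog root and file name (/usr/lib/locale/<lang>/LC_MESSAGES/ld.so.cat) are hypothetical placeholders, not Solaris's real layout.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical catalog location used for illustration only. */
#define CATALOG_ROOT "/usr/lib/locale"
#define CATALOG_FILE "LC_MESSAGES/ld.so.cat"

/* Return 1 if the locale name is safe to use as a single path component:
 * only locale-style characters, no separators, no "..". */
int locale_is_safe(const char *lang)
{
    size_t i, n;
    if (lang == NULL)
        return 0;
    n = strlen(lang);
    if (n == 0 || n > 64)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return 0;            /* rejects '/' and anything unexpected */
    }
    if (strstr(lang, "..") != NULL)
        return 0;                /* belt and braces: no traversal tokens */
    return 1;
}

/* Build the catalog path for a validated locale.
 * Returns 0 on success, -1 if the locale is rejected or the buffer is too small. */
int build_catalog_path(const char *lang, char *out, size_t outlen)
{
    int written;
    if (!locale_is_safe(lang))
        return -1;
    written = snprintf(out, outlen, "%s/%s/%s", CATALOG_ROOT, lang, CATALOG_FILE);
    if (written < 0 || (size_t)written >= outlen)
        return -1;
    return 0;
}

/* Helper for checking: does the built path equal the expected string? */
int catalog_path_equals(const char *lang, const char *expected)
{
    char buf[256];
    if (build_catalog_path(lang, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Render a message taken from an untrusted catalog. The message is passed as
 * an argument to a fixed "%s" format, so any '%' sequences it contains are
 * copied literally instead of being interpreted. Returns the rendered length. */
int render_message(const char *msg, char *out, size_t outlen)
{
    int written = snprintf(out, outlen, "%s", msg);
    if (written < 0 || (size_t)written >= outlen)
        return -1;               /* truncation is reported, never silently overflowed */
    return written;
}

/* Helper for checking: render and compare against the expected literal text. */
int render_equals(const char *msg, const char *expected)
{
    char buf[128];
    if (render_message(msg, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal locale and a traversal attempt like the one in the article. */
    const char *good = "de_DE.UTF-8";
    const char *bad  = "../../../../../home/user";
    char path[256];

    printf("%s -> %s\n", good, build_catalog_path(good, path, sizeof path) == 0 ? path : "rejected");
    printf("%s -> %s\n", bad,  build_catalog_path(bad,  path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```

The allowlist approach matters more than the ".." check: a loader that only strips ".." still accepts absolute paths or embedded separators, whereas rejecting every character outside the locale alphabet leaves no way to escape the catalog root.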

(trk)

Permalink: http://h-online.com/-731986