search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Sun Solaris priocntl(2) does not adequately validate path to kernel modules that implement lightweight process (LWP) scheduling policy

Vulnerability Note VU#683673

Original Release Date: 2002-12-05 | Last Revised: 2002-12-06


The Sun Solaris priocntl(2) function does not adequately validate a memory structure that specifies the name of a kernel module. As a result, a local attacker could execute arbitrary code with superuser privileges on a vulnerable system.


The Sun Solaris priocntl(2) function provides the ability to control the scheduling of lightweight processes (LWPs). LWPs are grouped into several classes, each class having a different scheduling policy. The priocntl(2) command PC_GETCID can be used to get the class ID and attributes for a class of LWPs. The PC_GETCID command can take as an argument a pointer to a structure of type pcinfo_t that contains information about the class. A pcinfo_t structure includes a member called pc_clname that specifies the name of the class, and in certain cases, the name of a kernel module that implements the process scheduling policy for the class. priocntl(2) searches for the kernel module specified by pc_clname in /kernel/sched and /usr/kernel/sched.

priocntl(2) does not adequately validate the data in pc_clname. As demonstrated by the exploit code posted to the BugTraq mailing list, an attacker with local user privileges can:

    1. create an arbitrary kernel module and place it in a writable location (/tmp/module for instance),
    2. create an arbitrary pcinfo_t structure with pc_clname set to the location of the kernel module relative to /usr/kernel/sched (../../../tmp/module), and
    3. issue a priocntl(2) call using the PC_GETCID command and a pointer to the pcinfo_t structure created by the attacker.
    Since priocntl(2) accepts the relative path operators (../) in pc_clname, the attacker-supplied module will be loaded by the kernel, and the attacker can act with superuser privileges.

    A different aspect of this vulnerability is that priocntl(2) does not validate or authenticate the kernel module that is being loaded. A message posted to BugTraq suggests checking the permissions ownership of the module and its parent directories. Another option could be to check a cryptographic hash or signature before loading a module.


    A local attacker could execute code with superuser privileges.


    Apply Patch or Upgrade

    Sun Alert ID 49131 states that "A final resolution is pending completion."

    Change Location of /sched Directories

    Sun Alert ID 49131 includes a workaround that involves nesting the /sched directories deeply enough that they cannot be traversed in the space available in pc_clname.

    Vendor Information


    Sun Microsystems Inc. Affected

    Notified:  December 02, 2002 Updated: December 05, 2002



    Vendor Statement

    Sun confirms that the priocntl(2) vulnerability does affect all currently supported versions of Solaris:

    Solaris 2.6, 7, 8, and 9

    Sun has released a Sun Alert which describes a workaround until patches are available at:


    The Sun Alert will be updated with the patch information once it becomes available. Sun patches are available from:

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.


    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    CVSS Metrics

    Group Score Vector



    This vulnerability was publicly reported by CatDog.

    This document was written by Art Manion.

    Other Information

    CVE IDs: CVE-2002-1296
    Severity Metric: 20.48
    Date Public: 2002-11-27
    Date First Published: 2002-12-05
    Date Last Updated: 2002-12-06 17:12 UTC
    Document Revision: 45

    Sponsored by CISA.