The Sun Solaris priocntl(2) function does not adequately validate a memory structure that specifies the name of a kernel module. As a result, a local attacker could execute arbitrary code with superuser privileges on a vulnerable system.
The Sun Solaris priocntl(2) function provides the ability to control the scheduling of lightweight processes (LWPs). LWPs are grouped into several classes, each class having a different scheduling policy. The priocntl(2) command PC_GETCID can be used to get the class ID and attributes for a class of LWPs. The PC_GETCID command can take as an argument a pointer to a structure of type pcinfo_t that contains information about the class. A pcinfo_t structure includes a member called pc_clname that specifies the name of the class, and in certain cases, the name of a kernel module that implements the process scheduling policy for the class. priocntl(2) searches for the kernel module specified by pc_clname in /kernel/sched and /usr/kernel/sched.
priocntl(2) does not adequately validate the data in pc_clname. As demonstrated by the exploit code posted to the BugTraq mailing list, an attacker with local user privileges can:
A different aspect of this vulnerability is that priocntl(2) does not validate or authenticate the kernel module that is being loaded. A message posted to BugTraq suggests checking the permissions ownership of the module and its parent directories. Another option could be to check a cryptographic hash or signature before loading a module.
A local attacker could execute code with superuser privileges.
This vulnerability was publicly reported by CatDog.
This document was written by Art Manion.
|Date First Published:||2002-12-05|
|Date Last Updated:||2002-12-06 17:12 UTC|