Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=734 and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=735
Vulnerable Systems:
* snoop for Solaris 10 8/07
Solaris snoop SMB Decoding Multiple Stack Buffer Overflow Vulnerabilities
Remote exploitation of multiple stack-based buffer overflow vulnerabilities in Sun Microsystems Inc.'s snoop could allow an attacker to execute arbitrary code with the privileges of the nobody user.
Multiple buffer overflow vulnerabilities exist within the code that parses and displays SMB traffic. In most cases, exploitation is trivial as an attacker has full control of the data copied.
Analysis:
Exploitation of these vulnerabilities results in the execution of arbitrary code with the privileges of the nobody user. In addition, the attacker has access to the raw socket used by the snoop program. This allows them to capture any traffic visible to the network interface used.
Often in client-side vulnerabilities, an attacker only has a single chance to exploit the vulnerability. However, the snoop utility will handle any segmentation violations and attempt to continue capturing network traffic. This gives an attacker multiple opportunities to exploit a vulnerability, which increases the likelihood of successful exploitation.
Vendor response:
Sun Microsystems has addressed these vulnerabilities with the release of patches for Solaris 8, 9, and 10, as well as OpenSolaris. For more information, refer to Sun Alert 240101 at the following URL:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-240101-1
CVE Information:
CVE-2008-0964
Disclosure timeline:
01/24/2008 - Initial vendor notification
01/25/2008 - Initial vendor response
08/04/2008 - Coordinated public disclosure
Solaris snoop SMB Decoding Multiple Format String Vulnerabilities
Remote exploitation of multiple format string vulnerabilities in Sun Microsystems Inc.'s snoop could allow an attacker to execute arbitrary code with the privileges of the nobody user.
Multiple format string vulnerabilities exist within the code that parses and displays SMB traffic. All of the vulnerabilities are present due to unsanitized user input being passed to a printf-style formatting function. This allows an attacker to overwrite arbitrary addresses with arbitrary data, which can result in the execution of arbitrary code.
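Added illustration, not code from snoop or from the iDefense advisories: a hypothetical decoder for a length-prefixed SMB name field showing the hardened form of both defect classes described in these two advisories (the unbounded copy into a stack buffer and the wire data used as a format string). The field layout, the NAME_MAX size and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define NAME_MAX 32  /* assumed size of the decoder's stack buffer */

/* Hypothetical field layout (assumption): byte 0 = declared length,
 * bytes 1.. = the name. Both come from the wire, so both are untrusted.
 *
 * The two defect classes described above look like this in a decoder:
 *     memcpy(name, pkt + 1, pkt[0]);   // declared length never checked
 *     printf(name);                    // wire data used as the format string
 */

/* Hardened decode: returns bytes consumed, or -1 for a malformed field.
 * Never writes more than outlen-1 bytes and always NUL-terminates. */
int decode_name(const uint8_t *pkt, size_t pktlen, char *out, size_t outlen)
{
    if (pktlen < 1 || outlen < 1)
        return -1;
    size_t declared = pkt[0];
    if (declared > pktlen - 1)          /* field claims more than the packet has */
        return -1;
    size_t n = declared < outlen - 1 ? declared : outlen - 1;  /* truncate */
    for (size_t i = 0; i < n; i++) {
        uint8_t c = pkt[1 + i];
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';  /* display-safe */
    }
    out[n] = '\0';
    return (int)(1 + declared);
}

/* Hardened display: the format string is a literal; wire data is only an
 * argument, so '%' sequences inside it are printed, not interpreted. */
void print_name(const char *name)
{
    printf("  Name = %s\n", name);
}

int main(void)
{
    /* Constructed sample: length 4, then "%n%n", which is printed verbatim. */
    const uint8_t pkt[] = { 4, '%', 'n', '%', 'n' };
    char name[NAME_MAX];
    if (decode_name(pkt, sizeof pkt, name, sizeof name) > 0)
        print_name(name);
    return 0;
}
```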
Analysis:
Exploitation of these vulnerabilities results in the execution of arbitrary code with the privileges of the nobody user. In addition, the attacker has access to the raw socket used by the snoop program. This allows them to capture any traffic visible to the network interface used.
Often in client-side vulnerabilities, an attacker only has a single chance to exploit the vulnerability. However, the snoop utility will handle any segmentation violations and attempt to continue capturing network traffic. This gives an attacker multiple opportunities to exploit a vulnerability, which increases the likelihood of successful exploitation.
Vendor response:
Sun Microsystems has addressed these vulnerabilities with the release of patches for Solaris 8, 9, and 10, as well as OpenSolaris. For more information, refer to Sun Alert 240101 at the following URL:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-240101-1
CVE Information:
CVE-2008-0965
Disclosure timeline:
01/24/2008 - Initial vendor notification
01/25/2008 - Initial vendor response
08/04/2008 - Coordinated public disclosure