Several holes in the dmispd daemon shipped with Solaris 2.7 (SPARC and x86) allow malicious users to mount denial-of-service attacks against the system. The attacks can be carried out both remotely and locally.
Credit:
The information was provided by: Brock Tellier.
local/remote users can use up all of /var disk space
By using "dmi_cmd", any user on any other Solaris machine (or anyone who cares to port dmi_cmd) can run "dmi_cmd -CI sp.mif" to add the sp.mif file to the /var/dmi/db database. The user can repeat this until all disk space on /var (or wherever the configuration file places these files) has been used up. sp.mif appears to be installed by default, and no user authentication is performed. An attack of this sort could be a prelude to another, more serious attack, since most of Solaris's system logs reside on /var and can no longer be written once the filesystem is full. The interaction with dmispd does not appear to be logged in any way.
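Added example, not part of the original advisory: because the additions are unauthenticated and unlogged, the only trace a defender has of the disk-filling attack is growth of the database itself, so the check below audits that directory periodically (for instance from cron). It is POSIX sh. /var/dmi/db is the default location named above; the state file path, the thresholds, the assumption that each addition is stored as its own file (which is what makes identical copies a useful fingerprint), and the sample files in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# dmi_audit.sh - added example, not dmispd's or the advisory author's code.
# Audits the dmispd MIF database for unexpected growth. /var/dmi/db is the
# default location from the advisory; state file, thresholds and the
# one-file-per-addition assumption are assumptions of this example.

# count_mif_files DIR : number of regular files under DIR (0 if DIR is absent).
count_mif_files() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f | wc -l | tr -d ' '
}

# db_kbytes DIR : disk space used by DIR in kilobytes (0 if DIR is absent).
db_kbytes() {
    [ -d "$1" ] || { echo 0; return 0; }
    du -sk "$1" | awk '{print $1}'
}

# duplicate_groups DIR : number of distinct file contents that occur in more
# than one file under DIR. Repeatedly adding the same sp.mif leaves identical
# copies (assuming the daemon stores each addition as its own file), so a
# non-zero result is the fingerprint of the attack described above.
duplicate_groups() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f -exec cksum {} \; | awk '{print $1, $2}' \
        | sort | uniq -d | wc -l | tr -d ' '
}

# check_db_growth DIR STATE MAX_NEW_FILES MAX_NEW_KB : compare the current
# size of the database with the values recorded in STATE by the previous run,
# record the new values, and return 1 (alert) if more than MAX_NEW_FILES files
# or MAX_NEW_KB kilobytes were added since then, 0 otherwise.
check_db_growth() {
    dir="$1" state="$2" max_files="$3" max_kb="$4"
    files=$(count_mif_files "$dir")
    kb=$(db_kbytes "$dir")
    prev_files=0 prev_kb=0
    if [ -f "$state" ]; then
        read -r prev_files prev_kb < "$state"
    fi
    echo "$files $kb" > "$state"
    new_files=$((files - prev_files))
    new_kb=$((kb - prev_kb))
    if [ "$new_files" -gt "$max_files" ] || [ "$new_kb" -gt "$max_kb" ]; then
        echo "ALERT: $dir grew by $new_files files / $new_kb KB since last check" \
             "(duplicate contents: $(duplicate_groups "$dir"))" >&2
        return 1
    fi
    return 0
}

# Run the check when invoked with arguments, e.g. every few minutes from cron:
#   sh dmi_audit.sh /var/dmi/db /var/tmp/dmi_audit.state 10 1024
if [ "$#" -gt 0 ]; then
    check_db_growth "$1" "$2" "${3:-10}" "${4:-1024}"
fi
```

The thresholds should be tuned to how often legitimate MIF components are installed on the host; on most systems that is close to never, so a handful of new files between two runs is already worth a look. A non-zero duplicate count alongside the alert points at a repeated "dmi_cmd -CI" rather than a real software installation.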
local/remote users can crash the dmispd daemon
By using the same "dmi_cmd -CI" command, users can specify their own file to add. If the first line of this file is long enough, the daemon segfaults and crashes. The file can be supplied from outside the database directory through the directory traversal problem shown here:
# any more than 1024 characters in here and dmispd reports an error
# and exit()'s without segfaulting.
echo `perl -e "print 'A' x 1000"` > /usr/home/btellier/my.mif
dmi_cmd -CI ../../../usr/home/btellier/my.mif
The client hangs and then reports an error (the daemon has segfaulted and died). Only the %o4 register can be overwritten, nothing more. In addition, the daemon appears to accept only printable letters, numbers and symbols and discards all other characters, which greatly reduces the chances of turning this into anything more than a DoS.