Sun Microsystems Solaris FIFO FS Information Disclosure Vulnerability
8 Oct. 2007
Summary
Solaris is a UNIX operating system developed by Sun Microsystems. Local exploitation of an integer signedness error in Sun Microsystems' Solaris could allow attackers to disclose sensitive information from memory.
Vulnerable Systems:
* Solaris version 10 on x86 and SPARC (It is suspected that earlier versions are also affected)
The FIFO FS (First In First Out File System) is a service provided by the kernel that is commonly used for IPC (InterProcess Communication). A FIFO is represented as a node in the file system, and is similar to the concept of named pipes in Windows.
The vulnerability exists in the kernel ioctl() handler for FIFOs. The I_PEEK ioctl is used to peek at a number of bytes contained in the FIFO without actually removing them from the queue. One of the arguments to this command, which represents the number of bytes to peek, is a signed integer value. Since this parameter is not properly validated, a negative value can cause large amounts of kernel memory contents to be disclosed.
Exploitation allows an attacker to view potentially sensitive information belonging to the kernel or other users. For example, the root password hash or encryption keys might be disclosed.
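The validation flaw described above, shown as an added example that is neither Solaris source code nor part of the original advisory: a simplified user-space model of a length check that compares a signed count only against an upper bound, next to a version that rejects negative values first. The struct and function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request: the caller-supplied peek size is a signed int. */
struct peek_req {
    int   maxlen;   /* number of bytes the caller asks to peek */
    char *buf;      /* destination buffer */
};

/* Flawed pattern: only the upper bound is checked, in signed arithmetic.
 * Returns the length that would be handed to the copy routine. */
size_t peek_len_unchecked(const struct peek_req *req, int queued)
{
    int n = req->maxlen;
    if (n > queued)      /* -1 > 16 is false, so a negative is never clamped */
        n = queued;
    return (size_t)n;    /* -1 converts to SIZE_MAX */
}

/* Corrected pattern: reject negative values first, then clamp. */
int peek_len_checked(const struct peek_req *req, int queued, size_t *out)
{
    if (req->maxlen < 0 || queued < 0)
        return EINVAL;
    *out = (size_t)(req->maxlen < queued ? req->maxlen : queued);
    return 0;
}

/* Peek with the corrected length: copies at most `queued` bytes of msg. */
int peek_copy(const struct peek_req *req, const char *msg, int queued,
              size_t *copied)
{
    size_t n;
    int err = peek_len_checked(req, queued, &n);
    if (err != 0)
        return err;
    memcpy(req->buf, msg, n);
    *copied = n;
    return 0;
}

int main(void)
{
    char out[16]; struct peek_req r = { -1, out }; size_t copied = 0;
    printf("unchecked length: %zu\n", peek_len_unchecked(&r, 16));
    printf("checked peek: %d\n", peek_copy(&r, "0123456789abcdef", 16, &copied));
    return 0;
}
```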