Sun Solaris SIOCGTUNPARAM IOCTL Kernel NULL Pointer Dereference
21 Dec. 2008
Summary:
The kernel of Solaris contains a vulnerability in the code that handles SIOCGTUNPARAM IOCTL requests. Exploitation of this vulnerability can result in:
1) Local denial of service attacks (system crash due to a kernel panic), or
[ As all Solaris Zones (Containers) share the same kernel it is possible to crash the whole system (all Zones) even if the vulnerability is triggered in an unprivileged non-global zone. ]
2) Local execution of arbitrary code at the kernel level (complete system compromise) on x86 platforms
[ As all Solaris Zones (Containers) share the same kernel it is possible to escape from unprivileged non-global zones and compromise other non-global zones or the global zone. ]
The issue can be triggered by sending a specially crafted IOCTL request to the kernel.
Vulnerable Systems:
* Solaris 10 without patch 138888-01 (SPARC)
* Solaris 10 without patch 138889-01 (x86)
* OpenSolaris versions prior to snv_77 (SPARC)
* OpenSolaris versions prior to snv_77 (x86)
Immune Systems:
* Solaris 10 with patch 138888-01 or later (SPARC)
* OpenSolaris based upon builds snv_77 or later (SPARC)
* Solaris 10 with patch 138889-01 or later (x86)
* OpenSolaris based upon builds snv_77 or later (x86)
Details:
[1] The value of "ci.ci_ipif" is set to "NULL".
[2] When a SIOCGTUNPARAM IOCTL is called the switch case "TUN_CMD" is chosen and the "ip_extract_tunreq()" function gets called.
[3] If the return value of the "ip_extract_tunreq()" function is 0 the "ci.ci_ipif" variable is later on used as the first parameter for the "ip_sioctl_tunparam()" function.
In the "ip_sioctl_tunparam()" function the first parameter "ipif" is dereferenced to read the data it points to (see [4]).
It is possible to return from the "ip_extract_tunreq()" function (see [2]) with a return value of 0 while "ci.ci_ipif" is also still set to NULL. As "ipif" has the same value as "ci.ci_ipif", which is set to NULL, this leads to a NULL pointer dereference (see [4]).
On x86 (32/64-bit) platforms this NULL pointer dereference can be exploited to execute arbitrary code at the kernel level. On SPARC platforms the vulnerability can "only" be used for a denial of service.
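The defect class described in [1]-[4] (an extraction routine that reports success while leaving its output pointer NULL, followed by a handler that dereferences it unchecked) modelled in user-space C as an added example; this is constructed code, not Solaris source, and the structure, table and function names are assumptions. The dispatcher shown carries the caller-side NULL check that the vulnerable path lacks.

```c
/* Constructed model of the ioctl dispatch pattern in the advisory.
 * Names (ipif_t, cmd_info_t, tunnels[]) are assumptions, not Solaris code. */
#include <stddef.h>
#include <string.h>
#include <errno.h>

typedef struct ipif { char name[16]; int mtu; } ipif_t;
typedef struct { ipif_t *ci_ipif; } cmd_info_t;

/* Constructed tunnel table standing in for the kernel's interface lookup. */
static ipif_t tunnels[] = { { "ip.tun0", 1480 }, { "ip.tun1", 1280 } };

/* Models ip_extract_tunreq(): fills ci->ci_ipif when the name matches.
 * The defect modelled here: a name that matches nothing is treated as
 * "nothing to extract" and still returns 0 (success), so ci->ci_ipif
 * keeps its initial NULL value. */
static int extract_tunreq(const char *ifname, cmd_info_t *ci) {
    if (ifname == NULL || ifname[0] == '\0')
        return EINVAL;                 /* malformed request: error path is safe */
    for (size_t i = 0; i < sizeof tunnels / sizeof tunnels[0]; i++) {
        if (strcmp(tunnels[i].name, ifname) == 0) {
            ci->ci_ipif = &tunnels[i];
            return 0;
        }
    }
    return 0;                          /* BUG: success reported, ci_ipif still NULL */
}

/* Models ip_sioctl_tunparam(): trusts its first argument and dereferences it. */
static int sioctl_tunparam(ipif_t *ipif, int *mtu_out) {
    *mtu_out = ipif->mtu;
    return 0;
}

/* Hardened dispatcher: a NULL ipif is rejected before the handler runs. */
int tunparam_ioctl(const char *ifname, int *mtu_out) {
    cmd_info_t ci = { .ci_ipif = NULL };      /* step [1] */
    int err = extract_tunreq(ifname, &ci);    /* step [2] */
    if (err != 0)
        return err;
    if (ci.ci_ipif == NULL)                   /* the check the vulnerable path lacks */
        return ENXIO;
    return sioctl_tunparam(ci.ci_ipif, mtu_out);   /* step [3]/[4] */
}

/* Reports whether extract_tunreq() returns success with ci_ipif still NULL,
 * i.e. whether an unchecked dispatch would dereference NULL for this name. */
int extract_leaves_null(const char *ifname) {
    cmd_info_t ci = { .ci_ipif = NULL };
    return extract_tunreq(ifname, &ci) == 0 && ci.ci_ipif == NULL;
}
```

A code-review or static-analysis rule for this pattern is "every success return of an extraction routine must have assigned its out-pointer, and every caller must check it before use".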
Solution:
This issue is addressed in the following patch releases from Sun:
SPARC Platform
- Solaris 10 with patch 138888-01 or later
- OpenSolaris based upon builds snv_77 or later
x86 Platform
- Solaris 10 with patch 138889-01 or later
- OpenSolaris based upon builds snv_77 or later
Disclosure Timeline:
2007/09/04 - Vendor notified
2007/09/05 - Vendor confirms the vulnerability
2008/12/17 - Public disclosure of vulnerability details by Sun
2008/12/17 - Release date of this security advisory