
Solaris 11 USB Hub Class Descriptor Kernel Stack Overflow

Posted Nov 2, 2011
Authored by Andy Davis | Site ngssecure.com

It was discovered that a local attacker can send a malformed USB hub class descriptor via a malicious USB device and trigger a kernel stack overflow in Solaris versions 8, 9, 10, and 11 Express.

tags | advisory, overflow, kernel, local
systems | solaris
MD5 | 2dfd7fe080a5502e934ad75a3a6b7405

=======
Summary
=======
Name: Solaris 11 USB hub class descriptor kernel stack overflow
Release Date: 2 November 2011
Reference: NGS00042
Discoverer: Andy Davis <andy.davis@ngssecure.com>
Vendor: Oracle
Vendor Reference:
Systems Affected: Solaris 8, 9, 10, and 11 Express
Risk: High
Status: Published

========
TimeLine
========
Discovered: 27 January 2011
Released: 27 January 2011
Approved: 27 January 2011
Reported: 27 January 2011
Fixed: 19 July 2011
Published: 2 November 2011

===========
Description
===========
A local attacker can send a malformed USB hub class descriptor via a malicious USB device and trigger a kernel stack overflow.

=================
Technical Details
=================
If the wMaxPacketSize field within a USB hub class Endpoint descriptor is set to a value >= 0x1125, it causes a kernel stack overflow, as shown in the following panic output:

Jan 27 13:36:59 solaris ^Mpanic[cpu1]/thread=d742ada0:
Jan 27 13:36:59 solaris genunix: [ID 549817 kern.notice] segkp_fault: accessing redzone
Jan 27 13:36:59 solaris unix: [ID 100000 kern.notice]
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a540 genunix:segkp_fault+238 (d1061f68, fec24c20,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a590 unix:segkmem_fault+8e (d1061f68, fec24c60,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a630 genunix:as_fault+4c1 (d1061f68, fec23da0,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a690 unix:pagefault+1ac (d23bd000, 0, 1, 1)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a740 unix:trap+136f (d742a754, d23bd000,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a754 unix:_cmntrap+7c (fea501b0, d1010000,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a7c8 ehci:ehci_calculate_bw_availability_mask+48 (d2089000, 2892, 0, )
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a838 ehci:ehci_find_bestfit_hs_mask+c8 (d2089000, d742a8fa,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a888 ehci:ehci_allocate_high_speed_bandwidth+126 (d2089000, d6c84be0,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a8b8 ehci:ehci_allocate_bandwidth+21 (d2089000, d6c84be0,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a918 ehci:ehci_hcdi_pipe_open+dd (d6c84be0, 0, d742a9)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a968 usba:usb_pipe_open+260 (d1d01cf0, d851ec70,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a998 usba:hubd_open_intr_pipe+37 (d851ec40, 0, d742a9)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a9c8 usba:hubd_check_ports+f0 (d851ec40, d1d01cf0,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa38 usba:usba_hubdi_attach+43a (d1d01cf0, 0, 0, 0)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa68 genunix:devi_attach+a5 (d1d01cf0)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa88 genunix:attach_node+9a (d1d01cf0, 1, d2076c)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aab8 genunix:i_ndi_config_node+c1 (d1d01cf0, 6, 0, d1d)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aad8 genunix:i_ddi_attachchild+3d (d1d01cf0, 0, d742aa)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aaf8 genunix:devi_attach_node+bb (d1d01cf0, 1020008, )
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ab38 genunix:config_immediate_children+e6 (d17f3340, 1020008, )
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ab78 genunix:ndi_busop_bus_config+74 (d17f3340, 1020008, )
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac18 usba:hubd_bus_config+dc (d17f3340, 1020008, )
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac48 genunix:devi_config_common+74 (d17f3340, 1020008, )
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac68 genunix:ndi_devi_config+13 (d17f3340, 1020008)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aca8 genunix:ndi_devi_online+fc (d17f3340, 0, 0, f8a)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad18 usba:hubd_hotplug_thread+52b (e0553c50, d1db8b9c,)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad88 genunix:taskq_d_thread+a3 (d3b94410, 0)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad98 unix:thread_start+8 ()
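
In USB 2.0, wMaxPacketSize packs the payload size into bits 10..0, the additional-transactions count into bits 12..11, and reserves bits 15..13, so 0x1125 decodes to a size of 0x125 with bits 12..11 set to 10b. The C check below is an added example of vetting that field on a hub's interrupt endpoint before a pipe is opened; it is not Oracle's fix and not code from the advisory. The function name, verdict codes and the 32-byte bound are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_ENDPOINT    0x05  /* bDescriptorType for an endpoint descriptor */
#define USB_EP_DESC_LEN    7     /* bLength of a standard endpoint descriptor */
#define USB_EP_XFER_INTR   0x03  /* bmAttributes bits 1..0: interrupt transfer */
/* Assumed policy bound: the hub status-change bitmap carries 1 hub bit plus
 * at most 255 port bits (bNbrPorts is one byte), i.e. 32 bytes. */
#define HUB_INTR_MAX_BYTES 32

enum ep_verdict { EP_OK, EP_SHORT, EP_NOT_ENDPOINT, EP_NOT_INTR,
                  EP_RESERVED_BITS, EP_HIGH_BW, EP_SIZE };

/* Hypothetical helper: vet a hub's interrupt endpoint descriptor before the
 * value of wMaxPacketSize reaches pipe-open / bandwidth-allocation code. */
enum ep_verdict check_hub_intr_endpoint(const uint8_t *d, size_t len)
{
    if (d == NULL || len < USB_EP_DESC_LEN || d[0] < USB_EP_DESC_LEN)
        return EP_SHORT;
    if (d[1] != USB_DT_ENDPOINT)
        return EP_NOT_ENDPOINT;
    if ((d[3] & 0x03) != USB_EP_XFER_INTR)
        return EP_NOT_INTR;

    uint16_t w = (uint16_t)(d[4] | (d[5] << 8));   /* little-endian field */
    if (w & 0xE000)                /* bits 15..13 are reserved, must be 0 */
        return EP_RESERVED_BITS;
    if (w & 0x1800)                /* bits 12..11: extra transactions */
        return EP_HIGH_BW;         /* policy: rejected for a hub status pipe */
    uint16_t size = w & 0x07FF;    /* bits 10..0: payload bytes */
    if (size == 0 || size > HUB_INTR_MAX_BYTES)
        return EP_SIZE;
    return EP_OK;
}

int main(void)
{
    /* Constructed descriptors: IN endpoint 1, interrupt, bInterval 12. */
    const uint8_t sane[]  = { 7, 0x05, 0x81, 0x03, 0x01, 0x00, 12 };
    const uint8_t large[] = { 7, 0x05, 0x81, 0x03, 0x25, 0x11, 12 }; /* 0x1125 */
    printf("sane=%d large=%d\n",
           (int)check_hub_intr_endpoint(sane, sizeof sane),
           (int)check_hub_intr_endpoint(large, sizeof large));
    return 0;
}
```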

===============
Fix Information
===============
This issue is addressed in the Oracle Critical Patch Update Advisory - July 2011, which is available at the following URL:
http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

NGS Secure Research
http://www.ngssecure.com