-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               Sun Solaris SIOCSIPMSFILTER Kernel Integer Overflow
Advisory ID:            TKADV2008-003
Revision:               1.0              
Release Date:           2008/06/13 
Last Modified:          2008/06/13 
Date Reported:          2007/08/20
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Solaris 10 without patch 137111-01 (SPARC)         
                        Solaris 10 without patch 137112-01 (x86)
                        OpenSolaris based upon builds <= snv_91 
                        (SPARC, x86)
Remotely Exploitable:   No
Locally Exploitable:    Yes  
Vendor URL:             http://www.sun.com 
Vendor Status:          Vendor has released an updated version         
Patch development time: 298 days


======================
Vulnerability details: 
======================

The kernel of Solaris contains a vulnerability in the code that handles
SIOCSIPMSFILTER IOCTL requests. Exploitation of this vulnerability can
result in:

1) local denial of service attacks (system crash due to a kernel panic), or

   [ As all Solaris Zones (Containers) share the same kernel it is possible
   to crash the whole system (all Zones) even if the vulnerability is
   triggered in an unprivileged non-global zone. ]

2) local execution of arbitrary code at the kernel level (complete system 
   compromise)

   [ As all Solaris Zones (Containers) share the same kernel it is possible
   to escape from unprivileged non-global zones and compromise other non-
   global zones or the global zone. ]

The issue can be triggered by sending a specially crafted IOCTL request.


======================
Technical description:
======================

The following source code references are based on the kernel source code
available from http://www.opensolaris.org.

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/
inet/ip/ip_multi.c:

static int
ip_set_srcfilter(conn_t *connp, struct group_filter *gf,
   struct ip_msfilter *imsf, ipaddr_t grp, ipif_t *ipif, 
   boolean_t isv4mapped)
{
[...]
 int i, err, insrcs, infmode, new_fmode;   <-- [1]
[...]
 insrcs = imsf->imsf_numsrc;   <-- [2]
[...]
 /* Make sure we can handle the source list */
 if (insrcs > MAX_FILTER_SIZE)   <-- [3] 
   return (ENOBUFS);
[...]
 fp->sl_numsrc = insrcs;    <-- [4]
 ilg->ilg_filter = fp;    <-- [5]
[...]
 l_copy(ilg->ilg_filter, new_filter);   <-- [6]
[...]
   
At [2] the user supplied value of "imsf->imsf_numsrc" gets assigned to 
"insrcs". The "imsf->imsf_numsrc" variable is of the type unsigned int 
(see [7] below) and "insrcs" is of the type signed int (see [1]). If 
the user supplied value of "imsf->imsf_numsrc" is a large integer 
"insrcs" gets a negative value.

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/
netinet/in.h:

struct ip_msfilter {
 struct in_addr imsf_multiaddr;     
 struct in_addr imsf_interface;     
 uint32_t imsf_fmode;              
 uint32_t imsf_numsrc;  <-- [7]   
 struct in_addr imsf_slist[1];    
 };

If "insrcs" is negative the check at [3] can be bypassed. Later on the user
supplied data is used as a value for "ilg->ilg_filter" (see [4] and [5]). 
This "ilg->ilg_filter" value is then used as an argument for "l_copy" (see
[6]). This leads to a kernel memory corruption vulnerability because of an 
out-of-bounds write in "l_copy".      


========= 
Solution: 
=========
 
  This issue is addressed in the following patch releases from Sun:
  
   SPARC Platform
     - Solaris 10 with patch 137111-01 or later
     - OpenSolaris based upon builds snv_92 or later

   x86 Platform
     - Solaris 10 with patch 137112-01 or later
     - OpenSolaris based upon builds snv_92 or later


======== 
History: 
========

  2007/08/20 - Vendor notified
  2007/08/27 - Vendor notified a 2nd time
  2007/08/27 - Vendor confirms the vulnerability
  2008/05/21 - Vendor status update
  2008/05/26 - Request for more information
  2008/05/26 - Vendor provides the information 
  2008/06/12 - SunAlert and patches released by Sun
  2008/06/13 - Full technical details released to general public


======== 
Credits: 
========

  Vulnerability found and advisory written by Tobias Klein.


=========== 
References: 
===========

  [1] http://sunsolve.sun.com/search/document.do?assetkey=1-26-237965-1
  [2] http://www.trapkit.de/advisories/TKADV2008-003.txt


======== 
Changes: 
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release
  

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


================== 
PGP Signature Key: 
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2008 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----

wj8DBQFIUZ8okXxgcAIbhEERAhqEAKCTbIVOEzpwKKOXJBPKTrAqqbFFgACgxK4x
61jGcpBp/EhdbYp6Oe3mEHY=
=Xegh
-----END PGP SIGNATURE-----