-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               Sun Solaris SIOCGTUNPARAM IOCTL Kernel NULL pointer
                        dereference
Advisory ID:            TKADV2008-015
Revision:               1.0              
Release Date:           2008/12/17
Last Modified:          2008/12/17 
Date Reported:          2007/09/04
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Solaris 10 without patch 138888-01 (SPARC)
                        Solaris 10 without patch 138889-01 (x86)
                        OpenSolaris < snv_77 (SPARC)
                        OpenSolaris < snv_77 (x86)   
Remotely Exploitable:   No
Locally Exploitable:    Yes
Vendor URL:             http://www.sun.com 
Vendor Status:          Vendor has released an updated version         
Patch development time: 471 days


======================
Vulnerability Details: 
======================

The kernel of Solaris contains a vulnerability in the code that handles 
SIOCGTUNPARAM IOCTL requests. Exploitation of this vulnerability can 
result in:

1) local denial of service attacks (system crash due to a kernel panic), or

   [ As all Solaris Zones (Containers) share the same kernel it is possible
   to crash the whole system (all Zones) even if the vulnerability is 
   triggered in an unprivileged non-global zone. ]

2) local execution of arbitrary code at the kernel level (complete system 
   compromise) on x86 platforms

   [ As all Solaris Zones (Containers) share the same kernel it is possible
   to escape from unprivileged non-global zones and compromise other non-
   global zones or the global zone. ]

The issue can be triggered by sending a specially crafted IOCTL request to 
the kernel.


==================
Technical Details:
==================

The following source code references are based on the kernel source code
available from http://www.opensolaris.org.

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/
inet/ip/ip.c:

[...]
26692 void
26693 ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
26694 {
[...]
26717 [1] ci.ci_ipif = NULL
[...]
26735     case TUN_CMD:
[...]
26740 [2]  err = ip_extract_tunreq(q, mp, &ci.ci_ipif, ip_process_ioctl);
26741      if (err != 0) {
26742        ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL);
26743        return;
26744       }
[...]
26782      if (!(ipip->ipi_flags & IPI_WR)) {
[...]
26788 [3]     err = (*ipip->ipi_func)(ci.ci_ipif, ci.ci_sin, q, mp, ipip,
26789                             ci.ci_lifr);
[...]

[1] The value of "ci.ci_ipif" is set to "NULL".
[2] When a SIOCGTUNPARAM IOCTL is called the switch case "TUN_CMD" is 
    chosen and the "ip_extract_tunreq()" function gets called. 
[3] If the return value of the "ip_extract_tunreq()" function is 0 the 
    "ci.ci_ipif" variable is later on used as the first parameter for the  
    "ip_sioctl_tunparam()" function. 

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/
inet/ip/ip_if.c:  

[...]
9468 int
9469 ip_sioctl_tunparam(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t 
           *mp,
9470       ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
9471 { 
...
9499  [4]  ill = ipif->ipif_ill;
[...]

In the "ip_sioctl_tunparam()" function the first parameter "ipif" is used 
to reference some data (see [4]). 

It is possible to return from the "ip_extract_tunreq()" function (see [2]) 
with a return value of 0 while "ci.ci_ipif" is also still set to NULL. As 
"ipif" has the same value as "ci.ci_ipif", which is set to NULL, this leads
to a NULL pointer dereference (see [4]).

On x86 (32/64bit) platforms this Null pointer dereference can be exploited 
to execute arbitrary code at the kernel level. On SPARC platforms the 
vulnerability can "only" be used for a denial of service.


========= 
Solution: 
=========

This issue is addressed in the following patch releases from Sun:

SPARC Platform
    - Solaris 10 with patch 138888-01 or later
    - OpenSolaris based upon builds snv_77 or later

x86 Platform
    - Solaris 10 with patch 138889-01 or later
    - OpenSolaris based upon builds snv_77 or later


======== 
History: 
========

  2007/09/04 - Vendor notified
  2007/09/05 - Vendor confirms the vulnerability
  2008/12/17 - Public disclosure of vulnerability details by Sun 
  2008/12/17 - Release date of this security advisory


======== 
Credits: 
========

  Vulnerability found and advisory written by Tobias Klein.


=========== 
References: 
===========

  [1] http://sunsolve.sun.com/search/document.do?assetkey=1-26-242266-1
  [2] http://www.trapkit.de/advisories/TKADV2008-015.txt


======== 
Changes: 
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release
  

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


================== 
PGP Signature Key: 
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2008 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFJSjEGkXxgcAIbhEERAi9/AKC7pVzL/0HdfX192GmPk/sE86g2IQCg8+uE
8Ln0ZHQUdP3wjFrI+NHYwJw=
=Ubd3
-----END PGP SIGNATURE-----