===============================ADVISORY===============================

Advisory:          Silicon Graphics Inc (SGI) - IRIX - Local Kernel
                   Memory Disclosure/Denial of Service
Advisory ID:       DSEC-2010-0001
Author:            Neil Kettle, Digit Security Ltd
Affected Software: Silicon Graphics (SGI) IRIX
Vendor URL:        http://www.sgi.com
Vendor Status:     patched
Category:          Denial of Service/Memory Disclosure/Privilege
                   Escalation
Date Reported:     2010/10/07
Last Modified:     2011/01/08
Release Date:      2011/01/08

===============================ADVISORY===============================

Description
-----------

A vulnerability has been discovered in the Silicon Graphics Inc (SGI)
IRIX kernel. An attacker exploiting this vulnerability may access
arbitrary kernel memory, or cause a Denial of Service via a page fault
caused by an invalid pointer dereference, resulting in a call to
panic().

Analysis
--------

The vulnerability exists due to a signedness condition in the
validation of a user-supplied array index value in the syssgi system
call. The vulnerable request value is SGI_XLV_ATTR_GET with a request
attribute value of XLV_ATTR_STATS.

Exploitation
------------

An exploit will be made available to the public in due course at the
following URLs:

http://www.digit-labs.org/
http://www.digit-security.com/research.php

Technologies Affected
------------------------------

Silicon Graphics Inc (SGI) - IRIX (6.5.X)

Vendor Response
------------------------------

https://support.sgi.com/content_request/914341/index.html
(requires a valid Supportfolio login)

Disclosure Timeline
------------------------------

7th September 2010 – Vendor Disclosure
8th January 2011 – Vendor Releases Patches

Credits
------------------------------

Neil Kettle of Digit Security Ltd

Thanks
------------------------------

Micheal O'Conner of SGI for a very prompt response which gave us hope
that IRIX is not dead yet.

About Digit Security Ltd
----------------------------------

Digit Security is a computer security consultancy based in the United
Kingdom, albeit with a slight difference. The company is a
co-operatively controlled entity comprised of professionals who are
experts in their respective fields. Thus, as a corollary, nearly
everyone at Digit Security is both a Consultant, a Developer and a
Director (although we prefer the term 'equal').

Web:   www.digit-security.com
Email: research@digit-security.com
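
The class of bug named in the Analysis section (a signed, user-supplied array index validated against an upper bound only) is shown below beside its corrected form. This is an added example, not IRIX source and not code from Digit Security; the table, its size and every function name are hypothetical, and the advisory does not show the actual check in syssgi.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NSTATS 4                      /* hypothetical table size */

struct stat_entry { uint32_t reads, writes; };

/* Constructed sample data standing in for a kernel statistics table. */
static const struct stat_entry stats[NSTATS] = {
    {10, 1}, {20, 2}, {30, 3}, {40, 4}
};

/* Flawed validation: the index is signed and only the upper bound is
 * tested, so any negative value is accepted as "in range". */
static int index_ok_flawed(int idx)
{
    return idx < NSTATS;
}

/* Corrected validation: compare as unsigned so a single test rejects
 * both negative and too-large values. */
static int index_ok_fixed(int idx)
{
    return (unsigned int)idx < (unsigned int)NSTATS;
}

/* Lookup that copies an entry out only after the corrected check.
 * Returns 0 on success, -1 if the index is rejected. */
static int get_stat(int idx, struct stat_entry *out)
{
    if (out == NULL || !index_ok_fixed(idx))
        return -1;
    *out = stats[idx];
    return 0;
}

int main(void)
{
    const int probes[] = { 0, 3, 4, -1, -1000000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%8d flawed=%d fixed=%d\n", probes[i],
               index_ok_flawed(probes[i]), index_ok_fixed(probes[i]));
    return 0;
}
```

When auditing similar handlers, look for index parameters declared as a signed type and compared with a single `<` or `>=` against the table size.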