Bugtraq mailing list archives
Re: Solaris priocntl exploit
From: Casper Dik <Casper.Dik () Sun COM>
Date: Thu, 28 Nov 2002 01:26:40 +0100
The module's name is a relative path, priocntl will search the module file in only /kernel/sched and /usr/kernel/sched/ dirs. but unfortunately, priocntl() never check '../' in pc_clname arg we can use '../../../tmp/module' to make priocntl() load a module from anywhereThe "pc_clname[]" argument is limited in size; to prevent this particular bug from being exploited you could: for dir in /kernel /usr/kernel do cd $dir mkdir -p a/b/c/d/e/f/g/h mv sched a/b/c/d/e/f/g/h ln -s a/b/c/d/e/f/g/h/sched . done
Just a small amendment; the code also doesn't add a trailing NUL to the pathname copied from user space, so we actually need to take care about the rest of the size of the structure. (16 + 32 bytes; i.e., 16 levels of ../) So this should really keep the bad kernel module out: for dir in /kernel /usr/kernel do cd $dir mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched . done Casper
Current thread:
- Solaris priocntl exploit 蔺毅�� (Nov 27)
- Re: Solaris priocntl exploit Casper Dik (Nov 27)
- <Possible follow-ups>
- Re: Solaris priocntl exploit Casper Dik (Nov 28)
- re: Solaris priocntl exploit Jeff Damens (Nov 29)