oss-sec mailing list archives
CVE-2020-2656, CVE-2020-2696 - Multiple vulnerabilities in Oracle Solaris
From: Marco Ivaldi <marco.ivaldi () mediaservice net>
Date: Mon, 20 Jan 2020 10:35:26 +0000
Dear oss-security,

As suggested by Solar Designer, I’m cross-posting two recent advisories for the following vulnerabilities, fixed in Oracle's Critical Patch Update (CPU) of January 2020:

CVE-2020-2656 - Low impact information disclosure via Solaris xlock

"A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow local users to read partial contents of sensitive files. Due to the fact that target files must be in a very specific format, exploitation of this flaw to escalate privileges in a realistic scenario is unlikely."

CVE-2020-2696 - Local privilege escalation via CDE dtsession

"A buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file."

Please find the advisories attached to this email. For further details and some background information on my recent vulnerability research project focused on Oracle Solaris, please refer to:

https://techblog.mediaservice.net/2020/01/local-privilege-escalation-via-cde-dtsession/
https://techblog.mediaservice.net/2019/10/local-privilege-escalation-on-solaris-11-x-via-xscreensaver/
https://techblog.mediaservice.net/2019/05/raptor-at-infiltrate-2019/

Regards,

--
Marco Ivaldi, Offensive Security Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
https://www.mediaservice.net/
Tel: +39 011 19016595 | Fax: +39 011 3246497
Attachment: 2020-01-solaris-xlock.txt
Attachment: 2020-02-cde-dtsession.txt