[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: Solaris priocntl exploit
From:       Casper Dik <Casper.Dik () Sun ! COM>
Date:       2002-11-28 0:26:40
[Download RAW message or body]


>
>>The module's name is a relative path, priocntl will search the module file
>>in only /kernel/sched and /usr/kernel/sched/ dirs.
>>but unfortunately, priocntl() never check '../' in pc_clname arg
>>we can use '../../../tmp/module' to make priocntl() load a module from anywhere
>
>
>The "pc_clname[]" argument is limited in size; to prevent this particular
>bug from being exploited you could:
>
>
>	for dir in /kernel /usr/kernel
>	do
>		cd $dir
>		mkdir -p a/b/c/d/e/f/g/h
>		mv sched a/b/c/d/e/f/g/h
>		ln -s a/b/c/d/e/f/g/h/sched .
>	done


Just a small amendment; the code also doesn't add a trailing NUL to the
pathname copied from user space, so we actually need to take care
about the rest of the size of the structure.  (16 + 32 bytes; i.e.,
16 levels of ../)

So this should really keep the bad kernel module out:

	for dir in /kernel /usr/kernel
	do
		cd $dir
		mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
		mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
		ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
	done

Casper
[prev in list] [next in list] [prev in thread] [next in thread]