
List:       bugtraq
Subject:    Solaris 2.5/2.6 DoS
From:       Andrea Costantino <costan () COMM2000 ! IT>
Date:       1999-06-26 0:29:41

Hi all,
while playing around with the Solaris/SPARC audio device (/dev/audio, linked
to CS4231 hardware on /devices/sbus etc. etc.) I mistyped the playing and
recording buffer, in a simple full duplex phone emulator program I was
testing.
While the program was running on an Ultra/1 with Solaris 2.5.1 installed,
after a short time the machine rebooted with a kernel panic.
Please note that I was running the program as a non-privileged user (UID!=0).

The programming error was a very short buffer, 2 bytes instead of 64 for
recording and playing buffer.

I've done nothing special in this program, and all system calls I made
were standard system calls, as documented in "man audio".

I didn't repeat the experiment, as the Solaris box was used by other people,
but I'm pretty sure that with a short buffer the machine ran out of some
type of resource. In fact, in a short time the X server stopped working.
After less than 5 secs it dumped a kernel panic, that rebooted.
Nothing happened with a longer buffer (I tried 64 and more bytes).
I was sampling 2 bytes per sample, 22050 Hz, Mono, Linear Encoding.

As far as I know the /dev/audio permissions are 600, with the device owned by
root, with no user logged on console. When a user logs in on console, the
login process assigns him/her the audio device (with audioctl device also),
so any user logging in console has the opportunity to crash the machine,
even if a Stop-A -> sync procedure is much simpler if a malicious user has
gained access to console :)

Anyway, if a user (or the root itself) changes audio permissions to 666,
any logged user could easily crash the workstation.

Thanks to Sun Microsystems for their wonderful, useless LOTTO random
generator called audio device :) .


Greetings
Andrea Costantino
System Operator ( on too much system to fit this signature :) )
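
The permission exposure described in the message (audio device at 600 versus 666) can be audited with a short script. This is an added example, not part of the original post; the function name `audit_dev` is hypothetical, and it follows the /dev symlink so the mode of the real node under /devices is what gets checked:

```shell
#!/bin/sh
# Added example (not from the original post): report audio device nodes
# that are accessible to anyone other than their owner.
#
# Usage on the host being checked (paths are an assumption for Solaris):
#   audit_dev /dev/audio /dev/audioctl

# audit_dev PATH...
# Prints one line per path: "OK", "EXPOSED" or "MISSING", followed by the
# mode string and owner. Returns 1 if any path has group or other access.
audit_dev() {
    rc=0
    for p in "$@"; do
        # -L dereferences the symlink, so the target node's mode is listed
        line=$(ls -lLd "$p" 2>/dev/null) || { echo "MISSING $p"; continue; }
        mode=$(printf '%s\n' "$line" | awk '{print $1}')
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        # characters 5-10 of the mode string hold the group and other bits
        go=$(printf '%s' "$mode" | cut -c5-10)
        case "$go" in
            ------) echo "OK $mode $owner $p" ;;
            *)      echo "EXPOSED $mode $owner $p"; rc=1 ;;
        esac
    done
    return $rc
}
```

The owner column shows which account currently holds the device, which matters here because console login reassigns it to the logged-in user.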
