Vigil@nce: Solaris, denial of service via pty
January 2009 by Vigil@nce
A local attacker can execute a program using pseudo-terminals in
order to panic the kernel.
– Gravity: 1/4
– Consequences: denial of service of computer
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 23/01/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
– Sun Trusted Solaris
DESCRIPTION OF THE VULNERABILITY
A pseudo-terminal is used in text interfaces, such as telnet, ssh
or xterm. A pseudo-terminal uses a master (/dev/ptyx) and a slave
(/dev/ttyx) device.
The ptsclose() function of the usr/src/uts/common/io/tty_pts.c
file handles the closure of the slave device (Pseudo Terminal
SLave close). This function uses a lock. However, if an ioctl was
requested on the master (ptcioctl - Pseudo Terminal Controller
ioctl) before the closure, a variable is not protected by the
lock. A NULL pointer is then dereferenced.
A local attacker can therefore execute a program using
pseudo-terminals in order to panic the kernel.
CHARACTERISTICS
– Identifiers: 249586, 6433954, VIGILANCE-VUL-8415
– Url: http://vigilance.fr/vulnerability/Solaris-denial-of-service-via-pty-8415