Vigil@nce: OpenSolaris, privilege elevation via mdb
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker located in a non-global Zone can execute code
with the privileges of the user running mdb.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 30/03/2009
IMPACTED PRODUCTS
– OpenSolaris
DESCRIPTION OF THE VULNERABILITY
The mdb (Modular Debugger) program is a debugger for OpenSolaris.
This debugger can be attached to a process.
Under Solaris, a Zone is used to compartmentalize processes.
A user located in the global Zone can use mdb to attach to a
process located in a non-global Zone. However, in this case, the
thr_check() function in the usr/src/cmd/mdb/common/mdb/mdb_proc.c
file generates an invalid name for the thread handling library.
This error leads to code execution with the privileges of the user
located in the global Zone.
A local attacker located in a non-global Zone can therefore
execute code with the privileges of the user located in the global
Zone and running mdb.
CHARACTERISTICS
Identifiers: 255608, 6756058, BID-34272, CVE-2009-1170,
VIGILANCE-VUL-8572
http://vigilance.fr/vulnerability/OpenSolaris-privilege-elevation-via-mdb-8572