Vigil@nce: Solaris, covert channel creation
September 2008 by Vigil@nce
A local attacker can exchange information between two processes,
even if an isolation policy is set up (Solaris Trusted Extensions
or zones).
– Gravity: 1/4
– Consequences: data flow
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 28/08/2008
– Identifier: VIGILANCE-VUL-8072
IMPACTED PRODUCTS
– OpenSolaris [confidential versions]
– Sun Solaris [confidential versions]
– Sun Trusted Solaris [confidential versions]
DESCRIPTION
The administrator can isolate the system via Solaris Trusted
Extensions, zones or a chroot.
The usr/src/uts/common/syscall/lwp_sobj.c file implements
Synchronization Objects for LWP (Light Weight Process).
However, the lock implementation is incorrect, so two isolated
processes can share information.
A local attacker can therefore exchange information between two
processes, even if an isolation policy is set up.
CHARACTERISTICS
– Identifiers: 240706, 6696072, BID-30880, VIGILANCE-VUL-8072
– Url: https://vigilance.aql.fr/tree/1/8072