Vigil@nce: Solaris, denial of service via Auditing
July 2009 by Vigil@nce
When Solaris Auditing is enabled, a local attacker can call the
fchownat() function in order to panic the system.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 24/07/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
Actions are audited when Solaris Auditing (c2audit) is enabled.
The fchownat() function changes the uid and the gid of a file
(path argument), which can be relative to a directory indicated by
fd (if fd is not FDCWD):
fchownat(fd, path, uid, gid, flag);
The fchownat() function is defined in usr/src/uts/common/syscall/chown.c.
When auditing is enabled, it calls the audit_setfsat_path()
function defined in usr/src/uts/common/c2/audit.c. However, if the
fd file descriptor of fchownat() is invalid, a NULL pointer is
dereferenced in audit_setfsat_path().
When Solaris Auditing is enabled, a local attacker can therefore
call the fchownat() function in order to panic the system. The
openat(), unlinkat(), faccessat() and fstatat() functions can also
be called.
CHARACTERISTICS
Identifiers: 264428, 6795688, VIGILANCE-VUL-8883
http://vigilance.fr/vulnerability/Solaris-denial-of-service-via-Auditing-8883