Vigil@nce: Solaris, denial of service on Intel 64 bits
September 2009 by Vigil@nce
When the system is based on an Intel 64 bits processor, and has a
lx zone, a local attacker can stop the system.
– Severity: 1/4
– Consequences: denial of service of computer
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 10/09/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The Solaris system can have a "lx-zone" zone, in order to execute
Linux applications.
Recent Intel processors support sysenter/sysexit instructions to
implement system calls.
On an Intel 64 bits processor, with a lx zone, a local attacker
can use a "single step" in the mdb debugger, before a sysenter
instruction. In this case, the %rip register is not checked in the
usr/src/uts/intel/ia32/ml/exception.s file, and the kernel panics.
When the system is based on an Intel 64 bits processor, and has a
lx zone, a local attacker can thus stop the system.
CHARACTERISTICS
– Identifiers: 266228, 6818191, BID-36340, VIGILANCE-VUL-9019
– Url: http://vigilance.fr/vulnerability/Solaris-denial-of-service-on-Intel-64-bits-9019