Vigil@nce: Solaris, gain of file ownership on ZFS
October 2009 by Vigil@nce
On a ZFS filesystem, a local attacker can gain ownership of a file
that does not belong to him.
– Severity: 2/4
– Consequences: data reading, data creation/edition, data deletion
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 15/10/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The chown() function allows a user to assign the owner of one of
his files.
When the rstchown variable of /etc/system is set to 1, changing
ownership is forbidden. The absence of file_chown_self privilege
also forbids this ownership change.
However on ZFS filesystem, when rstchown is set to 0 or when
file_chown_self is present, a user can gain ownership on a file
that does not belong to him.
The source of this vulnerability seems to be related to a call to
zfs_zaccess() in zfs_setacl() of file usr/src/uts/common/fs/zfs/zfs_acl.c,
but this is not confirmed.
On a ZFS filesystem, a local attacker can therefore gain ownership
of a file that does not belong to him.
CHARACTERISTICS
– Identifiers: 265908, 6848431, BID-36702, CVE-2009-3706,
VIGILANCE-VUL-9097
– Url: http://vigilance.fr/vulnerability/Solaris-gain-of-file-ownership-on-ZFS-9097