Vigil@nce: Solaris, memory corruption via sdhost
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can use a SD memory card in order to corrupt the
memory of the Solaris kernel.
Severity: 2/4
Consequences: administrator access/rights, denial of service of
service
Provenance: user console
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: low (1/3)
Creation date: 22/05/2009
IMPACTED PRODUCTS
– OpenSolaris
DESCRIPTION OF THE VULNERABILITY
A SD memory card is for example used in a camera. Some x86
computers have a SD slot to connect these cards. The sdhost driver
of Solaris (usr/src/uts/common/io/sdcard/adapters/sdhost/sdhost.c)
implements the support of these memory cards.
The Ricoh R5C822 adapter requires non standard DMA (Direct Memory
Access) parameters. Parameters used in sdhost.c incorrectly define
the memory area. An attacker can then directly access to the
kernel memory.
A local attacker can thus alter a memory area in order to elevate
his privileges.
CHARACTERISTICS
Identifiers: 259408, 6797937, BID-35069, CVE-2009-1763,
VIGILANCE-VUL-8731
http://vigilance.fr/vulnerability/Solaris-memory-corruption-via-sdhost-8731