Qntra | Herald Of The Most Serene Republic

Oracle Re-Patches 11 Year Old Solaris Hole That Survived First Patch

Posted on July 24, 2018 by Aaron 'BingoBoingo' Rogier

In an episode reminiscent of the frequently revived Windows USB hole which propagated Stuxnet, Oracle has re-patched a kernel level hole in the "Solaris Availability Suite Service" which survived its initial patching 11 years ago largely intact. The vulnerability affects all versions of Solaris 10 and 11 allowing¹ locally logged in users to esclate their priviledge to their heart's content. Continue reading →

Text preserved below for the lulz as traditional archiving tools failed:

CVE-2018-2892 – Kernel Level Privilege Escalation in Oracle Solaris

July 24, 2018
Posted By Neil Kettle
Comments (0)

Trustwave recently discovered a locally exploitable issue in all current versions of Oracle Solaris 10/11 as detailed in the recently posted Trustwave advisory. The issue is present in the kernel and is locally exploitable as an unprivileged user provided the local system has the Sun StorageTek Availability Suite (AVS) configured.
The Vulnerability

The vulnerability has an interesting history dating back to 2007 when the underlying issue was originally discovered and exploited. The original issue was disclosed on stage at CanSec 2009 ( https://cansecwest.com/slides.html). The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin(). The vulnerability itself is present in the ioctl handler for the '/dev/sdbc' device, the vulnerable code path passes through the following code with a 'cmd' value of 'SDBC_TEST_INIT ':

common/avs/ns/sdbc/sd_misc.c:

922 static int
923 sdbcioctl(dev_t dev, int cmd, void *arg, int mode, cred_t *crp, int *rvp)
924 {

…

953 switch (cmd) {

…

966 case SDBC_TEST_INIT:
967 rc = _sd_test_init(&args);
968 break;

The code passes through the call to _sd_testing_init(&args) to the function definition given below:

common/avs/ns/sdbc/sd_tdaemon.c:

613 int
614 _sd_test_init(void *args)
615 {
616 register struct a {
617 caddr_t addr;
618 long ar;
619 long len;
620 long tsize;
621 long flag;
622 } *uap = (struct a *)args;
623
624 if (copyin(uap->addr, devarray[uap->ar]1, uap->len2) ) {
625 return (EFAULT);
626 }
627 dev_tsize[uap->ar]3 = (uap->tsize < 48) ? 48 : uap->tsize;
628 dev_flag[uap->ar]4 = uap->flag;
629 return (0);
630 }

There are at least 4 different vulnerabilities in this small code fragment! We summarise these below:

arbitrary memory dereference resulting in an arbitrary destination pointer being passed to copyin(),
arbitrary user-controlled length in the call to copyin() resulting in an unbounded memory write,
arbitrary memory dereference and thus a user controllable write,
arbitrary memory dereference and thus a user controllable write.

However, the history of this particular vulnerability does not end there, sometime between 2009 and 2017 Oracle/Sun attempted to fix the issue by adding a bounds check on the value of uap->ar. The following disassembly illustrates the bounds checking Oracle/Sun applied:

Screen Shot 2018-07-17 at 08.24.03

As can be seen, the value of uap->ar should not be greater or equal to 128. However, we can also observer than Oracle/Sun did not modify the underlying type os uap->ar which is a signed long and as such a signedness issue exists since the value of uap->ar is not checked for a value < 0. As such an attacker could specify a value with the top most bit set (and thus negative) and pass the bounds check thereby dereferencing arbitrary memory once again. The remainder of the patch was to the limit the uap->len parameter to a signed value less than 256 (but also potentially negative).
Exploitation

Exploitation of the issue is almost identical to the exploit developed back in 2007 for the original issue with the exception of a change in architecture between OpenSolaris running on x86 (32-bit) and the newer Oracle Solaris 11 running on x86-64 taking into account that the user-supplied index uap->ar must now be a negative value.

Image001
Final Thoughts

In case you were wondering why there would be such an obviously exploitable issue in a common configuration of Oracle Solaris, well the following might provide some hints:

common/avs/ns/sdbc/sdbc_ioctl.h:

93 #define SDBC_TEST_INIT _SDBC_(5) /* TESTING – tdaemon parameters */
94 /*
95 * char * device_name;
96 * int index;
97 * int len;
98 * int track_size;
99 * int flags;
100 */

The code in question may well be for testing purposes.

This vulnerability has been issued CVE-2018-2892.
Oracle has patched this vulnerability as a part of their July CPU patch cycle: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
More information is available in our advisory here: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2018-007

↩

Remote Command Execution Vulnerability Found In Sony Webcam Firmware

Posted on July 24, 2018 by Aaron 'BingoBoingo' Rogier

It has been discovered that Sony IPELA series network cameras will execute commands issued through specially formed http GET requests (archived). The affected cameras are marketed for "monitoring and surveillance", but there is a chance that a number of the affected cameras may be in service within the camwhore industry.

UK Court Issues No Sanctions Over Gross Violations Of Surveillance Law

Posted on July 24, 2018 by Aaron 'BingoBoingo' Rogier

In Britain the Investagatory Powers Tribunal has found that MI5 and GCHQ have spent 15 years grossly violating section 94 of the local Telecommunications act through their cable tapping programs (archived). The tribunal's president Michael Burton however found no reason for anything to be done citing a word salad of bureaucratic wank.

Copyrasts Pushing For Prosecutions Over Vote Outcome

Posted on July 23, 2018 by Aaron 'BingoBoingo' Rogier

Texas based music industry lawyer Chris Castle is calling for criminal prosecutions over a "European Parliament" vote that failed to approve measures supported by his clients (archived). Expect application of the "prosecute votes we don't like" strategy to continue to grow in application after the unsuccessful "Russian interference" whining failed to gain anything other than so called mindshare in loyal subjects of the "our democracy". As in the failed attempt to delegitimize Trump's election, this effort is largely a case of foreigners attempting to change the outcome of a vote after the fact.

Israel Evacuating Members Of "Syrian" Opposition Group "White Helmets" To Jordan And Beyond!

Posted on July 22, 2018 by Aaron 'BingoBoingo' Rogier

Israel has begun evacuating members of the anti-Assad "White Helmets" organization from Syria to Jordan for further evacuation to Britain, Canada, and Germany (archived). Self described as "observers" members of the White Helmets have been conspicuously and conveniently situated for each of the alleged chemical weapons incidents during the proxy war in Syria.

South African Government Refusing Documents For Refugees Resettling Elsewhere

Posted on July 21, 2018 by Aaron 'BingoBoingo' Rogier

A white South African farmer's efforts to resettle permamently in Russia are being thwarted by South African bureaucrats refusing to provide documentation to allow him to complete an application for permanent residency (archived). The farmer has been spending the majority of his time in Paris while the plight of his people in their homeland continues.

Hollywood Pervert Purge Continues As Pantsuits Enact Gunn Control

Posted on July 20, 2018 by Aaron 'BingoBoingo' Rogier

As Hollywood's latest morality panic continues, Disney has sacked "Guardians of the Galaxy" director James Gunn over tweets labeled "pedophilic" (archived, archived). For months Hollywood has been gutting its ranks as decades of grudges have been aired all at once. Gunn was set to begin filming a third installment of the lucrative franchise for Disney before he was shamed over olds tweets about his love for a film titled 100 Pubescent Girls Touch Themselves among other things.

Cloud Mining Op Hashflare Runs Away From Bitcoin Mining Contracts

Posted on July 20, 2018 by Aaron 'BingoBoingo' Rogier

Cloud mining operation Hashflare has run away from their Bitcoin mining contracts and claimed they are powering down their SHA-256 capable mining equipment (archived). Sorry for you loss.

San Francisco Mayor Overwhelmed By Street Shitting In First Interview After Taking Office

Posted on July 19, 2018 by Aaron 'BingoBoingo' Rogier

San Francisco Mayor London Breed has expressed shock at the amount of human feces on the city's sidewalks during her first interview since taking office (archived, archived). Her proposed solution is pressuring non-profits organizations enabling the city's homeless population to educate their charges about hygiene and "cleaning up after themselves".

US Charges Chinese Man Outside Of US With Breaking US Law

Posted on July 19, 2018 by Aaron 'BingoBoingo' Rogier

The US Department of "Justice" has charged a Chinese man, Micheal Yin of Beijing, with 14 felony charges of securities fraud in the Southern District of New York. Yin is alleged to have traded shares of Lattice Semiconductor using non-public information. A second man, Benjamin Chow who worked for a private equity firm in Palo Alto is alleged to be the source of the information following Chow's own guilty plea. The full text is below: Continue reading →