-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: Sun Solaris SIOCGTUNPARAM IOCTL Kernel NULL pointer
dereference
Advisory ID: TKADV2008-015
Revision: 1.0
Release Date: 2008/12/17
Last Modified: 2008/12/17
Date Reported: 2007/09/04
Author: Tobias Klein (tk at trapkit.de)
Affected Software: Solaris 10 without patch 138888-01 (SPARC)
Solaris 10 without patch 138889-01 (x86)
OpenSolaris < snv_77 (SPARC)
OpenSolaris < snv_77 (x86)
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.sun.com
Vendor Status: Vendor has released an updated version
Patch development time: 471 days

======================
Vulnerability Details:

The kernel of Solaris contains a vulnerability in the code that handles
SIOCGTUNPARAM IOCTL requests. Exploitation of this vulnerability can
result in:

1) local denial of service attacks (system crash due to a kernel panic), or

[ As all Solaris Zones (Containers) share the same kernel it is possible
to crash the whole system (all Zones) even if the vulnerability is
triggered in an unprivileged non-global zone. ]

2) local execution of arbitrary code at the kernel level (complete system
compromise) on x86 platforms

[ As all Solaris Zones (Containers) share the same kernel it is possible
to escape from unprivileged non-global zones and compromise other non-
global zones or the global zone. ]

The issue can be triggered by sending a specially crafted IOCTL request to
the kernel.

==================
Technical Details:

The following source code references are based on the kernel source code
available from http://www.opensolaris.org.

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/
inet/ip/ip.c:

[…]
26692 void
26693 ip_process_ioctl(ipsq_t *ipsq, queue_t *q, mblk_t *mp, void *arg)
26694 {
[…]
26717 [1] ci.ci_ipif = NULL
[…]
26735 case TUN_CMD:
[…]
26740 [2] err = ip_extract_tunreq(q, mp, &ci.ci_ipif, ip_process_ioctl);
26741 if (err != 0) {
26742 ip_ioctl_finish(q, mp, err, IPI2MODE(ipip), NULL);
26743 return;
26744 }
[…]
26782 if (!(ipip->ipi_flags & IPI_WR)) {
[…]
26788 [3] err = (*ipip->ipi_func)(ci.ci_ipif, ci.ci_sin, q, mp, ipip,
26789 ci.ci_lifr);
[…]

[1] The value of "ci.ci_ipif" is set to "NULL".
[2] When a SIOCGTUNPARAM IOCTL is called the switch case "TUN_CMD" is
chosen and the "ip_extract_tunreq()" function gets called.
[3] If the return value of the "ip_extract_tunreq()" function is 0 the
"ci.ci_ipif" variable is later on used as the first parameter for the
"ip_sioctl_tunparam()" function.

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/
inet/ip/ip_if.c:

[…]
9468 int
9469 ip_sioctl_tunparam(ipif_t *ipif, sin_t *dummy_sin, queue_t *q, mblk_t
*mp,
9470 ip_ioctl_cmd_t *ipip, void *dummy_ifreq)
9471 {
…
9499 [4] ill = ipif->ipif_ill;
[…]

In the "ip_sioctl_tunparam()" function the first parameter "ipif" is used
to reference some data (see [4]).

It is possible to return from the "ip_extract_tunreq()" function (see [2])
with a return value of 0 while "ci.ci_ipif" is also still set to NULL. As
"ipif" has the same value as "ci.ci_ipif", which is set to NULL, this leads
to a NULL pointer dereference (see [4]).

On x86 (32/64bit) platforms this Null pointer dereference can be exploited
to execute arbitrary code at the kernel level. On SPARC platforms the
vulnerability can "only" be used for a denial of service.

=========
Solution:

This issue is addressed in the following patch releases from Sun:

SPARC Platform
- Solaris 10 with patch 138888-01 or later
- OpenSolaris based upon builds snv_77 or later

x86 Platform
- Solaris 10 with patch 138889-01 or later
- OpenSolaris based upon builds snv_77 or later

========
History:

2007/09/04 - Vendor notified
2007/09/05 - Vendor confirms the vulnerability
2008/12/17 - Public disclosure of vulnerability details by Sun
2008/12/17 - Release date of this security advisory

========
Credits:

Vulnerability found and advisory written by Tobias Klein.

===========
References:

[1] http://sunsolve.sun.com/search/document.do?assetkey=1-26-242266-1
[2] http://www.trapkit.de/advisories/TKADV2008-015.txt

========
Changes:

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

==================
PGP Signature Key:

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2008 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFJSjEGkXxgcAIbhEERAi9/AKC7pVzL/0HdfX192GmPk/sE86g2IQCg8+uE
8Ln0ZHQUdP3wjFrI+NHYwJw=
=Ubd3
-----END PGP SIGNATURE-----