{"vuid":"VU#683673","idnumber":"683673","name":"Sun Solaris priocntl(2) does not adequately validate path to kernel modules that implement lightweight process (LWP) scheduling policy","keywords":["Sun","Solaris","priocntl()","full path location","kernel","module","priocntl(2)","pc_clname","pc_getcid","lwp","privilege escalation"],"overview":"The Sun Solaris priocntl(2) function does not adequately validate a memory structure that specifies the name of a kernel module. As a result, a local attacker could execute arbitrary code with superuser privileges on a vulnerable system.","clean_desc":"The Sun Solaris priocntl(2) function provides the ability to control the scheduling of lightweight processes (LWPs). LWPs are grouped into several classes, each class having a different scheduling policy. The priocntl(2) command PC_GETCID can be used to get the class ID and attributes for a class of LWPs. The PC_GETCID command can take as an argument a pointer to a structure of type pcinfo_t that contains information about the class. A pcinfo_t structure includes a member called pc_clname that specifies the name of the class, and in certain cases, the name of a kernel module that implements the process scheduling policy for the class. priocntl(2) searches for the kernel module specified by pc_clname in /kernel/sched and /usr/kernel/sched. priocntl(2) does not adequately validate the data in pc_clname. As demonstrated by the exploit code posted to the BugTraq mailing list, an attacker with local user privileges can: create an arbitrary kernel module and place it in a writable location (/tmp/module for instance),\ncreate an arbitrary pcinfo_t structure with pc_clname set to the location of the kernel module relative to /usr/kernel/sched (../../../tmp/module), and\nissue a priocntl(2) call using the PC_GETCID command and a pointer to the pcinfo_t structure created by the attacker. 
Since priocntl(2) accepts the relative path operators (../) in pc_clname, the attacker-supplied module will be loaded by the kernel, and the attacker can act with superuser privileges. A different aspect of this vulnerability is that priocntl(2) does not validate or authenticate the kernel module that is being loaded. A message posted to BugTraq suggests checking the permissions and ownership of the module and its parent directories. Another option could be to check a cryptographic hash or signature before loading a module.","impact":"A local attacker could execute code with superuser privileges.","resolution":"Apply Patch or Upgrade Sun Alert ID 49131 states that \"A final resolution is pending completion.\"","workarounds":"Change Location of /sched Directories Sun Alert ID 49131 includes a workaround that involves nesting the /sched directories deeply enough that they cannot be traversed in the space available in pc_clname.","sysaffected":"","thanks":"This vulnerability was publicly reported by CatDog.","author":"This document was written by Art Manion.","public":["http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49131","http://docs.sun.com/db/doc/816-0212/6m6nd4ncg?a=view","http://www.sun.com/security/blueprints/","http://online.securityfocus.com/bid/6262","http://online.securityfocus.com/archive/1/301400/2002-11-24/2002-11-30/0","http://www.iss.net/security_center/static/10717.php"],"cveids":["CVE-2002-1296"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-11-27T20:08:05Z","publicdate":"2002-11-27T00:00:00Z","datefirstpublished":"2002-12-05T00:40:35Z","dateupdated":"2002-12-06T17:12:13Z","revision":45,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"6","cam_population":"14","cam_impact":"20","cam_easeofexploitation":"15","cam_attackeraccessrequired":"10","cam_scorecurrent":"20.475","cam_scorecurrentwidelyknown":"20.475","cam_scorecurrentwidelyknownexploited":"36.225","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":20.475,"vulnote":null}