Security expert discovered Kernel Level Privilege Escalation vulnerability in the Availability Suite Service component of Oracle Solaris 10 and 11.3
Security researchers from Trustwave have discovered a new high severity vulnerability, tracked as CVE-2018-2892, that affected the Availability Suite Service component in Oracle Solaris 10 and 11.3.
The flaw could be exploited by a remote authenticated attacker to execute code with elevated privileges.
“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation.” reads the security advisory published by the company.
“The issue is the result of a signedness bug in the bounds checking of the ‘SDBC_TEST_INIT’ ioctlcode sent to the ‘/dev/sdbc‘ device. The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”
The experts discovered that the flaw was first discovered in 2007 and it was publicly disclosed in 2009 during the CanSecWest security conference.
The vulnerability is the result of a combination of several arbitrary memory dereference issued and an unbounded memory write vulnerability.
“The original issue was disclosed on stage at CanSec 2009 ( https://cansecwest.com/slides.html).” reads the analysis published by Trustwave. “The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin().”
Oracle also rolled out a security patch after the issue was disclosed, but evidently the problem was not totally addressed.
“Exploitation of the issue is almost identical to the exploit developed back in 2007 for the original issue with the exception of a change in architecture between OpenSolaris running on x86 (32-bit) and the newer Oracle Solaris 11 running on x86-64 taking into account that the user-supplied index uap->ar must now be a negative value.” continues Trustwave.
According to the experts, the flaw is still present in the solution due to the introduction of additional code used for testing purposes.
Oracle addressed this flaw as a part of the July CPU security updates