Sun Solaris vfs_getvfssw Function Local Privilege Escalation Vulnerability

Vulnerability ID: 1107816    Vulnerability type: Path traversal
Published: 2004-03-23    Updated: 2007-09-24
CVE ID: CVE-2004-2686    CNNVD-ID: CNNVD-200412-819
Platform: Solaris    CVSS score: 7.2
|Vulnerability Source
https://www.exploit-db.com/exploits/23874
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-819
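|Vulnerability Details
The vfs_getvfssw function in Solaris 2.6, 7, 8, and 9 has a directory traversal vulnerability. Local users can load arbitrary kernel modules via a malformed (1) mount or (2) sysfs system call.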
|Exploit
source: http://www.securityfocus.com/bid/9962/info

It has been reported that Sun Solaris may be prone to a local privilege escalation vulnerability that may allow an attacker to gain root access to a vulnerable system. The issue exists due to insufficient sanitization of user-supplied data via the vfs_getvfssw() function in the Solaris kernel. An attacker can load a user-specified kernel module by using directory traversal sequences and employing the mount() or sysfs() system calls.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/23874.tar
|References

Source: BID
Name: 9962
Link: http://www.securityfocus.com/bid/9962
Source: SECTRACK
Name: 1008833
Link: http://securitytracker.com/id?1008833
Source: www.immunitysec.com
Link: http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
Source: FULLDISC
Name: 20040407 Solaris vfs_getvfssw() local kernel exploit
Link: http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-04/0297.html
Source: BUGTRAQ
Name: 20040407 Solaris vfs_getvfssw() local kernel exploit
Link: http://seclists.org/bugtraq/2004/Apr/0081.html
Source: US Government Resource: oval:org.mitre.oval:def:1381
Name: oval:org.mitre.oval:def:1381
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1381