Tuesday, December 13, 2016

Vulnerability Spotlight: Joyent SmartOS

Vulnerability discovered by Tyler Bohan

Overview

Talos is disclosing a series of vulnerabilities in Joyent SmartOS, specifically in the hyprlofs filesystem. SmartOS is an open source hypervisor based on a branch of OpenSolaris. Hyprlofs is a SmartOS in-memory filesystem that allows users to map files from various different locations under a single namespace. Additionally, hyprlofs allows new virtual file systems to be created quickly and easily. There are three core vulnerabilities being disclosed. However, since they are found in both the 32-bit and 64-bit versions there are a total of six CVEs related to six Talos reports. For all of the vulnerabilities discussed, an attacker would need the PRIV_HYPRLOFS_CONTROL privilege in order for them to be exploitable.

Details

TALOS-2016-0248 & TALOS-2016-0249

This is a privilege escalation vulnerability that results from an integer overflow in the IOCTL function. It is specifically related to the HYPRLOFS_ADD_ENTRIES command and can be exploited if an attacker crafts specific input. The resulting attack causes a kernel panic or, in the case where the attacker has mapped the NULL page into userspace, privilege escalation. For full details see the reports below.
TALOS-2016-0248 / CVE-2016-8733
TALOS-2016-0249 / CVE-2016-9031 (32-Bit)

TALOS-2016-0250 & TALOS-2016-0252

This is another privilege escalation vulnerability that results from a buffer overflow in the IOCTL function. It is specifically related to the HYPRLOFS_ADD_ENTRIES command and can be exploited when an attacker crafts specific input that overflows the NM variable, leading to an out-of-bounds memory access and resulting in privilege escalation. For full details see the reports below.
TALOS-2016-0250 / CVE-2016-9032
TALOS-2016-0252 / CVE-2016-9034 (32-Bit)

TALOS-2016-0251 & TALOS-2016-0253

This is another privilege escalation vulnerability that results from a buffer overflow in the IOCTL function. It is specifically related to the HYPRLOFS_ADD_ENTRIES command and can be exploited when an attacker crafts specific input that overflows the PATH variable, leading to an out-of-bounds memory access and resulting in privilege escalation. For full details see the reports below.
TALOS-2016-0251 / CVE-2016-9033
TALOS-2016-0253 / CVE-2016-9035 (32-Bit)
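The three bug classes above (an integer overflow in the size computed for an ADD_ENTRIES request, and unbounded copies into the NM and PATH fields) share one defensive pattern: validate the count before multiplying, and validate each field's length before copying it into a fixed-size kernel buffer. The following C program is an added illustration of that pattern, written for this article; it is not SmartOS or hyprlofs source, and every name in it (ex_entry, ex_kentry, EX_NAME_MAX, EX_PATH_MAX, EX_KMEM_MAX, ksize_t) is hypothetical. The 32-bit size type is modelled explicitly so the wrap-around that the 32-bit reports describe is reproducible on any host.

```c
/* Added example, not hyprlofs code: an ioctl-style "add entries" validator
 * showing (1) an overflow-safe size computation for the entry table and
 * (2) bounded copies of the per-entry name and path fields.
 * All limits and type names below are hypothetical. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t ksize_t;          /* models the 32-bit kernel's size type */

#define EX_NAME_MAX 64             /* hypothetical limit for the name field */
#define EX_PATH_MAX 256            /* hypothetical limit for the path field */
#define EX_KMEM_MAX (1u << 20)     /* hypothetical cap on one table allocation */

struct ex_entry {                  /* what a caller hands to the ioctl */
    const char *name;
    const char *path;
};

struct ex_kentry {                 /* kernel-side copy with fixed buffers */
    char name[EX_NAME_MAX];
    char path[EX_PATH_MAX];
};

/* Unsafe size computation: count * sizeof() silently wraps in a 32-bit
 * size type, so a huge count yields a tiny allocation and every later
 * write past it is out of bounds. Shown for contrast only. */
ksize_t unsafe_alloc_size(uint32_t count)
{
    return (ksize_t)(count * (ksize_t)sizeof(struct ex_kentry));
}

/* Overflow-safe version: reject before multiplying, then cap the total so a
 * privileged-but-untrusted caller cannot pin unbounded kernel memory.
 * Returns 0 and stores the size in *out, or an errno value. */
int safe_alloc_size(uint32_t count, ksize_t *out)
{
    if (count == 0)
        return EINVAL;
    if (count > UINT32_MAX / sizeof(struct ex_kentry))
        return EOVERFLOW;                       /* would wrap in ksize_t */
    ksize_t total = count * (ksize_t)sizeof(struct ex_kentry);
    if (total > EX_KMEM_MAX)
        return E2BIG;
    *out = total;
    return 0;
}

/* Bounded copy of one entry: fail on an empty, overlong or unterminated
 * field rather than truncating silently or overrunning the fixed buffers. */
int copy_entry(const struct ex_entry *src, struct ex_kentry *dst)
{
    if (src->name == NULL || src->path == NULL)
        return EINVAL;
    size_t nlen = strnlen(src->name, EX_NAME_MAX);   /* never reads past the limit */
    size_t plen = strnlen(src->path, EX_PATH_MAX);
    if (nlen == 0 || nlen >= EX_NAME_MAX)            /* must leave room for NUL */
        return ENAMETOOLONG;
    if (plen == 0 || plen >= EX_PATH_MAX)
        return ENAMETOOLONG;
    memcpy(dst->name, src->name, nlen + 1);
    memcpy(dst->path, src->path, plen + 1);
    return 0;
}

/* Whole request: size check first, then per-entry checks, releasing the
 * table on any failure. Returns 0 on success or an errno value. */
int add_entries(const struct ex_entry *entries, uint32_t count,
                struct ex_kentry **out_table)
{
    ksize_t total;
    int err = safe_alloc_size(count, &total);
    if (err)
        return err;
    struct ex_kentry *table = calloc(1, total);
    if (table == NULL)
        return ENOMEM;
    for (uint32_t i = 0; i < count; i++) {
        err = copy_entry(&entries[i], &table[i]);
        if (err) {
            free(table);
            return err;
        }
    }
    *out_table = table;
    return 0;
}

int main(void)
{
    /* constructed sample input */
    char longname[EX_NAME_MAX + 8];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    struct ex_entry good[2] = { { "etc", "/etc" }, { "bin", "/usr/bin" } };
    struct ex_entry bad[1] = { { longname, "/tmp" } };
    struct ex_kentry *t = NULL;
    ksize_t sz;

    printf("valid request:       %d\n", add_entries(good, 2, &t));
    free(t);
    printf("overlong name:       %d (ENAMETOOLONG=%d)\n", add_entries(bad, 1, &t), ENAMETOOLONG);
    printf("wrapped size:        %u bytes for count 0x40000001\n", unsafe_alloc_size(0x40000001u));
    printf("checked size:        %d (EOVERFLOW=%d)\n", safe_alloc_size(0x40000001u, &sz), EOVERFLOW);
    return 0;
}
```

The contrast to note is in the two size functions: with a 320-byte entry, a count of 0x40000001 makes the unchecked product wrap to exactly 320 bytes, enough for one entry while the loop would write over a billion, whereas the checked version refuses the request before any allocation happens. The per-field length check does the same job for the name and path copies, which is the mitigation for the NM and PATH overflows described above.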

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 40898-40903
