Vulnerability discovered by Tyler Bohan
Overview
Talos is disclosing a series of vulnerabilities in Joyent SmartOS, specifically in the hyprlofs filesystem. SmartOS is an open source hypervisor based on a branch of OpenSolaris. hyprlofs is a SmartOS in-memory filesystem that allows users to map files from various locations under a single namespace. Additionally, hyprlofs allows new virtual file systems to be created quickly and easily. Three core vulnerabilities are being disclosed. However, since each is present in both the 32-bit and 64-bit versions, there are a total of six CVEs corresponding to six Talos reports. For all of the vulnerabilities discussed, an attacker needs the PRIV_HYPRLOFS_CONTROL privilege in order to exploit them.
Details
TALOS-2016-0248 & TALOS-2016-0249
This is a privilege escalation vulnerability that results from an integer overflow in the IOCTL function. It is specifically related to the HYPRLOFS_ADD_ENTRIES command and can be triggered by an attacker who crafts specific input. A successful attack results in a kernel panic or, where the attacker has mapped the NULL page into userspace, privilege escalation. For full details see the reports below.
TALOS-2016-0248 / CVE-2016-8733
TALOS-2016-0249 / CVE-2016-9031 (32-bit)
TALOS-2016-0250 & TALOS-2016-0252
This is another privilege escalation vulnerability that results from a buffer overflow in the IOCTL function. It is specifically related to the HYPRLOFS_ADD_ENTRIES command and can be triggered by an attacker who crafts specific input that overflows the NM variable, leading to an out-of-bounds memory access and resulting in privilege escalation. For full details see the reports below.
TALOS-2016-0250 / CVE-2016-9032
TALOS-2016-0252 / CVE-2016-9034 (32-bit)
TALOS-2016-0251 & TALOS-2016-0253
This is another privilege escalation vulnerability that results from a buffer overflow in the IOCTL function. It is specifically related to the HYPRLOFS_ADD_ENTRIES command and can be triggered by an attacker who crafts specific input that overflows the PATH variable, leading to an out-of-bounds memory access and resulting in privilege escalation. For full details see the reports below.
TALOS-2016-0251 / CVE-2016-9033
TALOS-2016-0253 / CVE-2016-9035 (32-bit)
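As an added illustration (not code from the Talos reports or from SmartOS), the following C models the two checks these bug classes call for in an ioctl handler such as HYPRLOFS_ADD_ENTRIES: an overflow-safe size computation for the user-supplied entry array, and validation of each entry's name and path lengths before they are copied into fixed-size kernel buffers. The structure layout, field names and buffer size are assumptions for the example, not the SmartOS definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of an ADD_ENTRIES request (assumed shape, not the
 * SmartOS definitions): each entry carries a PATH and a name (NM) with
 * caller-supplied lengths, and the kernel copies both into fixed buffers. */
#define HLE_MAXPATHLEN 1024U   /* assumed size of the kernel-side buffers */

typedef struct {
    const char *hle_path;  uint32_t hle_plen;   /* PATH and its length */
    const char *hle_name;  uint32_t hle_nlen;   /* NM and its length */
} hle_entry_t;

/* The unsafe pattern: a 32-bit count multiplied by the entry size with no
 * overflow check. A large count wraps the product to a small value, so the
 * allocation is too small for the `len` entries copied into it afterwards. */
static uint32_t unchecked_array_size(uint32_t len)
{
    return len * (uint32_t)sizeof(hle_entry_t);
}

/* Hardened version: reject a count whose product cannot fit the 32-bit size
 * the interface uses, and compute the result in size_t. Returns 0 when the
 * count is invalid (a zero-entry request is rejected as well). */
static size_t checked_array_size(uint32_t len)
{
    if (len == 0 || len > UINT32_MAX / sizeof(hle_entry_t))
        return 0;
    return (size_t)len * sizeof(hle_entry_t);
}

/* Validate one entry before any copy into the fixed-size kernel buffers:
 * each length must be non-zero and leave room for the terminating NUL.
 * Returns 0 on success or an errno value the ioctl can hand back. */
static int validate_entry(const hle_entry_t *e)
{
    if (e == NULL || e->hle_path == NULL || e->hle_name == NULL)
        return EINVAL;
    if (e->hle_plen == 0 || e->hle_plen >= HLE_MAXPATHLEN)
        return ENAMETOOLONG;                    /* PATH would overflow */
    if (e->hle_nlen == 0 || e->hle_nlen >= HLE_MAXPATHLEN)
        return ENAMETOOLONG;                    /* NM would overflow */
    return 0;
}
```

A count of 0x10000000 wraps the unchecked 32-bit product to 0 on both 32-bit and 64-bit builds, which is exactly the case the checked version refuses.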
Coverage
The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rules: 40898-40903