Oracle Re-Patches 11 Year Old Solaris Hole That Survived First Patch

In an episode reminiscent of the frequently revived Windows USB hole which propagated Stuxnet, Oracle has re-patched a kernel level hole in the "Solaris Availability Suite Service" which survived its initial patching 11 years ago largely intact. The vulnerability affects all versions of Solaris 10 and 11, allowing1 locally logged in users to escalate their privileges to their heart's content.


  1. Text preserved below for the lulz as traditional archiving tools failed:

    CVE-2018-2892 – Kernel Level Privilege Escalation in Oracle Solaris

    July 24, 2018
    Posted By Neil Kettle

    Trustwave recently discovered a locally exploitable issue in all current versions of Oracle Solaris 10/11 as detailed in the recently posted Trustwave advisory. The issue is present in the kernel and is locally exploitable as an unprivileged user provided the local system has the Sun StorageTek Availability Suite (AVS) configured.
    The Vulnerability

    The vulnerability has an interesting history dating back to 2007, when the underlying issue was originally discovered and exploited. The original issue was disclosed on stage at CanSec 2009 ( https://cansecwest.com/slides.html). The root cause is a combination of an arbitrary memory dereference, through a lack of bounds checking on a user-controlled array index, and an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin(). The vulnerability itself is present in the ioctl handler for the '/dev/sdbc' device; the vulnerable code path passes through the following code with a 'cmd' value of 'SDBC_TEST_INIT':

    common/avs/ns/sdbc/sd_misc.c (excerpt):

    static int
    sdbcioctl(dev_t dev, int cmd, void *arg, int mode, cred_t *crp, int *rvp)
    {

        switch (cmd) {

        case SDBC_TEST_INIT:
            rc = _sd_test_init(&args);
            break;

    The code passes through the call to _sd_test_init(&args) to the function definition given below:

    common/avs/ns/sdbc/sd_tdaemon.c:

    int
    _sd_test_init(void *args)
    {
        register struct a {
            caddr_t addr;
            long ar;
            long len;
            long tsize;
            long flag;
        } *uap = (struct a *)args;

        if (copyin(uap->addr, devarray[uap->ar] /* [1] */, uap->len /* [2] */)) {
            return (EFAULT);
        }
        dev_tsize[uap->ar] /* [3] */ = (uap->tsize < 48) ? 48 : uap->tsize;
        dev_flag[uap->ar] /* [4] */ = uap->flag;
        return (0);
    }

    There are at least four different vulnerabilities in this small code fragment! We summarise these below, numbered to match the markers in the listing:

    1. arbitrary memory dereference (devarray[uap->ar]) resulting in an arbitrary destination pointer being passed to copyin(),
    2. arbitrary user-controlled length (uap->len) in the call to copyin() resulting in an unbounded memory write,
    3. arbitrary memory dereference (dev_tsize[uap->ar]) and thus a user-controllable write,
    4. arbitrary memory dereference (dev_flag[uap->ar]) and thus a user-controllable write.

    However, the history of this particular vulnerability does not end there. Sometime between 2009 and 2017 Oracle/Sun attempted to fix the issue by adding a bounds check on the value of uap->ar. The following disassembly illustrates the bounds checking Oracle/Sun applied:

    [Figure: screenshot of the disassembled bounds check, 2018-07-17]

    As can be seen, the value of uap->ar must not be greater than or equal to 128. However, we can also observe that Oracle/Sun did not modify the underlying type of uap->ar, which is a signed long, so a signedness issue exists: the value of uap->ar is never checked for being < 0. An attacker could therefore specify a value with the top-most bit set (and thus negative), pass the bounds check, and once again dereference arbitrary memory. The remainder of the patch limited the uap->len parameter to a signed value less than 256 (but also potentially negative).
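    The signedness defect described above, as an added example that is not Trustwave's or Oracle's code: a user-space model placing the shape of the partial fix's check beside a corrected one, and a hardened version of the handler's core step. The array and buffer sizes are assumptions taken from the 128 and 256 limits quoted in the post, and memcpy stands in for copyin().

```c
/* Added example, not Trustwave's or Oracle's code: a user-space model of
 * the bounds checks discussed in the post. Sizes below are assumptions;
 * the post only states the index limit (128) and the length limit (256). */
#include <errno.h>
#include <string.h>

#define DEV_ARRAY_SLOTS 128   /* assumed: matches the ">= 128" bound */
#define DEV_BUF_BYTES   256   /* assumed: matches the "< 256" bound  */

/* Stand-in for the per-device buffers that devarray[] points at. */
static char devbuf[DEV_ARRAY_SLOTS][DEV_BUF_BYTES];

/* Shape of the partial fix: signed long compared against the upper bound
 * only, so a negative index or length slips through. Returns 1 if the
 * arguments would be accepted. */
int patched_check_accepts(long ar, long len)
{
    if (ar >= DEV_ARRAY_SLOTS)
        return 0;
    if (len >= DEV_BUF_BYTES)
        return 0;
    return 1;
}

/* Corrected check: casting to unsigned turns every negative value into a
 * huge one, so a single comparison rejects both ends of the range. */
int fixed_check_accepts(long ar, long len)
{
    if ((unsigned long)ar >= DEV_ARRAY_SLOTS)
        return 0;
    if ((unsigned long)len >= DEV_BUF_BYTES)
        return 0;
    return 1;
}

/* Hardened version of the handler's core step: validate before indexing
 * and before the copy. memcpy stands in for copyin(); returns 0 on
 * success or a negative errno value. */
int fixed_test_init(long ar, long len, const void *src)
{
    if (!fixed_check_accepts(ar, len))
        return -EINVAL;       /* reject instead of indexing with ar */
    memcpy(devbuf[ar], src, (size_t)len);
    return 0;
}
```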
    Exploitation

    Exploitation of the issue is almost identical to the exploit developed back in 2007 for the original issue with the exception of a change in architecture between OpenSolaris running on x86 (32-bit) and the newer Oracle Solaris 11 running on x86-64 taking into account that the user-supplied index uap->ar must now be a negative value.

    Final Thoughts

    In case you were wondering why there would be such an obviously exploitable issue in a common configuration of Oracle Solaris, well the following might provide some hints:

    common/avs/ns/sdbc/sdbc_ioctl.h:

    #define SDBC_TEST_INIT _SDBC_(5) /* TESTING - tdaemon parameters */
    /*
     * char * device_name;
     * int index;
     * int len;
     * int track_size;
     * int flags;
     */

    The code in question may well be for testing purposes.

    This vulnerability has been issued CVE-2018-2892.
    Oracle has patched this vulnerability as a part of their July CPU patch cycle: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
    More information is available in our advisory here: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2018-007


US Kangaroo Court Issues Conviction For Kidnapped Antivirus Operator

On May 16, 2018, A USG kangaroo court convicted one Mr. Ruslan Bondars, a "non-citizen"1 of USG marionette state Latvia, of "one count of conspiracy to violate the Computer Fraud and Abuse Act, one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage".

Mr. Bondars was brutally kidnapped under colour of law by USG.FBI thugs, with the cooperation of local quislings;2 held incommunicado and flown in secret to USA; brought to "trial" — and summarily convicted of all charges — for operating a WWW site called Scan4you. This appears to have been a service essentially-identical to more well-known items like VirusTotal (the latter — acquired by Google in 2012, reputedly for $0.5B USD); visitors could submit executables and view results from testing their submissions against popular MS-Windows antivirus programs.

However, unlike VirusTotal and other USG properties, Scan4you did not forward all user submissions to USG agents (Microsoft, alphabet-soup agencies, et al). In the words of the prosecuting Freisler:

"Scan4you differed from legitimate antivirus scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community and notify their users that they will do so, Scan4you instead informed its users that they could upload files anonymously and promised not to share information about the uploaded files with the antivirus community."

Mr. Bondars now faces a 35-year sentence, "…as a warning to those who aid and abet criminal hackers".

The "Newton's Laws" governing this type of witch trial are, of course, quite well-known:

"Practically speaking, understand that one does not get to exist in the US sphere without being a tool of the USG.

You can't have a bank that does banking : either it does policing work for the USG or it gets burned down. You can't be an investor : either you push the USG agenda ad idem or else they come take your shit." —
"On how the factored 4096 RSA keys story was handled, and what it means to you." (Mircea Popescu)

It appears that the NATO Reich is moving ahead with its long-term plan to add vulnerability research to the list (already occupied by, e.g., banking) of formally declared Reich monopolies.


  1. Mr. Bondars is a citizen of the USSR, and appears to have been, along with millions of others, "unpersoned" by the USG Baltic Bantustan formed after the May 1990 destruction of the Latvian Soviet Socialist Republic. Citizenship under the new regime was not granted to all persons lawfully residing there under the old one, but was contingent on demonstrating knowledge of the local monkey language (about a fifth of the population qualified) and taking a loyalty oath to the new quisling government. 

  2. Explicitly credited by USG: "The Government of Latvia, including the Latvia State Police International Cooperation Department, the Latvia State Police Cybercrime Unit, and the General Prosecutor’s Office of the Republic of Latvia – International Cooperation Division, provided assistance and support during the investigation." 

Pantsuit Media Tries To Dethrone #WOKE Voice of a Generation Kanye West With Forced Meme

With Kanye West, the #WOKE voice of a generation, flying a Make America Great Again banner, mainstream Pantsuit outlets have launched an all out forced meme campaign to replace Kanye with a more obedient representative of Black America. For this purpose Pantsuit has settled on Donald Glover, a former NBC sitcom writer thoroughly indoctrinated in Pantsuit dogma.

Kanye Makes Pantsuit Media Headlines While Outlets Refuse To Acknowledge Growing Hotep Movement

Recently the mainstream Pantsuit media has been making a lot of noise about the "Dragon Energy" Kim Kardashian's husband Kanye West1 shares with US President Donald Trump. While Pantsuit has been casting Kanye's latest barrage of support for Trump as anomalous or a harbinger of a personal breakdown, they have been ignoring the existence of the larger black nationalist conservative Hotep movement of which Kanye is a part (archived).

The hotep ideology is a shiv to the "everybody but white men" diversity dream of the pantsuits: patriarchal, anti-immigrant, afro-supremacist, and memeable. Claiming Alexander Crummel, Marcus Garvey, and others as intellectual forerunners while melding Nation of Islam mythos with comic book history, hotep ideas are common among black US prison graduates and the black American working class.

Why won't pantsuit media talk about their own goal? The one where USG.Disney released a blockbuster film two months ago based on a comic soaked in Hotep ideology, then two months later released a blockbuster morality tale where the Hotep "We iz kangz" paradise is devastated for their choice to trust and stand with white "allies" in favor of the pantsuit agenda?


  1. During B Hussein Obama's first term Kanye published a rap with the following, clearly reactionary and Hotep aligned lyrics:

    Us living as we do upside down
    And the new word to have is revolution
    People don't even want to hear the preacher
    Spill or spiel because God's whole card has been thoroughly piqued
    And America is now blood and tears instead of milk and honey
    The youngsters who were programmed to continue
    Fucking up woke up one night digging
    Paul Revere and Nat Turner as the good guys
    America stripped for bed and we had not all yet closed our eyes
    The signs of truth were tattooed across her often entered vagina
    We learned to our amazement untold tale of scandal
    Two long centuries buried in the musty vault
    Hosed down daily with a gagging perfume
    America was a bastard, the illegitimate daughter of the mother country
    Whose legs were then spread around the world
    And a rapist known as freedom, free doom
    Democracy, liberty, and justice were revolutionary code names that preceded
    The bubbling bubbling bubbling bubbling bubbling
    In the mother country's crotch
    What does Webster say about soul?
    All I want is a good home and a wife
    And a children and some food to feed them every night
    After all is said and done build a new route to China if they'll have you
    Who will survive in America?
    Who will survive in America?
    Who will survive in America?
    Who will survive in America?