News
Vigil@nce: Solaris, access to vntsd
July 2009 by Vigil@nce
A local attacker can connect to vntsd in order to access to the console of a guest virtual system.
Severity: 2/4
Consequences: privileged access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 26/06/2009
IMPACTED PRODUCTS
OpenSolaris
Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The vntsd (Virtual Network Terminal Server Daemon for Logical Domains) daemon is used to access to guest system consoles via a telnet client.
Normally, only an authorised client can access to the console. However, the vntsd_listen_thread() function of the usr/src/cmd/vntsd/listen.c file does not check if the uid associated to the local socket is an allowed user. Every local user can therefore access to all consoles.
A local attacker can thus connect to vntsd in order to access to the console of a guest virtual system.
CHARACTERISTICS
Identifiers: 262708, 6781539, BID-35502, VIGILANCE-VUL-8827
http://vigilance.fr/vulnerability/Solaris-access-to-vntsd-8827
