SYNTHESIS OF THE VULNERABILITY

An attacker can use a SD memory card in order to corrupt the memory of the Solaris kernel.

Severity: 2/4

Consequences: administrator access/rights, denial of service of service

Provenance: user console

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: low (1/3)

Creation date: 22/05/2009

IMPACTED PRODUCTS

 OpenSolaris

DESCRIPTION OF THE VULNERABILITY

A SD memory card is for example used in a camera. Some x86 computers have a SD slot to connect these cards. The sdhost driver of Solaris (usr/src/uts/common/io/sdcard/adapters/sdhost/sdhost.c) implements the support of these memory cards.

The Ricoh R5C822 adapter requires non standard DMA (Direct Memory Access) parameters. Parameters used in sdhost.c incorrectly define the memory area. An attacker can then directly access to the kernel memory.

A local attacker can thus alter a memory area in order to elevate his privileges.

CHARACTERISTICS

Identifiers: 259408, 6797937, BID-35069, CVE-2009-1763, VIGILANCE-VUL-8731

http://vigilance.fr/vulnerability/Solaris-memory-corruption-via-sdhost-8731