Solaris vntsd LDoms Unauthorized Access to Guest Domain Console
This is another vulnerability disclosed by Sun on 25 June 2009. It affects Solaris 10 and OpenSolaris based upon builds snv_41 through snv_108. vntsd (the Virtual Network Terminal Server Daemon for Logical Domains, or LDoms) is a utility provided by Sun to support connections to Logical Domain consoles using common telnet.
The buggy code can be found in usr/src/cmd/vntsd/, where the vntsd implementation is located. The function vntsd_listen_thread() lacked a critical check: there was no authorization check, so a user could simply access any console regardless of his privileges. To fix this, Sun added the following code to vntsd_listen_thread():
+
+ /* Check authorization if enabled */
+ if ((vntsdp->options & VNTSD_OPT_AUTH_CHECK) != 0) {
+ rv = auth_check_fd(newsockfd, groupp->group_name);
+ if (rv != B_TRUE) {
+ D3(stderr, "t@%d listen@%lld group@%s: "
+ "authorization failure\n", thr_self(),
+ groupp->tcp_port, groupp->group_name);
+ (void) close(newsockfd);
+ continue;
+ }
+ }
+
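Review bot: the new check is skipped entirely unless VNTSD_OPT_AUTH_CHECK is set in vntsdp->options, so a daemon started without that option still accepts every connection exactly as before the fix. If the option cannot be made the default, the comment above the if should say how it gets enabled and that the console is unauthenticated without it. Separately, the failure branch reports the refusal only through D3(stderr, ...), which reads as a debug trace; a refused console connection is worth a persistent log entry that includes the group name and port, so that repeated attempts are visible to whoever operates the control domain.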
