xorl %eax, %eax

Solaris vntsd LDoms Unauthorized Access to Guest Domain Console

leave a comment »

Another vulnerability disclosed by Sun on 25 June 2009 which affects Solaris 10 and OpenSolaris based upon builds snv_41 through snv_108. vntsd (Virtual Network Terminal Server Daemon for Logical Domains (LDoms)) is a utility provided by Sun to support connections to Logical Domains console using common telnet.
The buggy code can be found at usr/src/cmd/vntsd/ where the vntsd implementation is located. Function vntsd_listen_thread() was lacking a critical check. There was no authorization check and a user was able to simply access any console regardless of his privileges. To fix this, they added the following code into vntsd_listen_thread():

+ 
+ 		/* Check authorization if enabled */
+ 		if ((vntsdp->options & VNTSD_OPT_AUTH_CHECK) != 0) {
+ 			rv = auth_check_fd(newsockfd, groupp->group_name);
+ 			if (rv != B_TRUE) {
+ 				D3(stderr, "t@%d listen@%lld group@%s: "
+ 				    "authorization failure\n", thr_self(),
+ 				    groupp->tcp_port, groupp->group_name);
+ 				(void) close(newsockfd);
+ 				continue;
+ 			}
+ 		}
+ 

Written by xorl

July 3, 2009 at 14:57

Posted in bugs, solaris

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s