exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Solaris 11 USB Hub Class Descriptor Kernel Stack Overflow

Solaris 11 USB Hub Class Descriptor Kernel Stack Overflow
Posted Nov 2, 2011
Authored by Andy Davis | Site ngssecure.com

It was discovered that a local attacker can send a malformed USB hub class descriptor via a malicious USB device and trigger a kernel stack overflow in Solaris versions 8, 9, 10, and 11 Express.

tags | advisory, overflow, kernel, local
systems | solaris
SHA-256 | a80d1f9f52f13b9e8415d9d58079861c76c46a4c8467e2a7cfa25f5c7369fe03

Solaris 11 USB Hub Class Descriptor Kernel Stack Overflow

Change Mirror Download
=======
Summary
=======
Name: Solaris 11 USB hub class descriptor kernel stack overflow
Release Date: 2 November 2011
Reference: NGS00042
Discoverer: Andy Davis <andy.davis@ngssecure.com>
Vendor: Oracle
Vendor Reference:
Systems Affected: Solaris 8, 9, 10, and 11 Express
Risk: High
Status: Published

========
TimeLine
========
Discovered: 27 January 2011
Released: 27 January 2011
Approved: 27 January 2011
Reported: 27 January 2011
Fixed: 19 July 2011
Published: 2 November 2011

===========
Description
===========
A local attacker can send a malformed USB hub class descriptor via a malicious USB device and trigger a kernel stack overflow

=================
Technical Details
=================
If the wMaxPacketSize field within a USB hub class Endpoint descriptor is set to a value >= 0x1125, it causes a kernel stack overflow

Jan 27 13:36:59 solaris ^Mpanic[cpu1]/thread=d742ada0:
Jan 27 13:36:59 solaris genunix: [ID 549817 kern.notice] segkp_fault: accessing redzone
Jan 27 13:36:59 solaris unix: [ID 100000 kern.notice] Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a540
genunix:segkp_fault+238 (d1061f68, fec24c20,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a590 unix:segkmem_fault+8e (d1061f68,
fec24c60,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a630
genunix:as_fault+4c1 (d1061f68, fec23da0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a690 unix:pagefault+1ac (d23bd000, 0, 1, 1) Jan
27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a740 unix:trap+136f (d742a754, d23bd000,) Jan 27 13:36:59 solaris genunix: [ID 353471
kern.notice] d742a754 unix:_cmntrap+7c (fea501b0, d1010000,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a7c8
ehci:ehci_calculate_bw_availability_mask+48 (d2089000, 2892, 0, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a838
ehci:ehci_find_bestfit_hs_mask+c8 (d2089000, d742a8fa,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a888
ehci:ehci_allocate_high_speed_bandwidth+126 (d2089000, d6c84be0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a8b8
ehci:ehci_allocate_bandwidth+21 (d2089000, d6c84be0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a918 ehci:ehci_hcdi_pipe_open+dd
(d6c84be0, 0, d742a9) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a968
usba:usb_pipe_open+260 (d1d01cf0, d851ec70,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a998
usba:hubd_open_intr_pipe+37 (d851ec40, 0, d742a9) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742a9c8
usba:hubd_check_ports+f0 (d851ec40, d1d01cf0,) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa38 usba:usba_hubdi_attach+43a (d1d01cf0,
0, 0, 0) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa68
genunix:devi_attach+a5 (d1d01cf0)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aa88 genunix:attach_node+9a (d1d01cf0, 1, d2076c) Jan 27 13:36:59 solaris genunix: [ID
353471 kern.notice] d742aab8
genunix:i_ndi_config_node+c1 (d1d01cf0, 6, 0, d1d) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aad8 genunix:i_ddi_attachchild+3d
(d1d01cf0, 0, d742aa) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aaf8 genunix:devi_attach_node+bb (d1d01cf0, 1020008, ) Jan 27
13:36:59 solaris genunix: [ID 353471 kern.notice] d742ab38
genunix:config_immediate_children+e6 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ab78
genunix:ndi_busop_bus_config+74 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac18 usba:hubd_bus_config+dc
(d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac48
genunix:devi_config_common+74 (d17f3340, 1020008, ) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ac68
genunix:ndi_devi_config+13 (d17f3340, 1020008) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742aca8 genunix:ndi_devi_online+fc (d17f3340,
0, 0, f8a) Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad18 usba:hubd_hotplug_thread+52b (e0553c50, d1db8b9c,) Jan 27 13:36:59 solaris
genunix: [ID 353471 kern.notice] d742ad88
genunix:taskq_d_thread+a3 (d3b94410, 0)
Jan 27 13:36:59 solaris genunix: [ID 353471 kern.notice] d742ad98
unix:thread_start+8 ()

===============
Fix Information
===============
This issue is addressed in the Oracle Critical Patch Update Advisory - July 2011, which is available at the following URL:
https://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

NGS Secure Research
https://www.ngssecure.com
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close