CVE-2006-3824
Published 2006-07-25
Priority: P4 | 16 | medium | 4.9 (CVSS 2.0)
AV:L/AC:L/Au:N/C:C/I:N/A:N
EXPLOIT
EPSS: 0.98% (58.0th percentile)
systeminfo.c for Sun Solaris allows local users to read kernel memory via a 0 variable count argument to the sysinfo system call, which causes a -1 argument to be used by the copyout function. NOTE: this issue has been referred to as an integer overflow, but it is probably more like a signedness error or integer underflow.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
No detection rules found.
Exploit-DB
Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)
exploitdb·2006-08-22·CVSS 4.6
---
/*
* $Id: raptor_sysinfo.c,v 1.2 2006/08/22 13:47:54 raptor Exp $
*
* raptor_sysinfo.c - Solaris sysinfo(2) kernel memory leak
* Copyright (c) 2006 Marco Ivaldi
*
* systeminfo.c for Sun Solaris allows local users to read kernel memory via
* a 0 variable count argument to the sysinfo system call, which causes a -1
* argument to be used by the copyout function. NOTE: this issue has been
* referred to as an integer overflow, but it is probably more like a
* signedness error or integer underflow (CVE-2006-3824).
*
* http://en.wikipedia.org/wiki/Pitagora_Suicchi
*
* Greets to prdelka, who also exploited this vulnerability.
*
* I should also definitely investigate the old sysinfo(2) vulnerability
* described in CVE-2003-1062, affec
Exploit-DB
Solaris 10 - 'sysinfo()' Local Kernel Memory Disclosure (1)
exploitdb·2006-07-24
---
/* Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure exploit
* ===================================================================
* Local exploitation of an integer overflow vulnerability in Sun
* Microsystems Inc. Solaris allows attackers to read kernel memory from a
* non-privileged userspace process. The vulnerability specifically exists
* due to an integer overflow in /usr/src/uts/common/syscall/systeminfo.c
*
* Example Use.
* $ uname -a
* SunOS sunos 5.11 snv_30 sun4u sparc SUNW,Ultra-250
* $ ./prdelka-vs-SUN-sysinfo kbuf
* [ Solaris
#include
#include
#include
#define bufsize 1294967293
int main(int argc,char* argv[]){
int fd;
ssize_t out;
char* output_buffer;
if(argc \n");
exit(1);
}
printf("[ Solaris <= 1
http://secunia.com/advisories/21148
http://securitytracker.com/id?1016555
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=410
http://www.securityfocus.com/archive/1/440849/100/100/threaded
http://www.securityfocus.com/archive/1/440986/100/100/threaded
http://www.securityfocus.com/bid/19104
http://www.vupen.com/english/advisories/2006/2936
https://exchange.xforce.ibmcloud.com/vulnerabilities/27901
Published: 2006-07-25