Date: Mon, 20 Jan 2020 10:35:26 +0000
From: Marco Ivaldi <marco.ivaldi@...iaservice.net>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2020-2656, CVE-2020-2696 - Multiple vulnerabilities in Oracle Solaris

Dear oss-security,

As suggested by Solar Designer, I’m cross-posting two recent advisories for the following vulnerabilities, fixed in Oracle's Critical Patch Update (CPU) of January 2020:

CVE-2020-2656 - Low impact information disclosure via Solaris xlock
"A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow local users to read partial contents of sensitive files. Due to the fact that target files must be in a very specific format, exploitation of this flaw to escalate privileges in a realistic scenario is unlikely."

CVE-2020-2696 - Local privilege escalation via CDE dtsession
"A buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file."

Please find the advisories attached to this email.

For further details and some background information on my recent vulnerability research project focused on Oracle Solaris, please refer to:
https://techblog.mediaservice.net/2020/01/local-privilege-escalation-via-cde-dtsession/
https://techblog.mediaservice.net/2019/10/local-privilege-escalation-on-solaris-11-x-via-xscreensaver/
https://techblog.mediaservice.net/2019/05/raptor-at-infiltrate-2019/

Regards,

-- 
Marco Ivaldi, Offensive Security Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
https://www.mediaservice.net/
Tel: +39 011 19016595 | Fax: +39 011 3246497


Attachment: 2020-01-solaris-xlock.txt (text/plain, 5327 bytes)

Attachment: 2020-02-cde-dtsession.txt (text/plain, 4331 bytes)
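The CVE-2020-2696 description above names the bug class (a buffer overflow reached through an overlong palette name in a user-controlled .Xdefaults) but not the code path. The following is an added illustration of that class, written for this page; it is not CDE's CheckMonitor() code nor anything from the attached advisories. The resource name "*palette", the 32-byte buffer size and the sample resource lines are all constructed for the example. The point it makes is the trust boundary: a setuid root program that reads the invoking user's X resources is parsing attacker-controlled input, so every value needs an explicit length check before it goes into a fixed-size buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this illustration only; the size used by the
 * real CDE code is not stated in the advisory. */
#define PALETTE_NAME_MAX 32

/* Constructed resource lines standing in for what a setuid program would
 * read from the invoking user's ~/.Xdefaults. The resource name is made up
 * for the example and is not CDE's. LINE_LONG carries a 64-byte value. */
static const char LINE_OK[] = "*palette: Crimson\n";
static const char LINE_LONG[] =
    "*palette: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

/* Return a pointer to the value part of a "name: value" resource line
 * (leading blanks skipped), or NULL if the line has no colon. */
static const char *resource_value(const char *line)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return NULL;
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t')
        v++;
    return v;
}

/* Vulnerable pattern: the value's length is trusted and copied into a
 * fixed-size stack buffer. A value of PALETTE_NAME_MAX bytes or more
 * writes past the end of name[] (undefined behaviour); in a setuid root
 * program that is the privilege-escalation primitive. Returns the stored
 * length. Only ever call this with a short value. */
int load_palette_vulnerable(const char *line)
{
    char name[PALETTE_NAME_MAX];
    const char *v = resource_value(line);
    if (v == NULL)
        return -1;
    strcpy(name, v);                      /* unbounded copy */
    name[strcspn(name, "\r\n")] = '\0';   /* strip end of line */
    return (int)strlen(name);
}

/* Hardened version: measure the value first, reject anything that does not
 * fit together with its terminator, and only then copy with an explicit
 * length. Returns the stored length, or -1 if rejected or malformed. */
int load_palette_hardened(const char *line)
{
    char name[PALETTE_NAME_MAX];
    const char *v = resource_value(line);
    if (v == NULL)
        return -1;
    size_t len = strcspn(v, "\r\n");      /* value ends at end of line */
    if (len >= sizeof name)
        return -1;                        /* would overflow: reject */
    memcpy(name, v, len);
    name[len] = '\0';
    return (int)len;
}

int main(void)
{
    printf("vulnerable, short value: %d\n", load_palette_vulnerable(LINE_OK));
    printf("hardened,   short value: %d\n", load_palette_hardened(LINE_OK));
    printf("hardened,   long value:  %d\n", load_palette_hardened(LINE_LONG));
    /* load_palette_vulnerable(LINE_LONG) is deliberately not called. */
    return 0;
}
```

The hardened function rejects the overlong value instead of truncating it silently; for a setuid program either is safe, but a hard rejection makes a tampered .Xdefaults visible rather than quietly accepting a mangled name.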
