Advisory Details

February 18th, 2016

Joyent SmartOS Linux Zone Escape SS Exception Privilege Escalation Vulnerability

ZDI-16-170
ZDI-CAN-3364

CVE ID
CVSS SCORE 6.9, (AV:L/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED VENDORS Joyent
AFFECTED PRODUCTS SmartOS
VULNERABILITY DETAILS


This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Joyent SmartOS. An attacker must be logged in as a user on the system in order to execute the attack.

The specific flaw exists within the handling of an SS Exception. The stack segment fault handling code allows for a GS register to be user controlled. This allows an attacker to elevate privileges to escape a Linux zone and achieve privileged execution on the global zone.

VENDOR RESPONSE Joyent has issued an update to correct this vulnerability. More details can be found at:
https://help.joyent.com/entries/98788667-Security-Advisory-ZDI-CAN-3263-ZDI-CAN-3284-and-ZDI-CAN-3364-Vulnerabilities
DISCLOSURE TIMELINE
  • 2015-11-04 - Vulnerability reported to vendor
  • 2016-02-18 - Coordinated public release of advisory
CREDIT Ben Murphy
BACK TO ADVISORIES