Title: Multiple Vendor Call Gate Creation Input Validation Vulnerability
Severity: HIGH
Description:
One of the ways that system calls (execution of kernel-level code by userland programs) can be implemented on the Intel platform is by using call gates.
Call gates are entries in a process's local descriptor table (LDT) for 'far' procedures that userland programs wish to execute. A gate descriptor contains a gate target, a segment selector and an offset. When the procedure is called, the code segment selector and the offset tell the kernel where the instructions for the desired routine begin; the gate target indicates the privilege mode the call runs in.
When system calls are executed, the privilege mode in the gate descriptor is set to 0 (kernel mode). As with other procedures, the kernel uses the remaining information in the gate descriptor to locate the beginning of the procedure. It is important that this information is validated, because the kernel will attempt to execute instructions at whatever address it points to.
In some i386 operating systems, the mechanism for setting LDT entries contains an input validation error that can be exploited when creating call gates. In their default configuration, NetBSD and Solaris systems may allow users to create malicious LDT entries, resulting in kernel code at arbitrary addresses being executed when the procedure is called.
It is likely that this vulnerability can be exploited to gain root privileges. For example, a user may be able to change the user ID of an arbitrary process on the system by forcing execution of the appropriate kernel function, provided the proper arguments can be obtained and passed.
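As an added illustration (not code from this advisory or from any of the affected vendors' patches), the following C function shows the kind of check an LDT-setting system call should apply before installing a user-supplied 32-bit call gate: the gate must refer to a code segment that lives in the LDT and stays at user privilege (DPL 3), never to a GDT entry such as the kernel code segment. Descriptor layouts follow the Intel 32-bit format; make_callgate and make_codeseg are helpers assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Illustrative check (not any vendor's actual patch): may this user-supplied
 * 32-bit call gate be installed in a process LDT without letting a later
 * far call through it raise privilege? Layouts follow the Intel format. */

enum { GATE_OK = 0, GATE_BAD_TYPE, GATE_NOT_LDT, GATE_OUT_OF_RANGE,
       GATE_TARGET_NOT_CODE, GATE_TARGET_NOT_USER };

#define CALLGATE32   0xC                       /* system descriptor type 1100b */
#define SEL_TI(s)    (((s) >> 2) & 1)          /* table indicator: 1 = LDT, 0 = GDT */
#define SEL_INDEX(s) ((s) >> 3)                /* descriptor index within that table */
#define DESC_TYPE(d) ((unsigned)((d) >> 40) & 0xF)
#define DESC_S(d)    ((unsigned)((d) >> 44) & 1) /* 0 = system (gate), 1 = code/data */
#define DESC_DPL(d)  ((unsigned)((d) >> 45) & 3)
#define DESC_P(d)    ((unsigned)((d) >> 47) & 1)

/* Helper (assumed for the example): build a present 32-bit call gate. */
uint64_t make_callgate(uint16_t sel, uint32_t off, unsigned dpl)
{
    return (uint64_t)(off & 0xFFFF) | ((uint64_t)sel << 16)
         | ((uint64_t)CALLGATE32 << 40) | ((uint64_t)(dpl & 3) << 45)
         | ((uint64_t)1 << 47) | ((uint64_t)(off >> 16) << 48);
}

/* Helper (assumed for the example): present code segment with given DPL, base/limit 0. */
uint64_t make_codeseg(unsigned dpl)
{
    return ((uint64_t)0xA << 40) | ((uint64_t)1 << 44)
         | ((uint64_t)(dpl & 3) << 45) | ((uint64_t)1 << 47);
}

/* Validate 'gate' against the process LDT it will be installed into. */
int validate_callgate(uint64_t gate, const uint64_t *ldt, size_t nldt)
{
    uint16_t sel = (uint16_t)(gate >> 16);     /* target code segment selector */
    uint64_t target;
    if (DESC_S(gate) != 0 || DESC_TYPE(gate) != CALLGATE32)
        return GATE_BAD_TYPE;
    if (!SEL_TI(sel))                          /* GDT entries include kernel code */
        return GATE_NOT_LDT;
    if (SEL_INDEX(sel) >= nldt)
        return GATE_OUT_OF_RANGE;
    target = ldt[SEL_INDEX(sel)];
    if (!DESC_P(target) || DESC_S(target) != 1 || !(DESC_TYPE(target) & 0x8))
        return GATE_TARGET_NOT_CODE;           /* absent, system, or data segment */
    if (DESC_DPL(target) != 3)                 /* target must stay at user privilege */
        return GATE_TARGET_NOT_USER;
    return GATE_OK;
}
```

The same checks must also run on every later modification of the LDT, since a gate validated at install time would otherwise end up pointing at a slot the user can rewrite afterwards.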
Affected Products:
- NetBSD NetBSD 1.4.0 x86
- NetBSD NetBSD 1.4.1 x86
- NetBSD NetBSD 1.4.2 x86
- OpenBSD OpenBSD 2.4.0
- OpenBSD OpenBSD 2.5.0
- OpenBSD OpenBSD 2.6.0
- OpenBSD OpenBSD 2.7.0
- OpenBSD OpenBSD 2.8.0
- Sun Solaris 2.6_x86
- Sun Solaris 7.0_x86
- Sun Solaris 8_x86
- Sun Trusted Solaris 7.0.0 x86
- Sun Trusted Solaris 8.0.0 x86
References:
- NetBSD: NetBSD Security Page
- OpenBSD: OpenBSD Security Information
- Sun Microsystems: Security Patch Downloads
- Sun Microsystems: Sunsolve Online(tm)
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.