Vulnerabilities > CVE-2016-9033 - Classic Buffer Overflow vulnerability in Joyent Smartos 20161110T013148Z
Attack vector
LOCAL Attack complexity
HIGH Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An exploitable buffer overflow exists in the Joyent SmartOS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS_ADD_ENTRIES when dealing with native file systems. An attacker can craft an input that can cause a buffer overflow in the path variable leading to an out of bounds memory access and could result in potential privilege escalation. This vulnerability is distinct from CVE-2016-9035.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Seebug
bulletinFamily exploit description ### Summary An exploitable buffer overflow exists in the the Joyent SmartOS OS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFSADDENTRIES when dealing with native file systems. An attacker can craft an input that can cause a buffer overflow in the path variable leading to an out of bounds memory access and could result in potential privilege escalation. This vulnerability is distinct from CVE-2016-9035. ### Tested Versions Joyent SmartOS 20161110T013148Z ### Product URLs https://www.joyent.com/smartos ### CVSSv3 Score 7.0 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-121: Stack-based Buffer Overflow ### Details Joyent SmartOS is an operating system deployed by Joyent to be used as a hypervisor like solution meaning virtual machines will run on top of the system itself. SmartOS is unique in the fact that it is based on a fork of Opensolaris. This leaves many vulnerabilities in the kernel due to the fact that it is not as actively developed as other operating systems. Hyprlofs is a file system specifically designed for SmartOS which allows the creation of new virtual file systems quickly and easily. This was developed and designed to help make their product, Manta, possible. Most of the controls for Hyprlofs go through the Ioctl calls. An Ioctl is a control function that operates on various streams in this case a file descriptor to the file system. Looking further into that code we can spot the vulnerability. The beginning of the function is shown below. ``` illumos-joyent-master/usr/src/uts/common/fs/hyprlofs/hyprlofs_vnops.c 134 static int hyprlofs_ioctl(vnode_t *vp, int cmd, intptr_t data, int flag, cred_t *cr, int *rvalp, caller_context_t *ct) { int len, cnt, error; char path[MAXPATHLEN]; char nm[MAXPATHLEN]; [1] ... if (secpolicy_hyprlofs_control(cr) != 0) return (EPERM); if (cmd == HYPRLOFS_ADD_ENTRIES || cmd == HYPRLOFS_RM_ENTRIES) { [2] if (model == DATAMODEL_NATIVE) { ... } e = kmem_alloc(len, KM_SLEEP); if (copyin((void *)(ebuf.hle_entries), e, len)) { [3] kmem_free(e, len); return (EFAULT); } for (i = 0; i < cnt; i++) { ... if (cmd == HYPRLOFS_ADD_ENTRIES) { if (e[i].hle_plen == 0 || e[i].hle_plen > MAXPATHLEN) [4] return (EINVAL); 190 if (copyin(e[i].hle_path, path, e[i].hle_plen) != 0) { kmem_free(e, len); return (EFAULT); } 195 path[e[i].hle_plen] = '\0'; [5] ``` The code at [1] shows the declaration of the vulnerable stack buffer of size MAXPATHLEN, 1024. We see at [2] that if our command is HYPRLOFSADDENTRIES we continue into the vulnerable code path. Our data is first copied in at [3], and is then used for some set up. Later we see the user supplied name length is validated to ensure it is not too large for the buffer at [4]. The vulnerability is present because the check says greater than MAXPATHLEN instead of greater than or equal, resulting in a length that is one too large to be allowed. This results in a null byte out of bounds write at [5]. This vulnerability may be leveraged by an attacker to potentially increase privileges or as a denial of service. ### Timeline * 2016-12-01 - Vendor Disclosure * 2016-12-12 - Public Release id SSV:96636 last seen 2017-11-19 modified 2017-10-10 published 2017-10-10 reporter Root title Joyent SmartOS Hyprlofs FS IOCTL Native File System path Buffer Overflow Privilege Escalation Vulnerability(CVE-2016-9033) bulletinFamily exploit description ### Summary An exploitable buffer overflow exists in the the Joyent SmartOS OS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFSADDENTRIES when dealing with native file systems. An attacker can craft an input that can cause a buffer overflow in the path variable leading to an out of bounds memory access and could result in potential privilege escalation. This vulnerability is distinct from CVE-2016-9033. ### Tested Versions Joyent SmartOS 20161110T013148Z ### Product URLs https://www.joyent.com/smartos ### CVSSv3 Score 7.0 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-121: Stack-based Buffer Overflow ### Details Joyent SmartOS is an operating system deployed by Joyent to be used as a hypervisor like solution meaning virtual machines will run on top of the system itself. SmartOS is unique in the fact that it is based on a fork of Opensolaris. This leaves many vulnerabilities in the kernel due to the fact that it is not as actively developed as other operating systems. Hyprlofs is a file system specifically designed for SmartOS which allows the creation of new virtual file systems quickly and easily. This was developed and designed to help make their product, Manta, possible. Most of the controls for Hyprlofs go through the Ioctl calls. An Ioctl is a control function that operates on various streams in this case a file descriptor to the file system. Looking further into that code we can spot the vulnerability. The beginning of the function is shown below. ``` illumos-joyent-master/usr/src/uts/common/fs/hyprlofs/hyprlofs_vnops.c static int 134 hyprlofs_ioctl(vnode_t *vp, int cmd, intptr_t data, int flag, cred_t *cr, int *rvalp, caller_context_t *ct) { int len, cnt, error; char path[MAXPATHLEN]; char nm[MAXPATHLEN]; [1] ... if (secpolicy_hyprlofs_control(cr) != 0) return (EPERM); if (cmd == HYPRLOFS_ADD_ENTRIES || cmd == HYPRLOFS_RM_ENTRIES) { [2] if (model == DATAMODEL_NATIVE) { ... } else { hyprlofs_entries32_t ebuf32; hyprlofs_entry32_t *e32; e32 = kmem_alloc(len, KM_SLEEP); [3] for (i = 0; i < cnt; i++) { ... if (cmd == HYPRLOFS_ADD_ENTRIES) { if (e32[i].hle_plen == 0 || e32[i].hle_plen > MAXPATHLEN) [4] return (EINVAL); 251 if (copyin((void *)(unsigned long) e32[i].hle_path, path, e32[i].hle_plen) != 0) { kmem_free(e32, len); return (EFAULT); } 257 path[e32[i].hle_plen] = '\0'; [5] ``` The code at [1] shows the declaration of the vulnerable stack buffer of size MAXPATHLEN, 1024. We see at [2] that if our command is HYPRLOFSADDENTRIES we continue into the vulnerable code path. Our data is first copied in at [3], and is then used for some set up. Later we see the user supplied name length is validated to ensure it is not too large for the buffer at [4]. The vulnerability is present because the check says greater than MAXPATHLEN instead of greater than or equal, resulting in a length that is one too large to be allowed. This results in a null byte out of bounds write at [5]. This vulnerability may be leveraged by an attacker to potentially increase privileges or as a denial of service. ### Timeline * 2016-12-01 - Vendor Disclosure * 2016-12-12 - Public Release id SSV:96639 last seen 2017-11-19 modified 2017-10-10 published 2017-10-10 reporter Root title Joyent SmartOS Hyprlofs FS IOCTL 32-bit File System path Buffer Overflow Privilege Escalation Vulnerability(CVE-2016-9035)
Talos
id TALOS-2016-0253 last seen 2019-05-29 published 2016-12-12 reporter Talos Intelligence source http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0253 title Joyent SmartOS Hyprlofs FS IOCTL 32-bit File System path Buffer Overflow Privilege Escalation Vulnerability id TALOS-2016-0251 last seen 2019-05-29 published 2016-12-12 reporter Talos Intelligence source http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0251 title Joyent SmartOS Hyprlofs FS IOCTL Native File System path Buffer Overflow Privilege Escalation Vulnerability