Since I moved from Solaris 11 to audit Solaris 10, my weekend project has become much more fun… As you already know if you are a reader of this blog, at the beginning of November I started auditing the Common Desktop Environment. The results speak for themselves:

Another good catch on a Sunday morning! A pattern is starting to emerge… After finding this nice memory corruption, it took me about one hour to build a reliable exploit:

Aaaaand… we have the exploit ladies and gentlemen 👏 pic.twitter.com/rd0h1U7Ldl — raptor (@0xdea) November 17, 2019

A buffer overflow in the _SanityCheck() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier allows local users to gain root privileges via a long calendar name or calendar owner passed to sdtcm_convert in a malicious calendar file.

The open source version of CDE (based on the CDE 2.x codebase) is not affected, because it does not ship the vulnerable binary.

The following screenshot shows an example attack session:

Once again, I developed an exploit only for Oracle Solaris 10 1/13 (Update 11) Intel. If anybody is kind enough to give me access to a SPARC box able to run Solaris 10, I’d be happy to port my exploit to Solaris/SPARC as well.

Oracle has assigned the tracking# S1239395 and has released a fix for all affected and supported versions of Solaris in their Critical Patch Update (CPU) of April 2020. Following Oracle’s patch, an advisory and a Proof of Concept exploit have been published and are now available for download.

Yeah, we’re definitely not going to rewrite CDE now. I’m definitely glad you’re finding the bugs & telling us, instead of someone else finding them & attacking folks. (The desktop is not covered by Solaris 10 Extended Support, but externally found security bugs are an exception.) — Alan Coopersmith (@alanc) November 15, 2019

As usual, I would like to thank Alan Coopersmith and the Oracle Security team for handling my vulnerability report.