CVE-2019-3010 – Local privilege escalation on Solaris 11.x via xscreensaver

As previously mentioned, INFILTRATE left me with the will to hack stuff and enjoy it like it was 1999. That’s why I decided to take a closer look at Solaris 11.4 and search for potential vulnerabilities. So one Sunday morning I started researching setuid root binaries in the default configuration and this happened…

Exploitation of a design error in xscreensaver, as distributed with Solaris 11.x, allows local attackers to create (or append to) arbitrary files on the system by abusing the -log command-line switch introduced in version 5.06. The root cause is ordering: the setuid-root binary opens the user-supplied log file before it resets its uid. This flaw can be leveraged to cause a denial of service condition or to escalate privileges to root, as shown in the following screenshot.

[Screenshot: example attack session]

This vulnerability was confirmed on Oracle Solaris 11.4 and 11.3 (X86 and SPARC). Previous Oracle Solaris 11 versions are also likely vulnerable.

Based on my analysis and on feedback kindly provided by Alan Coopersmith of Oracle, we concluded that this is a Solaris-specific vulnerability, caused by the fact that Oracle maintains a slightly different codebase from the upstream one. Alan explained this as follows:

“The problem in question here appears to be inherited from the long-ago fork Sun & Ximian did to add a gtk-based unlock dialog with accessibility support to replace the non-accessible Xlib unlock dialog that upstream provides, which moves the uid reset to after where the log file opening was later added.”

Specifically, the problem arises because of this bit of the Solaris patches. As an interesting side note, it appears Red Hat dropped this code back in 2002.

Oracle has assigned the tracking number S1182608 and has released a fix for all affected and supported versions of Solaris in their Critical Patch Update (CPU) of October 2019. Following Oracle’s patch, an advisory and a Proof of Concept exploit have been published and are now available for download.

I would like to thank Alan Coopersmith and Ritwik Ghoshal of the Oracle Security team for their handling of my vulnerability report.