CVE-2020-2696 – Local privilege escalation via CDE dtsession

During my recent audit of Oracle Solaris, undertaken as a weekend project, I inevitably had to review the Common Desktop Environment shipped with Solaris 10. CDE has a huge attack surface of legacy code. Not too surprisingly, I found my first exploitable bug pretty quickly. It’s a cute straight-out-of-the-manual memory corruption:

Why do my best catches always happen on Sunday mornings? But I digress… A couple of hours later I had a reliable exploit:

A buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file.

Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is different from the CDE 2.x codebase that was later open sourced. Most notably, the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the open source version it is heap-based.

The following screenshot shows an example attack session:

Although all platforms shipping the Common Desktop Environment are potentially affected (and according to the CDE Wiki there is a huge list of supported platforms), I developed an exploit only for Oracle Solaris 10 1/13 (Update 11) Intel. If anybody is kind enough to give me access to a SPARC box able to run Solaris 10, I’d be happy to port my exploit to Solaris/SPARC as well.

The maintainers of the open source CDE 2.x version have issued the following patches for this vulnerability:

Oracle has assigned the tracking# S1231688 and has released a fix for all affected and supported versions of Solaris in their Critical Patch Update (CPU) of January 2020. Following Oracle’s patch, an advisory and a Proof of Concept exploit have been published and are now available for download.

One final recommendation. During my audit, many other potentially exploitable bugs have surfaced in dtsession and in the Common Desktop Environment in general. Therefore, regardless of patches released by vendors, you should really consider removing the setuid bit from all CDE binaries.

I would like to thank Alan Coopersmith, the Oracle Security team and Jon Trulson (maintainer of the open source CDE project) for handling my vulnerability report.