About IOCTL handlers (Buffer Copy without Checking Size of Input (Classic Buffer Overflow)) – 7th Dec 2021

Preface: If the IOCTL argument is an integer, the handler can just use it directly. If it is a pointer, the handler must first check that it refers to a valid user address before dereferencing it:
int access_ok(int type, const void *addr, unsigned long size);

Background: IOCTL stands for Input and Output Control and is used to talk to device drivers. IOCTL is a system call, and a system call is the programmatic way in which a program running in user space requests a service from the kernel space of the operating system.

According to the Oracle Solaris 11 Information Library article on so-called Well Known ioctl Interfaces, many ioctl(9E) operations are common to a class of device drivers. For example, most disk drivers implement many of the dkio(7I) family of ioctls. Many of these interfaces copy data structures into or out of the kernel, and some of these data structures have changed size in the LP64 data model.

Perhaps this vulnerability is not related to Oracle Solaris 11, since that platform is outdated and end-of-life.

Vulnerability details: SentinelLabs has discovered a number of high-severity flaws in driver software affecting numerous cloud services. These vulnerabilities originate from a library developed and provided by Eltima, which is used by several cloud providers, so they affect multiple products. The attacker targets code that handles a user buffer of type METHOD_NEITHER (Type3InputBuffer): with this transfer type the driver receives the raw user-mode pointer and the user-supplied length, and if the IOCTL handler does not validate them, the vulnerability in IOCTL handler 0x22001B is triggered. If you are interested, please refer to the link – https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/
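To show what "validating" a METHOD_NEITHER buffer means, here is an added user-mode model of such a handler (example code written for this post, not code from Eltima, SentinelLabs or the page): the kernel structures, the probe routine, the 32-byte driver buffer and the 64-byte "user" page are simplified stand-ins, and only the number 0x22001B comes from the page, not its meaning.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IOCTL_CODE_FROM_PAGE 0x22001Bu  /* number from the page; its meaning is assumed */
#define DRIVER_BUF_SIZE      32u        /* constructed size of the driver's fixed buffer */
/* NTSTATUS values used by real Windows drivers. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_ACCESS_VIOLATION       0xC0000005u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_INVALID_BUFFER_SIZE    0xC0000206u

/* Model of IO_STACK_LOCATION.Parameters.DeviceIoControl for METHOD_NEITHER: the
 * I/O manager hands the driver the raw user pointer and the user-chosen length. */
typedef struct {
    uint32_t    IoControlCode;
    uint32_t    InputBufferLength;
    const void *Type3InputBuffer;   /* untrusted user-mode address */
} DeviceIoControlParams;

/* Stand-in for ProbeForRead: accepts only addresses inside a simulated user range.
 * A real driver also wraps probe and copy in __try/__except, since the user can
 * unmap the pages between the probe and the copy. */
static const uint8_t *g_user_lo, *g_user_hi;
static int probe_for_read(const void *p, size_t len) {
    const uint8_t *a = (const uint8_t *)p;
    return a >= g_user_lo && a <= g_user_hi && len <= (size_t)(g_user_hi - a);
}

/* The vulnerable shape the page describes: caller-controlled length and address,
 * neither checked before the copy into a fixed buffer (not exercised below). */
uint32_t handle_ioctl_vulnerable(const DeviceIoControlParams *p) {
    uint8_t local[DRIVER_BUF_SIZE];
    memcpy(local, p->Type3InputBuffer, p->InputBufferLength);   /* stack overflow */
    return STATUS_SUCCESS;
}

/* Hardened handler: known code, length bounded by the destination, address probed. */
uint32_t handle_ioctl_hardened(const DeviceIoControlParams *p) {
    uint8_t local[DRIVER_BUF_SIZE];
    if (p->IoControlCode != IOCTL_CODE_FROM_PAGE) return STATUS_INVALID_DEVICE_REQUEST;
    if (p->InputBufferLength > DRIVER_BUF_SIZE)   return STATUS_INVALID_BUFFER_SIZE;
    if (!probe_for_read(p->Type3InputBuffer, p->InputBufferLength)) return STATUS_ACCESS_VIOLATION;
    memcpy(local, p->Type3InputBuffer, p->InputBufferLength);
    return STATUS_SUCCESS;
}

/* Constructed 64-byte "user" page and a dispatcher standing in for the I/O manager. */
static uint8_t g_user_page[64];
uint32_t dispatch(uint32_t code, size_t offset, uint32_t len) {
    DeviceIoControlParams p = { code, len, g_user_page + offset };
    g_user_lo = g_user_page; g_user_hi = g_user_page + sizeof g_user_page;
    return handle_ioctl_hardened(&p);
}
```

Each rejected request maps to a distinct status, so a driver test can tell a length-check failure apart from a probe failure; the vulnerable handler is kept only for comparison and is never called with oversized input.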
