CVE-2004-2686 Detail

CVE-2004-2686

CVE Descriptions

Directory traversal vulnerability in the vfs_getvfssw function in Solaris 2.6, 7, 8, and 9 allows local users to load arbitrary kernel modules via crafted (1) mount or (2) sysfs system calls. NOTE: this might be the same issue as CVE-2004-1767, but there are insufficient details to be sure.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	7.2		AV:L/AC:L/Au:N/C:C/I:C/A:C	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 23874

Publication date : 2004-03-22 23h00 +00:00
Author : Sinan Eren
EDB Verified : Yes

source: https://www.securityfocus.com/bid/9962/info It has been reported that Sun Solaris may be prone to a local privilege escalation vulnerability that may allow an attacker to gain root access to a vulnerable system. The issue exists due to insufficient sanitization of user-supplied data via the vfs_getvfssw() function in the Solaris kernel. An attacker can load a user-specified kernel module by using directory traversal sequences and employing the mount() or sysfs() system calls. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23874.tar

Products Mentioned

Configuraton 0

Sun>>Solaris >> Version 2.6

Sun>>Solaris >> Version 2.6 (Open CPE detail)
Sun>>Solaris >> Version 2.6 (Open CPE detail)
Sun>>Solaris >> Version 2.6 (Open CPE detail)
Sun>>Solaris >> Version 2.6 (Open CPE detail)
Sun>>Solaris >> Version 2.6 (Open CPE detail)

Sun>>Solaris >> Version 7.0

Sun>>Solaris >> Version 8.0

Sun>>Solaris >> Version 9.0

Sun>>Sunos >> Version -

Sun>>Sunos >> Version - (Open CPE detail)

Sun>>Sunos >> Version 5.7

Sun>>Sunos >> Version 5.7 (Open CPE detail)

Sun>>Sunos >> Version 5.8

Sun>>Sunos >> Version 5.8 (Open CPE detail)

Sun>>Sunos >> Version 5.9

Sun>>Sunos >> Version 5.9 (Open CPE detail)

References

http://www.securityfocus.com/bid/9962
Tags : vdb-entry, x_refsource_BID

http://seclists.org/bugtraq/2004/Apr/0081.html
Tags : mailing-list, x_refsource_BUGTRAQ

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-04/0297.html
Tags : mailing-list, x_refsource_FULLDISC

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1381
Tags : vdb-entry, signature, x_refsource_OVAL

http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
Tags : x_refsource_MISC

http://securitytracker.com/id?1008833
Tags : vdb-entry, x_refsource_SECTRACK

CVE-2004-2686 : Detail