Recent Vulnerabilities Research Posts Trends Blog About Contact
Related Vulnerabilities: CVE-2019-2832
Source
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="18"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#19">By Date</a>
<a href="20"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="18"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#19">By Thread</a>
<a href="20"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Re: local privilege escalation via CDE dtprintinfo</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Marco Ivaldi &lt;marco.ivaldi () mediaservice net&gt;


<em>Date</em>: Wed, 17 Jul 2019 06:29:42 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Hi,

Just a quick follow-up to my original advisory. The CVE name CVE-2019-2832 has been assigned to the vulnerability and 
Oracle has released a patch in its July 2019 CPU. Further information is available at:

<a rel="nofollow" href="https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixSUNS">https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixSUNS</a> 
<a rel="nofollow" href="https://support.oracle.com/epmos/faces/DocContentDisplay?id=2560938.1">https://support.oracle.com/epmos/faces/DocContentDisplay?id=2560938.1</a> 

Once again, I would like to thank Jon Trulson (maintainer of the open source CDE project), Alan Coopersmith, and Ritwik 
Ghoshal (Oracle Security team) for their smooth and professional handling of my vulnerability report, especially given 
the unusual circumstances.

-- 
Marco Ivaldi, SAT Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
<a rel="nofollow" href="https://www.mediaservice.net/">https://www.mediaservice.net/</a>

On 17/05/2019, 16:13, "Marco Ivaldi" &lt;marco.ivaldi () mediaservice net&gt; wrote:

    Dear Full Disclosure,
    
    Please find attached an advisory for the following vulnerability:
    
    A buffer overflow in the DtPrinterAction::PrintActionExists() function in the
    Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13
    (Update 11) and earlier, allows local users to gain root privileges via a long
    printer name passed to dtprintinfo by a malicious lpstat program.
    
    Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is
    different from the CDE 2.x codebase that was later open sourced. Most notably,
    the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the
    open source version it is heap-based.
    
    This is a 0day vulnerability demonstrated at #INFILTRATE19 on May 2nd, 2019 in
    the talk "A bug's life: story of a Solaris 0day".
    
    For further information, refer to the following links:
    <a rel="nofollow" href="https://vimeo.com/335197685">https://vimeo.com/335197685</a>
    <a rel="nofollow" href="https://github.com/0xdea/raptor_infiltrate19">https://github.com/0xdea/raptor_infiltrate19</a> 
    
    Regards,
    
    -- 
    Marco Ivaldi, SAT Manager
    CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
    @Mediaservice.net S.r.l. con Socio Unico
    <a rel="nofollow" href="https://www.mediaservice.net/">https://www.mediaservice.net/</a>
    


_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="18"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#19">By Date</a>
<a href="20"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="18"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#19">By Thread</a>
<a href="20"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Re: local privilege escalation via CDE dtprintinfo</strong> <em>Marco Ivaldi (Jul 18)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>
Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.
Home Recent Vulnerabilities Research Posts Trends Blog About Contact
Vulmon Search Vulmon Research Vulmon Alerts Vulmap
Twitter Reddit Linkedin Facebook
Re: local privilege escalation via CDE dtprintinfo

Vulmon Search

About

Products

Connect
