ID CVE-2006-6495
Summary Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via large precision padding values in a format string specifier in the format parameter of the doprf function. NOTE: this issue normally does not cross privilege boundaries, except in cases of external introduction of malicious message files, or if it is leveraged with other vulnerabilities such as CVE-2006-6494.
References
Vulnerable Configurations
  • cpe:2.3:o:sun:solaris:9.0:-:sparc
    cpe:2.3:o:sun:solaris:9.0:-:sparc
  • cpe:2.3:o:sun:solaris:10.0:-:sparc
    cpe:2.3:o:sun:solaris:10.0:-:sparc
  • Sun SunOS (Solaris 8) 5.8
    cpe:2.3:o:sun:sunos:5.8
CVSS
Base: 6.6 (as of 13-12-2006 - 14:08)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL MEDIUM SINGLE_INSTANCE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
oval via4
accepted 2007-09-27T08:57:42.313-04:00
class vulnerability
contributors
name Pai Peng
organization Opsware, Inc.
definition_extensions
  • comment Solaris 8 (SPARC) is installed
    oval oval:org.mitre.oval:def:1539
  • comment Solaris 9 (SPARC) is installed
    oval oval:org.mitre.oval:def:1457
  • comment Solaris 10 (SPARC) is installed
    oval oval:org.mitre.oval:def:1440
  • comment Solaris 8 (x86) is installed
    oval oval:org.mitre.oval:def:2059
  • comment Solaris 9 (x86) is installed
    oval oval:org.mitre.oval:def:1683
  • comment Solaris 10 (x86) is installed
    oval oval:org.mitre.oval:def:1926
description Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via large precision padding values in a format string specifier in the format parameter of the doprf function. NOTE: this issue normally does not cross privilege boundaries, except in cases of external introduction of malicious message files, or if it is leveraged with other vulnerabilities such as CVE-2006-6494.
family unix
id oval:org.mitre.oval:def:1909
status accepted
submitted 2007-08-10T12:25:21.000-04:00
title Security Vulnerabilities in Solaris ld.so.1(1) may Lead to Execution of Arbitrary Code with Elevated Privileges
version 31
refmap via4
bid 21564
confirm http://support.avaya.com/elmodocs2/security/ASA-2007-019.htm
idefense 20061212 Sun Microsystems Solaris ld.so 'doprf()' Buffer Overflow Vulnerability
sectrack 1017376
secunia
  • 23317
  • 23991
sunalert 102724
vupen ADV-2006-4979
xf solaris-ld-doprf-bo(30848)
Last major update 07-03-2011 - 21:46
Published 12-12-2006 - 20:28
Last modified 30-10-2018 - 12:25
Back to Top