{"id":700,"date":"2023-01-18T08:53:07","date_gmt":"2023-01-18T07:53:07","guid":{"rendered":"https:\/\/security.humanativaspa.it\/?p=700"},"modified":"2025-10-21T09:23:54","modified_gmt":"2025-10-21T09:23:54","slug":"nothing-new-under-the-sun","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/","title":{"rendered":"Nothing new under the Sun &#8211; Discovering and exploiting a CDE bug chain"},"content":{"rendered":"<blockquote><p><em>&#8220;What has been will be again,<\/em><br \/>\n<em>what has been done will be done again;<\/em><br \/>\n<em>there is nothing new under the Sun.&#8221;<\/em><br \/>\n<em>&#8212; Ecclesiastes 1:9<\/em><\/p><\/blockquote>\n<h3>TL;DR<\/h3>\n<p>We have identified multiple security vulnerabilities that are exploitable via the the setuid-root <strong>dtprintinfo<\/strong> binary from the Common Desktop Environment (CDE) distributed with <strong>Oracle Solaris 10<\/strong>:<\/p>\n<ul>\n<li>A bug in the parser of the lpstat external command invoked by dtprintinfo to list the names of available printers allows low-privileged local users to <strong>inject arbitrary printer names<\/strong>.<\/li>\n<li>This printer name injection allows low-privileged local users to manipulate the control flow of the target program and <strong>disclose memory contents<\/strong>.<\/li>\n<li>The ability to inject arbitrary printer names opens other attack vectors: as an example, we discovered <strong>multiple icon parsing bugs <\/strong>in the Motif library libXm that cause memory corruption.<\/li>\n<\/ul>\n<p>We demonstrated the possibility to chain together the printer name injection bug and a stack-based buffer overflow in libXm to achieve <strong>local privilege escalation to root on a fully-patched Solaris 10 system<\/strong>.<\/p>\n<p>Our detailed <strong>advisory<\/strong> is available here: <a href=\"https:\/\/github.com\/hnsecurity\/vulns\/blob\/main\/HNS-2022-01-dtprintinfo.txt\">https:\/\/github.com\/hnsecurity\/vulns\/blob\/main\/HNS-2022-01-dtprintinfo.txt<\/a><\/p>\n<p>Our proof-of-concept <strong>exploit<\/strong> is here: <a href=\"https:\/\/github.com\/0xdea\/exploits\/blob\/master\/solaris\/raptor_dtprintlibXmas.c\">https:\/\/github.com\/0xdea\/exploits\/blob\/master\/solaris\/raptor_dtprintlibXmas.c<\/a><\/p>\n<h3>Discovery<\/h3>\n<p>Following our last CDE <a href=\"https:\/\/github.com\/0xdea\/raptor_infiltrate20\">vulnerability disclosures<\/a>, Oracle kindly shared with us a copy of their then current <strong>Solaris 10 security patch set<\/strong> (CPU January 2021), so that we could install it in our lab and verify the fixes for the bugs we had reported.<\/p>\n<p>In addition to verifying these fixes, we decided to take a closer look at the <strong>dtprintinfo<\/strong> program distributed with CDE, because of its complexity and its impressive <a href=\"https:\/\/www.exploit-db.com\/search?q=dtprintinfo\">historical record<\/a> of high-impact vulnerabilities.<\/p>\n<p>After fruitlessly spending a few days reversing and auditing the patched version of dtprintinfo, we came up with the idea of using the <strong>poor man&#8217;s fuzzer<\/strong> below to quickly check for the presence of flaws in the parsing of the $HOME\/.printers file:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"minimal\" data-enlighter-linenumbers=\"false\">$ cat \/dev\/urandom &gt; ~\/.printers\r\n^C<\/pre>\n<p>Indeed, this led to immediate results. It turns out that it is possible to <strong>inject fake printers<\/strong> to be displayed by dtprintinfo. In addition, by manipulating the injected printer names, we were able to trigger an out-of-bound read and <strong>disclose partial heap memory contents<\/strong> of our target setuid-root binary. Check out the <a href=\"https:\/\/github.com\/hnsecurity\/vulns\/blob\/main\/HNS-2022-01-dtprintinfo.txt\">advisory<\/a> for a detailed analysis of these two bugs.<\/p>\n<p>Being able to inject arbitrary printer names is significant also because it opens other attack vectors that otherwise would not be available on systems without configured printers. One such vector we thought that was worth exploring is the <strong>parsing of printer icons<\/strong> in the <a href=\"https:\/\/www.xfree86.org\/current\/xpm.pdf\">XPM format<\/a>. A low-privileged local user can supply his or her own icons for dtprintinfo to show by placing them in the $HOME\/.dt\/icons directory and selecting them in the X11 GUI. A bug in the XPM parser could easily lead to memory corruption and privilege escalation. To prove our point, we built a rudimentary <strong>mutation fuzzer<\/strong> written in Python and we unearthed a few icon parsing bugs in the <strong>libXm library<\/strong> used by CDE, originally part of the <a href=\"http:\/\/www.opengroup.org\/desktop\/motif.html\">Motif toolkit<\/a>. Check out the <a href=\"https:\/\/github.com\/hnsecurity\/vulns\/blob\/main\/HNS-2022-01-dtprintinfo.txt\">advisory<\/a> for additional details.<\/p>\n<p>After our brief but intense artisanal fuzzing experience, it was time to go back to<strong> static analysis<\/strong> for a short while, specifically targeting the apparently weak libXm library parser. We fired up our <a href=\"https:\/\/github.com\/0xdea\/ghidra-scripts\/blob\/main\/Rhabdomancer.java\">Rhabdomancer<\/a> Ghidra script to quickly find locations in the library where dangerous API functions are called, using them as starting points for our binary audit. Among some interesting candidate points, the following one stood up, in the familiar <strong>ParseColors()<\/strong> function that we had already encountered while analyzing the crashes produced by our XPM fuzzer:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"minimal\">int ParseColors(int *data, uint ncolors, uint cpp, undefined4\r\n        *colorTablePtr, undefined4 hashtable)\r\n{\r\n    ...\r\n    char local_83c[1024];\r\n    char local_43c[1024];\r\n    ...\r\n    local_c = _XmxpmNextWord(local_34, local_83c, 0x400);\r\n    ...\r\n    local_83c[local_c] = '\\0';\r\n    strcat(local_43c, local_83c); \/* VULN *\/\r\n}<\/pre>\n<p>A perfect specimen of <strong>stack-based buffer overflow<\/strong>, caused by the reckless use of the insecure API function strcat(). This vulnerability can be triggered via a specially crafted XPM icon with long color strings.<\/p>\n<h3>Exploitation<\/h3>\n<p>We have created a <strong>proof-of-concept exploit<\/strong> that chains together the printer name injection bug and the stack-based buffer overflow we have identified in libXm. It allows a low-privileged local user to escalate his or her privileges to those of the root user on Intel-based Solaris 10 systems with the latest patches installed (tested on CPU January 2021).<\/p>\n<p>The <a href=\"https:\/\/github.com\/0xdea\/exploits\/blob\/master\/solaris\/raptor_dtprintlibXmas.c\">exploit code<\/a> is extensively commented and should be self-explanatory. Here it is in action.<\/p>\n<p><a href=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2022\/01\/dtprintlibXmas-1.gif\"><img decoding=\"async\" class=\"alignnone wp-image-739 size-full\" src=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2022\/01\/dtprintlibXmas-1.gif\" alt=\"\" width=\"2089\" height=\"1304\" \/><\/a><\/p>\n<h3>Disclosure and Fix<\/h3>\n<p>The disclosure timeline spans exactly one year:<\/p>\n<ul>\n<li><strong>2022-01-18<\/strong>: Oracle was notified via &lt;secalert_us@oracle.com&gt;.<\/li>\n<li><strong>2022-01-19<\/strong>: Oracle acknowledged our vulnerability reports.<\/li>\n<li><strong>2022-04-20<\/strong>: Asked Oracle to provide an update on the patch release date.<\/li>\n<li><strong>2022-04-21<\/strong>: Oracle replied they could not comment on the patch release date.<\/li>\n<li><strong>2022-09-03<\/strong>: Asked Oracle for an update and informed them of our plan to publish a detailed advisory and a blog post before the end of 2022.<\/li>\n<li><strong>2022-09-12<\/strong>: Oracle replied they are working on the bugs and will be able to give an update closer to the next CPU, scheduled for October.<\/li>\n<li><strong>2022-10-18<\/strong>: Oracle informed us that the vulnerabilities will be fixed in their CPU of January 2023.<\/li>\n<li><strong>2022-12-20<\/strong>: With a surprise move, Oracle informed us that Solaris 10 desktop components have reached EOL and are no longer supported. Therefore, Oracle will not be releasing patches for bugs affecting Solaris 10. They will work with X.Org to get a fix and an advisory released upstream for the first crash we identified in libXm, which also affects X.Org libXpm. This denial of service bug will be fixed in Solaris 11.4. As a final note, it appears that the buffer overflows we discovered in ParsePixels() and ParseColors() were already <a href=\"https:\/\/security.appspot.com\/security\/CESA-2004-003.txt\">reported<\/a> by Chris Evans in 2004 and tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2004-0687\">CVE-2004-0687<\/a>. Due to an incomplete fix, they were not patched in Solaris 10 and have survived in the code for 19 years! Since no patches for Solaris 10 will be released, these issues have officially become <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2012\/04\/forever-day_bug.html\">#ForeverDay<\/a> bugs.<\/li>\n<li><strong>2023-01-17<\/strong>: X.Org released libXpm 3.5.15, which fixes <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-46285\">CVE-2022-46285<\/a> (infinite loop on unclosed comments in X.Org libXpm). Oracle published their CPU January 2023, which unfortunately does not include fixes for our bugs that affect Solaris 10.<\/li>\n<li><strong>2023-01-18<\/strong>: Oracle informed us that Solaris 10 desktop components have reached EOL at the end of 2019. EOL is documented in <a href=\"https:\/\/support.oracle.com\/knowledge\/Sun%20Microsystems\/1400676_1.html\">support note 1400676.1<\/a>, behind the paywall for Oracle&#8217;s customers with current support contracts. <a href=\"https:\/\/hnsecurity.it\/\">HN Security<\/a> published this <a href=\"https:\/\/github.com\/hnsecurity\/vulns\/blob\/main\/HNS-2022-01-dtprintinfo.txt\">advisory<\/a> and a local privilege escalation <a href=\"https:\/\/github.com\/0xdea\/exploits\/blob\/master\/solaris\/raptor_dtprintlibXmas.c\">exploit<\/a>.<\/li>\n<li><strong>2023-01-20<\/strong>: Mitre has assigned <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-24039\">CVE-2023-24039<\/a> to the buffer overflow in libXm and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-24040\">CVE-2023-24040<\/a> to the printer name injection and heap memory disclosure bugs.<\/li>\n<\/ul>\n<p>See the <a href=\"https:\/\/github.com\/hnsecurity\/vulns\/blob\/main\/HNS-2022-01-dtprintinfo.txt\">advisory<\/a> for remediation advice, including a partial workaround.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;What has been will be again, what has been done will be done again; there is nothing new under the [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":159939,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[563,565],"tags":[74,552,75,77,80,137,138,139,140],"class_list":["post-700","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exploits","category-vulnerabilities","tag-0day","tag-network","tag-advisory","tag-exploit","tag-solaris","tag-cve-2022-46285","tag-cve-2023-24039","tag-cve-2023-24040","tag-foreverday"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HN Security - Nothing new under the Sun - Discovering and exploiting a CDE bug chain -<\/title>\n<meta name=\"description\" content=\"Coordinated disclosure writeup about Solaris, CDE, and X.Org vulnerabilities (CVE-2022-46285, CVE-2023-24039, CVE-2023-24040).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/\" \/>\n<meta property=\"og:locale\" content=\"it_IT\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HN Security - Nothing new under the Sun - Discovering and exploiting a CDE bug chain -\" \/>\n<meta property=\"og:description\" content=\"Coordinated disclosure writeup about Solaris, CDE, and X.Org vulnerabilities (CVE-2022-46285, CVE-2023-24039, CVE-2023-24040).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/\" \/>\n<meta property=\"og:site_name\" content=\"HN Security\" \/>\n<meta property=\"article:published_time\" content=\"2023-01-18T07:53:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-21T09:23:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ORACLE.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"836\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Marco Ivaldi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@hnsec\" \/>\n<meta name=\"twitter:site\" content=\"@hnsec\" \/>\n<meta name=\"twitter:label1\" content=\"Scritto da\" \/>\n\t<meta name=\"twitter:data1\" content=\"Marco Ivaldi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tempo di lettura stimato\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minuti\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/\"},\"author\":{\"name\":\"Marco Ivaldi\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/person\\\/89a4174c275f05d6148fb0fdedc8de4f\"},\"headline\":\"Nothing new under the Sun &#8211; Discovering and exploiting a CDE bug chain\",\"datePublished\":\"2023-01-18T07:53:07+00:00\",\"dateModified\":\"2025-10-21T09:23:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/\"},\"wordCount\":1082,\"publisher\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/ORACLE.jpg\",\"keywords\":[\"0day\",\"network\",\"advisory\",\"exploit\",\"solaris\",\"cve-2022-46285\",\"cve-2023-24039\",\"cve-2023-24040\",\"foreverday\"],\"articleSection\":[\"Exploits\",\"Vulnerabilities\"],\"inLanguage\":\"it-IT\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/\",\"name\":\"HN Security - Nothing new under the Sun - Discovering and exploiting a CDE bug chain -\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/ORACLE.jpg\",\"datePublished\":\"2023-01-18T07:53:07+00:00\",\"dateModified\":\"2025-10-21T09:23:54+00:00\",\"description\":\"Coordinated disclosure writeup about Solaris, CDE, and X.Org vulnerabilities (CVE-2022-46285, CVE-2023-24039, CVE-2023-24040).\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/#breadcrumb\"},\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/#primaryimage\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/ORACLE.jpg\",\"contentUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/ORACLE.jpg\",\"width\":1600,\"height\":836,\"caption\":\"Oracle logo\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/nothing-new-under-the-sun\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Nothing new under the Sun &#8211; Discovering and exploiting a CDE bug chain\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#website\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\",\"name\":\"HN Security\",\"description\":\"Offensive Security Specialists\",\"publisher\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"it-IT\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#organization\",\"name\":\"HN Security\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/hn-libellula.jpg\",\"contentUrl\":\"https:\\\/\\\/hnsecurity.it\\\/wp-content\\\/uploads\\\/2026\\\/01\\\/hn-libellula.jpg\",\"width\":696,\"height\":696,\"caption\":\"HN Security\"},\"image\":{\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/hnsec\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/hnsecurity\\\/\",\"https:\\\/\\\/github.com\\\/hnsecurity\",\"https:\\\/\\\/infosec.exchange\\\/@hnsec\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/#\\\/schema\\\/person\\\/89a4174c275f05d6148fb0fdedc8de4f\",\"name\":\"Marco Ivaldi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g\",\"caption\":\"Marco Ivaldi\"},\"url\":\"https:\\\/\\\/hnsecurity.it\\\/it\\\/blog\\\/author\\\/marco-ivaldi\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HN Security - Nothing new under the Sun - Discovering and exploiting a CDE bug chain -","description":"Coordinated disclosure writeup about Solaris, CDE, and X.Org vulnerabilities (CVE-2022-46285, CVE-2023-24039, CVE-2023-24040).","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/","og_locale":"it_IT","og_type":"article","og_title":"HN Security - Nothing new under the Sun - Discovering and exploiting a CDE bug chain -","og_description":"Coordinated disclosure writeup about Solaris, CDE, and X.Org vulnerabilities (CVE-2022-46285, CVE-2023-24039, CVE-2023-24040).","og_url":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/","og_site_name":"HN Security","article_published_time":"2023-01-18T07:53:07+00:00","article_modified_time":"2025-10-21T09:23:54+00:00","og_image":[{"width":1600,"height":836,"url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ORACLE.jpg","type":"image\/jpeg"}],"author":"Marco Ivaldi","twitter_card":"summary_large_image","twitter_creator":"@hnsec","twitter_site":"@hnsec","twitter_misc":{"Scritto da":"Marco Ivaldi","Tempo di lettura stimato":"5 minuti"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/#article","isPartOf":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/"},"author":{"name":"Marco Ivaldi","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/89a4174c275f05d6148fb0fdedc8de4f"},"headline":"Nothing new under the Sun &#8211; Discovering and exploiting a CDE bug chain","datePublished":"2023-01-18T07:53:07+00:00","dateModified":"2025-10-21T09:23:54+00:00","mainEntityOfPage":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/"},"wordCount":1082,"publisher":{"@id":"https:\/\/hnsecurity.it\/it\/#organization"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/#primaryimage"},"thumbnailUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ORACLE.jpg","keywords":["0day","network","advisory","exploit","solaris","cve-2022-46285","cve-2023-24039","cve-2023-24040","foreverday"],"articleSection":["Exploits","Vulnerabilities"],"inLanguage":"it-IT"},{"@type":"WebPage","@id":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/","url":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/","name":"HN Security - Nothing new under the Sun - Discovering and exploiting a CDE bug chain -","isPartOf":{"@id":"https:\/\/hnsecurity.it\/it\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/#primaryimage"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/#primaryimage"},"thumbnailUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ORACLE.jpg","datePublished":"2023-01-18T07:53:07+00:00","dateModified":"2025-10-21T09:23:54+00:00","description":"Coordinated disclosure writeup about Solaris, CDE, and X.Org vulnerabilities (CVE-2022-46285, CVE-2023-24039, CVE-2023-24040).","breadcrumb":{"@id":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/#breadcrumb"},"inLanguage":"it-IT","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/"]}]},{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/#primaryimage","url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ORACLE.jpg","contentUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ORACLE.jpg","width":1600,"height":836,"caption":"Oracle logo"},{"@type":"BreadcrumbList","@id":"https:\/\/hnsecurity.it\/it\/blog\/nothing-new-under-the-sun\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hnsecurity.it\/it\/"},{"@type":"ListItem","position":2,"name":"Nothing new under the Sun &#8211; Discovering and exploiting a CDE bug chain"}]},{"@type":"WebSite","@id":"https:\/\/hnsecurity.it\/it\/#website","url":"https:\/\/hnsecurity.it\/it\/","name":"HN Security","description":"Offensive Security Specialists","publisher":{"@id":"https:\/\/hnsecurity.it\/it\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hnsecurity.it\/it\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Organization","@id":"https:\/\/hnsecurity.it\/it\/#organization","name":"HN Security","url":"https:\/\/hnsecurity.it\/it\/","logo":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/","url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg","contentUrl":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2026\/01\/hn-libellula.jpg","width":696,"height":696,"caption":"HN Security"},"image":{"@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/hnsec","https:\/\/www.linkedin.com\/company\/hnsecurity\/","https:\/\/github.com\/hnsecurity","https:\/\/infosec.exchange\/@hnsec"]},{"@type":"Person","@id":"https:\/\/hnsecurity.it\/it\/#\/schema\/person\/89a4174c275f05d6148fb0fdedc8de4f","name":"Marco Ivaldi","image":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/secure.gravatar.com\/avatar\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a8a96db06e7315a061d28b320ee7bb4c9d0f1535c58bf0f54218bf8a7569bea0?s=96&d=mm&r=g","caption":"Marco Ivaldi"},"url":"https:\/\/hnsecurity.it\/it\/blog\/author\/marco-ivaldi\/"}]}},"jetpack_featured_media_url":"https:\/\/hnsecurity.it\/wp-content\/uploads\/2025\/09\/ORACLE.jpg","_links":{"self":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/comments?post=700"}],"version-history":[{"count":2,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/700\/revisions"}],"predecessor-version":[{"id":161120,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/posts\/700\/revisions\/161120"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/media\/159939"}],"wp:attachment":[{"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/media?parent=700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/categories?post=700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hnsecurity.it\/it\/wp-json\/wp\/v2\/tags?post=700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}