CVE-2003-0961 - Unspecified vulnerability in Linux Kernel
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.
Vulnerable Configurations
Exploit-Db
description | Linux Kernel <= 2.4.22 (do_brk) Local Root Exploit (working). CVE-2003-0961. Local exploit for linux platform |
id | EDB-ID:131 |
last seen | 2016-01-31 |
modified | 2003-12-05 |
published | 2003-12-05 |
reporter | Wojciech Purczynski |
source | https://www.exploit-db.com/download/131/ |
title | Linux Kernel <= 2.4.22 - do_brk Local Root Exploit working |

description | Linux Kernel 2.4.22 "do_brk()" local Root Exploit (PoC). CVE-2003-0961. Local exploit for linux platform |
id | EDB-ID:129 |
last seen | 2016-01-31 |
modified | 2003-12-02 |
published | 2003-12-02 |
reporter | Christophe Devine |
source | https://www.exploit-db.com/download/129/ |
title | Linux Kernel 2.4.22 - "do_brk" Local Root Exploit PoC |
Nessus
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-450.NASL |
description | Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the mips kernel 2.4.19 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: |
- CAN-2003-0961: An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
- CAN-2003-0985: Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
- CAN-2004-0077: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15287 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/15287 |
title | Debian DSA-450-1 : linux-kernel-2.4.19-mips - several vulnerabilities |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-403.NASL |
description | Recently multiple servers of the Debian project were compromised using a Debian developer's account and an unknown root exploit. Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Study of the exploit by the Red Hat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space. This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release. This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and 2.6.0-test6 kernel tree. For Debian it has been fixed in version 2.4.18-14 of the kernel source packages, version 2.4.18-12 of the i386 kernel images and version 2.4.18-11 of the alpha kernel images. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15240 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15240 |
title | Debian DSA-403-1 : kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-source-2.4.18 - local root exploit |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-442.NASL |
description | Several security related problems have been fixed in the Linux kernel 2.4.17 used for the S/390 architecture, mostly by backporting fixes from 2.4.18 and incorporating recent security fixes. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project: |
- CVE-2002-0429: The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).
- CAN-2003-0001: Multiple ethernet network interface card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
- CAN-2003-0244: The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.
- CAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.
- CAN-2003-0247: A vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service (
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15279 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/15279 |
title | Debian DSA-442-1 : linux-kernel-2.4.17-s390 - several vulnerabilities |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2003-389.NASL |
description | Updated kernel packages are now available that fix a security vulnerability allowing local users to gain root privileges. The Linux kernel handles the basic functions of the operating system. A flaw in bounds checking in the do_brk() function in the Linux kernel versions 2.4.22 and previous can allow a local attacker to gain root privileges. This issue is known to be exploitable; an exploit has been seen in the wild that takes advantage of this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0961 to this issue. All users of Red Hat Enterprise Linux 2.1 are advised to upgrade to these errata packages, which contain a backported security patch that corrects this vulnerability. Users of Red Hat Enterprise Linux 3 should upgrade to the kernel packages provided by RHBA-2003:308 (released on 30 October 2003), which already contained a patch correcting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 12438 |
published | 2004-07-06 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/12438 |
title | RHEL 2.1 : kernel (RHSA-2003:389) |

NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2003-336-01.NASL |
description | New kernels are available for Slackware 9.1 and -current. These have been upgraded to Linux kernel version 2.4.23, which fixes a bug in the kernel |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 18743 |
published | 2005-07-13 |
reporter | This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/18743 |
title | Slackware 9.1 / current : Kernel security update (SSA:2003-336-01) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-417.NASL |
description | Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Andrew Morton discovered a missing boundary check for the brk system call which can be used to craft a local root exploit. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15254 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15254 |
title | Debian DSA-417-1 : linux-kernel-2.4.18-powerpc+alpha - missing boundary check |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2003-110.NASL |
description | A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable; an exploit is in the wild at this time. The Mandrake Linux 9.2 kernels are not vulnerable to this problem as the fix for it is already present in kernel version 2.4.22-21mdk (provided in MDKA-2003:021). MandrakeSoft encourages all users to upgrade their systems immediately. To upgrade your kernel, please use the documentation available online: http://www.mandrakesecure.net/en/kernelupdate.php |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14092 |
published | 2004-07-31 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14092 |
title | Mandrake Linux Security Advisory : kernel (MDKSA-2003:110) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-433.NASL |
description | Red Hat and SuSE kernel and security teams revealed that an integer overflow in the do_brk() function of the Linux kernel allows local users to gain root privileges. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15270 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15270 |
title | Debian DSA-433-1 : kernel-patch-2.4.17-mips - integer overflow |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-470.NASL |
description | Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the hppa kernel 2.4.17 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: |
- CAN-2003-0961: An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
- CAN-2003-0985: Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
- CAN-2004-0077: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15307 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/15307 |
title | Debian DSA-470-1 : linux-kernel-2.4.17-hppa - several vulnerabilities |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-440.NASL |
description | Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PowerPC/Apus kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: |
- CAN-2003-0961: An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
- CAN-2003-0985: Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
- CAN-2004-0077: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15277 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/15277 |
title | Debian DSA-440-1 : linux-kernel-2.4.17-powerpc-apus - several vulnerabilities |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-439.NASL |
description | Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the ARM kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: |
- CAN-2003-0961: An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
- CAN-2003-0985: Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
- CAN-2004-0077: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15276 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/15276 |
title | Debian DSA-439-1 : linux-kernel-2.4.16-arm - several vulnerabilities |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-423.NASL |
description | The IA-64 maintainers fixed several security related bugs in the Linux kernel 2.4.17 used for the IA-64 architecture, mostly by backporting fixes from 2.4.18. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project: |
- CAN-2003-0001: Multiple ethernet network interface card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
- CAN-2003-0018: Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption.
- CAN-2003-0127: The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process which is spawned by the kernel.
- CAN-2003-0461: The virtual file /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.
- CAN-2003-0462: A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).
- CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors.
- CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries.
- CAN-2003-0550: The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology.
- CAN-2003-0551: The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service.
- CAN-2003-0552: Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target.
- CAN-2003-0961: An integer overflow in brk system call (do_brk function) for Linux kernel 2.4.22 and earlier allows local users to gain root privileges.
- CAN-2003-0985: The mremap system call (do_mremap) in Linux kernel 2.4 and 2.6 does not properly perform boundary checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA.
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15260 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15260 |
title | Debian DSA-423-1 : linux-kernel-2.4.17-ia64 - several vulnerabilities |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-475.NASL |
description | Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PA-RISC kernel 2.4.18 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: |
- CAN-2003-0961: An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
- CAN-2003-0985: Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
- CAN-2004-0077: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
Please note that the source package has to include a lot of updates in order to compile the package, which wasn
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15312 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/15312 |
title | Debian DSA-475-1 : linux-kernel-2.4.18-hppa - several vulnerabilities |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SA_2003_049.NASL |
description | The remote host is missing the patch for the advisory SuSE-SA:2003:049 (Linux Kernel). This security update fixes a serious vulnerability in the Linux kernel. A missing bounds check in the brk() system call allowed processes to request memory beyond the maximum size allowed for tasks, causing kernel memory to be mapped into the process |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13817 |
published | 2004-07-25 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/13817 |
title | SuSE-SA:2003:049: Linux Kernel |
Packetstorm
data source | https://packetstormsecurity.com/files/download/32282/_BSSADV-0000.txt |
id | PACKETSTORM:32282 |
last seen | 2016-12-05 |
published | 2003-12-01 |
reporter | The Bugtraq Team |
source | https://packetstormsecurity.com/files/32282/_BSSADV-0000.txt.html |
title | _BSSADV-0000.txt |
Redhat
advisories | |
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000796
- http://isec.pl/papers/linux_kernel_do_brk.pdf
- http://marc.info/?l=bugtraq&m=107064798706473&w=2
- http://marc.info/?l=bugtraq&m=107064830206816&w=2
- http://marc.info/?l=bugtraq&m=107394143105081&w=2
- http://secunia.com/advisories/10328
- http://secunia.com/advisories/10329
- http://secunia.com/advisories/10330
- http://secunia.com/advisories/10333
- http://secunia.com/advisories/10338
- http://www.debian.org/security/2003/dsa-403
- http://www.debian.org/security/2004/dsa-417
- http://www.debian.org/security/2004/dsa-423
- http://www.debian.org/security/2004/dsa-433
- http://www.debian.org/security/2004/dsa-439
- http://www.debian.org/security/2004/dsa-440
- http://www.debian.org/security/2004/dsa-442
- http://www.debian.org/security/2004/dsa-450
- http://www.debian.org/security/2004/dsa-470
- http://www.debian.org/security/2004/dsa-475
- http://www.kb.cert.org/vuls/id/301156
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:110
- http://www.novell.com/linux/security/advisories/2003_049_kernel.html
- http://www.redhat.com/support/errata/RHSA-2003-368.html
- http://www.redhat.com/support/errata/RHSA-2003-389.html