Vulnerabilities > CVE-2004-0077 - Local Privilege Escalation vulnerability in Linux Kernel do_mremap Function VMA Limit
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary
The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.
Vulnerable Configurations
Exploit-Db
description: Linux Kernel "mremap()"#2 Local Proof-of-concept. CVE-2004-0077. Local exploit for linux platform
id: EDB-ID:154
last seen: 2016-01-31
modified: 2004-02-18
published: 2004-02-18
reporter: Christophe Devine
source: https://www.exploit-db.com/download/154/
title: Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - "mremap" Local Proof-of-Concept 2

description: Linux Kernel 2.x mremap missing do_munmap Exploit. CVE-2004-0077. Local exploit for linux platform
id: EDB-ID:160
last seen: 2016-01-31
modified: 2004-03-01
published: 2004-03-01
reporter: Paul Starzetz
source: https://www.exploit-db.com/download/160/
title: Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - "mremap" Missing "do_munmap" Exploit
Nessus
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2004-069.NASL
description: Updated kernel packages that fix a security vulnerability which may allow local users to gain root privileges are now available. [Updated 5 March 2004] Added kernel-headers packages. The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0077 to this issue. Arjan van de Ven discovered a flaw in ncp_lookup() in ncpfs that could allow local privilege escalation. ncpfs is only used to allow a system to mount volumes of NetWare servers or print to NetWare printers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0010 to this issue. All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues. Red Hat would like to thank Paul Starzetz from ISEC for reporting this issue CVE-2004-0077.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12469
published: 2004-07-06
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/12469
title: RHEL 2.1 : kernel (RHSA-2004:069)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2004:069. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12469);
  script_version ("1.34");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2003-1040", "CVE-2004-0010", "CVE-2004-0077");
  script_xref(name:"RHSA", value:"2004:069");

  script_name(english:"RHEL 2.1 : kernel (RHSA-2004:069)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated kernel packages that fix a security vulnerability which may
allow local users to gain root privileges are now available.

[Updated 5 March 2004] Added kernel-headers packages

The Linux kernel handles the basic functions of the operating system.

Paul Starzetz discovered a flaw in return value checking in mremap() in
the Linux kernel versions 2.4.24 and previous that may allow a local
attacker to gain root privileges. No exploit is currently available;
however this issue is exploitable. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2004-0077
to this issue.

Arjan van de Ven discovered a flaw in ncp_lookup() in ncpfs that could
allow local privilege escalation. ncpfs is only used to allow a system
to mount volumes of NetWare servers or print to NetWare printers. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-0010 to this issue.

All users are advised to upgrade to these errata packages, which
contain backported security patches that correct these issues.

Red Hat would like to thank Paul Starzetz from ISEC for reporting this
issue CVE-2004-0077."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2003-1040"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2004-0010"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2004-0077"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2004:069"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-BOOT");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-enterprise");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-summit");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/03/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/03/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
include("ksplice.inc");

# Preconditions: local checks enabled, a Red Hat release string, RHEL 2.1 only.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

# A Ksplice hotfix covering all three CVEs counts as patched.
if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2003-1040", "CVE-2004-0010", "CVE-2004-0077");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2004:069");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

# Prefer yum updateinfo when available; otherwise compare installed RPM versions.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2004:069";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-2.4.9-e.38")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-BOOT-2.4.9-e.38")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-debug-2.4.9-e.38")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-doc-2.4.9-e.38")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-enterprise-2.4.9-e.38")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-headers-2.4.9-e.38")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-smp-2.4.9-e.38")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-source-2.4.9-e.38")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-summit-2.4.9-e.38")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-debug / kernel-doc / etc");
  }
}
NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2004-015.NASL
description: Paul Starzetz discovered a flaw in return value checking in the mremap() function in the Linux kernel, versions 2.4.24 and previous, that could allow a local user to obtain root privileges. A vulnerability was found in the R128 DRI driver by Alan Cox. This could allow local privilege escalation. A flaw in the ncp_lookup() function in the ncpfs code (which is used to mount NetWare volumes or print to NetWare printers) was found by Arjan van de Ven that could allow local privilege escalation. The Vicam USB driver in Linux kernel versions prior to 2.4.25 does not use the copy_from_user function to access userspace, which crosses security boundaries. This problem does not affect the Mandrake Linux 9.2 kernel. Additionally, a ptrace hole that only affects the amd64/x86_64 platform has been corrected. The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at: http://www.mandrakesecure.net/en/kernelupdate.php
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14115
published: 2004-07-31
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14115
title: Mandrake Linux Security Advisory : kernel (MDKSA-2004:015)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2004:015.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(14115);
  script_version ("1.22");
  script_cvs_date("Date: 2019/10/16 10:34:21");

  script_cve_id("CVE-2004-0003", "CVE-2004-0010", "CVE-2004-0075", "CVE-2004-0077");
  script_xref(name:"MDKSA", value:"2004:015");

  script_name(english:"Mandrake Linux Security Advisory : kernel (MDKSA-2004:015)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Paul Staretz discovered a flaw in return value checking in the
mremap() function in the Linux kernel, versions 2.4.24 and previous
that could allow a local user to obtain root privileges.

A vulnerability was found in the R128 DRI driver by Alan Cox. This
could allow local privilege escalation.

A flaw in the ncp_lookup() function in the ncpfs code (which is used
to mount NetWare volumes or print to NetWare printers) was found by
Arjen van de Ven that could allow local privilege escalation.

The Vicam USB driver in Linux kernel versions prior to 2.4.25 does not
use the copy_from_user function to access userspace, which crosses
security boundaries. This problem does not affect the Mandrake Linux
9.2 kernel.

Additionally, a ptrace hole that only affects the amd64/x86_64 platform
has been corrected.

The provided packages are patched to fix these vulnerabilities. All
users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at :

http://www.mandrakesecure.net/en/kernelupdate.php"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.19.38mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.21.0.28mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.22.28mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.19.38mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.21.0.28mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.22.28mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.22.28mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.22.28mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.4.19.38mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.4.21.0.28mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.4.22.28mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.19.38mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.21.0.28mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.22.28mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/02/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions: local checks enabled, a Mandrake release and RPM list, x86 CPU.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# One rpm_check per kernel flavour per release; any hit marks the host affected.
flag = 0;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"kernel-2.4.19.38mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"kernel-enterprise-2.4.19.38mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"kernel-secure-2.4.19.38mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"kernel-smp-2.4.19.38mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"kernel-source-2.4.19-38mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"kernel-2.4.21.0.28mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"kernel-enterprise-2.4.21.0.28mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"kernel-secure-2.4.21.0.28mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"kernel-smp-2.4.21.0.28mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"kernel-source-2.4.21-0.28mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK9.2", reference:"kernel-2.4.22.28mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-enterprise-2.4.22.28mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-i686-up-4GB-2.4.22.28mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-p3-smp-64GB-2.4.22.28mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", reference:"kernel-secure-2.4.22.28mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", reference:"kernel-smp-2.4.22.28mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.2", reference:"kernel-source-2.4.22-28mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-450.NASL
description: Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the mips kernel 2.4.19 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update :
- CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
- CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
- CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15287
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/15287
title: Debian DSA-450-1 : linux-kernel-2.4.19-mips - several vulnerabilities

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2004-066.NASL
description: Updated kernel packages that fix a security vulnerability that may allow local users to gain root privileges are now available. These packages also resolve other minor issues. The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0077 to this issue. All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues. Red Hat would like to thank Paul Starzetz from ISEC for reporting this issue. For the IBM S/390 and IBM eServer zSeries architectures, the upstream version of the s390utils package (which fixes a bug in the zipl bootloader) is also included.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12468
published: 2004-07-06
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/12468
title: RHEL 3 : kernel (RHSA-2004:066)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-442.NASL
description: Several security related problems have been fixed in the Linux kernel 2.4.17 used for the S/390 architecture, mostly by backporting fixes from 2.4.18 and incorporating recent security fixes. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project :
- CVE-2002-0429 : The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).
- CAN-2003-0001 : Multiple ethernet network interface card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
- CAN-2003-0244 : The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.
- CAN-2003-0246 : The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.
- CAN-2003-0247 : A vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service (
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15279
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/15279
title: Debian DSA-442-1 : linux-kernel-2.4.17-s390 - several vulnerabilities

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2004-079.NASL
description: Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0077 to this issue. Arjan van de Ven discovered a flaw in ncp_lookup() in ncpfs that could allow local privilege escalation. ncpfs is only used to allow a system to mount volumes of NetWare servers or print to NetWare printers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0010 to this issue. All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues. Red Hat would like to thank Paul Starzetz from ISEC for reporting the issue CVE-2004-0077. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 13679
published: 2004-07-23
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/13679
title: Fedora Core 1 : kernel-2.4.22-1.2173.nptl (2004-079)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-514.NASL
description: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15351
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15351
title: Debian DSA-514-1 : kernel-image-sparc-2.2 - failing function and TLB flush

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-470.NASL
description: Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the hppa kernel 2.4.17 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update :
- CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
- CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
- CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15307
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/15307
title: Debian DSA-470-1 : linux-kernel-2.4.17-hppa - several vulnerabilities

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2004-049-01.NASL
description: New kernels are available for Slackware 9.1 and -current to fix a bounds-checking problem in the kernel
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18789
published: 2005-07-13
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18789
title: Slackware 9.1 / current : Kernel security update (SSA:2004-049-01)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-444.NASL
description: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15281
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/15281
title: Debian DSA-444-1 : linux-kernel-2.4.17-ia64 - missing function return value check

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-454.NASL
description: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15291
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/15291
title: Debian DSA-454-1 : linux-kernel-2.2.22-alpha - failing function and TLB flush

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-440.NASL
description: Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PowerPC/Apus kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update :
- CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
- CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
- CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15277
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/15277
title: Debian DSA-440-1 : linux-kernel-2.4.17-powerpc-apus - several vulnerabilities

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-439.NASL
description: Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the ARM kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update :
- CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.
- CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.
- CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15276
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/15276
title: Debian DSA-439-1 : linux-kernel-2.4.16-arm - several vulnerabilities

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-456.NASL
description: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15293
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/15293
title: Debian DSA-456-1 : linux-kernel-2.2.19-arm - failing function and TLB flush

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-438.NASL
description: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15275
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/15275
title: Debian DSA-438-1 : linux-kernel-2.4.18-alpha+i386+powerpc - missing function return value check

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200403-02.NASL
description: The remote host is affected by the vulnerability described in GLSA-200403-02 (Linux kernel do_mremap local privilege escalation vulnerability). The memory subsystem allows for shrinking, growing, and moving of chunks of memory along any of the allocated memory areas which the kernel possesses. To accomplish this, the do_mremap code calls the do_munmap() kernel function to remove any old memory mappings in the new location - but, the code doesn
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14453
published: 2004-08-30
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/14453
title: GLSA-200403-02 : Linux kernel do_mremap local privilege escalation vulnerability

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-453.NASL
description: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15290
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/15290 title Debian DSA-453-1 : linux-kernel-2.2.20-i386+m68k+powerpc - failing function and TLB flush NASL family Debian Local Security Checks NASL id DEBIAN_DSA-466.NASL description Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course. last seen 2020-06-01 modified 2020-06-02 plugin id 15303 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/15303 title Debian DSA-466-1 : linux-kernel-2.2.10-powerpc-apus - failing function and TLB flush NASL family Debian Local Security Checks NASL id DEBIAN_DSA-475.NASL description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PA-RISC kernel 2.4.18 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update : - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. 
Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3. Please note that the source package has to include a lot of updates in order to compile the package, which wasn last seen 2020-06-01 modified 2020-06-02 plugin id 15312 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/15312 title Debian DSA-475-1 : linux-kernel-2.4.18-hppa - several vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-441.NASL description Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 15278 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15278 title Debian DSA-441-1 : linux-kernel-2.4.17-mips+mipsel - missing function return value check NASL family SuSE Local Security Checks NASL id SUSE_SA_2004_005.NASL description The remote host is missing the patch for the advisory SuSE-SA:2004:005 (Linux Kernel). Another bug in the Kernel last seen 2020-06-01 modified 2020-06-02 plugin id 13823 published 2004-07-25 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13823 title SuSE-SA:2004:005: Linux Kernel
Oval
accepted | 2007-04-25T19:52:56.836-04:00 |
class | vulnerability |
contributors | Jay Beale (Bastille Linux); Matt Busby (The MITRE Corporation); Thomas R. Jones (Maitreya Security) |
description | The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. |
family | unix |
id | oval:org.mitre.oval:def:825 |
status | accepted |
submitted | 2004-03-20T12:00:00.000-04:00 |
title | Red Hat Enterprise 3 Linux Kernel do_mremap Privilege Escalation Vulnerability |
version | 38 |

accepted | 2007-04-25T19:52:59.044-04:00 |
class | vulnerability |
contributors | Jay Beale (Bastille Linux); Matt Busby (The MITRE Corporation); Thomas R. Jones (Maitreya Security) |
description | The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. |
family | unix |
id | oval:org.mitre.oval:def:837 |
status | accepted |
submitted | 2004-03-20T12:00:00.000-04:00 |
title | Red Hat Linux Kernel do_mremap Privilege Escalation Vulnerability |
version | 40 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/32797/isec-0014-mremap-unmap.v2.txt |
id | PACKETSTORM:32797 |
last seen | 2016-12-05 |
published | 2004-03-02 |
reporter | Paul Starzetz |
source | https://packetstormsecurity.com/files/32797/isec-0014-mremap-unmap.v2.txt.html |
title | isec-0014-mremap-unmap.v2.txt |
References
- http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0040.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000820
- http://fedoranews.org/updates/FEDORA-2004-079.shtml
- http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:015
- http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
- http://marc.info/?l=bugtraq&m=107711762014175&w=2
- http://marc.info/?l=bugtraq&m=107712137732553&w=2
- http://marc.info/?l=bugtraq&m=107755871932680&w=2
- http://security.gentoo.org/glsa/glsa-200403-02.xml
- http://www.ciac.org/ciac/bulletins/o-082.shtml
- http://www.debian.org/security/2004/dsa-438
- http://www.debian.org/security/2004/dsa-439
- http://www.debian.org/security/2004/dsa-440
- http://www.debian.org/security/2004/dsa-441
- http://www.debian.org/security/2004/dsa-442
- http://www.debian.org/security/2004/dsa-444
- http://www.debian.org/security/2004/dsa-450
- http://www.debian.org/security/2004/dsa-453
- http://www.debian.org/security/2004/dsa-454
- http://www.debian.org/security/2004/dsa-456
- http://www.debian.org/security/2004/dsa-466
- http://www.debian.org/security/2004/dsa-470
- http://www.debian.org/security/2004/dsa-475
- http://www.debian.org/security/2004/dsa-514
- http://www.kb.cert.org/vuls/id/981222
- http://www.novell.com/linux/security/advisories/2004_05_linux_kernel.html
- http://www.osvdb.org/3986
- http://www.redhat.com/support/errata/RHSA-2004-065.html
- http://www.redhat.com/support/errata/RHSA-2004-066.html
- http://www.redhat.com/support/errata/RHSA-2004-069.html
- http://www.redhat.com/support/errata/RHSA-2004-106.html
- http://www.securityfocus.com/bid/9686
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.404734
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15244
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A825
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A837