CVE-2004-0415

CVSS 2.1 - LOW
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: local, low complexity, linux, redhat, trustix, nessus, exploit available

Summary

Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.

Exploit-Db

description: Linux Kernel File Offset Pointer Handling Memory Disclosure Exploit. CVE-2004-0415. Local exploit for linux platform
id: EDB-ID:375
last seen: 2016-01-31
modified: 2004-08-04
published: 2004-08-04
reporter: Paul Starzetz
source: https://www.exploit-db.com/download/375/
title: Linux Kernel File Offset Pointer Handling Memory Disclosure Exploit

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-418.NASL
    description: Updated kernel packages that fix potential information leaks and an incorrect driver permission for Red Hat Enterprise Linux 2.1 are now available. The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0415 to this issue. These packages contain a patch written by Al Viro to correct these flaws. Red Hat would like to thank iSEC Security Research for disclosing this issue and a number of vendor-sec participants for reviewing and working on the patch to this issue. In addition, these packages correct two minor issues: A bug in the e1000 network driver. This bug could be used by local users to leak small amounts of kernel memory (CVE-2004-0535). Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CVE-2004-0587). All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to these erratum packages which contain backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14240
    published: 2004-08-09
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/14240
    title: RHEL 2.1 : kernel (RHSA-2004:418)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:418. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14240);
      script_version ("1.28");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-0415", "CVE-2004-0535", "CVE-2004-0587");
      script_xref(name:"RHSA", value:"2004:418");
    
      script_name(english:"RHEL 2.1 : kernel (RHSA-2004:418)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that fix potential information leaks and a
    incorrect driver permission for Red Hat Enterprise Linux 2.1 are now
    available.
    
    The Linux kernel handles the basic functions of the operating system.
    
    Paul Starzetz discovered flaws in the Linux kernel when handling file
    offset pointers. These consist of invalid conversions of 64 to 32-bit
    file offset pointers and possible race conditions. A local
    unprivileged user could make use of these flaws to access large
    portions of kernel memory. The Common Vulnerabilities and Exposures
    project (cve.mitre.org) has assigned the name CVE-2004-0415 to this
    issue.
    
    These packages contain a patch written by Al Viro to correct these
    flaws. Red Hat would like to thank iSEC Security Research for
    disclosing this issue and a number of vendor-sec participants for
    reviewing and working on the patch to this issue.
    
    In addition, these packages correct two minor issues :
    
    An bug in the e1000 network driver. This bug could be used by local
    users to leak small amounts of kernel memory (CVE-2004-0535).
    
    Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode
    (CVE-2004-0587).
    
    All Red Hat Enterprise Linux 2.1 users are advised to upgrade their
    kernels to these erratum packages which contain backported patches to
    correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0415"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0535"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0587"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:418"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-BOOT");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-enterprise");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-summit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/08/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2004-0415", "CVE-2004-0535", "CVE-2004-0587");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2004:418");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:418";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_NOTE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-2.4.9-e.48")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-BOOT-2.4.9-e.48")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-debug-2.4.9-e.48")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-doc-2.4.9-e.48")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-enterprise-2.4.9-e.48")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-headers-2.4.9-e.48")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-smp-2.4.9-e.48")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-source-2.4.9-e.48")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-summit-2.4.9-e.48")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_NOTE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-debug / kernel-doc / etc");
      }
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-413.NASL
    description: Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available. The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0415 to this issue. These packages contain a patch written by Al Viro to correct these flaws. Red Hat would like to thank iSEC Security Research for disclosing this issue and a number of vendor-sec participants for reviewing and working on the patch to this issue. In addition, these packages correct a number of minor security issues: A bug in the e1000 network driver. This bug could be used by local users to leak small amounts of kernel memory (CVE-2004-0535). A bug in the SoundBlaster 16 code which does not properly handle certain sample sizes. This flaw could be used by local users to crash a system (CVE-2004-0178). A possible NULL pointer dereference in the Linux kernel prior to 2.4.26 on the Itanium platform could allow a local user to crash a system (CVE-2004-0447). Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CVE-2004-0587). All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14239
    published: 2004-08-09
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/14239
    title: RHEL 3 : kernel (RHSA-2004:413)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200408-24.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200408-24 (Linux Kernel: Multiple information leaks). The Linux kernel allows a local attacker to obtain sensitive kernel information by gaining access to kernel memory via several leaks in the /proc interfaces. These vulnerabilities exist in various drivers which make up a working Linux kernel, some of which are present across all architectures and configurations. CAN-2004-0415 deals with addressing invalid 32 to 64 bit conversions in the kernel, as well as insecure direct access to file offset pointers in kernel code which can be modified by the open(...), lseek(...) and other core system I/O functions by an attacker. CAN-2004-0685 deals with certain USB drivers using uninitialized structures and then using the copy_to_user(...) kernel call to copy these structures. This may leak uninitialized kernel memory, which can contain sensitive information from user applications. Finally, a race condition with the /proc/.../cmdline node was found, allowing environment variables to be read while the process was still spawning. If the race is won, environment variables of the process, which might not be owned by the attacker, can be read. Impact: These vulnerabilities allow a local unprivileged attacker to access segments of kernel memory or environment variables which may contain sensitive information. Kernel memory may contain passwords, data transferred between processes and any memory which applications did not clear upon exiting, as well as the kernel cache and kernel buffers. This information may be used to read sensitive data, open other attack vectors for further exploitation or cause a Denial of Service if the attacker can gain superuser access via the leaked information. Workaround: There is no temporary workaround for any of these information leaks other than totally disabling /proc support; otherwise, a kernel upgrade is required. A list of unaffected kernels is provided along with this announcement.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14580
    published: 2004-08-30
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14580
    title: GLSA-200408-24 : Linux Kernel: Multiple information leaks
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2004-251.NASL
    description: Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0415 to this issue. These packages contain a patch written by Al Viro to correct these flaws. Red Hat would like to thank iSEC Security Research for disclosing this issue and a number of vendor-sec participants for reviewing and working on the patch to this issue. Additionally, a number of issues were fixed in the USB serial code. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14252
    published: 2004-08-10
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14252
    title: Fedora Core 1 : kernel-2.4.22-1.2199.nptl (2004-251)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2004-087.NASL
    description: A race condition was discovered in the 64bit file offset handling by Paul Starzetz from iSEC. The file offset pointer (f_pos) is changed during reading, writing, and seeking through a file in order to point to the current position of a file. The value conversion between both the 32bit and 64bit API in the kernel, as well as access to the f_pos pointer, is defective. As a result, a local attacker can abuse this vulnerability to gain access to uninitialized kernel memory, mostly via entries in the /proc filesystem. This kernel memory can possibly contain information like the root password, and other sensitive data. The updated kernel packages provided are patched to protect against this vulnerability, and all users are encouraged to upgrade immediately.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14387
    published: 2004-08-27
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14387
    title: Mandrake Linux Security Advisory : kernel (MDKSA-2004:087)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2004_024.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2004:024 (kernel). This kernel is vulnerable to a race condition in the 64-bit file offset handling code. The file offset pointer (f_pos) is changed during reading, writing, and seeking through a file to point to the current position in a file. The Linux kernel offers a 32bit and a 64bit API. Unfortunately the value conversion between these two APIs as well as the access to the f_pos pointer is defective. An attacker exploiting this flaw would need local access to the machine. Upon successful exploitation, an attacker would be able to read potentially confidential kernel memory. Additionally, a bug in the implementation of chown(2) for updating inode times, and a denial-of-service condition that can occur while handling signals, were fixed.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14231
    published: 2004-08-09
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14231
    title: SUSE-SA:2004:024: kernel

Oval

accepted: 2013-04-29T04:23:42.638-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
description: Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.
family: unix
id: oval:org.mitre.oval:def:9965
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.
version: 26

Packetstorm

data source: https://packetstormsecurity.com/files/download/33965/isec-0016-procleaks.txt
id: PACKETSTORM:33965
last seen: 2016-12-05
published: 2004-08-05
reporter: Paul Starzetz
source: https://packetstormsecurity.com/files/33965/isec-0016-procleaks.txt.html
title: isec-0016-procleaks.txt

Redhat

advisories:
  • rhsa id: RHSA-2004:413
  • rhsa id: RHSA-2004:418
rpms:
  • kernel-0:2.4.21-15.0.4.EL
  • kernel-BOOT-0:2.4.21-15.0.4.EL
  • kernel-debuginfo-0:2.4.21-15.0.4.EL
  • kernel-doc-0:2.4.21-15.0.4.EL
  • kernel-hugemem-0:2.4.21-15.0.4.EL
  • kernel-hugemem-unsupported-0:2.4.21-15.0.4.EL
  • kernel-smp-0:2.4.21-15.0.4.EL
  • kernel-smp-unsupported-0:2.4.21-15.0.4.EL
  • kernel-source-0:2.4.21-15.0.4.EL
  • kernel-unsupported-0:2.4.21-15.0.4.EL

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:9085
last seen: 2017-11-19
modified: 2008-07-16
published: 2008-07-16
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-9085
titleLinux Kernel File Offset Pointer Handling Memory Disclosure Exploit