CVE-2006-2451 - Resource Management Errors vulnerability in Linux Kernel

CVSS 0.0 - NONE (attack vector, attack complexity, privileges required, and confidentiality, integrity and availability impact: unknown)
Tags: linux, CWE-399, nessus, exploit available

Summary

The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.

Exploit-Db

  • description: Linux Kernel 2.6.13. CVE-2006-2451. Local exploit for linux platform
    id: EDB-ID:2031
    last seen: 2016-01-31
    modified: 2006-07-18
    published: 2006-07-18
    reporter: Marco Ivaldi
    source: https://www.exploit-db.com/download/2031/
    title: Linux Kernel 2.6.13 <= 2.6.17.4 - prctl Local Root Exploit logrotate
  • description: Linux Kernel 2.6.13. CVE-2006-2451. Local exploit for linux platform
    id: EDB-ID:2004
    last seen: 2016-01-31
    modified: 2006-07-11
    published: 2006-07-11
    reporter: dreyer & RoMaNSoFt
    source: https://www.exploit-db.com/download/2004/
    title: Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl Local Root Exploit 1
  • description: Linux Kernel 2.6.13. CVE-2006-2451. Local exploit for linux platform
    id: EDB-ID:2006
    last seen: 2016-01-31
    modified: 2006-07-13
    published: 2006-07-13
    reporter: Marco Ivaldi
    source: https://www.exploit-db.com/download/2006/
    title: Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl Local Root Exploit 3

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_KERNEL-1896.NASL
    description: This kernel update fixes the following security problems:
      - A race condition allows local users to gain root privileges by changing the file mode of /proc/self/ files in a way that causes those files (for instance /proc/self/environ) to become setuid root. [#192688]. (CVE-2006-3626)
      - A stack-based buffer overflow in CDROM / DVD handling was fixed which could be used by a physical local attacker to crash the kernel or execute code within kernel context, depending on presence of automatic DVD handling in the system. [#190396]. (CVE-2006-2935)
      - Due to an argument validation error in prctl(PR_SET_DUMPABLE) a local attacker can easily gain administrator (root) privileges. [#186980]. (CVE-2006-2451)
      and the following non-security bugs:
      - Limit the maximum number of LUNs to 16384 [#185164]
      - LSI 1030/MPT Fusion driver hang during error recovery -- Optionally disable QAS [#180100]
      - advance buffer pointers in h_copy_rdma() to avoid data corruption [#186444]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 29484
    published: 2007-12-13
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/29484
    title: SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 1896)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(29484);
      script_version ("1.18");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      script_cve_id("CVE-2006-2451", "CVE-2006-2935", "CVE-2006-3626");
    
      script_name(english:"SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 1896)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This kernel update fixes the following security problems :
    
      - A race condition allows local users to gain root
        privileges by changing the file mode of /proc/self/
        files in a way that causes those files (for instance
        /proc/self/environ) to become setuid root. [#192688].
        (CVE-2006-3626)
    
      - A stack-based buffer overflow in CDROM / DVD handling
        was fixed which could be used by a physical local
        attacker to crash the kernel or execute code within
        kernel context, depending on presence of automatic DVD
        handling in the system. [#190396]. (CVE-2006-2935)
    
      - Due to an argument validation error in
        prctl(PR_SET_DUMPABLE) a local attacker can easily gain
        administrator (root) privileges. [#186980].
        (CVE-2006-2451)
    
    and the following non security bugs :
    
      - Limit the maximum number of LUNs to 16384 [#185164]
    
      - LSI 1030/MPT Fusion driver hang during error recovery --
        Optionally disable QAS [#180100]
    
      - advance buffer pointers in h_copy_rdma() to avoid data
        corruption [#186444]"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-2451.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-2935.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-3626.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 1896.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:0, cpu:"i586", reference:"kernel-bigsmp-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLED10", sp:0, cpu:"i586", reference:"kernel-default-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLED10", sp:0, cpu:"i586", reference:"kernel-smp-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLED10", sp:0, cpu:"i586", reference:"kernel-source-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLED10", sp:0, cpu:"i586", reference:"kernel-syms-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLES10", sp:0, cpu:"i586", reference:"kernel-bigsmp-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLES10", sp:0, cpu:"i586", reference:"kernel-debug-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLES10", sp:0, cpu:"i586", reference:"kernel-default-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLES10", sp:0, cpu:"i586", reference:"kernel-smp-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLES10", sp:0, cpu:"i586", reference:"kernel-source-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLES10", sp:0, cpu:"i586", reference:"kernel-syms-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLES10", sp:0, cpu:"i586", reference:"kernel-xen-2.6.16.21-0.15")) flag++;
    if (rpm_check(release:"SLES10", sp:0, cpu:"i586", reference:"kernel-xenpae-2.6.16.21-0.15")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2006-0574.NASL
    description: Updated kernel packages that fix a privilege escalation security issue in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. During security research, Red Hat discovered a behavioral flaw in core dump handling. A local user could create a program that would cause a core file to be dumped into a directory they would not normally have permissions to write to. This could lead to a denial of service (disk consumption), or allow the local user to gain root privileges. (CVE-2006-2451) Prior to applying this update, users can remove the ability to escalate privileges using this flaw by configuring core files to dump to an absolute location. By default, core files are created in the working directory of the faulting application, but this can be overridden by specifying an absolute location for core files in /proc/sys/kernel/core_pattern. To avoid a potential denial of service, a separate partition for the core files should be used. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22038
    published: 2006-07-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22038
    title: CentOS 4 : kernel (CESA-2006:0574)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-311-1.NASL
    description: A race condition was discovered in the do_add_counters() functions. Processes which do not run with full root privileges, but have the CAP_NET_ADMIN capability can exploit this to crash the machine or read a random piece of kernel memory. In Ubuntu there are no packages that are affected by this, so this can only be an issue for you if you use third-party software that uses Linux capabilities. (CVE-2006-0039) John Stultz discovered a faulty BUG_ON trigger in the handling of POSIX timers. A local attacker could exploit this to trigger a kernel oops and crash the machine. (CVE-2006-2445) Dave Jones discovered that the PowerPC kernel did not perform certain required access_ok() checks. A local user could exploit this to read arbitrary kernel memory and crash the kernel on 64-bit systems, and possibly read arbitrary kernel memory on 32-bit systems. (CVE-2006-2448) A design flaw was discovered in the prctl(PR_SET_DUMPABLE, ...) system call, which allowed a local user to have core dumps created in a directory he could not normally write to. This could be exploited to drain available disk space on system partitions, or, under some circumstances, to execute arbitrary code with full root privileges. This flaw only affects Ubuntu 6.06 LTS. (CVE-2006-2451) In addition, the Ubuntu 6.06 LTS update fixes a range of bugs. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27886
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/27886
    title: Ubuntu 5.04 / 5.10 / 6.06 LTS : linux-source-2.6.10/-2.6.12/-2.6.15 vulnerabilities (USN-311-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_KERNEL-1900.NASL
    description: This kernel update fixes the following security problems:
      - A race condition allows local users to gain root privileges by changing the file mode of /proc/self/ files in a way that causes those files (for instance /proc/self/environ) to become setuid root. [#192688]. (CVE-2006-3626)
      - A stack-based buffer overflow in CDROM / DVD handling was fixed which could be used by a physical local attacker to crash the kernel or execute code within kernel context, depending on presence of automatic DVD handling in the system. [#190396]. (CVE-2006-2935)
      - Due to an argument validation error in prctl(PR_SET_DUMPABLE) a local attacker can easily gain administrator (root) privileges. [#186980]. (CVE-2006-2451)
      and the following non-security bugs:
      - Limit the maximum number of LUNs to 16384 [#185164]
      - LSI 1030/MPT Fusion driver hang during error recovery -- Optionally disable QAS [#180100]
      - advance buffer pointers in h_copy_rdma() to avoid data corruption [#186444]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59120
    published: 2012-05-17
    reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/59120
    title: SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 1900)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2006-0574.NASL
    description: Updated kernel packages that fix a privilege escalation security issue in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. During security research, Red Hat discovered a behavioral flaw in core dump handling. A local user could create a program that would cause a core file to be dumped into a directory they would not normally have permissions to write to. This could lead to a denial of service (disk consumption), or allow the local user to gain root privileges. (CVE-2006-2451) Prior to applying this update, users can remove the ability to escalate privileges using this flaw by configuring core files to dump to an absolute location. By default, core files are created in the working directory of the faulting application, but this can be overridden by specifying an absolute location for core files in /proc/sys/kernel/core_pattern. To avoid a potential denial of service, a separate partition for the core files should be used. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22015
    published: 2006-07-10
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22015
    title: RHEL 4 : kernel (RHSA-2006:0574)

Oval

accepted: 2013-04-29T04:13:20.485-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.
family: unix
id: oval:org.mitre.oval:def:11336
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.
version: 26

Packetstorm

data source: https://packetstormsecurity.com/files/download/48253/prctl.sh.txt
id: PACKETSTORM:48253
last seen: 2016-12-05
published: 2006-07-14
reporter: Sunix
source: https://packetstormsecurity.com/files/48253/prctl.sh.txt.html
title: prctl.sh.txt

Redhat

advisories
bugzilla
  id: 195902
  title: CVE-2006-2451 Possible privilege escalation through prctl() and suid_dumpable
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 4 is installed
      oval: oval:com.redhat.rhba:tst:20070304025
    • OR
      • comment: kernel earlier than 0:2.6.9-34.0.2.EL is currently running
        oval: oval:com.redhat.rhsa:tst:20060574019
      • comment: kernel earlier than 0:2.6.9-34.0.2.EL is set to boot up on next boot
        oval: oval:com.redhat.rhsa:tst:20060574020
    • OR
      • AND
        • comment: kernel-doc is earlier than 0:2.6.9-34.0.2.EL
          oval: oval:com.redhat.rhsa:tst:20060574001
        • comment: kernel-doc is signed with Red Hat master key
          oval: oval:com.redhat.rhba:tst:20070304002
      • AND
        • comment: kernel-devel is earlier than 0:2.6.9-34.0.2.EL
          oval: oval:com.redhat.rhsa:tst:20060574003
        • comment: kernel-devel is signed with Red Hat master key
          oval: oval:com.redhat.rhba:tst:20070304016
      • AND
        • comment: kernel-smp is earlier than 0:2.6.9-34.0.2.EL
          oval: oval:com.redhat.rhsa:tst:20060574005
        • comment: kernel-smp is signed with Red Hat master key
          oval: oval:com.redhat.rhba:tst:20070304004
      • AND
        • comment: kernel is earlier than 0:2.6.9-34.0.2.EL
          oval: oval:com.redhat.rhsa:tst:20060574007
        • comment: kernel is signed with Red Hat master key
          oval: oval:com.redhat.rhba:tst:20070304018
      • AND
        • comment: kernel-largesmp is earlier than 0:2.6.9-34.0.2.EL
          oval: oval:com.redhat.rhsa:tst:20060574009
        • comment: kernel-largesmp is signed with Red Hat master key
          oval: oval:com.redhat.rhba:tst:20070304010
      • AND
        • comment: kernel-smp-devel is earlier than 0:2.6.9-34.0.2.EL
          oval: oval:com.redhat.rhsa:tst:20060574011
        • comment: kernel-smp-devel is signed with Red Hat master key
          oval: oval:com.redhat.rhba:tst:20070304012
      • AND
        • comment: kernel-largesmp-devel is earlier than 0:2.6.9-34.0.2.EL
          oval: oval:com.redhat.rhsa:tst:20060574013
        • comment: kernel-largesmp-devel is signed with Red Hat master key
          oval: oval:com.redhat.rhba:tst:20070304008
      • AND
        • comment: kernel-hugemem-devel is earlier than 0:2.6.9-34.0.2.EL
          oval: oval:com.redhat.rhsa:tst:20060574015
        • comment: kernel-hugemem-devel is signed with Red Hat master key
          oval: oval:com.redhat.rhba:tst:20070304022
      • AND
        • comment: kernel-hugemem is earlier than 0:2.6.9-34.0.2.EL
          oval: oval:com.redhat.rhsa:tst:20060574017
        • comment: kernel-hugemem is signed with Red Hat master key
          oval: oval:com.redhat.rhba:tst:20070304020
rhsa
  id: RHSA-2006:0574
  released: 2006-07-07
  severity: Important
  title: RHSA-2006:0574: kernel security update (Important)
rpms
  • kernel-0:2.6.9-34.0.2.EL
  • kernel-debuginfo-0:2.6.9-34.0.2.EL
  • kernel-devel-0:2.6.9-34.0.2.EL
  • kernel-doc-0:2.6.9-34.0.2.EL
  • kernel-hugemem-0:2.6.9-34.0.2.EL
  • kernel-hugemem-devel-0:2.6.9-34.0.2.EL
  • kernel-largesmp-0:2.6.9-34.0.2.EL
  • kernel-largesmp-devel-0:2.6.9-34.0.2.EL
  • kernel-smp-0:2.6.9-34.0.2.EL
  • kernel-smp-devel-0:2.6.9-34.0.2.EL

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:16262
    last seen: 2017-11-19
    modified: 2006-07-11
    published: 2006-07-11
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-16262
    title: Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:63702
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-63702
    title: Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:16288
    last seen: 2017-11-19
    modified: 2006-07-18
    published: 2006-07-18
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-16288
    title: Linux Kernel 2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:63704
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-63704
    title: Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (3)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:16264
    last seen: 2017-11-19
    modified: 2006-07-13
    published: 2006-07-13
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-16264
    title: Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:63726
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-63726
    title: Linux Kernel 2.6.13 <= 2.6.17.4 - prctl() Local Root Exploit (logrotate)
