CVE-2009-1185 - Origin Validation Error vulnerability in multiple products

CVSS 0.0 - NONE (this page's own CVSS block is unpopulated; the Nessus plugins below score the flaw CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C, i.e. 7.2 High under CVSS v2: local access, low complexity, no authentication, complete loss of confidentiality, integrity and availability)
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

udev before 141 (the NVD summary text renders this as "1.4.1") does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space. udevd receives device events on a NETLINK_KOBJECT_UEVENT socket and, before the fix, processed any datagram that arrived there, including a unicast message crafted by an unprivileged process and addressed to udevd's netlink port id. A forged "add" event can make udev create a world-writable device node for an existing block device such as the root file system (see the Red Hat advisory text below). The fix discards any message whose sender port id (nl_pid) is not 0, the port id reserved for the kernel.
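The check described above, as an added example written for this page rather than code taken from udev: a minimal NETLINK_KOBJECT_UEVENT listener that parses the kernel's uevent wire format and, like udev 141, discards any datagram whose sender port id is not 0. The `handle_uevent`/`parse_uevent` functions, the `struct uevent` layout and the forged sample message are this example's own constructions; the socket calls and `struct sockaddr_nl` are the real Linux netlink API. The `check_origin` switch exists only so the pre-141 behaviour can be compared side by side.

```c
/* Added example for CVE-2009-1185 (illustrative, not udev's source).
 * Assumes Linux/glibc and unicast delivery of forged events to the daemon's
 * netlink port id, which is how the public exploits reach udevd. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#define UEVENT_MAX 2048

/* Fields recovered from "ACTION@DEVPATH\0KEY=VALUE\0..." (layout is ours). */
struct uevent {
    char action[16];
    char devpath[256];
    char devname[64];
    int major, minor;
};

/* Length of the NUL-terminated field at p, or -1 if no NUL within avail bytes. */
static ssize_t field_len(const char *p, size_t avail)
{
    const char *nul = memchr(p, '\0', avail);
    return nul ? (ssize_t)(nul - p) : -1;
}

/* Parse the kernel uevent wire format: 0 on success, -1 on malformed input.
 * Parsing is identical for trusted and untrusted input; it is not the security check. */
int parse_uevent(const char *buf, size_t len, struct uevent *ev)
{
    memset(ev, 0, sizeof *ev);
    ev->major = ev->minor = -1;

    ssize_t hdr = field_len(buf, len);                 /* "ACTION@DEVPATH" */
    if (hdr <= 0) return -1;
    const char *at = memchr(buf, '@', (size_t)hdr);
    if (at == NULL) return -1;
    size_t alen = (size_t)(at - buf), dlen = (size_t)hdr - alen - 1;
    if (alen == 0 || alen >= sizeof ev->action || dlen == 0 || dlen >= sizeof ev->devpath)
        return -1;
    memcpy(ev->action, buf, alen);
    memcpy(ev->devpath, at + 1, dlen);

    for (size_t pos = (size_t)hdr + 1; pos < len; ) {  /* "KEY=VALUE" records */
        const char *kv = buf + pos;
        ssize_t kvlen = field_len(kv, len - pos);
        if (kvlen < 0) return -1;                       /* unterminated record */
        if (strncmp(kv, "DEVNAME=", 8) == 0) {
            size_t vlen = (size_t)kvlen - 8;
            if (vlen >= sizeof ev->devname) return -1;
            memcpy(ev->devname, kv + 8, vlen);
        } else if (strncmp(kv, "MAJOR=", 6) == 0) {
            ev->major = atoi(kv + 6);
        } else if (strncmp(kv, "MINOR=", 6) == 0) {
            ev->minor = atoi(kv + 6);
        }
        pos += (size_t)kvlen + 1;
    }
    return 0;
}

/* The check udev lacked before 141: the kernel's netlink port id is 0 and every
 * user-space socket gets a non-zero port id, so nl_pid != 0 means "another process". */
int uevent_from_kernel(const struct sockaddr_nl *snl)
{
    return snl != NULL && snl->nl_family == AF_NETLINK && snl->nl_pid == 0;
}

/* 0: accepted and parsed; -1: malformed; -2: sender is not the kernel.
 * check_origin = 0 reproduces the pre-141 behaviour for comparison. */
int handle_uevent(const struct sockaddr_nl *snl, const char *buf, size_t len,
                  int check_origin, struct uevent *ev)
{
    if (check_origin && !uevent_from_kernel(snl)) return -2;
    return parse_uevent(buf, len, ev);
}

/* Constructed sample, not a captured message: the kind of "add" event an
 * unprivileged process could send to make a vulnerable udevd create a node. */
static const char forged[] =
    "add@/devices/virtual/block/fake\0"
    "ACTION=add\0SUBSYSTEM=block\0DEVNAME=sda1\0MAJOR=8\0MINOR=1\0";
const char *forged_msg(void) { return forged; }
size_t forged_len(void) { return sizeof forged - 1; }

/* Live listener: join the kernel uevent multicast group (group 1) and apply the check. */
int main(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_KOBJECT_UEVENT);
    if (fd < 0) { perror("socket"); return 1; }
    struct sockaddr_nl me = { .nl_family = AF_NETLINK, .nl_groups = 1 };
    if (bind(fd, (struct sockaddr *)&me, sizeof me) < 0) { perror("bind"); return 1; }

    char buf[UEVENT_MAX];
    for (;;) {
        struct sockaddr_nl snl;
        socklen_t sl = sizeof snl;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&snl, &sl);
        if (n < 0) { perror("recvfrom"); break; }
        struct uevent ev;
        int rc = handle_uevent(&snl, buf, (size_t)n, 1, &ev);
        if (rc == -2)
            printf("ignored: netlink message from user-space port id %u\n", (unsigned)snl.nl_pid);
        else if (rc == 0)
            printf("%s %s devname=%s %d:%d\n", ev.action, ev.devpath, ev.devname, ev.major, ev.minor);
    }
    close(fd);
    return 0;
}
```

Run as an unprivileged user it prints kernel events as they arrive (plug in a USB device) and reports any user-space sender it ignores. The sender port id is what udev 141 itself checks; later udev releases additionally enable SO_PASSCRED and inspect SCM_CREDENTIALS so that synthetic events on udev's own monitor channel are accepted only from root-owned senders. Whatever the transport, the rule is the same: authenticate the origin before acting on a message that can create device nodes.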

Vulnerable Configurations

Part         Description     Count
Application  Udev_Project      140
Application  Suse                2
Application  Juniper             7
OS           Opensuse            3
OS           Suse                4
OS           Debian              2
OS           Canonical           4
OS           Fedoraproject       2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • JSON Hijacking (aka JavaScript Hijacking)
    An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object, taking advantage of a loophole in the browser's Same Origin Policy: it does not prohibit JavaScript from one website from being included and executed in the context of another website. The attacker gets the victim to visit a malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains code to capture the JSON object returned by the server before any other processing can take place, typically by overriding the JavaScript function used to create new objects. This hook gives the malicious code access to the creation of each object and lets it transmit the possibly sensitive contents of the captured JSON object to the attacker's server. Nothing in the browser's security model prevents the attacker's JavaScript (originating from the attacker's domain) from setting up such an environment, intercepting a JSON object response (coming from the vulnerable target system's domain), reading its contents and transmitting them to an attacker-controlled site. The same origin policy protects the Document Object Model (DOM), but not the JSON.
  • Cache Poisoning
    An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
  • DNS Cache Poisoning
    A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An attacker modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the attacker specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Attackers can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
  • Exploitation of Session Variables, Resource IDs and other Trusted Credentials
    Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, in a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done by checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such as group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so. Many server-side processes are vulnerable to these attacks because the server-to-server communications have not been analyzed from a security perspective, or because the processes "trust" other systems that are behind a firewall. In a similar way, servers that use easy-to-guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improper correlation with access control policy enforcement points. Exposed configuration and properties files that contain system passwords, database connection strings, and the like may also give an attacker an edge in identifying these identifiers. The net result is that spoofing and impersonation are possible, allowing an attacker to break authentication, authorization, and audit controls on the system.
  • Application API Message Manipulation via Man-in-the-Middle
    An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or to conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The technique requires specialized software that allows the attacker to man-in-the-middle communications between the web browser and the remote system. Despite the use of MITM software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not a true "Man-in-the-Middle" attack at the network layer but an application-layer attack, the root cause of which is the master application's trust in the integrity of data supplied by the client.

Exploit-Db

  • description: Linux Kernel 2.6 UDEV < 141 Local Privilege Escalation Exploit. CVE-2009-1185. Local exploit for linux platform
    file: exploits/linux/local/8572.c
    id: EDB-ID:8572
    last seen: 2016-02-01
    modified: 2009-04-30
    platform: linux
    port: (none)
    published: 2009-04-30
    reporter: Jon Oberheide
    source: https://www.exploit-db.com/download/8572/
    title: Linux Kernel 2.6 UDEV < 141 - Local Privilege Escalation Exploit
    type: local
  • description: Linux udev Netlink Local Privilege Escalation. CVE-2009-1185. Local exploit for linux platform
    id: EDB-ID:21848
    last seen: 2016-02-02
    modified: 2012-10-10
    published: 2012-10-10
    reporter: metasploit
    source: https://www.exploit-db.com/download/21848/
    title: Linux udev - Netlink Local Privilege Escalation

Metasploit

description: Versions of udev < 1.4.1 do not verify that netlink messages are coming from the kernel. This allows local users to gain privileges by sending netlink messages from userland.
id: MSF:EXPLOIT/LINUX/LOCAL/UDEV_NETLINK
last seen: 2020-06-10
modified: 2018-10-10
published: 2012-09-10
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/udev_netlink.rb
title: Linux udev Netlink Local Privilege Escalation

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-758-1.NASL
    description: Sebastian Krahmer discovered that udev did not correctly validate netlink message senders. A local attacker could send specially crafted messages to udev in order to gain root privileges. (CVE-2009-1185) Sebastian Krahmer discovered a buffer overflow in the path encoding routines in udev. A local attacker could exploit this to crash udev, leading to a denial of service. (CVE-2009-1186). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36530
    published: 2009-04-23
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/36530
    title: Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : udev vulnerabilities (USN-758-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-758-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36530);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:33:02");
    
      script_cve_id("CVE-2009-1185", "CVE-2009-1186");
      script_xref(name:"USN", value:"758-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : udev vulnerabilities (USN-758-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Sebastian Krahmer discovered that udev did not correctly validate
    netlink message senders. A local attacker could send specially crafted
    messages to udev in order to gain root privileges. (CVE-2009-1185)
    
    Sebastian Krahmer discovered a buffer overflow in the path encoding
    routines in udev. A local attacker could exploit this to crash udev,
    leading to a denial of service. (CVE-2009-1186).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/758-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux udev Netlink Local Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(20, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvolume-id-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvolume-id0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:udev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:volumeid");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(6\.06|7\.10|8\.04|8\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 7.10 / 8.04 / 8.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"udev", pkgver:"079-0ubuntu35.1")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"libvolume-id-dev", pkgver:"113-0ubuntu17.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"libvolume-id0", pkgver:"113-0ubuntu17.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"udev", pkgver:"113-0ubuntu17.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"volumeid", pkgver:"113-0ubuntu17.2")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libvolume-id-dev", pkgver:"117-8ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libvolume-id0", pkgver:"117-8ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"udev", pkgver:"117-8ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libvolume-id-dev", pkgver:"124-9ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libvolume-id0", pkgver:"124-9ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"udev", pkgver:"124-9ubuntu0.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvolume-id-dev / libvolume-id0 / udev / volumeid");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2009-0427.NASL
    description: Updated udev packages that fix one security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. udev provides a user-space API and implements a dynamic device directory, providing only the devices present on the system. udev replaces devfs in order to provide greater hot plug functionality. Netlink is a datagram oriented service, used to transfer information between kernel modules and user-space processes. It was discovered that udev did not properly check the origin of Netlink messages. A local attacker could use this flaw to gain root privileges via a crafted Netlink message sent to udev, causing it to create a world-writable block device file for an existing system block device (for example, the root file system). (CVE-2009-1185) Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for responsibly reporting this flaw. Users of udev are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the udevd daemon will be restarted automatically.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36177
    published: 2009-04-17
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/36177
    title: RHEL 5 : udev (RHSA-2009:0427)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2009:0427. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36177);
      script_version ("1.30");
      script_cvs_date("Date: 2019/10/25 13:36:14");
    
      script_cve_id("CVE-2009-1185");
      script_bugtraq_id(34536);
      script_xref(name:"RHSA", value:"2009:0427");
    
      script_name(english:"RHEL 5 : udev (RHSA-2009:0427)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated udev packages that fix one security issue are now available
    for Red Hat Enterprise Linux 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    udev provides a user-space API and implements a dynamic device
    directory, providing only the devices present on the system. udev
    replaces devfs in order to provide greater hot plug functionality.
    Netlink is a datagram oriented service, used to transfer information
    between kernel modules and user-space processes.
    
    It was discovered that udev did not properly check the origin of
    Netlink messages. A local attacker could use this flaw to gain root
    privileges via a crafted Netlink message sent to udev, causing it to
    create a world-writable block device file for an existing system block
    device (for example, the root file system). (CVE-2009-1185)
    
    Red Hat would like to thank Sebastian Krahmer of the SUSE Security
    Team for responsibly reporting this flaw.
    
    Users of udev are advised to upgrade to these updated packages, which
    contain a backported patch to correct this issue. After installing the
    update, the udevd daemon will be restarted automatically."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-1185"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2009:0427"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected libvolume_id, libvolume_id-devel and / or udev
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux udev Netlink Local Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(20);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvolume_id");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvolume_id-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:udev");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/04/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2009:0427";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", reference:"libvolume_id-095-14.20.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", reference:"libvolume_id-devel-095-14.20.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"udev-095-14.20.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"udev-095-14.20.el5_3")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"udev-095-14.20.el5_3")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvolume_id / libvolume_id-devel / udev");
      }
    }
    
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2009-0006.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : CVE-2009-1185 udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
      - fix for CVE-2009-1185 (bug #495051)
      - Resolves: rhbz#495055
      - removed zaptel rules (rhbz #294061)
      - fixed segfault for empty lines in passwd (rhbz#413831)
      - added patch for iscsi ids (Daniel Berrange) (rhbz#427640)
      - added /etc/sysconfig/udev-stw, which makes MODULES configurable (Jeff Bastian) (rhbz#437979)
      - added ext4 support to vol_id (rhbz#444528)
      - updated dasd_id from dasdinfo of s390-tools-1.6.2 (rhbz#430532)
      - Resolves: rhbz#294061, rhbz#413831, rhbz#427640
      - Resolves: rhbz#437979, rhbz#444528, rhbz#430532
      - scsi_id, retry open on EBUSY (rhbz#450279)
      - Resolves: rhbz#450279
      - set selinux context for .udev dirs and symlinks (rhbz#442886)
      - fixed rule for hp iLO2 virtual mouse device (rhbz#429215)
      - Resolves: rhbz#429215, rhbz#442886
      - fixed selinux context setting for symlinks (rhbz#441054)
      - Resolves: rhbz#441054
      - fixed regression bug rhbz#430667 introduced by fix for rhbz#275441
      - Resolves: rhbz#275441
      - added rule for hp iLO2 virtual mouse device (rhbz#429215)
      - Resolves: rhbz#429215
      - fix for looping vol_id, because of a malformed passwd (rhbz#425941)
      - revised fix for tape devices (rhbz#231990)
      - Resolves: rhbz#425941, rhbz#231990
      - moved
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79454
    published: 2014-11-26
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79454
    title: OracleVM 2.1 : udev (OVMSA-2009-0006)
  • NASL family: Misc.
    NASL id: VMWARE_VMSA-2009-0009_REMOTE.NASL
    description: The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in sudo in file parse.c due to a failure to properly interpret a system group (%group) in the sudoers configuration file when handling authorization decisions for users belonging to that group. A local attacker can exploit this to gain root privileges via a crafted sudo command. (CVE-2009-0034) - A flaw exists in the redirect implementation in libcurl that allows arbitrary Location values to be accepted when CURLOPT_FOLLOWLOCATION is enabled. An attacker with control of a remote HTTP server can exploit this, via crafted redirect URLs, to trigger requests to intranet servers, to read or write arbitrary files, or to execute arbitrary commands. (CVE-2009-0037) - A flaw exists in udev due to a failure to verify that a NETLINK message originates from the kernel space. A local attacker can exploit this, via a crafted NETLINK message, to gain elevated privileges on the root file system. (CVE-2009-1185)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 89115
    published: 2016-03-03
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/89115
    title: VMware ESX Multiple Vulnerabilities (VMSA-2009-0009) (remote check)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200904-18.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200904-18 (udev: Multiple vulnerabilities) Sebastian Krahmer of SUSE discovered the following two vulnerabilities: udev does not verify the origin of NETLINK messages properly (CVE-2009-1185). A buffer overflow exists in the util_path_encode() function in lib/libudev-util.c (CVE-2009-1186). Impact : A local attacker could gain root privileges by sending specially crafted NETLINK messages to udev or cause a Denial of Service. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36197
    published: 2009-04-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36197
    title: GLSA-200904-18 : udev: Multiple vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_UDEV-6203.NASL
    description: This update fixes a local privilege escalation in udev. - udev did not check the origin of the netlink messages. A local attacker could fake device create events and so gain root privileges. (CVE-2009-1185) The previous update did not apply the actual patch fixing this problem, as was reported to us by SGI. Please reboot the machine after installing the update, or run: /etc/init.d/boot.udev restart
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41594
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41594
    title: SuSE 10 Security Update : udev (ZYPP Patch Number 6203)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_LIBUDEV-DEVEL-090414.NASL
    description: This update fixes a local privilege escalation in udev. - udev did not check the origin of the netlink messages. A local attacker could fake device create events and so gain root privileges. (CVE-2009-1185)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41432
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41432
    title: SuSE 11 Security Update : udev (SAT Patch Number 766)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20090416_UDEV_ON_SL5_X.NASL
    description: It was discovered that udev did not properly check the origin of Netlink messages. A local attacker could use this flaw to gain root privileges via a crafted Netlink message sent to udev, causing it to create a world-writable block device file for an existing system block device (for example, the root file system). (CVE-2009-1185) After installing the update, the udevd daemon will be restarted automatically.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60570
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60570
    title: Scientific Linux Security Update : udev on SL5.x i386/x86_64
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-103.NASL
    description: Security vulnerabilities have been identified and fixed in udev. udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space (CVE-2009-1185). Buffer overflow in the util_path_encode function in udev/lib/libudev-util.c in udev before 1.4.1 allows local users to cause a denial of service (service outage) via vectors that trigger a call with crafted arguments (CVE-2009-1186). The updated packages have been patched to prevent this. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38658
    published: 2009-05-01
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38658
    title: Mandriva Linux Security Advisory : udev (MDVSA-2009:103-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_LIBUDEV-DEVEL-6158.NASL
    description: This update fixes a local privilege escalation in udev. CVE-2009-1185: udev did not check the origin of the netlink messages. A local attacker could fake device create events and so gain root privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36182
    published: 2009-04-17
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36182
    title: openSUSE 10 Security Update : libudev-devel (libudev-devel-6158)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2009-0427.NASL
    description: From Red Hat Security Advisory 2009:0427 : Updated udev packages that fix one security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. udev provides a user-space API and implements a dynamic device directory, providing only the devices present on the system. udev replaces devfs in order to provide greater hot plug functionality. Netlink is a datagram oriented service, used to transfer information between kernel modules and user-space processes. It was discovered that udev did not properly check the origin of Netlink messages. A local attacker could use this flaw to gain root privileges via a crafted Netlink message sent to udev, causing it to create a world-writable block device file for an existing system block device (for example, the root file system). (CVE-2009-1185) Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for responsibly reporting this flaw. Users of udev are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the udevd daemon will be restarted automatically.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67842
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67842
    title: Oracle Linux 5 : udev (ELSA-2009-0427)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_UDEV-6153.NASL
    description: This update fixes a local privilege escalation in udev. - udev did not check the origin of the netlink messages. A local attacker could fake device create events and so gain root privileges. (CVE-2009-1185) It also fixes three bugs : - Fixup persistent symlinks for tapes. (bnc#446534) - Fixup broken ATA compatibility links. (bnc#447995) - Add by-path links for tapes. (bnc#478132)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41593
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41593
    title: SuSE 10 Security Update : udev (ZYPP Patch Number 6153)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1772.NASL
    description: Sebastian Krahmer discovered two vulnerabilities in udev, the /dev and hotplug management daemon. - CVE-2009-1185 udev does not check the origin of NETLINK messages, allowing local users to gain root privileges. - CVE-2009-1186 udev suffers from a buffer overflow condition in path encoding, potentially allowing arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36172
    published: 2009-04-17
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/36172
    title: Debian DSA-1772-1 : udev - several vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2009-3712.NASL
    description: udev provides a user-space API and implements a dynamic device directory, providing only the devices present on the system. udev replaces devfs in order to provide greater hot plug functionality. Netlink is a datagram oriented service, used to transfer information between kernel modules and user-space processes. It was discovered that udev did not properly check the origin of Netlink messages. A local attacker could use this flaw to gain root privileges via a crafted Netlink message sent to udev, causing it to create a world-writable block device file for an existing system block device (for example, the root file system). (CVE-2009-1185) An integer overflow flaw, potentially leading to a heap-based buffer overflow, was found in one of the utilities providing functionality of the udev device information interface. An attacker could use this flaw to cause a denial of service, or possibly to execute arbitrary code, by providing specially crafted arguments as input to this utility. (CVE-2009-1186) Thanks to Sebastian Krahmer of the SUSE Security Team for responsibly reporting this flaw. Users of udev are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the udevd daemon will be restarted automatically. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36175
    published: 2009-04-17
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36175
    title: Fedora 9 : udev-124-4.fc9 (2009-3712)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_1_LIBUDEV-DEVEL-090414.NASL
    description: This update fixes a local privilege escalation in udev. CVE-2009-1185: udev did not check the origin of the netlink messages. A local attacker could fake device create events and so gain root privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40271
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40271
    title: openSUSE Security Update : libudev-devel (libudev-devel-768)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_LIBUDEV-DEVEL-090414.NASL
    description: This update fixes a local privilege escalation in udev. CVE-2009-1185: udev did not check the origin of the netlink messages. A local attacker could fake device create events and so gain root privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40050
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40050
    title: openSUSE Security Update : libudev-devel (libudev-devel-768)
  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2009-0009.NASL
    description: a. Service Console package udev. The udev program did not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1185 to this issue. Please see http://kb.vmware.com/kb/1011786 for details. b. Service Console package sudo. The Service Console package for sudo has been updated to version sudo-1.6.9p17-3. This fixes the following issue: Sudo versions 1.6.9p17 through 1.6.9p19 do not properly interpret a system group in the sudoers file during authorization decisions for a user who belongs to that group, which might allow local users to leverage an applicable sudoers file and gain root privileges by using a sudo command. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0034 to this issue. Please see http://kb.vmware.com/kb/1011781 for more details. c. Service Console package curl. The Service Console package for curl has been updated to version curl-7.15.5-2.1. This fixes the following issue: The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to trigger arbitrary requests to intranet servers, read or overwrite arbitrary files by using a redirect to a file: URL, or execute arbitrary commands by using a redirect to an scp: URL. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0037 to this issue. Please see http://kb.vmware.com/kb/1011782 for details.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 52011
    published: 2011-02-17
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/52011
    title: VMSA-2009-0009 : ESX Service Console updates for udev, sudo, and curl
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2009-111-01.NASL
    description: New udev packages are available for Slackware 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix security issues. The udev packages in Slackware 10.2, 11.0, 12.0, 12.1, 12.2, and -current contained a local root hole vulnerability: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185 The udev packages in Slackware 12.0, 12.1, 12.2, and -current had an integer overflow which could result in a denial of service: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1186 Note that udev is only used with 2.6 kernels, which are not used by default with Slackware 10.2 and 11.0.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36186
    published: 2009-04-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36186
    title: Slackware 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / current : udev (SSA:2009-111-01)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2009-0427.NASL
    description: Updated udev packages that fix one security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. udev provides a user-space API and implements a dynamic device directory, providing only the devices present on the system. udev replaces devfs in order to provide greater hot plug functionality. Netlink is a datagram oriented service, used to transfer information between kernel modules and user-space processes. It was discovered that udev did not properly check the origin of Netlink messages. A local attacker could use this flaw to gain root privileges via a crafted Netlink message sent to udev, causing it to create a world-writable block device file for an existing system block device (for example, the root file system). (CVE-2009-1185) Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for responsibly reporting this flaw. Users of udev are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the udevd daemon will be restarted automatically.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43742
    published: 2010-01-06
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/43742
    title: CentOS 5 : udev (CESA-2009:0427)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2009-3711.NASL
    description: udev provides a user-space API and implements a dynamic device directory, providing only the devices present on the system. udev replaces devfs in order to provide greater hot plug functionality. Netlink is a datagram oriented service, used to transfer information between kernel modules and user-space processes. It was discovered that udev did not properly check the origin of Netlink messages. A local attacker could use this flaw to gain root privileges via a crafted Netlink message sent to udev, causing it to create a world-writable block device file for an existing system block device (for example, the root file system). (CVE-2009-1185) An integer overflow flaw, potentially leading to a heap-based buffer overflow, was found in one of the utilities providing functionality of the udev device information interface. An attacker could use this flaw to cause a denial of service, or possibly to execute arbitrary code, by providing specially crafted arguments as input to this utility. (CVE-2009-1186) Thanks to Sebastian Krahmer of the SUSE Security Team for responsibly reporting this flaw. Users of udev are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the udevd daemon will be restarted automatically. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36703
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36703
    title: Fedora 10 : udev-127-5.fc10 (2009-3711)

Oval

  • accepted: 2013-04-29T04:10:00.557-04:00
    class: vulnerability
    contributors:
    • name: Aharon Chernin
      organization: SCAP.com, LLC
    • name: Dragos Prisaca
      organization: G2, Inc.
    definition_extensions:
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
      oval: oval:org.mitre.oval:def:11414
    • comment: The operating system installed on the system is CentOS Linux 5.x
      oval: oval:org.mitre.oval:def:15802
    • comment: Oracle Linux 5.x
      oval: oval:org.mitre.oval:def:15459
    description: udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
    family: unix
    id: oval:org.mitre.oval:def:10925
    status: accepted
    submitted: 2010-07-09T03:56:16-04:00
    title: udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
    version: 18
  • accepted: 2014-01-20T04:01:22.370-05:00
    class: vulnerability
    contributors:
    • name: Michael Wood
      organization: Hewlett-Packard
    • name: J. Daniel Brown
      organization: DTCC
    • name: Chris Coffin
      organization: The MITRE Corporation
    definition_extensions:
    • comment: VMware ESX Server 4.0 is installed
      oval: oval:org.mitre.oval:def:6293
    description: udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.
    family: unix
    id: oval:org.mitre.oval:def:5975
    status: accepted
    submitted: 2009-09-22T15:10:44.000-05:00
    title: udev Netlink Message Validation Local Privilege Escalation Vulnerability
    version: 10

Packetstorm

Redhat

advisories
bugzilla
id: 495051
title: CVE-2009-1185 udev: Uncheck origin of NETLINK messages
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 5 is installed
      oval: oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment: libvolume_id is earlier than 0:095-14.20.el5_3
          oval: oval:com.redhat.rhsa:tst:20090427001
        • comment: libvolume_id is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20090427002
      • AND
        • comment: udev is earlier than 0:095-14.20.el5_3
          oval: oval:com.redhat.rhsa:tst:20090427003
        • comment: udev is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20090427004
      • AND
        • comment: libvolume_id-devel is earlier than 0:095-14.20.el5_3
          oval: oval:com.redhat.rhsa:tst:20090427005
        • comment: libvolume_id-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20090427006
rhsa
id: RHSA-2009:0427
released: 2009-04-16
severity: Important
title: RHSA-2009:0427: udev security update (Important)
rpms
  • libvolume_id-0:095-14.20.el5_3
  • libvolume_id-devel-0:095-14.20.el5_3
  • udev-0:095-14.20.el5_3
  • udev-debuginfo-0:095-14.20.el5_3

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:11156
    last seen: 2017-11-19
    modified: 2009-05-01
    published: 2009-05-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-11156
    title: Linux Kernel 2.6 UDEV < 141 Local Privilege Escalation Exploit
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:66499
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-66499
    title: Linux Kernel 2.6 UDEV < 141 - Local Privilege Escalation Exploit

Statements

contributor: Tomas Hoger
lastmodified: 2009-04-20
organization: Red Hat
statement: This issue has been fixed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2009-0427.html. udev packages as shipped in Red Hat Enterprise Linux 4 were not affected by this flaw, as they do not use netlink sockets for communication. udev is not shipped in Red Hat Enterprise Linux 2.1 and 3.

References