ID CVE-2003-0985
Summary The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
References
Vulnerable Configurations
  • Linux Kernel 2.4.0
    cpe:2.3:o:linux:linux_kernel:2.4.0
  • Linux Kernel 2.4.0 test1
    cpe:2.3:o:linux:linux_kernel:2.4.0:test1
  • Linux Kernel 2.4.0 test10
    cpe:2.3:o:linux:linux_kernel:2.4.0:test10
  • Linux Kernel 2.4.0 test11
    cpe:2.3:o:linux:linux_kernel:2.4.0:test11
  • Linux Kernel 2.4.0 test12
    cpe:2.3:o:linux:linux_kernel:2.4.0:test12
  • Linux Kernel 2.4.0 test2
    cpe:2.3:o:linux:linux_kernel:2.4.0:test2
  • Linux Kernel 2.4.0 test3
    cpe:2.3:o:linux:linux_kernel:2.4.0:test3
  • Linux Kernel 2.4.0 test4
    cpe:2.3:o:linux:linux_kernel:2.4.0:test4
  • Linux Kernel 2.4.0 test5
    cpe:2.3:o:linux:linux_kernel:2.4.0:test5
  • Linux Kernel 2.4.0 test6
    cpe:2.3:o:linux:linux_kernel:2.4.0:test6
  • Linux Kernel 2.4.0 test7
    cpe:2.3:o:linux:linux_kernel:2.4.0:test7
  • Linux Kernel 2.4.0 test8
    cpe:2.3:o:linux:linux_kernel:2.4.0:test8
  • Linux Kernel 2.4.0 test9
    cpe:2.3:o:linux:linux_kernel:2.4.0:test9
  • Linux Kernel 2.4.1
    cpe:2.3:o:linux:linux_kernel:2.4.1
  • Linux Kernel 2.4.2
    cpe:2.3:o:linux:linux_kernel:2.4.2
  • Linux Kernel 2.4.3
    cpe:2.3:o:linux:linux_kernel:2.4.3
  • Linux Kernel 2.4.4
    cpe:2.3:o:linux:linux_kernel:2.4.4
  • Linux Kernel 2.4.5
    cpe:2.3:o:linux:linux_kernel:2.4.5
  • Linux Kernel 2.4.6
    cpe:2.3:o:linux:linux_kernel:2.4.6
  • Linux Kernel 2.4.7
    cpe:2.3:o:linux:linux_kernel:2.4.7
  • Linux Kernel 2.4.8
    cpe:2.3:o:linux:linux_kernel:2.4.8
  • Linux Kernel 2.4.9
    cpe:2.3:o:linux:linux_kernel:2.4.9
  • Linux Kernel 2.4.10
    cpe:2.3:o:linux:linux_kernel:2.4.10
  • Linux Kernel 2.4.11
    cpe:2.3:o:linux:linux_kernel:2.4.11
  • Linux Kernel 2.4.12
    cpe:2.3:o:linux:linux_kernel:2.4.12
  • Linux Kernel 2.4.13
    cpe:2.3:o:linux:linux_kernel:2.4.13
  • Linux Kernel 2.4.14
    cpe:2.3:o:linux:linux_kernel:2.4.14
  • Linux Kernel 2.4.15
    cpe:2.3:o:linux:linux_kernel:2.4.15
  • Linux Kernel 2.4.16
    cpe:2.3:o:linux:linux_kernel:2.4.16
  • Linux Kernel 2.4.17
    cpe:2.3:o:linux:linux_kernel:2.4.17
  • Linux Kernel 2.4.18
    cpe:2.3:o:linux:linux_kernel:2.4.18
  • Linux Kernel 2.4.18 x86
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:x86
  • Linux Kernel 2.4.18 pre1
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre1
  • Linux Kernel 2.4.18 pre2
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre2
  • Linux Kernel 2.4.18 pre3
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre3
  • Linux Kernel 2.4.18 pre4
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre4
  • Linux Kernel 2.4.18 pre5
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre5
  • Linux Kernel 2.4.18 pre6
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre6
  • Linux Kernel 2.4.18 pre7
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre7
  • Linux Kernel 2.4.18 pre8
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre8
  • Linux Kernel 2.4.19
    cpe:2.3:o:linux:linux_kernel:2.4.19
  • Linux Kernel 2.4.19 pre1
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre1
  • Linux Kernel 2.4.19 pre2
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre2
  • Linux Kernel 2.4.19 pre3
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre3
  • Linux Kernel 2.4.19 pre4
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre4
  • Linux Kernel 2.4.19 pre5
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre5
  • Linux Kernel 2.4.19 pre6
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre6
  • Linux Kernel 2.4.20
    cpe:2.3:o:linux:linux_kernel:2.4.20
  • Linux Kernel 2.4.21
    cpe:2.3:o:linux:linux_kernel:2.4.21
  • Linux Kernel 2.4.21 pre1
    cpe:2.3:o:linux:linux_kernel:2.4.21:pre1
  • Linux Kernel 2.4.21 pre4
    cpe:2.3:o:linux:linux_kernel:2.4.21:pre4
  • Linux Kernel 2.4.21 pre7
    cpe:2.3:o:linux:linux_kernel:2.4.21:pre7
  • Linux Kernel 2.4.22
    cpe:2.3:o:linux:linux_kernel:2.4.22
  • Linux Kernel 2.4.23
    cpe:2.3:o:linux:linux_kernel:2.4.23
CVSS
Base: 7.2 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  • Vector: LOCAL
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
exploit-db via4
  • description Linux Kernel "do_mremap" Local Proof of Concept. CVE-2003-0985. Local exploit for linux platform
    id EDB-ID:141
    last seen 2016-01-31
    modified 2004-01-06
    published 2004-01-06
    reporter Christophe Devine
    source https://www.exploit-db.com/download/141/
    title Linux Kernel <= 2.4.23 / <= 2.6.0 - "do_mremap" Local Proof of Concept 1
  • description Linux Kernel "do_mremap" Local Proof of Concept II. CVE-2003-0985. Local exploit for linux platform
    id EDB-ID:142
    last seen 2016-01-31
    modified 2004-01-07
    published 2004-01-07
    reporter Christophe Devine
    source https://www.exploit-db.com/download/142/
    title Linux Kernel <= 2.4.23 / <= 2.6.0 - "do_mremap" Local Proof of Concept 2
  • description Linux Kernel 2.4.x mremap() bound checking Root Exploit. CVE-2003-0985. Local exploit for linux platform
    id EDB-ID:145
    last seen 2016-01-31
    modified 2004-01-15
    published 2004-01-15
    reporter Paul Starzetz
    source https://www.exploit-db.com/download/145/
    title Linux Kernel <= 2.4.23 / <= 2.6.0 - mremap Bound Checking Root Exploit
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2003-046.NASL
    description Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel versions 2.4.23 and previous which may allow a local attacker to gain root privileges. No exploit is currently available; however, it is believed that this issue is exploitable (although not trivially). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0985 to this issue. All users are advised to upgrade to these errata packages, which contain a backported security patch that corrects this issue. Red Hat would like to thank Paul Starzetz from ISEC for disclosing this issue as well as Andrea Arcangeli and Solar Designer for working on the patch. These packages also contain a fix for a minor information leak in the real time clock (rtc) routines. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0984 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 13669
    published 2004-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13669
    title Fedora Core 1 : kernel-2.4.22-1.2138.nptl (2003-046)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-001.NASL
    description A flaw in bounds checking in mremap() in the Linux kernel versions 2.4.23 and previous was discovered by Paul Starzetz. This flaw may be used to allow a local attacker to obtain root privilege. Another minor information leak in the RTC (real time clock) routines was fixed as well. All Mandrake Linux users are encouraged to upgrade to these packages immediately. To update your kernel, please follow the directions located at: http://www.mandrakesecure.net/en/kernelupdate.php Mandrake Linux 9.1 and 9.2 users should upgrade the initscripts (9.1) and bootloader-utils (9.2) packages prior to upgrading the kernel, as they contain a fixed installkernel script that fixes instances where the loop module was not being loaded and would cause mkinitrd to fail. Users requiring commercial NVIDIA drivers can find drivers for Mandrake Linux 9.2 at MandrakeClub.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14101
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14101
    title Mandrake Linux Security Advisory : kernel (MDKSA-2004:001)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-417.NASL
    description Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Andrew Morton discovered a missing boundary check for the brk system call which can be used to craft a local root exploit.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15254
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15254
    title Debian DSA-417-1 : linux-kernel-2.4.18-powerpc+alpha - missing boundary check
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-423.NASL
    description The IA-64 maintainers fixed several security related bugs in the Linux kernel 2.4.17 used for the IA-64 architecture, mostly by backporting fixes from 2.4.18. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project: - CAN-2003-0001 : Multiple ethernet network interface card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. - CAN-2003-0018 : Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption. - CAN-2003-0127 : The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process which is spawned by the kernel. - CAN-2003-0461 : The virtual file /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. - CAN-2003-0462 : A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash). - CAN-2003-0476 : The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors. - CAN-2003-0501 : The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries. - CAN-2003-0550 : The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology. - CAN-2003-0551 : The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service. - CAN-2003-0552 : Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target. - CAN-2003-0961 : An integer overflow in brk system call (do_brk function) for Linux kernel 2.4.22 and earlier allows local users to gain root privileges. - CAN-2003-0985 : The mremap system call (do_mremap) in Linux kernel 2.4 and 2.6 does not properly perform boundary checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15260
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15260
    title Debian DSA-423-1 : linux-kernel-2.4.17-ia64 - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-450.NASL
    description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the mips kernel 2.4.19 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing function return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15287
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15287
    title Debian DSA-450-1 : linux-kernel-2.4.19-mips - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2003-416.NASL
    description Updated kernel packages are now available that fix a security vulnerability which may allow local users to gain root privileges. The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel versions 2.4.23 and previous which may allow a local attacker to gain root privileges. No exploit is currently available; however, it is believed that this issue is exploitable (although not trivially). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0985 to this issue. All users of Red Hat Enterprise Linux 3 are advised to upgrade to these errata packages, which contain a backported security patch that corrects this issue. Red Hat would like to thank Paul Starzetz from ISEC for disclosing this issue as well as Andrea Arcangeli and Solar Designer for working on the patch.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 12443
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12443
    title RHEL 3 : kernel (RHSA-2003:416)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-440.NASL
    description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PowerPC/Apus kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing function return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15277
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15277
    title Debian DSA-440-1 : linux-kernel-2.4.17-powerpc-apus - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2003-419.NASL
    description Updated kernel packages are now available that fix a security vulnerability which may allow local users to gain root privileges. The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel versions 2.4.23 and previous which may allow a local attacker to gain root privileges. No exploit is currently available; however, it is believed that this issue is exploitable (although not trivially). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0985 to this issue. All users are advised to upgrade to these errata packages, which contain a backported security patch that corrects this issue. Red Hat would like to thank Paul Starzetz from ISEC for disclosing this issue as well as Andrea Arcangeli and Solar Designer for working on the patch.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12444
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12444
    title RHEL 2.1 : kernel (RHSA-2003:419)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2004-008-01.NASL
    description New kernels are available for Slackware 8.1 containing a backported fix from a bounds-checking problem in the kernel's mremap() call which could be used by a local attacker to gain root privileges. This fix was previously issued for Slackware 9.0, 9.1, and -current (SSA:2004-006-01). Sites running Slackware 8.1 should upgrade to the new kernel. After installing the new kernel, be sure to run 'lilo'.
    last seen 2019-02-21
    modified 2013-06-01
    plugin id 18786
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18786
    title Slackware 8.1 : Slackware 8.1 kernel security update (SSA:2004-008-01)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-413.NASL
    description Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug, since it doesn't support the MREMAP_FIXED flag (as clarified later).
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15250
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15250
    title Debian DSA-413-2 : linux-kernel-2.4.18 - missing boundary check
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-439.NASL
    description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the ARM kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing function return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15276
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15276
    title Debian DSA-439-1 : linux-kernel-2.4.16-arm - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-475.NASL
    description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PA-RISC kernel 2.4.18 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing function return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3. Please note that the source package has to include a lot of updates in order to compile the package, which wasn't possible with the old source package.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15312
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15312
    title Debian DSA-475-1 : linux-kernel-2.4.18-hppa - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-442.NASL
    description Several security related problems have been fixed in the Linux kernel 2.4.17 used for the S/390 architecture, mostly by backporting fixes from 2.4.18 and incorporating recent security fixes. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project: - CVE-2002-0429 : The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall). - CAN-2003-0001 : Multiple ethernet network interface card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. - CAN-2003-0244 : The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain. - CAN-2003-0246 : The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports. - CAN-2003-0247 : A vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ('kernel oops'). - CAN-2003-0248 : The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address. - CAN-2003-0364 : The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions. - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing function return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15279
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15279
    title Debian DSA-442-1 : linux-kernel-2.4.17-s390 - several vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2004-006-01.NASL
    description New kernels are available for Slackware 9.0, 9.1 and -current. The 9.1 and -current kernels have been upgraded to 2.4.24, and a fix has been backported to the 2.4.21 kernels in Slackware 9.0 to fix a bounds-checking problem in the kernel's mremap() call which could be used by a local attacker to gain root privileges. Sites should upgrade to the 2.4.24 kernel and kernel modules. After installing the new kernel, be sure to run 'lilo'.
    last seen 2019-02-21
    modified 2013-06-01
    plugin id 18795
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18795
    title Slackware 9.0 / 9.1 / current : Kernel security update (SSA:2004-006-01)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-470.NASL
    description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the hppa kernel 2.4.17 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing function return value check of internal functions, a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15307
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15307
    title Debian DSA-470-1 : linux-kernel-2.4.17-hppa - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-427.NASL
    description Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15264
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15264
    title Debian DSA-427-1 : linux-kernel-2.4.17-mips+mipsel - missing boundary check
oval via4
  • accepted 2007-04-25T19:53:02.810-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    • name Matt Busby
      organization The MITRE Corporation
    • name Thomas R. Jones
      organization Maitreya Security
    description The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
    family unix
    id oval:org.mitre.oval:def:860
    status accepted
    submitted 2004-03-20T12:00:00.000-04:00
    title Red Hat Linux Kernel do_mremap Denial of Service Vulnerability
    version 36
  • accepted 2007-04-25T19:53:04.347-04:00
    class vulnerability
    contributors
    • name Matt Busby
      organization The MITRE Corporation
    • name Matt Busby
      organization The MITRE Corporation
    • name Thomas R. Jones
      organization Maitreya Security
    description The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
    family unix
    id oval:org.mitre.oval:def:867
    status accepted
    submitted 2004-03-20T12:00:00.000-04:00
    title Red Hat Enterprise 3 Linux Kernel do_mremap Denial of Service Vulnerability
    version 35
redhat via4
advisories
  • rhsa
    id RHSA-2003:416
  • rhsa
    id RHSA-2003:417
  • rhsa
    id RHSA-2003:418
  • rhsa
    id RHSA-2003:419
refmap via4
bid 9356
bugtraq
  • 20040105 Linux kernel do_mremap() proof-of-concept exploit code
  • 20040105 Linux kernel mremap vulnerability
  • 20040106 Linux mremap bug correction
  • 20040107 [slackware-security] Kernel security update (SSA:2004-006-01)
  • 20040108 [slackware-security] Slackware 8.1 kernel security update (SSA:2004-008-01)
  • 20040112 SmoothWall Project Security Advisory SWP-2004:001
cert-vn VU#490620
ciac O-045
conectiva CLA-2004:799
confirm
debian
  • DSA-1067
  • DSA-1069
  • DSA-1070
  • DSA-1082
  • DSA-413
  • DSA-417
  • DSA-423
  • DSA-427
  • DSA-439
  • DSA-440
  • DSA-442
  • DSA-450
  • DSA-470
  • DSA-475
engarde ESA-20040105-001
immunix IMNX-2004-73-001-01
mandrake MDKSA-2004:001
misc http://isec.pl/vulnerabilities/isec-0013-mremap.txt
mlist [linux-kernel] 20040105 linux-2.4.24 released
osvdb 3315
secunia
  • 10532
  • 20163
  • 20202
  • 20338
sgi 20040102-01-U
suse
  • SuSE-SA:2004:001
  • SuSE-SA:2004:003
trustix 2004-0001
xf linux-domremap-gain-privileges(14135)
Last major update 17-10-2016 - 22:38
Published 20-01-2004 - 00:00
Last modified 02-05-2018 - 21:29