ID CVE-2004-0077
Summary The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:bigmem_kernel:2.4.20-8:-:i686
    cpe:2.3:a:redhat:bigmem_kernel:2.4.20-8:-:i686
  • cpe:2.3:a:redhat:kernel:2.4.20-8:-:athlon_smp
    cpe:2.3:a:redhat:kernel:2.4.20-8:-:athlon_smp
  • cpe:2.3:a:redhat:kernel:2.4.20-8:-:i386
    cpe:2.3:a:redhat:kernel:2.4.20-8:-:i386
  • cpe:2.3:a:redhat:kernel:2.4.20-8:-:i686_smp
    cpe:2.3:a:redhat:kernel:2.4.20-8:-:i686_smp
  • cpe:2.3:a:redhat:kernel_doc:2.4.20-8:-:i386
    cpe:2.3:a:redhat:kernel_doc:2.4.20-8:-:i386
  • cpe:2.3:a:redhat:kernel_source:2.4.20-8:-:i386_src
    cpe:2.3:a:redhat:kernel_source:2.4.20-8:-:i386_src
  • Linux Kernel 2.2
    cpe:2.3:o:linux:linux_kernel:2.2.0
  • Linux Kernel 2.2.1
    cpe:2.3:o:linux:linux_kernel:2.2.1
  • Linux Kernel 2.2.2
    cpe:2.3:o:linux:linux_kernel:2.2.2
  • Linux Kernel 2.2.3
    cpe:2.3:o:linux:linux_kernel:2.2.3
  • Linux Kernel 2.2.4
    cpe:2.3:o:linux:linux_kernel:2.2.4
  • Linux Kernel 2.2.5
    cpe:2.3:o:linux:linux_kernel:2.2.5
  • Linux Kernel 2.2.6
    cpe:2.3:o:linux:linux_kernel:2.2.6
  • Linux Kernel 2.2.7
    cpe:2.3:o:linux:linux_kernel:2.2.7
  • Linux Kernel 2.2.8
    cpe:2.3:o:linux:linux_kernel:2.2.8
  • Linux Kernel 2.2.9
    cpe:2.3:o:linux:linux_kernel:2.2.9
  • Linux Kernel 2.2.10
    cpe:2.3:o:linux:linux_kernel:2.2.10
  • Linux Kernel 2.2.11
    cpe:2.3:o:linux:linux_kernel:2.2.11
  • Linux Kernel 2.2.12
    cpe:2.3:o:linux:linux_kernel:2.2.12
  • Linux Kernel 2.2.13
    cpe:2.3:o:linux:linux_kernel:2.2.13
  • Linux Kernel 2.2.14
    cpe:2.3:o:linux:linux_kernel:2.2.14
  • Linux Kernel 2.2.15
    cpe:2.3:o:linux:linux_kernel:2.2.15
  • Linux Kernel 2.2.15 pre16
    cpe:2.3:o:linux:linux_kernel:2.2.15:pre16
  • cpe:2.3:o:linux:linux_kernel:2.2.15_pre20
    cpe:2.3:o:linux:linux_kernel:2.2.15_pre20
  • Linux Kernel 2.2.16
    cpe:2.3:o:linux:linux_kernel:2.2.16
  • Linux Kernel 2.2.16 pre6
    cpe:2.3:o:linux:linux_kernel:2.2.16:pre6
  • Linux Kernel 2.2.17
    cpe:2.3:o:linux:linux_kernel:2.2.17
  • Linux Kernel 2.2.18
    cpe:2.3:o:linux:linux_kernel:2.2.18
  • Linux Kernel 2.2.19
    cpe:2.3:o:linux:linux_kernel:2.2.19
  • Linux Kernel 2.2.20
    cpe:2.3:o:linux:linux_kernel:2.2.20
  • Linux Kernel 2.2.21
    cpe:2.3:o:linux:linux_kernel:2.2.21
  • Linux Kernel 2.2.22
    cpe:2.3:o:linux:linux_kernel:2.2.22
  • Linux Kernel 2.2.23
    cpe:2.3:o:linux:linux_kernel:2.2.23
  • Linux Kernel 2.2.24
    cpe:2.3:o:linux:linux_kernel:2.2.24
  • Linux Kernel 2.4.0
    cpe:2.3:o:linux:linux_kernel:2.4.0
  • Linux Kernel 2.4.0 test1
    cpe:2.3:o:linux:linux_kernel:2.4.0:test1
  • Linux Kernel 2.4.0 test10
    cpe:2.3:o:linux:linux_kernel:2.4.0:test10
  • Linux Kernel 2.4.0 test11
    cpe:2.3:o:linux:linux_kernel:2.4.0:test11
  • Linux Kernel 2.4.0 test12
    cpe:2.3:o:linux:linux_kernel:2.4.0:test12
  • Linux Kernel 2.4.0 test2
    cpe:2.3:o:linux:linux_kernel:2.4.0:test2
  • Linux Kernel 2.4.0 test3
    cpe:2.3:o:linux:linux_kernel:2.4.0:test3
  • Linux Kernel 2.4.0 test4
    cpe:2.3:o:linux:linux_kernel:2.4.0:test4
  • Linux Kernel 2.4.0 test5
    cpe:2.3:o:linux:linux_kernel:2.4.0:test5
  • Linux Kernel 2.4.0 test6
    cpe:2.3:o:linux:linux_kernel:2.4.0:test6
  • Linux Kernel 2.4.0 test7
    cpe:2.3:o:linux:linux_kernel:2.4.0:test7
  • Linux Kernel 2.4.0 test8
    cpe:2.3:o:linux:linux_kernel:2.4.0:test8
  • Linux Kernel 2.4.0 test9
    cpe:2.3:o:linux:linux_kernel:2.4.0:test9
  • Linux Kernel 2.4.1
    cpe:2.3:o:linux:linux_kernel:2.4.1
  • Linux Kernel 2.4.2
    cpe:2.3:o:linux:linux_kernel:2.4.2
  • Linux Kernel 2.4.3
    cpe:2.3:o:linux:linux_kernel:2.4.3
  • Linux Kernel 2.4.4
    cpe:2.3:o:linux:linux_kernel:2.4.4
  • Linux Kernel 2.4.5
    cpe:2.3:o:linux:linux_kernel:2.4.5
  • Linux Kernel 2.4.6
    cpe:2.3:o:linux:linux_kernel:2.4.6
  • Linux Kernel 2.4.7
    cpe:2.3:o:linux:linux_kernel:2.4.7
  • Linux Kernel 2.4.8
    cpe:2.3:o:linux:linux_kernel:2.4.8
  • Linux Kernel 2.4.9
    cpe:2.3:o:linux:linux_kernel:2.4.9
  • Linux Kernel 2.4.10
    cpe:2.3:o:linux:linux_kernel:2.4.10
  • Linux Kernel 2.4.11
    cpe:2.3:o:linux:linux_kernel:2.4.11
  • Linux Kernel 2.4.12
    cpe:2.3:o:linux:linux_kernel:2.4.12
  • Linux Kernel 2.4.13
    cpe:2.3:o:linux:linux_kernel:2.4.13
  • Linux Kernel 2.4.14
    cpe:2.3:o:linux:linux_kernel:2.4.14
  • Linux Kernel 2.4.15
    cpe:2.3:o:linux:linux_kernel:2.4.15
  • Linux Kernel 2.4.16
    cpe:2.3:o:linux:linux_kernel:2.4.16
  • Linux Kernel 2.4.17
    cpe:2.3:o:linux:linux_kernel:2.4.17
  • Linux Kernel 2.4.18
    cpe:2.3:o:linux:linux_kernel:2.4.18
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:x86
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:x86
  • Linux Kernel 2.4.18 pre1
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre1
  • Linux Kernel 2.4.18 pre2
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre2
  • Linux Kernel 2.4.18 pre3
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre3
  • Linux Kernel 2.4.18 pre4
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre4
  • Linux Kernel 2.4.18 pre5
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre5
  • Linux Kernel 2.4.18 pre6
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre6
  • Linux Kernel 2.4.18 pre7
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre7
  • Linux Kernel 2.4.18 pre8
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre8
  • Linux Kernel 2.4.19
    cpe:2.3:o:linux:linux_kernel:2.4.19
  • Linux Kernel 2.4.19 pre1
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre1
  • Linux Kernel 2.4.19 pre2
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre2
  • Linux Kernel 2.4.19 pre3
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre3
  • Linux Kernel 2.4.19 pre4
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre4
  • Linux Kernel 2.4.19 pre5
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre5
  • Linux Kernel 2.4.19 pre6
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre6
  • Linux Kernel 2.4.20
    cpe:2.3:o:linux:linux_kernel:2.4.20
  • Linux Kernel 2.4.21
    cpe:2.3:o:linux:linux_kernel:2.4.21
  • Linux Kernel 2.4.21 pre1
    cpe:2.3:o:linux:linux_kernel:2.4.21:pre1
  • Linux Kernel 2.4.21 pre4
    cpe:2.3:o:linux:linux_kernel:2.4.21:pre4
  • Linux Kernel 2.4.21 pre7
    cpe:2.3:o:linux:linux_kernel:2.4.21:pre7
  • Linux Kernel 2.4.22
    cpe:2.3:o:linux:linux_kernel:2.4.22
  • Linux Kernel 2.4.23
    cpe:2.3:o:linux:linux_kernel:2.4.23
  • Linux Kernel 2.4.23 pre9
    cpe:2.3:o:linux:linux_kernel:2.4.23:pre9
  • Linux Kernel 2.4.24
    cpe:2.3:o:linux:linux_kernel:2.4.24
  • Linux Kernel 2.6.0
    cpe:2.3:o:linux:linux_kernel:2.6.0
  • Linux Kernel 2.6 test1
    cpe:2.3:o:linux:linux_kernel:2.6.0:test1
  • Linux Kernel 2.6 test10
    cpe:2.3:o:linux:linux_kernel:2.6.0:test10
  • Linux Kernel 2.6 test11
    cpe:2.3:o:linux:linux_kernel:2.6.0:test11
  • Linux Kernel 2.6 test2
    cpe:2.3:o:linux:linux_kernel:2.6.0:test2
  • Linux Kernel 2.6 test3
    cpe:2.3:o:linux:linux_kernel:2.6.0:test3
  • Linux Kernel 2.6 test4
    cpe:2.3:o:linux:linux_kernel:2.6.0:test4
  • Linux Kernel 2.6 test5
    cpe:2.3:o:linux:linux_kernel:2.6.0:test5
  • Linux Kernel 2.6 test6
    cpe:2.3:o:linux:linux_kernel:2.6.0:test6
  • Linux Kernel 2.6 test7
    cpe:2.3:o:linux:linux_kernel:2.6.0:test7
  • Linux Kernel 2.6 test8
    cpe:2.3:o:linux:linux_kernel:2.6.0:test8
  • Linux Kernel 2.6 test9
    cpe:2.3:o:linux:linux_kernel:2.6.0:test9
  • Linux Kernel 2.6.1 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.1:rc1
  • Linux Kernel 2.6.1 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.1:rc2
  • Linux Kernel 2.6.2
    cpe:2.3:o:linux:linux_kernel:2.6.2
  • cpe:2.3:o:linux:linux_kernel:2.6_test9_cvs
    cpe:2.3:o:linux:linux_kernel:2.6_test9_cvs
  • cpe:2.3:o:netwosix:netwosix_linux:1.0
    cpe:2.3:o:netwosix:netwosix_linux:1.0
  • Trustix Secure Linux 1.5
    cpe:2.3:o:trustix:secure_linux:1.5
  • Trustix Secure Linux 2.0
    cpe:2.3:o:trustix:secure_linux:2.0
  • cpe:2.3:a:redhat:kernel:2.4.20-8:-:athlon
    cpe:2.3:a:redhat:kernel:2.4.20-8:-:athlon
  • cpe:2.3:a:redhat:kernel:2.4.20-8:-:i686
    cpe:2.3:a:redhat:kernel:2.4.20-8:-:i686
CVSS
Base: 7.2 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access    Vector: LOCAL    Complexity: LOW    Authentication: NONE
Impact    Confidentiality: COMPLETE    Integrity: COMPLETE    Availability: COMPLETE
exploit-db via4
  • description Linux Kernel "mremap()"#2 Local Proof-of-concept. CVE-2004-0077. Local exploit for linux platform
    id EDB-ID:154
    last seen 2016-01-31
    modified 2004-02-18
    published 2004-02-18
    reporter Christophe Devine
    source https://www.exploit-db.com/download/154/
    title Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - "mremap" Local Proof-of-Concept 2
  • description Linux Kernel 2.x mremap missing do_munmap Exploit. CVE-2004-0077. Local exploit for linux platform
    id EDB-ID:160
    last seen 2016-01-31
    modified 2004-03-01
    published 2004-03-01
    reporter Paul Starzetz
    source https://www.exploit-db.com/download/160/
    title Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - "mremap" Missing "do_munmap" Exploit
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-069.NASL
    description Updated kernel packages that fix a security vulnerability which may allow local users to gain root privileges are now available. [Updated 5 March 2004] Added kernel-headers packages. The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0077 to this issue. Arjan van de Ven discovered a flaw in ncp_lookup() in ncpfs that could allow local privilege escalation. ncpfs is only used to allow a system to mount volumes of NetWare servers or print to NetWare printers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0010 to this issue. All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues. Red Hat would like to thank Paul Starzetz from ISEC for reporting this issue CVE-2004-0077.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12469
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12469
    title RHEL 2.1 : kernel (RHSA-2004:069)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200403-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-200403-02 (Linux kernel do_mremap local privilege escalation vulnerability) The memory subsystem allows for shrinking, growing, and moving of chunks of memory along any of the allocated memory areas which the kernel possesses. To accomplish this, the do_mremap code calls the do_munmap() kernel function to remove any old memory mappings in the new location - but, the code doesn't check the return value of the do_munmap() function which may fail if the maximum number of available virtual memory area descriptors has been exceeded. Due to the missing return value check after trying to unmap the middle of the first memory area, the corresponding page table entries from the second new area are inserted into the page table locations described by the first old one, thus they are subject to page protection flags of the first area. As a result, arbitrary code can be executed. Impact : Arbitrary code with normal non-super-user privileges may be able to exploit this vulnerability and may disrupt the operation of other parts of the kernel memory management subroutines finally leading to unexpected behavior. Since no special privileges are required to use the mremap() and munmap() system calls any process may misuse this unexpected behavior to disrupt the kernel memory management subsystem. Proper exploitation of this vulnerability may lead to local privilege escalation allowing for the execution of arbitrary code with kernel level root access. Proof-of-concept exploit code has been created and successfully tested, permitting root escalation on vulnerable systems. As a result, all users should upgrade their kernels to new or patched versions. Workaround : Users who are unable to upgrade their kernels may attempt to use 'sysctl -w vm.max_map_count=1000000', however, this is a temporary fix which only solves the problem by increasing the number of memory areas that can be created by each process. Because of the static nature of this workaround, it is not recommended and users are urged to upgrade their systems to the latest available patched sources.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 14453
    published 2004-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14453
    title GLSA-200403-02 : Linux kernel do_mremap local privilege escalation vulnerability
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-015.NASL
    description Paul Starzetz discovered a flaw in return value checking in the mremap() function in the Linux kernel, versions 2.4.24 and previous that could allow a local user to obtain root privileges. A vulnerability was found in the R128 DRI driver by Alan Cox. This could allow local privilege escalation. A flaw in the ncp_lookup() function in the ncpfs code (which is used to mount NetWare volumes or print to NetWare printers) was found by Arjan van de Ven that could allow local privilege escalation. The Vicam USB driver in Linux kernel versions prior to 2.4.25 does not use the copy_from_user function to access userspace, which crosses security boundaries. This problem does not affect the Mandrake Linux 9.2 kernel. Additionally, a ptrace hole that only affects the amd64/x86_64 platform has been corrected. The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at : http://www.mandrakesecure.net/en/kernelupdate.php
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14115
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14115
    title Mandrake Linux Security Advisory : kernel (MDKSA-2004:015)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2004-079.NASL
    description Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0077 to this issue. Arjan van de Ven discovered a flaw in ncp_lookup() in ncpfs that could allow local privilege escalation. ncpfs is only used to allow a system to mount volumes of NetWare servers or print to NetWare printers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0010 to this issue. All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues. Red Hat would like to thank Paul Starzetz from ISEC for reporting the issue CVE-2004-0077. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 13679
    published 2004-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13679
    title Fedora Core 1 : kernel-2.4.22-1.2173.nptl (2004-079)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2004-049-01.NASL
    description New kernels are available for Slackware 9.1 and -current to fix a bounds-checking problem in the kernel's mremap() call which could be used by a local attacker to gain root privileges. Please note that this is not the same issue as CAN-2003-0985 which was fixed in early January. The kernels in Slackware 8.1 and 9.0 that were updated in January are not vulnerable to this new issue because the patch from Solar Designer that was used to fix the CAN-2003-0985 bugs also happened to fix the problem that was discovered later. Sites running Slackware 9.1 or -current should upgrade to a new kernel. After installing the new kernel, be sure to run 'lilo'.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 18789
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18789
    title Slackware 9.1 / current : Kernel security update (SSA:2004-049-01)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-066.NASL
    description Updated kernel packages that fix a security vulnerability that may allow local users to gain root privileges are now available. These packages also resolve other minor issues. The Linux kernel handles the basic functions of the operating system. Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0077 to this issue. All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues. Red Hat would like to thank Paul Starzetz from ISEC for reporting this issue. For the IBM S/390 and IBM eServer zSeries architectures, the upstream version of the s390utils package (which fixes a bug in the zipl bootloader) is also included.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 12468
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12468
    title RHEL 3 : kernel (RHSA-2004:066)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-466.NASL
    description Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15303
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15303
    title Debian DSA-466-1 : linux-kernel-2.2.10-powerpc-apus - failing function and TLB flush
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-456.NASL
    description Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15293
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15293
    title Debian DSA-456-1 : linux-kernel-2.2.19-arm - failing function and TLB flush
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SA_2004_005.NASL
    description The remote host is missing the patch for the advisory SuSE-SA:2004:005 (Linux Kernel). Another bug in the Kernel's do_mremap() function, which is unrelated to the bug fixed in SuSE-SA:2004:001, was found by Paul Starzetz. The do_mremap() function of the Linux Kernel is used to manage Virtual Memory Areas (VMAs) which includes moving, removing and resizing of memory areas. To remove old memory areas do_mremap() uses the function do_munmap() without checking the return value. By forcing do_munmap() to return an error the memory management of a process can be tricked into moving page table entries from one VMA to another. The destination VMA may be protected by a different ACL which enables a local attacker to gain write access to previous read-only pages. The result will be local root access to the system. In addition to the bug mentioned above some other bugs were fixed (depending on architecture) that can cause local denial-of-service conditions: - Vicam USB driver: CVE-2004-0075 + denial-of-service due to problem while copying data from user to kernel space - Direct Render Infrastructure: CVE-2004-0003 + denial-of-service due to integer overflow + needs r128 card and console to be exploited - ncpfs/ncp_lookup: CVE-2004-0010 + buffer overflow with the probability to gain root - execve(): + malformed elf binaries can lead to a local denial-of-service attack
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 13823
    published 2004-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13823
    title SuSE-SA:2004:005: Linux Kernel
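Both the GLSA-200403-02 and SuSE-SA:2004:005 descriptions above hinge on one precondition: do_munmap() only returns an error when the process has exhausted its supply of VMA descriptors, i.e. when it is sitting at the vm.max_map_count limit, and any unprivileged process can get there on its own. The program below is an added example written for this page; it is not code from the advisories, the exploit-db entries, or the Linux kernel, and it does not exercise the mremap() bug. It only demonstrates how cheaply a process reaches that limit from user space, which is why the GLSA calls the sysctl workaround temporary. It reads vm.max_map_count from procfs (returning -1 where that file does not exist), then creates single-page anonymous mappings with alternating protections (the kernel merges adjacent anonymous mappings that have identical flags into one VMA, so alternating PROT_NONE/PROT_READ forces a fresh VMA per call) until mmap() fails with ENOMEM. The cap of 300000 attempts and the struct/function names are this example's own choices.

```c
/*
 * Added example for CVE-2004-0077 (not kernel or advisory code): how an
 * unprivileged process reaches the per-process VMA limit (vm.max_map_count),
 * the condition under which the kernel's do_munmap() returned an error that
 * vulnerable do_mremap() ignored. Linux only.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

struct vma_probe {
    long max_map_count;   /* vm.max_map_count, or -1 if /proc is unavailable */
    long created;         /* mappings created before the first mmap() failure */
    int  hit_enomem;      /* 1 if mmap() failed with ENOMEM, 0 otherwise */
};

/* Read vm.max_map_count from procfs; -1 if unreadable (non-Linux, sandbox). */
long read_max_map_count(void)
{
    FILE *f = fopen("/proc/sys/vm/max_map_count", "r");
    long v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/*
 * Create up to `cap` one-page anonymous private mappings, alternating
 * PROT_NONE and PROT_READ so no two neighbours can be merged into one VMA.
 * Neither protection is charged against overcommit, so the expected stop
 * condition is the VMA descriptor limit (or RLIMIT_AS), both reported as
 * ENOMEM. All mappings are released before returning.
 */
struct vma_probe probe_vma_limit(long cap)
{
    struct vma_probe r = { read_max_map_count(), 0, 0 };
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void **maps = calloc((size_t)cap, sizeof(*maps));
    if (maps == NULL)
        return r;

    for (long i = 0; i < cap; i++) {
        int prot = (i & 1) ? PROT_READ : PROT_NONE;
        void *p = mmap(NULL, pagesz, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED) {
            r.hit_enomem = (errno == ENOMEM);
            break;
        }
        maps[i] = p;
        r.created++;
    }
    for (long i = 0; i < r.created; i++)
        munmap(maps[i], pagesz);
    free(maps);
    return r;
}

/*
 * Consistency check used by the test: at least one mapping must succeed, and
 * if we stopped on ENOMEM with a readable sysctl, the number of mappings we
 * created cannot exceed the limit (the process already owns a few VMAs for
 * its stack, heap and libraries, so it is normally slightly below it).
 */
int vma_probe_consistent(long cap)
{
    struct vma_probe r = probe_vma_limit(cap);
    if (r.created <= 0)
        return 0;
    if (r.hit_enomem && r.max_map_count > 0 && r.created > r.max_map_count)
        return 0;
    return 1;
}

int main(void)
{
    struct vma_probe r = probe_vma_limit(300000);
    printf("vm.max_map_count = %ld\n", r.max_map_count);
    printf("mappings created before failure: %ld (ENOMEM: %s)\n",
           r.created, r.hit_enomem ? "yes" : "no");
    return 0;
}
```

On a stock kernel the reported count lands a few dozen below vm.max_map_count (compare with the line count of /proc/self/maps); after `sysctl -w vm.max_map_count=1000000` the same loop simply runs longer before failing, which is the "static nature" of the workaround the Gentoo text warns about. The real fix is the return-value check in the patched kernels (2.4.25 and 2.6.3 upstream, per the Debian advisories below), not a larger limit.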
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-453.NASL
    description Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15290
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15290
    title Debian DSA-453-1 : linux-kernel-2.2.20-i386+m68k+powerpc - failing function and TLB flush
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-514.NASL
    description Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15351
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15351
    title Debian DSA-514-1 : kernel-image-sparc-2.2 - failing function and TLB flush
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-444.NASL
    description Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15281
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15281
    title Debian DSA-444-1 : linux-kernel-2.4.17-ia64 - missing function return value check
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-454.NASL
    description Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15291
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15291
    title Debian DSA-454-1 : linux-kernel-2.2.22-alpha - failing function and TLB flush
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-441.NASL
    description Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15278
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15278
    title Debian DSA-441-1 : linux-kernel-2.4.17-mips+mipsel - missing function return value check
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-450.NASL
    description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the mips kernel 2.4.19 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update : - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15287
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15287
    title Debian DSA-450-1 : linux-kernel-2.4.19-mips - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-438.NASL
    description Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15275
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15275
    title Debian DSA-438-1 : linux-kernel-2.4.18-alpha+i386+powerpc - missing function return value check
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-440.NASL
    description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PowerPC/Apus kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update : - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15277
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15277
    title Debian DSA-440-1 : linux-kernel-2.4.17-powerpc-apus - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-439.NASL
    description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the ARM kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update : - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15276
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15276
    title Debian DSA-439-1 : linux-kernel-2.4.16-arm - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-475.NASL
    description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PA-RISC kernel 2.4.18 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update : - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3. Please note that the source package has to include a lot of updates in order to compile the package, which wasn't possible with the old source package.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15312
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15312
    title Debian DSA-475-1 : linux-kernel-2.4.18-hppa - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-442.NASL
    description Several security related problems have been fixed in the Linux kernel 2.4.17 used for the S/390 architecture, mostly by backporting fixes from 2.4.18 and incorporating recent security fixes. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project : - CVE-2002-0429 : The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall). - CAN-2003-0001 : Multiple ethernet network interface card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. - CAN-2003-0244 : The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain. - CAN-2003-0246 : The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports. - CAN-2003-0247 : A vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ('kernel oops'). - CAN-2003-0248 : The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address. - CAN-2003-0364 : The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions. - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15279
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15279
    title Debian DSA-442-1 : linux-kernel-2.4.17-s390 - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-470.NASL
    description Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the hppa kernel 2.4.17 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update : - CAN-2003-0961 : An integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23. - CAN-2003-0985 : Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24. - CAN-2004-0077 : Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15307
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15307
    title Debian DSA-470-1 : linux-kernel-2.4.17-hppa - several vulnerabilities
oval via4
  • accepted 2007-04-25T19:52:56.836-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    • name Matt Busby
      organization The MITRE Corporation
    • name Thomas R. Jones
      organization Maitreya Security
    description The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.
    family unix
    id oval:org.mitre.oval:def:825
    status accepted
    submitted 2004-03-20T12:00:00.000-04:00
    title Red Hat Enterprise 3 Linux Kernel do_mremap Privilege Escalation Vulnerability
    version 34
  • accepted 2007-04-25T19:52:59.044-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    • name Matt Busby
      organization The MITRE Corporation
    • name Thomas R. Jones
      organization Maitreya Security
    description The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.
    family unix
    id oval:org.mitre.oval:def:837
    status accepted
    submitted 2004-03-20T12:00:00.000-04:00
    title Red Hat Linux Kernel do_mremap Privilege Escalation Vulnerability
    version 36
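The bug class named in the OVAL descriptions above (an internal unmap that can fail once the per-process limit on VMA descriptors is reached, with its return value dropped by the mremap path) can be shown on a toy model. The block below is an added example written for this page; it is not Linux source and not code from isec.pl, Red Hat or MITRE. Every name in it (model_munmap, MAX_MAPS, the four-region sample address space, the 0x3000 destination) is invented for the model. The only behaviour borrowed from the real kernel is that do_munmap refuses with -ENOMEM when splitting a region would exceed the mapping limit; the real do_mremap and do_munmap do much more than this.

```c
/* Added example: toy model of an unchecked do_munmap()-style failure.
 * Not kernel code.  Limit, layout and names are constructed for the demo. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAPS 4                 /* assumed tiny limit, stands in for max_map_count */
#define CAPACITY (MAX_MAPS + 2)    /* spare slots so an overlap can be recorded */

struct vma { unsigned long start, end; };   /* covers [start, end) */

struct mm {
    struct vma maps[CAPACITY];
    int count;
};

static int add_map(struct mm *mm, unsigned long start, unsigned long end)
{
    if (mm->count >= CAPACITY)
        return -ENOMEM;
    mm->maps[mm->count++] = (struct vma){ start, end };
    return 0;
}

/* Unmap [addr, addr+len).  Punching a hole in the middle of a region needs one
 * extra descriptor; when that would exceed MAX_MAPS the call fails with -ENOMEM
 * and changes nothing.  The caller must look at the result. */
static int model_munmap(struct mm *mm, unsigned long addr, unsigned long len)
{
    unsigned long end = addr + len;

    for (int i = 0; i < mm->count; i++) {
        struct vma *v = &mm->maps[i];

        if (end <= v->start || addr >= v->end)
            continue;                                    /* disjoint */
        if (addr > v->start && end < v->end) {           /* hole in the middle */
            if (mm->count >= MAX_MAPS)
                return -ENOMEM;
            unsigned long old_end = v->end;
            v->end = addr;
            add_map(mm, end, old_end);                   /* count < MAX_MAPS here, cannot fail */
        } else if (addr <= v->start && end >= v->end) {  /* whole region removed */
            mm->maps[i] = mm->maps[mm->count - 1];
            mm->count--;
            i--;                                         /* re-examine the moved entry */
        } else if (addr <= v->start) {
            v->start = end;                              /* trim the head */
        } else {
            v->end = addr;                               /* trim the tail */
        }
    }
    return 0;
}

/* Descriptors covering any part of [addr, addr+len).  More than one means two
 * regions claim the same pages: the inconsistent state the unchecked path produces. */
static int overlapping(const struct mm *mm, unsigned long addr, unsigned long len)
{
    int n = 0;
    for (int i = 0; i < mm->count; i++)
        if (addr < mm->maps[i].end && addr + len > mm->maps[i].start)
            n++;
    return n;
}

/* Vulnerable shape: unmap the destination, drop the result, carry on as if free. */
static int mremap_fixed_unchecked(struct mm *mm, unsigned long new_addr, unsigned long len)
{
    model_munmap(mm, new_addr, len);                     /* return value ignored */
    return add_map(mm, new_addr, new_addr + len);
}

/* Fixed shape: propagate the error and leave the address space untouched. */
static int mremap_fixed_checked(struct mm *mm, unsigned long new_addr, unsigned long len)
{
    int ret = model_munmap(mm, new_addr, len);
    if (ret)
        return ret;
    return add_map(mm, new_addr, new_addr + len);
}

/* Constructed sample address space: four regions, i.e. already at the limit. */
static void setup(struct mm *mm)
{
    memset(mm, 0, sizeof *mm);
    add_map(mm, 0x1000, 0x9000);
    add_map(mm, 0xa000, 0xb000);
    add_map(mm, 0xc000, 0xd000);
    add_map(mm, 0xe000, 0xf000);
}

/* Both runners move a mapping onto the middle of the big region; they return the
 * number of descriptors over the destination and store the return code in *ret. */
int run_unchecked(int *ret)
{
    struct mm mm;
    setup(&mm);
    *ret = mremap_fixed_unchecked(&mm, 0x3000, 0x2000);
    return overlapping(&mm, 0x3000, 0x2000);
}

int run_checked(int *ret)
{
    struct mm mm;
    setup(&mm);
    *ret = mremap_fixed_checked(&mm, 0x3000, 0x2000);
    return overlapping(&mm, 0x3000, 0x2000);
}

int main(void)
{
    int ret, n;
    n = run_unchecked(&ret);
    printf("unchecked: ret=%d, descriptors over destination=%d\n", ret, n);
    n = run_checked(&ret);
    printf("checked:   ret=%d (%s), descriptors over destination=%d\n",
           ret, ret == -ENOMEM ? "-ENOMEM" : "ok", n);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c`. The unchecked path reports success with two descriptors over the same range; the checked path returns -ENOMEM and the address space is exactly as it was. The model stops at the inconsistent state; what the real kernel then does with overlapping VMAs is what the isec.pl advisory linked under packetstorm and misc below describes, and is deliberately not reproduced here.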
packetstorm via4
data source https://packetstormsecurity.com/files/download/32797/isec-0014-mremap-unmap.v2.txt
id PACKETSTORM:32797
last seen 2016-12-05
published 2004-03-02
reporter Paul Starzetz
source https://packetstormsecurity.com/files/32797/isec-0014-mremap-unmap.v2.txt.html
title isec-0014-mremap-unmap.v2.txt
redhat via4
advisories
  • rhsa
    id RHSA-2004:065
  • rhsa
    id RHSA-2004:066
  • rhsa
    id RHSA-2004:069
  • rhsa
    id RHSA-2004:106
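For triage, the upstream ranges in the CVE description (2.2 to 2.2.25, 2.4 to 2.4.24, 2.6 to 2.6.2) can be turned into a quick check against the running kernel's release string. The block below is an added example, not a Tenable plugin, OVAL definition or vendor tool; parse_release and upstream_version_affected are names chosen for it. The caveat is built into its result: a distribution kernel such as the Red Hat 2.4.20-8 builds listed under vulnerable configurations is inside the range, but whether a given 2.4.x vendor build carries the backported fix is decided by the vendor advisory (the RHSA and DSA identifiers on this page), not by the version number.

```c
/* Added example: classify a kernel release string against the upstream ranges
 * stated for CVE-2004-0077.  Names and table are constructed for this page. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

struct range { int major, minor, lo, hi; };

/* Affected upstream versions, taken from the CVE description. */
static const struct range affected[] = {
    { 2, 2, 0, 25 },   /* 2.2 .. 2.2.25 */
    { 2, 4, 0, 24 },   /* 2.4 .. 2.4.24 */
    { 2, 6, 0, 2  },   /* 2.6 .. 2.6.2  */
};

/* Parse "major.minor.patch[suffix]" such as "2.4.20-8" or "2.6.2-rc1"; the
 * suffix is ignored.  Returns 0 on success, -1 if the three numbers are missing. */
int parse_release(const char *s, int *major, int *minor, int *patch)
{
    long v[3];
    char *end;

    for (int i = 0; i < 3; i++) {
        if (*s < '0' || *s > '9')
            return -1;
        v[i] = strtol(s, &end, 10);
        if (v[i] < 0 || v[i] > 9999)
            return -1;
        s = end;
        if (i < 2) {
            if (*s != '.')
                return -1;
            s++;
        }
    }
    *major = (int)v[0];
    *minor = (int)v[1];
    *patch = (int)v[2];
    return 0;
}

/* 1 = inside an affected upstream range, 0 = outside, -1 = unparsable.
 * For vendor kernels "1" only means "old enough to need checking against the
 * vendor advisory"; it does not prove the fix is absent. */
int upstream_version_affected(const char *release)
{
    int ma, mi, pa;

    if (parse_release(release, &ma, &mi, &pa) != 0)
        return -1;
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (ma == affected[i].major && mi == affected[i].minor &&
            pa >= affected[i].lo && pa <= affected[i].hi)
            return 1;
    return 0;
}

int main(void)
{
    struct utsname u;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    int r = upstream_version_affected(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "inside an affected upstream range; confirm against the distribution advisory"
         : r == 0 ? "outside the listed ranges"
                  : "release string not understood");
    return r == 1 ? 2 : 0;
}
```

The exit status (2 for "inside a range") makes it usable from a shell loop over many hosts; pass `uname -r` output from remote systems to upstream_version_affected if the check has to run centrally rather than on each box.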
refmap via4
bid 9686
bugtraq 20040218 Second critical mremap() bug found in all Linux kernels
cert-vn VU#981222
ciac O-082
conectiva CLA-2004:820
debian
  • DSA-438
  • DSA-439
  • DSA-440
  • DSA-441
  • DSA-442
  • DSA-444
  • DSA-450
  • DSA-453
  • DSA-454
  • DSA-456
  • DSA-466
  • DSA-470
  • DSA-475
  • DSA-514
fedora FEDORA-2004-079
fulldisc 20040218 Second critical mremap() bug found in all Linux kernels
gentoo GLSA-200403-02
mandrake MDKSA-2004:015
misc http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
osvdb 3986
slackware SSA:2004-049
suse SuSE-SA:2004:005
trustix
  • 2004-0007
  • 2004-0008
turbo TLSA-2004-7
vulnwatch 20040218 Second critical mremap() bug found in all Linux kernels
xf linux-mremap-gain-privileges(15244)
Last major update 17-10-2016 - 22:40
Published 03-03-2004 - 00:00
Last modified 02-05-2018 - 21:29