ID CVE-2004-1151
Summary Multiple buffer overflows in the (1) sys32_ni_syscall and (2) sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local attackers to modify kernel memory and gain privileges.
Vulnerable Configurations
  • Linux Kernel 2.6.0
  • Linux Kernel 2.6 test1
  • Linux Kernel 2.6 test10
  • Linux Kernel 2.6 test11
  • Linux Kernel 2.6 test2
  • Linux Kernel 2.6 test3
  • Linux Kernel 2.6 test4
  • Linux Kernel 2.6 test5
  • Linux Kernel 2.6 test6
  • Linux Kernel 2.6 test7
  • Linux Kernel 2.6 test8
  • Linux Kernel 2.6 test9
  • Linux Kernel 2.6.1
  • Linux Kernel 2.6.1 Release Candidate 1
  • Linux Kernel 2.6.1 Release Candidate 2
  • Linux Kernel 2.6.10 Release Candidate 2
  • Linux Kernel 2.6.2
  • Linux Kernel 2.6.3
  • Linux Kernel 2.6.4
  • Linux Kernel 2.6.5
  • Linux Kernel 2.6.6
  • Linux Kernel 2.6.6 Release Candidate 1
  • Linux Kernel 2.6.7
  • Linux Kernel 2.6.7 Release Candidate 1
  • Linux Kernel 2.6.8
  • Linux Kernel 2.6.8 Release Candidate 1
  • Linux Kernel 2.6.8 Release Candidate 2
  • Linux Kernel 2.6.8 Release Candidate 3
  • cpe:2.3:o:linux:linux_kernel:2.6.9:2.6.20
  • cpe:2.3:o:linux:linux_kernel:2.6_test9_cvs
  • cpe:2.3:o:ubuntu:ubuntu_linux:4.1:-:ia64
  • cpe:2.3:o:ubuntu:ubuntu_linux:4.1:-:ppc
Base: 7.2 (as of 01-01-2004 - 00:00)
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SA_2004_044.NASL
    description The remote host is missing the patch for the advisory SUSE-SA:2004:044 (kernel). Several vulnerabilities have been found and fixed in the Linux kernel.
    last seen 2018-09-02
    modified 2016-12-27
    plugin id 16303
    published 2005-02-03
    reporter Tenable
    title SUSE-SA:2004:044: kernel
  • NASL family Ubuntu Local Security Checks
    description CAN-2004-0814 : Vitaly V. Bursov discovered a Denial of Service vulnerability in the 'serio' code; opening the same tty device twice and doing some particular operations on it caused a kernel panic and/or a system lockup. Fixing this vulnerability required a change in the Application Binary Interface (ABI) of the kernel. This means that third-party user installed modules might not work any more with the new kernel, so this fixed kernel got a new ABI version number. You have to recompile and reinstall all third-party modules. CAN-2004-1016 : Paul Starzetz discovered a buffer overflow vulnerability in the '__scm_send' function which handles the sending of UDP network packets. A wrong validity check of the cmsghdr structure allowed a local attacker to modify kernel memory, thus causing an endless loop (Denial of Service) or possibly even root privilege escalation. CAN-2004-1056 : Thomas Hellstrom discovered a Denial of Service vulnerability in the Direct Rendering Manager (DRM) drivers. Due to an insufficient DMA lock checking, any authorized client could send arbitrary values to the video card, which could cause an X server crash or modification of the video output. CAN-2004-1058 : Rob Landley discovered a race condition in the handling of /proc/.../cmdline. Under very rare circumstances an user could read the environment variables of another process that was still spawning. Environment variables are often used to pass passwords and other private information to other processes. CAN-2004-1068 : A race condition was discovered in the handling of AF_UNIX network packets. This reportedly allowed local users to modify arbitrary kernel memory, facilitating privilege escalation, or possibly allowing code execution in the context of the kernel. CAN-2004-1069 : Ross Kendall Axe discovered a possible kernel panic (causing a Denial of Service) while sending AF_UNIX network packages if the kernel options CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX are enabled. This is not the case in the kernel packages shipped in Warty Warthog; however, if you recompiled the kernel using SELinux, you are affected by this flaw. CAN-2004-1137 : Paul Starzetz discovered several flaws in the IGMP handling code. This allowed users to provoke a Denial of Service, read kernel memory, and execute arbitrary code with root privileges. This flaw is also exploitable remotely if an application has bound a multicast socket. CAN-2004-1151 : Jeremy Fitzhardinge discovered two buffer overflows in the sys32_ni_syscall() and sys32_vm86_warning() functions. This could possibly be exploited to overwrite kernel memory with attacker-supplied code and cause root privilege escalation. This vulnerability only affects the amd64 architecture. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-27
    plugin id 20654
    published 2006-01-15
    reporter Tenable
    title Ubuntu 4.10 : linux-source- vulnerabilities (USN-38-1)
  • NASL family Mandriva Local Security Checks
    description A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with this advisory : - Multiple race conditions in the terminal layer of 2.4 and 2.6 kernels (prior to 2.6.9) can allow a local attacker to obtain portions of kernel data or allow remote attackers to cause a kernel panic by switching from console to PPP line discipline, then quickly sending data that is received during the switch (CVE-2004-0814) - Richard Hart found an integer underflow problem in the iptables firewall logging rules that can allow a remote attacker to crash the machine by using a specially crafted IP packet. This is only possible, however, if firewalling is enabled. The problem only affects 2.6 kernels and was fixed upstream in 2.6.8 (CVE-2004-0816) - Stefan Esser found several remote DoS confitions in the smbfs file system. This could be exploited by a hostile SMB server (or an attacker injecting packets into the network) to crash the client systems (CVE-2004-0883 and CVE-2004-0949) - Paul Starzetz and Georgi Guninski reported, independently, that bad argument handling and bad integer arithmetics in the IPv4 sendmsg handling of control messages could lead to a local attacker crashing the machine. The fixes were done by Herbert Xu (CVE-2004-1016) - Rob Landley discovered a race condition in the handling of /proc/.../cmdline where, under rare circumstances, a user could read the environment variables of another process that was still spawning leading to the potential disclosure of sensitive information such as passwords (CVE-2004-1058) - Paul Starzetz reported that the missing serialization in unix_dgram_recvmsg() which was added to kernel 2.4.28 can be used by a local attacker to gain elevated (root) privileges (CVE-2004-1068) - Ross Kendall Axe discovered a possible kernel panic (DoS) while sending AF_UNIX network packets if certain SELinux-related kernel options were enabled. By default the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX options are not enabled (CVE-2004-1069) - Paul Starzetz of discovered several issues with the error handling of the ELF loader routines in the kernel. The fixes were provided by Chris Wright (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072, CVE-2004-1073) - It was discovered that hand-crafted a.out binaries could be used to trigger a local DoS condition in both the 2.4 and 2.6 kernels. The fixes were done by Chris Wright (CVE-2004-1074) - Paul Starzetz found bad handling in the IGMP code which could lead to a local attacker being able to crash the machine. The fix was done by Chris Wright (CVE-2004-1137) - Jeremy Fitzhardinge discovered two buffer overflows in the sys32_ni_syscall() and sys32_vm86_warning() functions that could be used to overwrite kernel memory with attacker-supplied code resulting in privilege escalation (CVE-2004-1151) - Paul Starzetz found locally exploitable flaws in the binary format loader's uselib() function that could be abused to allow a local user to obtain root privileges (CVE-2004-1235) - Paul Starzetz found an exploitable flaw in the page fault handler when running on SMP machines (CVE-2005-0001) - A vulnerability in insert_vm_struct could allow a locla user to trigger BUG() when the user created a large vma that overlapped with arg pages during exec (CVE-2005-0003) - Paul Starzetz also found a number of vulnerabilities in the kernel binfmt_elf loader that could lead a local user to obtain elevated (root) privileges (isec-0017-binfmt_elf) The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at : PLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the latest module-init-tools package prior to upgrading their kernel. Likewise, MNF8.2 users will need to upgrade to the latest modutils package prior to upgrading their kernel.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 16259
    published 2005-01-26
    reporter Tenable
    title Mandrake Linux Security Advisory : kernel (MDKSA-2005:022)
refmap via4
bugtraq 20041214 [USN-38-1] Linux kernel vulnerabilities
mandrake MDKSA-2005:022
mlist [linux-kernel] 20041130 Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()
suse SUSE-SA:2004:044
Last major update 17-10-2016 - 22:51
Published 10-01-2005 - 00:00
Back to Top