ID CVE-2006-2451
Summary The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.
References
Vulnerable Configurations
  • Linux Kernel 2.6.13
    cpe:2.3:o:linux:linux_kernel:2.6.13
  • Linux Kernel 2.6.13.1
    cpe:2.3:o:linux:linux_kernel:2.6.13.1
  • Linux Kernel 2.6.13.2
    cpe:2.3:o:linux:linux_kernel:2.6.13.2
  • Linux Kernel 2.6.13.3
    cpe:2.3:o:linux:linux_kernel:2.6.13.3
  • Linux Kernel 2.6.13.4
    cpe:2.3:o:linux:linux_kernel:2.6.13.4
  • Linux Kernel 2.6.13.5
    cpe:2.3:o:linux:linux_kernel:2.6.13.5
  • Linux Kernel 2.6.14
    cpe:2.3:o:linux:linux_kernel:2.6.14
  • Linux Kernel 2.6.14 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.14:rc1
  • Linux Kernel 2.6.14 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.14:rc2
  • Linux Kernel 2.6.14 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.14:rc3
  • Linux Kernel 2.6.14 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.14:rc4
  • Linux Kernel 2.6.14 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.14:rc5
  • Linux Kernel 2.6.14.1
    cpe:2.3:o:linux:linux_kernel:2.6.14.1
  • Linux Kernel 2.6.14.2
    cpe:2.3:o:linux:linux_kernel:2.6.14.2
  • Linux Kernel 2.6.14.3
    cpe:2.3:o:linux:linux_kernel:2.6.14.3
  • Linux Kernel 2.6.14.4
    cpe:2.3:o:linux:linux_kernel:2.6.14.4
  • Linux Kernel 2.6.14.5
    cpe:2.3:o:linux:linux_kernel:2.6.14.5
  • Linux Kernel 2.6.14.6
    cpe:2.3:o:linux:linux_kernel:2.6.14.6
  • Linux Kernel 2.6.14.7
    cpe:2.3:o:linux:linux_kernel:2.6.14.7
  • Linux Kernel 2.6.15
    cpe:2.3:o:linux:linux_kernel:2.6.15
  • Linux Kernel 2.6.15 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc1
  • Linux Kernel 2.6.15 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc2
  • Linux Kernel 2.6.15 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc3
  • Linux Kernel 2.6.15 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc4
  • Linux Kernel 2.6.15 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc5
  • Linux Kernel 2.6.15 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc6
  • Linux Kernel 2.6.15 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc7
  • Linux Kernel 2.6.15.1
    cpe:2.3:o:linux:linux_kernel:2.6.15.1
  • Linux Kernel 2.6.15.2
    cpe:2.3:o:linux:linux_kernel:2.6.15.2
  • Linux Kernel 2.6.15.3
    cpe:2.3:o:linux:linux_kernel:2.6.15.3
  • Linux Kernel 2.6.15.4
    cpe:2.3:o:linux:linux_kernel:2.6.15.4
  • Linux Kernel 2.6.15.5
    cpe:2.3:o:linux:linux_kernel:2.6.15.5
  • Linux Kernel 2.6.15.6
    cpe:2.3:o:linux:linux_kernel:2.6.15.6
  • Linux Kernel 2.6.15.7
    cpe:2.3:o:linux:linux_kernel:2.6.15.7
  • Linux Kernel 2.6.16
    cpe:2.3:o:linux:linux_kernel:2.6.16
  • Linux Kernel 2.6.16 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc1
  • Linux Kernel 2.6.16 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc2
  • Linux Kernel 2.6.16 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc3
  • Linux Kernel 2.6.16 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc4
  • Linux Kernel 2.6.16 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc5
  • Linux Kernel 2.6.16 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc6
  • Linux Kernel 2.6.16.1
    cpe:2.3:o:linux:linux_kernel:2.6.16.1
  • Linux Kernel 2.6.16.2
    cpe:2.3:o:linux:linux_kernel:2.6.16.2
  • Linux Kernel 2.6.16.3
    cpe:2.3:o:linux:linux_kernel:2.6.16.3
  • Linux Kernel 2.6.16.4
    cpe:2.3:o:linux:linux_kernel:2.6.16.4
  • Linux Kernel 2.6.16.5
    cpe:2.3:o:linux:linux_kernel:2.6.16.5
  • Linux Kernel 2.6.16.6
    cpe:2.3:o:linux:linux_kernel:2.6.16.6
  • Linux Kernel 2.6.16.7
    cpe:2.3:o:linux:linux_kernel:2.6.16.7
  • Linux Kernel 2.6.16.8
    cpe:2.3:o:linux:linux_kernel:2.6.16.8
  • Linux Kernel 2.6.16.9
    cpe:2.3:o:linux:linux_kernel:2.6.16.9
  • Linux Kernel 2.6.16.10
    cpe:2.3:o:linux:linux_kernel:2.6.16.10
  • Linux Kernel 2.6.16.11
    cpe:2.3:o:linux:linux_kernel:2.6.16.11
  • Linux Kernel 2.6.16.12
    cpe:2.3:o:linux:linux_kernel:2.6.16.12
  • Linux Kernel 2.6.16.13
    cpe:2.3:o:linux:linux_kernel:2.6.16.13
  • Linux Kernel 2.6.16.14
    cpe:2.3:o:linux:linux_kernel:2.6.16.14
  • Linux Kernel 2.6.16.15
    cpe:2.3:o:linux:linux_kernel:2.6.16.15
  • Linux Kernel 2.6.16.16
    cpe:2.3:o:linux:linux_kernel:2.6.16.16
  • Linux Kernel 2.6.16.17
    cpe:2.3:o:linux:linux_kernel:2.6.16.17
  • Linux Kernel 2.6.16.18
    cpe:2.3:o:linux:linux_kernel:2.6.16.18
  • Linux Kernel 2.6.16.19
    cpe:2.3:o:linux:linux_kernel:2.6.16.19
  • Linux Kernel 2.6.16.20
    cpe:2.3:o:linux:linux_kernel:2.6.16.20
  • Linux Kernel 2.6.16.21
    cpe:2.3:o:linux:linux_kernel:2.6.16.21
  • Linux Kernel 2.6.16.22
    cpe:2.3:o:linux:linux_kernel:2.6.16.22
  • Linux Kernel 2.6.16.23
    cpe:2.3:o:linux:linux_kernel:2.6.16.23
  • Linux Kernel 2.6.17
    cpe:2.3:o:linux:linux_kernel:2.6.17
  • Linux Kernel 2.6.17 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc1
  • Linux Kernel 2.6.17 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc2
  • Linux Kernel 2.6.17 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc3
  • Linux Kernel 2.6.17 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc4
  • Linux Kernel 2.6.17 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc5
  • Linux Kernel 2.6.17 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc6
  • Linux Kernel 2.6.17.1
    cpe:2.3:o:linux:linux_kernel:2.6.17.1
  • Linux Kernel 2.6.17.2
    cpe:2.3:o:linux:linux_kernel:2.6.17.2
  • Linux Kernel 2.6.17.3
    cpe:2.3:o:linux:linux_kernel:2.6.17.3
CVSS
Base: 4.6 (as of 10-07-2006 - 23:44)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
  • description Linux Kernel 2.6.13. CVE-2006-2451. Local exploit for linux platform
    id EDB-ID:2031
    last seen 2016-01-31
    modified 2006-07-18
    published 2006-07-18
    reporter Marco Ivaldi
    source https://www.exploit-db.com/download/2031/
    title Linux Kernel 2.6.13 <= 2.6.17.4 - prctl Local Root Exploit logrotate
  • description Linux Kernel 2.6.13. CVE-2006-2451. Local exploit for linux platform
    id EDB-ID:2006
    last seen 2016-01-31
    modified 2006-07-13
    published 2006-07-13
    reporter Marco Ivaldi
    source https://www.exploit-db.com/download/2006/
    title Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl Local Root Exploit 3
  • description Linux Kernel 2.6.13. CVE-2006-2451. Local exploit for linux platform
    id EDB-ID:2004
    last seen 2016-01-31
    modified 2006-07-11
    published 2006-07-11
    reporter dreyer & RoMaNSoFt
    source https://www.exploit-db.com/download/2004/
    title Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl Local Root Exploit 1
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0574.NASL
    description Updated kernel packages that fix a privilege escalation security issue in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. During security research, Red Hat discovered a behavioral flaw in core dump handling. A local user could create a program that would cause a core file to be dumped into a directory they would not normally have permissions to write to. This could lead to a denial of service (disk consumption), or allow the local user to gain root privileges. (CVE-2006-2451) Prior to applying this update, users can remove the ability to escalate privileges using this flaw by configuring core files to dump to an absolute location. By default, core files are created in the working directory of the faulting application, but this can be overridden by specifying an absolute location for core files in /proc/sys/kernel/core_pattern. To avoid a potential denial of service, a separate partition for the core files should be used. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22038
    published 2006-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22038
    title CentOS 4 : kernel (CESA-2006:0574)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-311-1.NASL
    description A race condition was discovered in the do_add_counters() functions. Processes which do not run with full root privileges, but have the CAP_NET_ADMIN capability can exploit this to crash the machine or read a random piece of kernel memory. In Ubuntu there are no packages that are affected by this, so this can only be an issue for you if you use third-party software that uses Linux capabilities. (CVE-2006-0039) John Stultz discovered a faulty BUG_ON trigger in the handling of POSIX timers. A local attacker could exploit this to trigger a kernel oops and crash the machine. (CVE-2006-2445) Dave Jones discovered that the PowerPC kernel did not perform certain required access_ok() checks. A local user could exploit this to read arbitrary kernel memory and crash the kernel on 64-bit systems, and possibly read arbitrary kernel memory on 32-bit systems. (CVE-2006-2448) A design flaw was discovered in the prctl(PR_SET_DUMPABLE, ...) system call, which allowed a local user to have core dumps created in a directory he could not normally write to. This could be exploited to drain available disk space on system partitions, or, under some circumstances, to execute arbitrary code with full root privileges. This flaw only affects Ubuntu 6.06 LTS. (CVE-2006-2451) In addition, the Ubuntu 6.06 LTS update fixes a range of bugs. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27886
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27886
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : linux-source-2.6.10/-2.6.12/-2.6.15 vulnerabilities (USN-311-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0574.NASL
    description Updated kernel packages that fix a privilege escalation security issue in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. During security research, Red Hat discovered a behavioral flaw in core dump handling. A local user could create a program that would cause a core file to be dumped into a directory they would not normally have permissions to write to. This could lead to a denial of service (disk consumption), or allow the local user to gain root privileges. (CVE-2006-2451) Prior to applying this update, users can remove the ability to escalate privileges using this flaw by configuring core files to dump to an absolute location. By default, core files are created in the working directory of the faulting application, but this can be overridden by specifying an absolute location for core files in /proc/sys/kernel/core_pattern. To avoid a potential denial of service, a separate partition for the core files should be used. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 22015
    published 2006-07-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22015
    title RHEL 4 : kernel (RHSA-2006:0574)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-1900.NASL
    description This kernel update fixes the following security problems : - A race condition allows local users to gain root privileges by changing the file mode of /proc/self/ files in a way that causes those files (for instance /proc/self/environ) to become setuid root. [#192688]. (CVE-2006-3626) - A stack-based buffer overflow in CDROM / DVD handling was fixed which could be used by a physical local attacker to crash the kernel or execute code within kernel context, depending on presence of automatic DVD handling in the system. [#190396]. (CVE-2006-2935) - Due to an argument validation error in prctl(PR_SET_DUMPABLE) a local attacker can easily gain administrator (root) privileges. [#186980]. (CVE-2006-2451) and the following non security bugs : - Limit the maximum number of LUNs to 16384 [#185164] - LSI 1030/MPT Fusion driver hang during error recovery -- Optionally disable QAS [#180100] - advance buffer pointers in h_copy_rdma() to avoid data corruption [#186444]
    last seen 2019-02-21
    modified 2016-01-14
    plugin id 59120
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59120
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 1900)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-1896.NASL
    description This kernel update fixes the following security problems : - A race condition allows local users to gain root privileges by changing the file mode of /proc/self/ files in a way that causes those files (for instance /proc/self/environ) to become setuid root. [#192688]. (CVE-2006-3626) - A stack-based buffer overflow in CDROM / DVD handling was fixed which could be used by a physical local attacker to crash the kernel or execute code within kernel context, depending on presence of automatic DVD handling in the system. [#190396]. (CVE-2006-2935) - Due to an argument validation error in prctl(PR_SET_DUMPABLE) a local attacker can easily gain administrator (root) privileges. [#186980]. (CVE-2006-2451) and the following non security bugs : - Limit the maximum number of LUNs to 16384 [#185164] - LSI 1030/MPT Fusion driver hang during error recovery -- Optionally disable QAS [#180100] - advance buffer pointers in h_copy_rdma() to avoid data corruption [#186444]
    last seen 2019-02-21
    modified 2016-01-14
    plugin id 29484
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29484
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 1896)
oval via4
accepted 2013-04-29T04:13:20.485-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.
family unix
id oval:org.mitre.oval:def:11336
status accepted
submitted 2010-07-09T03:56:16-04:00
title The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.
version 23
packetstorm via4
data source https://packetstormsecurity.com/files/download/48253/prctl.sh.txt
id PACKETSTORM:48253
last seen 2016-12-05
published 2006-07-14
reporter Sunix
source https://packetstormsecurity.com/files/48253/prctl.sh.txt.html
title prctl.sh.txt
redhat via4
advisories
bugzilla
id 195902
title CVE-2006-2451 Possible privilege escalation through prctl() and suid_dumpable
oval
AND
comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304001
rhsa
id RHSA-2006:0574
released 2006-07-07
severity Important
title RHSA-2006:0574: kernel security update (Important)
refmap via4
bid 18874
bugtraq
  • 20060707 rPSA-2006-0122-1 kernel
  • 20060710 Re: rPSA-2006-0122-1 kernel
  • 20060712 Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
  • 20060713 Linux sys_prctl LKM based hotfix
  • 20060713 Re: [Full-disclosure] Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
  • 20060714 Linux Kernel 2.6.x PRCTL Core Dump Handling -- Simple workaround
  • 20060716 Re: Linux Kernel 2.6.x PRCTL Core Dump Handling -- Simple workaround
confirm
misc http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195902
osvdb 27030
sectrack 1016451
secunia
  • 20953
  • 20960
  • 20965
  • 20986
  • 20991
  • 21179
  • 21498
  • 21966
suse
  • SUSE-SA:2006:042
  • SUSE-SA:2006:047
  • SUSE-SA:2006:049
  • SUSE-SR:2006:016
  • SUSE-SR:2006:017
ubuntu USN-311-1
vupen ADV-2006-2699
Last major update 19-03-2012 - 00:00
Published 07-07-2006 - 14:05
Last modified 18-10-2018 - 12:40
Back to Top