ID CVE-2006-3626
Summary Race condition in Linux kernel 2.6.17.4 and earlier allows local users to gain root privileges by using prctl with PR_SET_DUMPABLE in a way that causes /proc/self/environ to become setuid root.
References
Vulnerable Configurations
  • Linux Kernel 2.6.16
    cpe:2.3:o:linux:linux_kernel:2.6.16
  • Linux Kernel 2.6.16 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc1
  • Linux Kernel 2.6.16 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc2
  • Linux Kernel 2.6.16 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc3
  • Linux Kernel 2.6.16 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc4
  • Linux Kernel 2.6.16 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc5
  • Linux Kernel 2.6.16 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc6
  • Linux Kernel 2.6.16.1
    cpe:2.3:o:linux:linux_kernel:2.6.16.1
  • Linux Kernel 2.6.16.2
    cpe:2.3:o:linux:linux_kernel:2.6.16.2
  • Linux Kernel 2.6.16.3
    cpe:2.3:o:linux:linux_kernel:2.6.16.3
  • Linux Kernel 2.6.16.4
    cpe:2.3:o:linux:linux_kernel:2.6.16.4
  • Linux Kernel 2.6.16.5
    cpe:2.3:o:linux:linux_kernel:2.6.16.5
  • Linux Kernel 2.6.16.6
    cpe:2.3:o:linux:linux_kernel:2.6.16.6
  • Linux Kernel 2.6.16.7
    cpe:2.3:o:linux:linux_kernel:2.6.16.7
  • Linux Kernel 2.6.16.8
    cpe:2.3:o:linux:linux_kernel:2.6.16.8
  • Linux Kernel 2.6.16.9
    cpe:2.3:o:linux:linux_kernel:2.6.16.9
  • Linux Kernel 2.6.16.10
    cpe:2.3:o:linux:linux_kernel:2.6.16.10
  • Linux Kernel 2.6.16.11
    cpe:2.3:o:linux:linux_kernel:2.6.16.11
  • Linux Kernel 2.6.16.12
    cpe:2.3:o:linux:linux_kernel:2.6.16.12
  • Linux Kernel 2.6.16.13
    cpe:2.3:o:linux:linux_kernel:2.6.16.13
  • Linux Kernel 2.6.16.14
    cpe:2.3:o:linux:linux_kernel:2.6.16.14
  • Linux Kernel 2.6.16.15
    cpe:2.3:o:linux:linux_kernel:2.6.16.15
  • Linux Kernel 2.6.16.16
    cpe:2.3:o:linux:linux_kernel:2.6.16.16
  • Linux Kernel 2.6.16.17
    cpe:2.3:o:linux:linux_kernel:2.6.16.17
  • Linux Kernel 2.6.16.18
    cpe:2.3:o:linux:linux_kernel:2.6.16.18
  • Linux Kernel 2.6.16.19
    cpe:2.3:o:linux:linux_kernel:2.6.16.19
  • Linux Kernel 2.6.16.20
    cpe:2.3:o:linux:linux_kernel:2.6.16.20
  • Linux Kernel 2.6.16.21
    cpe:2.3:o:linux:linux_kernel:2.6.16.21
  • Linux Kernel 2.6.16.22
    cpe:2.3:o:linux:linux_kernel:2.6.16.22
  • Linux Kernel 2.6.16.23
    cpe:2.3:o:linux:linux_kernel:2.6.16.23
  • Linux Kernel 2.6.16.24
    cpe:2.3:o:linux:linux_kernel:2.6.16.24
  • Linux Kernel 2.6.17
    cpe:2.3:o:linux:linux_kernel:2.6.17
  • Linux Kernel 2.6.17 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc1
  • Linux Kernel 2.6.17 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc2
  • Linux Kernel 2.6.17 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc3
  • Linux Kernel 2.6.17 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc4
  • Linux Kernel 2.6.17 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc5
  • Linux Kernel 2.6.17 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc6
  • Linux Kernel 2.6.17.1
    cpe:2.3:o:linux:linux_kernel:2.6.17.1
  • Linux Kernel 2.6.17.2
    cpe:2.3:o:linux:linux_kernel:2.6.17.2
  • Linux Kernel 2.6.17.3
    cpe:2.3:o:linux:linux_kernel:2.6.17.3
  • Linux Kernel 2.6.17.4
    cpe:2.3:o:linux:linux_kernel:2.6.17.4
CVSS
Base: 6.2 (as of 19-07-2006 - 15:27)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL HIGH NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1111.NASL
    description It was discovered that a race condition in the process filesystem can lead to privilege escalation. The following matrix explains which kernel version for which architecture fixes the problem mentioned above : Debian 3.1 (sarge) Source 2.6.8-16sarge4 Alpha architecture 2.6.8-16sarge4 AMD64 architecture 2.6.8-16sarge4 Intel IA-32 architecture 2.6.8-16sarge4 Intel IA-64 architecture 2.6.8-14sarge4 PowerPC architecture 2.6.8-12sarge4 Sun Sparc architecture 2.6.8-15sarge4 IBM S/390 2.6.8-5sarge4 Motorola 680x0 2.6.8-4sarge4 HP Precision 2.6.8-6sarge3 FAI 1.9.1sarge3 The initial advisory lacked builds for the IBM S/390, Motorola 680x0 and HP Precision architectures, which are now provided. Also, the kernels for the FAI installer have been updated.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22653
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22653
    title Debian DSA-1111-2 : kernel-source-2.6.8 - race condition
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-124.NASL
    description A race condition in the Linux kernel 2.6.17.4 and earlier allows local users to obtain root privileges due to a race condition in the /proc filesystem. The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes. To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 23875
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23875
    title Mandrake Linux Security Advisory : kernel (MDKSA-2006:124)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-319-1.NASL
    description A race condition has been discovered in the file permission handling of the /proc file system. A local attacker could exploit this to execute arbitrary code with full root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27895
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27895
    title Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerability (USN-319-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-319-2.NASL
    description USN-319-1 fixed a Linux kernel vulnerability in Ubuntu 6.06 LTS. This followup advisory provides the corresponding updates for Ubuntu 5.04 and 5.10. For reference, these are the details of the original USN : A race condition has been discovered in the file permission handling of the /proc file system. A local attacker could exploit this to execute arbitrary code with full root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 27896
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27896
    title Ubuntu 5.04 / 5.10 : linux-source-2.6.10, linux-source-2.6.12 vulnerability (USN-319-2)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0617.NASL
    description Updated kernel packages that fix security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : From Red Hat Security Advisory 2006-0617 : * a flaw in the proc file system that allowed a local user to use a suid-wrapper for scripts to gain root privileges (CVE-2006-3626, Important) * a flaw in the SCTP implementation that allowed a local user to cause a denial of service (panic) or to possibly gain root privileges (CVE-2006-3745, Important) * a flaw in NFS exported ext2/ext3 partitions when handling invalid inodes that allowed a remote authenticated user to cause a denial of service (filesystem panic) (CVE-2006-3468, Important) * a flaw in the restore_all code path of the 4/4GB split support of non-hugemem kernels that allowed a local user to cause a denial of service (panic) (CVE-2006-2932, Important) * a flaw in IPv4 netfilter handling for the unlikely use of SNMP NAT processing that allowed a remote user to cause a denial of service (crash) or potential memory corruption (CVE-2006-2444, Moderate) * a flaw in the DVD handling of the CDROM driver that could be used together with a custom built USB device to gain root privileges (CVE-2006-2935, Moderate) * a flaw in the handling of O_DIRECT writes that allowed a local user to cause a denial of service (memory consumption) (CVE-2004-2660, Low) * a flaw in the SCTP chunk length handling that allowed a remote user to cause a denial of service (crash) (CVE-2006-1858, Low) * a flaw in the input handling of the ftdi_sio driver that allowed a local user to cause a denial of service (memory consumption) (CVE-2006-2936, Low) In addition a bugfix was added to enable a clean reboot for the IBM Pizzaro machines. Red Hat would like to thank Wei Wang of McAfee Avert Labs and Kirill Korotaev for reporting issues fixed in this erratum. From Red Hat Security Advisory ELSA-2006-0689 : * a flaw in the SCTP support that allowed a local user to cause a denial of service (crash) with a specific SO_LINGER value. (CVE-2006-4535, Important) * a flaw in the hugepage table support that allowed a local user to cause a denial of service (crash). (CVE-2005-4811, Important) * a flaw in the mprotect system call that allowed setting write permission for a read-only attachment of shared memory. (CVE-2006-2071, Moderate) * a flaw in HID0[31] (en_attn) register handling on PowerPC 970 systems that allowed a local user to cause a denial of service. (crash) (CVE-2006-4093, Moderate) * a flaw in the perfmon support of Itanium systems that allowed a local user to cause a denial of service by consuming all file descriptors. (CVE-2006-3741, Moderate) * a flaw in the ATM subsystem. On systems with installed ATM hardware and configured ATM support, a remote user could cause a denial of service (panic) by accessing socket buffers memory after freeing them. (CVE-2006-4997, Moderate) * a flaw in the DVB subsystem. On systems with installed DVB hardware and configured DVB support, a remote user could cause a denial of service (panic) by sending a ULE SNDU packet with length of 0. (CVE-2006-4623, Low) * an information leak in the network subsystem that possibly allowed a local user to read sensitive data from kernel memory. (CVE-2006-0039, Low) In addition, two bugfixes for the IPW-2200 wireless driver were included. The first one ensures that wireless management applications correctly identify IPW-2200 controlled devices, while the second fix ensures that DHCP requests using the IPW-2200 operate correctly. Red Hat would like to thank Olof Johansson, Stephane Eranian and Solar Designer for reporting issues fixed in this erratum.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67401
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67401
    title Oracle Linux 4 : kernel (ELSA-2006-0617 / ELSA-2006-0689)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0617.NASL
    description Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the proc file system that allowed a local user to use a suid-wrapper for scripts to gain root privileges (CVE-2006-3626, Important) * a flaw in the SCTP implementation that allowed a local user to cause a denial of service (panic) or to possibly gain root privileges (CVE-2006-3745, Important) * a flaw in NFS exported ext2/ext3 partitions when handling invalid inodes that allowed a remote authenticated user to cause a denial of service (filesystem panic) (CVE-2006-3468, Important) * a flaw in the restore_all code path of the 4/4GB split support of non-hugemem kernels that allowed a local user to cause a denial of service (panic) (CVE-2006-2932, Important) * a flaw in IPv4 netfilter handling for the unlikely use of SNMP NAT processing that allowed a remote user to cause a denial of service (crash) or potential memory corruption (CVE-2006-2444, Moderate) * a flaw in the DVD handling of the CDROM driver that could be used together with a custom built USB device to gain root privileges (CVE-2006-2935, Moderate) * a flaw in the handling of O_DIRECT writes that allowed a local user to cause a denial of service (memory consumption) (CVE-2004-2660, Low) * a flaw in the SCTP chunk length handling that allowed a remote user to cause a denial of service (crash) (CVE-2006-1858, Low) * a flaw in the input handling of the ftdi_sio driver that allowed a local user to cause a denial of service (memory consumption) (CVE-2006-2936, Low) In addition a bugfix was added to enable a clean reboot for the IBM Pizzaro machines. Red Hat would like to thank Wei Wang of McAfee Avert Labs and Kirill Korotaev for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 22264
    published 2006-08-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22264
    title RHEL 4 : kernel (RHSA-2006:0617)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0617.NASL
    description Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the proc file system that allowed a local user to use a suid-wrapper for scripts to gain root privileges (CVE-2006-3626, Important) * a flaw in the SCTP implementation that allowed a local user to cause a denial of service (panic) or to possibly gain root privileges (CVE-2006-3745, Important) * a flaw in NFS exported ext2/ext3 partitions when handling invalid inodes that allowed a remote authenticated user to cause a denial of service (filesystem panic) (CVE-2006-3468, Important) * a flaw in the restore_all code path of the 4/4GB split support of non-hugemem kernels that allowed a local user to cause a denial of service (panic) (CVE-2006-2932, Important) * a flaw in IPv4 netfilter handling for the unlikely use of SNMP NAT processing that allowed a remote user to cause a denial of service (crash) or potential memory corruption (CVE-2006-2444, Moderate) * a flaw in the DVD handling of the CDROM driver that could be used together with a custom built USB device to gain root privileges (CVE-2006-2935, Moderate) * a flaw in the handling of O_DIRECT writes that allowed a local user to cause a denial of service (memory consumption) (CVE-2004-2660, Low) * a flaw in the SCTP chunk length handling that allowed a remote user to cause a denial of service (crash) (CVE-2006-1858, Low) * a flaw in the input handling of the ftdi_sio driver that allowed a local user to cause a denial of service (memory consumption) (CVE-2006-2936, Low) In addition a bugfix was added to enable a clean reboot for the IBM Pizzaro machines. Red Hat would like to thank Wei Wang of McAfee Avert Labs and Kirill Korotaev for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22279
    published 2006-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22279
    title CentOS 4 : kernel (CESA-2006:0617)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-1900.NASL
    description This kernel update fixes the following security problems : - A race condition allows local users to gain root privileges by changing the file mode of /proc/self/ files in a way that causes those files (for instance /proc/self/environ) to become setuid root. [#192688]. (CVE-2006-3626) - A stack-based buffer overflow in CDROM / DVD handling was fixed which could be used by a physical local attacker to crash the kernel or execute code within kernel context, depending on presence of automatic DVD handling in the system. [#190396]. (CVE-2006-2935) - Due to an argument validation error in prctl(PR_SET_DUMPABLE) a local attacker can easily gain administrator (root) privileges. [#186980]. (CVE-2006-2451) and the following non security bugs : - Limit the maximum number of LUNs to 16384 [#185164] - LSI 1030/MPT Fusion driver hang during error recovery -- Optionally disable QAS [#180100] - advance buffer pointers in h_copy_rdma() to avoid data corruption [#186444]
    last seen 2019-02-21
    modified 2016-01-14
    plugin id 59120
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59120
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 1900)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-1896.NASL
    description This kernel update fixes the following security problems : - A race condition allows local users to gain root privileges by changing the file mode of /proc/self/ files in a way that causes those files (for instance /proc/self/environ) to become setuid root. [#192688]. (CVE-2006-3626) - A stack-based buffer overflow in CDROM / DVD handling was fixed which could be used by a physical local attacker to crash the kernel or execute code within kernel context, depending on presence of automatic DVD handling in the system. [#190396]. (CVE-2006-2935) - Due to an argument validation error in prctl(PR_SET_DUMPABLE) a local attacker can easily gain administrator (root) privileges. [#186980]. (CVE-2006-2451) and the following non security bugs : - Limit the maximum number of LUNs to 16384 [#185164] - LSI 1030/MPT Fusion driver hang during error recovery -- Optionally disable QAS [#180100] - advance buffer pointers in h_copy_rdma() to avoid data corruption [#186444]
    last seen 2019-02-21
    modified 2016-01-14
    plugin id 29484
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29484
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 1896)
oval via4
accepted 2013-04-29T04:01:02.294-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Race condition in Linux kernel 2.6.17.4 and earlier allows local users to gain root privileges by using prctl with PR_SET_DUMPABLE in a way that causes /proc/self/environ to become setuid root.
family unix
id oval:org.mitre.oval:def:10060
status accepted
submitted 2010-07-09T03:56:16-04:00
title Race condition in Linux kernel 2.6.17.4 and earlier allows local users to gain root privileges by using prctl with PR_SET_DUMPABLE in a way that causes /proc/self/environ to become setuid root.
version 23
redhat via4
advisories
rhsa
id RHSA-2006:0617
refmap via4
bid 18992
bugtraq 20060717 rPSA-2006-0130-1 kernel
confirm
debian DSA-1111
fulldisc 20060714 Linux kernel 0day - dynamite inside, don't burn your fingers
mandriva MDKSA-2006:124
osvdb 27120
secunia
  • 21041
  • 21057
  • 21073
  • 21119
  • 21123
  • 21179
  • 21498
  • 21605
  • 22174
suse
  • SUSE-SA:2006:042
  • SUSE-SA:2006:047
  • SUSE-SA:2006:049
  • SUSE-SR:2006:017
ubuntu
  • USN-319-1
  • USN-319-2
vupen ADV-2006-2816
xf linux-proc-race-condition(27790)
statements via4
contributor Mark J Cox
lastmodified 2006-07-19
organization Red Hat
statement This vulnerability does not affect Red Hat Enterprise Linux 2.1 or 3 as they are based on 2.4 kernels. The exploit relies on the kernel supporting the a.out binary format. Red Hat Enterprise Linux 4, Fedora Core 4, and Fedora Core 5 do not support the a.out binary format, causing the exploit to fail. We are not currently aware of any way to exploit this vulnerability if a.out binary format is not enabled. In addition, a default installation of these OS enables SELinux in enforcing mode. SELinux also completely blocks attempts to exploit this issue. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198973#c10
Last major update 07-03-2011 - 21:39
Published 18-07-2006 - 11:46
Last modified 18-10-2018 - 12:48
Back to Top