ID CVE-2009-2692
Summary The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
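The following is an added illustration, not code from the kernel and not from any of the exploits listed on this page: a userspace model of the gap the summary describes, where one protocol's proto_ops table leaves sendpage unset and the dispatcher calls through the NULL slot. The struct layouts, the two-entry protocol table and the function names (sock_sendpage_unchecked, sock_sendpage_checked, audit_missing_sendpage, send_via_checked) are simplified stand-ins chosen for this example; the one fix-derived detail is that the post-fix dispatcher tests the slot before calling it. Refusing with -EINVAL is this model's choice: the kernel's own fallback, sock_no_sendpage(), reroutes the call through sendmsg instead.

```c
/*
 * Added illustration, not kernel code: a userspace model of the
 * CVE-2009-2692 pattern. One protocol's proto_ops table leaves the
 * sendpage slot NULL; the pre-fix dispatcher calls through it blindly,
 * so execution goes to address 0. The post-fix dispatcher checks the
 * slot first. Names, layouts and the -EINVAL refusal are this model's
 * own simplifications.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct socket;
struct page { const char *data; };

typedef int (*sendpage_fn)(struct socket *sock, struct page *page,
                           int offset, size_t size, int flags);

struct proto_ops {
    const char *name;
    sendpage_fn sendpage;          /* a protocol may leave this NULL */
};

struct socket {
    const struct proto_ops *ops;
    size_t bytes_sent;
};

/* A protocol that implements sendpage (think inet_stream_ops). */
static int stream_sendpage(struct socket *sock, struct page *page,
                           int offset, size_t size, int flags)
{
    (void)page; (void)offset; (void)flags;
    sock->bytes_sent += size;
    return (int)size;
}

/* Safe default for a missing slot: refuse the operation. */
static int no_sendpage(struct socket *sock, struct page *page,
                       int offset, size_t size, int flags)
{
    (void)sock; (void)page; (void)offset; (void)size; (void)flags;
    return -EINVAL;
}

/* Modeled protocol table; "pppox" deliberately lacks sendpage. */
static const struct proto_ops modeled_ops[] = {
    { "inet_stream", stream_sendpage },
    { "pppox",       NULL            },
};
#define MODELED_OPS_COUNT (sizeof modeled_ops / sizeof modeled_ops[0])

/* Pre-fix shape: trusts that every table filled in sendpage. With a
 * NULL slot this is an indirect call to address 0; if an attacker has
 * mapped page zero, their code runs in the caller's context (ring 0 in
 * the kernel). Only ever call it on a filled slot. */
static int sock_sendpage_unchecked(struct socket *sock, struct page *page,
                                   int offset, size_t size, int flags)
{
    return sock->ops->sendpage(sock, page, offset, size, flags);
}

/* Post-fix shape: check the slot, fall back to a safe default. */
static int sock_sendpage_checked(struct socket *sock, struct page *page,
                                 int offset, size_t size, int flags)
{
    if (sock->ops->sendpage)
        return sock->ops->sendpage(sock, page, offset, size, flags);
    return no_sendpage(sock, page, offset, size, flags);
}

static const struct proto_ops *find_ops(const char *name)
{
    for (size_t i = 0; i < MODELED_OPS_COUNT; i++)
        if (strcmp(modeled_ops[i].name, name) == 0)
            return &modeled_ops[i];
    return NULL;
}

/* Table audit: count protocols with an unset sendpage slot and report
 * the first one through *first_missing (NULL if none). */
static int audit_missing_sendpage(const char **first_missing)
{
    int missing = 0;
    if (first_missing) *first_missing = NULL;
    for (size_t i = 0; i < MODELED_OPS_COUNT; i++) {
        if (modeled_ops[i].sendpage != NULL) continue;
        if (missing++ == 0 && first_missing)
            *first_missing = modeled_ops[i].name;
    }
    return missing;
}

/* Push a 4-byte page through the checked dispatcher for a named
 * protocol: bytes sent, -EINVAL for a missing slot, -ENOENT if unknown. */
static int send_via_checked(const char *proto)
{
    const struct proto_ops *ops = find_ops(proto);
    struct page pg = { "ABCD" };
    struct socket sock = { ops, 0 };
    if (!ops) return -ENOENT;
    return sock_sendpage_checked(&sock, &pg, 0, 4, 0);
}

int main(void)
{
    const char *first = NULL;
    struct page pg = { "ABCD" };
    struct socket ok = { find_ops("inet_stream"), 0 };
    printf("protocols missing sendpage: %d (first: %s)\n",
           audit_missing_sendpage(&first), first ? first : "none");
    printf("inet_stream, checked: %d\n", send_via_checked("inet_stream"));
    printf("pppox, checked: %d (-EINVAL is %d)\n", send_via_checked("pppox"), -EINVAL);
    printf("inet_stream, unchecked: %d\n", sock_sendpage_unchecked(&ok, &pg, 0, 4, 0));
    return 0;
}
```

The audit loop is the part worth carrying into a real code review: any table of function pointers that callers dereference unconditionally needs either every slot filled with a default handler or a check at every call site, and the kernel fix chose the latter.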
References
Vulnerable Configurations
  • cpe:2.3:a:linux:kernel:2.6.24.7
    cpe:2.3:a:linux:kernel:2.6.24.7
  • cpe:2.3:a:linux:kernel:2.6.25.15
    cpe:2.3:a:linux:kernel:2.6.25.15
  • Linux Kernel 2.4.4
    cpe:2.3:o:linux:linux_kernel:2.4.4
  • Linux Kernel 2.4.5
    cpe:2.3:o:linux:linux_kernel:2.4.5
  • Linux Kernel 2.4.6
    cpe:2.3:o:linux:linux_kernel:2.4.6
  • Linux Kernel 2.4.7
    cpe:2.3:o:linux:linux_kernel:2.4.7
  • Linux Kernel 2.4.8
    cpe:2.3:o:linux:linux_kernel:2.4.8
  • Linux Kernel 2.4.9
    cpe:2.3:o:linux:linux_kernel:2.4.9
  • Linux Kernel 2.4.10
    cpe:2.3:o:linux:linux_kernel:2.4.10
  • Linux Kernel 2.4.11
    cpe:2.3:o:linux:linux_kernel:2.4.11
  • Linux Kernel 2.4.12
    cpe:2.3:o:linux:linux_kernel:2.4.12
  • Linux Kernel 2.4.13
    cpe:2.3:o:linux:linux_kernel:2.4.13
  • Linux Kernel 2.4.14
    cpe:2.3:o:linux:linux_kernel:2.4.14
  • Linux Kernel 2.4.15
    cpe:2.3:o:linux:linux_kernel:2.4.15
  • Linux Kernel 2.4.16
    cpe:2.3:o:linux:linux_kernel:2.4.16
  • Linux Kernel 2.4.17
    cpe:2.3:o:linux:linux_kernel:2.4.17
  • Linux Kernel 2.4.18
    cpe:2.3:o:linux:linux_kernel:2.4.18
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-1
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-1
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-2
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-2
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-3
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-3
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-4
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-4
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-5
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-5
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-6
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-6
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-7
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-7
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-8
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:pre-8
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:x86
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:x86
  • Linux Kernel 2.4.19
    cpe:2.3:o:linux:linux_kernel:2.4.19
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre1
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre1
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre2
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre2
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre3
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre3
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre4
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre4
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre5
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre5
  • cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre6
    cpe:2.3:o:linux:linux_kernel:2.4.19:-:-pre6
  • Linux Kernel 2.4.20
    cpe:2.3:o:linux:linux_kernel:2.4.20
  • Linux Kernel 2.4.21
    cpe:2.3:o:linux:linux_kernel:2.4.21
  • cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre1
    cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre1
  • cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre4
    cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre4
  • cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre7
    cpe:2.3:o:linux:linux_kernel:2.4.21:-:-pre7
  • Linux Kernel 2.4.22
    cpe:2.3:o:linux:linux_kernel:2.4.22
  • Linux Kernel 2.4.23
    cpe:2.3:o:linux:linux_kernel:2.4.23
  • cpe:2.3:o:linux:linux_kernel:2.4.23:-:-ow2
    cpe:2.3:o:linux:linux_kernel:2.4.23:-:-ow2
  • cpe:2.3:o:linux:linux_kernel:2.4.23:-:-pre9
    cpe:2.3:o:linux:linux_kernel:2.4.23:-:-pre9
  • cpe:2.3:o:linux:linux_kernel:2.4.24:-:-ow1
    cpe:2.3:o:linux:linux_kernel:2.4.24:-:-ow1
  • Linux Kernel 2.4.25
    cpe:2.3:o:linux:linux_kernel:2.4.25
  • Linux Kernel 2.4.26
    cpe:2.3:o:linux:linux_kernel:2.4.26
  • Linux Kernel 2.4.27
    cpe:2.3:o:linux:linux_kernel:2.4.27
  • cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre1
    cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre1
  • cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre2
    cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre2
  • cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre3
    cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre3
  • cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre4
    cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre4
  • cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre5
    cpe:2.3:o:linux:linux_kernel:2.4.27:-:-pre5
  • Linux Kernel 2.4.28
    cpe:2.3:o:linux:linux_kernel:2.4.28
  • Linux Kernel 2.4.29
    cpe:2.3:o:linux:linux_kernel:2.4.29
  • cpe:2.3:o:linux:linux_kernel:2.4.29:-rc1
    cpe:2.3:o:linux:linux_kernel:2.4.29:-rc1
  • cpe:2.3:o:linux:linux_kernel:2.4.29:-rc2
    cpe:2.3:o:linux:linux_kernel:2.4.29:-rc2
  • Linux Kernel 2.4.30
    cpe:2.3:o:linux:linux_kernel:2.4.30
  • Linux Kernel 2.4.30 rc2
    cpe:2.3:o:linux:linux_kernel:2.4.30:rc2
  • Linux Kernel 2.4.30 rc3
    cpe:2.3:o:linux:linux_kernel:2.4.30:rc3
  • cpe:2.3:o:linux:linux_kernel:2.4.31:-pre1
    cpe:2.3:o:linux:linux_kernel:2.4.31:-pre1
  • Linux Kernel 2.4.32
    cpe:2.3:o:linux:linux_kernel:2.4.32
  • cpe:2.3:o:linux:linux_kernel:2.4.32:-pre1
    cpe:2.3:o:linux:linux_kernel:2.4.32:-pre1
  • cpe:2.3:o:linux:linux_kernel:2.4.32:-pre2
    cpe:2.3:o:linux:linux_kernel:2.4.32:-pre2
  • Linux Kernel 2.4.33
    cpe:2.3:o:linux:linux_kernel:2.4.33
  • cpe:2.3:o:linux:linux_kernel:2.4.33:p-re1
    cpe:2.3:o:linux:linux_kernel:2.4.33:p-re1
  • Linux Kernel 2.4.33.2
    cpe:2.3:o:linux:linux_kernel:2.4.33.2
  • Linux Kernel 2.4.33.3
    cpe:2.3:o:linux:linux_kernel:2.4.33.3
  • Linux Kernel 2.4.33.4
    cpe:2.3:o:linux:linux_kernel:2.4.33.4
  • Linux Kernel 2.4.33.5
    cpe:2.3:o:linux:linux_kernel:2.4.33.5
  • cpe:2.3:o:linux:linux_kernel:2.4.33.7
    cpe:2.3:o:linux:linux_kernel:2.4.33.7
  • Linux Kernel 2.4.34
    cpe:2.3:o:linux:linux_kernel:2.4.34
  • cpe:2.3:o:linux:linux_kernel:2.4.35.3
    cpe:2.3:o:linux:linux_kernel:2.4.35.3
  • cpe:2.3:o:linux:linux_kernel:2.4.36
    cpe:2.3:o:linux:linux_kernel:2.4.36
  • cpe:2.3:o:linux:linux_kernel:2.4.36.1
    cpe:2.3:o:linux:linux_kernel:2.4.36.1
  • cpe:2.3:o:linux:linux_kernel:2.4.36.2
    cpe:2.3:o:linux:linux_kernel:2.4.36.2
  • cpe:2.3:o:linux:linux_kernel:2.4.36.3
    cpe:2.3:o:linux:linux_kernel:2.4.36.3
  • cpe:2.3:o:linux:linux_kernel:2.4.36.4
    cpe:2.3:o:linux:linux_kernel:2.4.36.4
  • cpe:2.3:o:linux:linux_kernel:2.4.36.5
    cpe:2.3:o:linux:linux_kernel:2.4.36.5
  • cpe:2.3:o:linux:linux_kernel:2.4.36.6
    cpe:2.3:o:linux:linux_kernel:2.4.36.6
  • cpe:2.3:o:linux:linux_kernel:2.4.36.7
    cpe:2.3:o:linux:linux_kernel:2.4.36.7
  • cpe:2.3:o:linux:linux_kernel:2.4.36.8
    cpe:2.3:o:linux:linux_kernel:2.4.36.8
  • cpe:2.3:o:linux:linux_kernel:2.4.37:-rc1
    cpe:2.3:o:linux:linux_kernel:2.4.37:-rc1
  • cpe:2.3:o:linux:linux_kernel:2.4.37.1
    cpe:2.3:o:linux:linux_kernel:2.4.37.1
  • cpe:2.3:o:linux:linux_kernel:2.6
    cpe:2.3:o:linux:linux_kernel:2.6
  • Linux Kernel 2.6.0
    cpe:2.3:o:linux:linux_kernel:2.6.0
  • Linux Kernel 2.6.1
    cpe:2.3:o:linux:linux_kernel:2.6.1
  • Linux Kernel 2.6.10
    cpe:2.3:o:linux:linux_kernel:2.6.10
  • Linux Kernel 2.6.11
    cpe:2.3:o:linux:linux_kernel:2.6.11
  • Linux Kernel 2.6.11.1
    cpe:2.3:o:linux:linux_kernel:2.6.11.1
  • Linux Kernel 2.6.11.2
    cpe:2.3:o:linux:linux_kernel:2.6.11.2
  • Linux Kernel 2.6.11.3
    cpe:2.3:o:linux:linux_kernel:2.6.11.3
  • Linux Kernel 2.6.11.4
    cpe:2.3:o:linux:linux_kernel:2.6.11.4
  • Linux Kernel 2.6.11.5
    cpe:2.3:o:linux:linux_kernel:2.6.11.5
  • Linux Kernel 2.6.11.6
    cpe:2.3:o:linux:linux_kernel:2.6.11.6
  • Linux Kernel 2.6.11.7
    cpe:2.3:o:linux:linux_kernel:2.6.11.7
  • Linux Kernel 2.6.11.8
    cpe:2.3:o:linux:linux_kernel:2.6.11.8
  • Linux Kernel 2.6.11.9
    cpe:2.3:o:linux:linux_kernel:2.6.11.9
  • Linux Kernel 2.6.11.10
    cpe:2.3:o:linux:linux_kernel:2.6.11.10
  • Linux Kernel 2.6.11.11
    cpe:2.3:o:linux:linux_kernel:2.6.11.11
  • Linux Kernel 2.6.11.12
    cpe:2.3:o:linux:linux_kernel:2.6.11.12
  • Linux Kernel 2.6.12
    cpe:2.3:o:linux:linux_kernel:2.6.12
  • Linux Kernel 2.6.12.1
    cpe:2.3:o:linux:linux_kernel:2.6.12.1
  • Linux Kernel 2.6.12.2
    cpe:2.3:o:linux:linux_kernel:2.6.12.2
  • Linux Kernel 2.6.12.3
    cpe:2.3:o:linux:linux_kernel:2.6.12.3
  • Linux Kernel 2.6.12.4
    cpe:2.3:o:linux:linux_kernel:2.6.12.4
  • Linux Kernel 2.6.12.5
    cpe:2.3:o:linux:linux_kernel:2.6.12.5
  • Linux Kernel 2.6.12.6
    cpe:2.3:o:linux:linux_kernel:2.6.12.6
  • Linux Kernel 2.6.13
    cpe:2.3:o:linux:linux_kernel:2.6.13
  • Linux Kernel 2.6.13.1
    cpe:2.3:o:linux:linux_kernel:2.6.13.1
  • Linux Kernel 2.6.13.2
    cpe:2.3:o:linux:linux_kernel:2.6.13.2
  • Linux Kernel 2.6.13.3
    cpe:2.3:o:linux:linux_kernel:2.6.13.3
  • Linux Kernel 2.6.13.4
    cpe:2.3:o:linux:linux_kernel:2.6.13.4
  • Linux Kernel 2.6.13.5
    cpe:2.3:o:linux:linux_kernel:2.6.13.5
  • Linux Kernel 2.6.14
    cpe:2.3:o:linux:linux_kernel:2.6.14
  • Linux Kernel 2.6.14.1
    cpe:2.3:o:linux:linux_kernel:2.6.14.1
  • Linux Kernel 2.6.14.2
    cpe:2.3:o:linux:linux_kernel:2.6.14.2
  • Linux Kernel 2.6.14.3
    cpe:2.3:o:linux:linux_kernel:2.6.14.3
  • Linux Kernel 2.6.14.4
    cpe:2.3:o:linux:linux_kernel:2.6.14.4
  • Linux Kernel 2.6.14.5
    cpe:2.3:o:linux:linux_kernel:2.6.14.5
  • Linux Kernel 2.6.14.6
    cpe:2.3:o:linux:linux_kernel:2.6.14.6
  • Linux Kernel 2.6.14.7
    cpe:2.3:o:linux:linux_kernel:2.6.14.7
  • Linux Kernel 2.6.15
    cpe:2.3:o:linux:linux_kernel:2.6.15
  • Linux Kernel 2.6.15.1
    cpe:2.3:o:linux:linux_kernel:2.6.15.1
  • Linux Kernel 2.6.15.2
    cpe:2.3:o:linux:linux_kernel:2.6.15.2
  • Linux Kernel 2.6.15.3
    cpe:2.3:o:linux:linux_kernel:2.6.15.3
  • Linux Kernel 2.6.15.4
    cpe:2.3:o:linux:linux_kernel:2.6.15.4
  • Linux Kernel 2.6.15.5
    cpe:2.3:o:linux:linux_kernel:2.6.15.5
  • Linux Kernel 2.6.15.6
    cpe:2.3:o:linux:linux_kernel:2.6.15.6
  • Linux Kernel 2.6.15.7
    cpe:2.3:o:linux:linux_kernel:2.6.15.7
  • Linux Kernel 2.6.16
    cpe:2.3:o:linux:linux_kernel:2.6.16
  • Linux Kernel 2.6.16.1
    cpe:2.3:o:linux:linux_kernel:2.6.16.1
  • Linux Kernel 2.6.16.2
    cpe:2.3:o:linux:linux_kernel:2.6.16.2
  • Linux Kernel 2.6.16.10
    cpe:2.3:o:linux:linux_kernel:2.6.16.10
  • Linux Kernel 2.6.16.11
    cpe:2.3:o:linux:linux_kernel:2.6.16.11
  • Linux Kernel 2.6.16.12
    cpe:2.3:o:linux:linux_kernel:2.6.16.12
  • Linux Kernel 2.6.16.13
    cpe:2.3:o:linux:linux_kernel:2.6.16.13
  • Linux Kernel 2.6.16.14
    cpe:2.3:o:linux:linux_kernel:2.6.16.14
  • Linux Kernel 2.6.16.15
    cpe:2.3:o:linux:linux_kernel:2.6.16.15
  • Linux Kernel 2.6.16.16
    cpe:2.3:o:linux:linux_kernel:2.6.16.16
  • Linux Kernel 2.6.16.17
    cpe:2.3:o:linux:linux_kernel:2.6.16.17
  • Linux Kernel 2.6.16.18
    cpe:2.3:o:linux:linux_kernel:2.6.16.18
  • Linux Kernel 2.6.16.19
    cpe:2.3:o:linux:linux_kernel:2.6.16.19
  • Linux Kernel 2.6.16.20
    cpe:2.3:o:linux:linux_kernel:2.6.16.20
  • Linux Kernel 2.6.16.21
    cpe:2.3:o:linux:linux_kernel:2.6.16.21
  • Linux Kernel 2.6.16.22
    cpe:2.3:o:linux:linux_kernel:2.6.16.22
  • Linux Kernel 2.6.16.23
    cpe:2.3:o:linux:linux_kernel:2.6.16.23
  • Linux Kernel 2.6.16.24
    cpe:2.3:o:linux:linux_kernel:2.6.16.24
  • Linux Kernel 2.6.16.25
    cpe:2.3:o:linux:linux_kernel:2.6.16.25
  • Linux Kernel 2.6.16.26
    cpe:2.3:o:linux:linux_kernel:2.6.16.26
  • Linux Kernel 2.6.16.27
    cpe:2.3:o:linux:linux_kernel:2.6.16.27
  • Linux Kernel 2.6.16.28
    cpe:2.3:o:linux:linux_kernel:2.6.16.28
  • Linux Kernel 2.6.30
    cpe:2.3:o:linux:linux_kernel:2.6.30
  • Linux Kernel 2.6.30 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.30:rc1
  • Linux Kernel 2.6.30 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.30:rc2
  • Linux Kernel 2.6.30 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.30:rc3
  • Linux Kernel 2.6.30 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.30:rc5
  • Linux Kernel 2.6.30 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.30:rc6
  • cpe:2.3:o:linux:linux_kernel:2.6.30:rc7-git6
    cpe:2.3:o:linux:linux_kernel:2.6.30:rc7-git6
  • Linux Kernel 2.6.30.1
    cpe:2.3:o:linux:linux_kernel:2.6.30.1
  • Linux Kernel 2.6.30.2
    cpe:2.3:o:linux:linux_kernel:2.6.30.2
  • Linux Kernel 2.6.30.4
    cpe:2.3:o:linux:linux_kernel:2.6.30.4
CVSS
Base: 7.2 (as of 17-08-2009 - 09:11)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
Vector Complexity Authentication
LOCAL LOW NONE
Impact
Confidentiality Integrity Availability
COMPLETE COMPLETE COMPLETE
exploit-db via4
  • description Linux Kernel Sendpage Local Privilege Escalation. CVE-2009-2692. Local exploit for linux platform
    file exploits/linux/local/19933.rb
    id EDB-ID:19933
    last seen 2016-02-02
    modified 2012-07-19
    platform linux
    port
    published 2012-07-19
    reporter metasploit
    source https://www.exploit-db.com/download/19933/
    title Linux Kernel - Sendpage Local Privilege Escalation
    type local
  • description Linux Kernel 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver). CVE-2009-2692. Local exploit for linux platform
    id EDB-ID:9479
    last seen 2016-02-01
    modified 2009-08-24
    published 2009-08-24
    reporter INetCop Security
    source https://www.exploit-db.com/download/9479/
    title Linux Kernel 2.4 / 2.6 - sock_sendpage ring0 Root Exploit 1
  • description Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit (ppc). CVE-2009-2692. Local exploit for linux platform
    id EDB-ID:9545
    last seen 2016-02-01
    modified 2009-08-31
    published 2009-08-31
    reporter Ramon Valle
    source https://www.exploit-db.com/download/9545/
    title Linux Kernel 2.4 / 2.6 - sock_sendpage Local Root Exploit PPC Edition
  • description Linux Kernel 2.x sock_sendpage() Local Ring0 Root Exploit. CVE-2009-2692. Local exploit for linux platform
    id EDB-ID:9435
    last seen 2016-02-01
    modified 2009-08-14
    published 2009-08-14
    reporter spender
    source https://www.exploit-db.com/download/9435/
    title Linux Kernel 2.x - sock_sendpage Local Ring0 Root Exploit 1
  • description Linux Kernel 2.x sock_sendpage() Local Root Exploit (Android Edition). CVE-2009-2692. Local exploit for android platform
    file exploits/android/local/9477.txt
    id EDB-ID:9477
    last seen 2016-02-01
    modified 2009-08-18
    platform android
    port
    published 2009-08-18
    reporter Zinx
    source https://www.exploit-db.com/download/9477/
    title Linux Kernel 2.x - sock_sendpage Local Root Exploit Android Edition
    type local
  • description Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [3]. CVE-2009-2692. Local exploit for linux platform
    id EDB-ID:9641
    last seen 2016-02-01
    modified 2009-09-11
    published 2009-09-11
    reporter Ramon Valle
    source https://www.exploit-db.com/download/9641/
    title Linux Kernel 2.4 / 2.6 - sock_sendpage Local Root Exploit 3
  • description Linux Kernel 2.x sock_sendpage() Local Root Exploit #2. CVE-2009-2692. Local exploit for linux platform
    id EDB-ID:9436
    last seen 2016-02-01
    modified 2009-08-14
    published 2009-08-14
    reporter Przemyslaw Frasunek
    source https://www.exploit-db.com/download/9436/
    title Linux Kernel 2.x - sock_sendpage Local Root Exploit 2
  • description Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [2]. CVE-2009-2692. Local exploit for linux platform
    id EDB-ID:9598
    last seen 2016-02-01
    modified 2009-09-09
    published 2009-09-09
    reporter Ramon Valle
    source https://www.exploit-db.com/download/9598/
    title Linux Kernel 2.4 / 2.6 - sock_sendpage Local Root Exploit 2
metasploit via4
description The Linux kernel failed to properly initialize some entries in the proto_ops struct for several protocols, leading to NULL being dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4. This module has been tested successfully on CentOS 5.0 (i386) with kernel version 2.6.18-8.1.1.el5; and Debian 3.1r8 Sarge (i686) with kernel version 2.4.27-3-386.
id MSF:EXPLOIT/LINUX/LOCAL/SOCK_SENDPAGE
last seen 2018-11-27
modified 2018-11-11
published 2012-10-23
reliability Great
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sock_sendpage.rb
title Linux Kernel Sendpage Local Privilege Escalation
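Every exploit above, the Metasploit module included, depends on one precondition the description names: the process must be allowed to map page 0. The following is an added check for that precondition, not code from the module or from any exploit on this page. It reads the vm.mmap_min_addr sysctl and then attempts a one-page mapping at address 0, backed by /dev/zero. The function names (parse_mmap_min_addr, read_mmap_min_addr, probe_page_zero, assess_page_zero) and the verdict strings are this example's own.

```c
/*
 * Added example, not taken from the kernel or from any exploit on this
 * page: does this host still let a process map page zero, the
 * precondition the CVE-2009-2692 exploits need? Reads
 * /proc/sys/vm/mmap_min_addr and then tries the mapping itself.
 * Function names and verdict strings are this example's own.
 */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifdef MAP_FIXED_NOREPLACE
#define PROBE_FIXED MAP_FIXED_NOREPLACE   /* refuse rather than clobber */
#else
#define PROBE_FIXED MAP_FIXED             /* page 0 is unmapped in a normal process */
#endif

/* Parse the text of /proc/sys/vm/mmap_min_addr; -1 on malformed input. */
long parse_mmap_min_addr(const char *text)
{
    char *end;
    unsigned long v;
    if (!text || !isdigit((unsigned char)*text))
        return -1;
    errno = 0;
    v = strtoul(text, &end, 10);
    if (errno != 0)
        return -1;
    while (isspace((unsigned char)*end))
        end++;                            /* tolerate the trailing newline */
    return (*end == '\0') ? (long)v : -1;
}

/* Read the live sysctl; -1 when it is not readable (non-Linux, no /proc). */
long read_mmap_min_addr(void)
{
    char buf[64];
    size_t n;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_mmap_min_addr(buf);
}

/* Try to map one page at address 0. Returns 1 if the kernel granted it
 * (the page is unmapped again immediately), 0 if refused; a refusal's
 * errno is stored in *err when err is non-NULL. */
int probe_page_zero(int *err)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int fd, at_zero;
    void *p;
    if (err) *err = 0;
    fd = open("/dev/zero", O_RDWR);
    if (fd < 0) { if (err) *err = errno; return 0; }
    p = mmap((void *)0, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | PROBE_FIXED, fd, 0);
    close(fd);
    if (p == MAP_FAILED) { if (err) *err = errno; return 0; }
    /* Kernels before 4.17 ignore MAP_FIXED_NOREPLACE and treat 0 as a
     * hint, so verify where the mapping actually landed. */
    at_zero = (p == (void *)0);
    munmap(p, pg);
    return at_zero;
}

/* Verdict from the two signals plus whether the probe ran privileged:
 * root with CAP_SYS_RAWIO passes the mmap_min_addr check regardless. */
const char *assess_page_zero(long min_addr, int mappable, int privileged)
{
    if (mappable)
        return privileged ? "privileged-probe" : "exposed";
    return (min_addr > 0) ? "protected" : "inconclusive";
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    int err = 0;
    int mappable = probe_page_zero(&err);
    printf("vm.mmap_min_addr: %ld\n", min_addr);
    if (mappable)
        printf("mmap at address 0: granted\n");
    else
        printf("mmap at address 0: refused (%s)\n", strerror(err));
    printf("verdict: %s\n", assess_page_zero(min_addr, mappable, geteuid() == 0));
    return 0;
}
```

Run it as the unprivileged user whose exposure you care about: a root run reports privileged-probe because the capability check, not the sysctl, decided the outcome. An inconclusive verdict means the mapping was refused even though mmap_min_addr is 0 or unreadable, which is what an SELinux policy or a non-Linux kernel looks like from userspace; treat that as a reason to check the other control, not as proof of protection.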
nessus via4
  • NASL family Misc.
    NASL id VMWARE_VMSA-2009-0016_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Apache Geronimo - Apache Tomcat - Apache Xerces2 - cURL/libcURL - ISC BIND - Libxml2 - Linux kernel - Linux kernel 64-bit - Linux kernel Common Internet File System - Linux kernel eCryptfs - NTP - Python - Java Runtime Environment (JRE) - Java SE Development Kit (JDK) - Java SE Abstract Window Toolkit (AWT) - Java SE Plugin - Java SE Provider - Java SE Swing - Java SE Web Start
    last seen 2019-01-16
    modified 2018-08-06
    plugin id 89117
    published 2016-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89117
    title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2013-0039.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2013-0039 for details.
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 79507
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79507
    title OracleVM 2.2 : kernel (OVMSA-2013-0039)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2009-0016.NASL
    description a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. b. Update Apache Tomcat version Update for VirtualCenter and ESX patch update the Tomcat package to version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5) which addresses multiple security issues that existed in the previous version of Apache Tomcat. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-6286, CVE-2008-0002. c. Third-party library update for ntp. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. 
ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the following security issue. Note that the same security issue is present in the ESX Service Console as described in section d. of this advisory. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the 'ntp' user. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue. The NTP security issue identified by CVE-2009-0159 is not relevant for ESXi 3.5 and ESXi 4.0. d. Service Console update for ntp Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. The Service Console present in ESX is affected by the following security issues. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the 'ntp' user. NTP authentication is not enabled by default on the Service Console. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0159 to this issue. e. 
Updated Service Console package kernel Updated Service Console package kernel addresses the security issues listed below. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028, CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676, CVE-2009-0778 to the security issues fixed in kernel 2.6.18-128.1.6. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337, CVE-2009-0787, CVE-2009-1336 to the security issues fixed in kernel 2.6.18-128.1.10. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072, CVE-2009-1630, CVE-2009-1192 to the security issues fixed in kernel 2.6.18-128.1.14. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388, CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the security issues fixed in kernel 2.6.18-128.4.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2692, CVE-2009-2698 to the security issues fixed in kernel 2.6.18-128.7.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747, CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues fixed in kernel 2.6.18-164. f. Updated Service Console package python Service Console package Python update to version 2.4.3-24.el5. When the assert() system call was disabled, an input sanitization flaw was revealed in the Python string object implementation that led to a buffer overflow. The missing check for negative size values meant the Python memory allocator could allocate less memory than expected. This could result in arbitrary code execution with the Python interpreter's privileges. 
Multiple buffer and integer overflow flaws were found in the Python Unicode string processing and in the Python Unicode and string object implementations. An attacker could use these flaws to cause a denial of service. Multiple integer overflow flaws were found in the Python imageop module. If a Python application used the imageop module to process untrusted images, it could cause the application to disclose sensitive information, crash or, potentially, execute arbitrary code with the Python interpreter's privileges. Multiple integer underflow and overflow flaws were found in the Python snprintf() wrapper implementation. An attacker could use these flaws to cause a denial of service (memory corruption). Multiple integer overflow flaws were found in various Python modules. An attacker could use these flaws to cause a denial of service. An integer signedness error, leading to a buffer overflow, was found in the Python zlib extension module. If a Python application requested the negative byte count be flushed for a decompression stream, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. A flaw was discovered in the strxfrm() function of the Python locale module. Strings generated by this function were not properly NULL-terminated, which could possibly cause disclosure of data stored in the memory of a Python application using this function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues. g. Updated Service Console package bind Service Console package bind updated to version 9.3.6-4.P1.el5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. 
BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handles dynamic update message packets containing the 'ANY' record type. A remote attacker could use this flaw to send a specially crafted dynamic update packet that could cause named to exit with an assertion failure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0696 to this issue. h. Updated Service Console package libxml2 Service Console package libxml2 updated to version 2.6.26-2.1.2.8. libxml is a library for parsing and manipulating XML files. A Document Type Definition (DTD) defines the legal syntax (and also which elements can be used) for certain types of files, such as XML files. A stack overflow flaw was found in the way libxml processes the root XML document element definition in a DTD. A remote attacker could provide a specially crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service. Multiple use-after-free flaws were found in the way libxml parses the Notation and Enumeration attribute types. A remote attacker could provide a specially crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2414 and CVE-2009-2416 to these issues. i. Updated Service Console package curl Service Console package curl updated to version 7.15.5-2.1.el5_3.5 A cURL is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2417 to this issue. j. Updated Service Console package gnutls Service Console package gnutls updated to version 1.4.1-3.el5_3.5. A flaw was discovered in the way GnuTLS handles NULL characters in certain fields of X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by an application using GnuTLS, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse the application into accepting it by mistake. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2730 to this issue.
    last seen 2019-01-16
    modified 2018-08-06
    plugin id 42870
    published 2009-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42870
    title VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1469.NASL
    description Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4.7 Extended Update Support. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the Linux kernel. This driver allowed interfaces using this driver to receive frames larger than what could be handled. This could lead to a remote denial of service or code execution. (CVE-2009-1389, Important) * Tavis Ormandy and Julien Tinnes of the Google Security Team reported a flaw in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * Tavis Ormandy and Julien Tinnes of the Google Security Team reported a flaw in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2017-01-10
    plugin id 63899
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63899
    title RHEL 4 : kernel (RHSA-2009:1469)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-6440.NASL
    description This kernel update for openSUSE 10.3 fixes some bugs and several security problems. The following security issues are fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. CVE-2009-2406: A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible if ecryptfs is in use. CVE-2009-2407: A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible if ecryptfs is in use. The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively. CVE-2009-1389: A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network. CVE-2009-0676: A memory disclosure via the SO_BSDCOMPAT socket option was fixed. CVE-2009-1630: The nfs_permission function in fs/nfs/dir.c in the NFS client implementation when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver. get_random_int() was made more random to enhance ASLR protection.
    last seen 2019-01-16
    modified 2016-12-22
    plugin id 42009
    published 2009-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42009
    title openSUSE 10 Security Update : kernel (kernel-6440)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-8647.NASL
    description Fix sock_sendpage NULL pointer dereference. CVE-2009-2692. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2016-05-20
    plugin id 40605
    published 2009-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40605
    title Fedora 10 : kernel-2.6.27.29-170.2.79.fc10 (2009-8647)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1862.NASL
    description A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem : - CVE-2009-2692 Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 44727
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44727
    title Debian DSA-1862-1 : linux-2.6 - privilege escalation
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1222.NASL
    description Updated kernel packages that fix two security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. These updated packages also fix the following bug : * in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running 'cman_tool kill -n [nodename]'. (BZ#515432) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 43777
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43777
    title CentOS 5 : kernel (CESA-2009:1222)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-6437.NASL
    description This patch updates the SUSE Linux Enterprise 10 SP2 kernel to fix various bugs and some security issues. The following security issues were fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. (No CVE yet) An information leak from using sigaltstack was fixed. Enabled -fno-delete-null-pointer-checks to avoid optimizing away NULL pointer checks and fixed Makefiles to make sure -fwrapv is used everywhere. CVE-2009-1758: The hypervisor_callback function in Xen allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in 'certain address ranges.' - A crash on r8169 network cards when receiving large packets was fixed. (CVE-2009-1389) - The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver. (CVE-2009-1630)
    last seen 2019-01-16
    modified 2016-12-22
    plugin id 59138
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59138
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6437)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1457.NASL
    description Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 5.2 Extended Update Support. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the Linux kernel. This driver allowed interfaces using this driver to receive frames larger than what could be handled. This could lead to a remote denial of service or code execution. (CVE-2009-1389, Important) * Tavis Ormandy and Julien Tinnes of the Google Security Team reported a flaw in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * Tavis Ormandy and Julien Tinnes of the Google Security Team reported a flaw in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2017-01-10
    plugin id 63896
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63896
    title RHEL 5 : kernel (RHSA-2009:1457)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-6439.NASL
    description This patch updates the SUSE Linux Enterprise 10 SP2 kernel to fix various bugs and some security issues. The following security issues were fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. (No CVE yet) An information leak from using sigaltstack was fixed. Enabled -fno-delete-null-pointer-checks to avoid optimizing away NULL pointer checks and fixed Makefiles to make sure -fwrapv is used everywhere. CVE-2009-1758: The hypervisor_callback function in Xen allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in 'certain address ranges.' - A crash on r8169 network cards when receiving large packets was fixed. (CVE-2009-1389) - The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver. (CVE-2009-1630)
    last seen 2019-01-16
    modified 2016-12-22
    plugin id 41540
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41540
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6439)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1233.NASL
    description From Red Hat Security Advisory 2009:1233 : Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. All Red Hat Enterprise Linux 3 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 67917
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67917
    title Oracle Linux 3 : kernel (ELSA-2009-1233)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090824_KERNEL_ON_SL5_X.NASL
    description CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc CVE-2009-2698 kernel: udp socket NULL ptr dereference These updated packages fix the following security issues : - a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) - a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) These updated packages also fix the following bug : - in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running 'cman_tool kill -n [nodename]'. (BZ#515432) The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 60646
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60646
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1222.NASL
    description From Red Hat Security Advisory 2009:1222 : Updated kernel packages that fix two security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. These updated packages also fix the following bug : * in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running 'cman_tool kill -n [nodename]'. (BZ#515432) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 67914
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67914
    title Oracle Linux 5 : kernel (ELSA-2009-1222)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_KERNEL-090816.NASL
    description The SUSE Linux Enterprise 11 Kernel was updated to 2.6.27.29 fixing various bugs and security issues. The following security issues were fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. CVE-2009-2406: A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible if ecryptfs is in use. CVE-2009-2407: A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible if ecryptfs is in use. The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively. CVE-2009-1389: A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network. No CVE yet: A sigaltstack kernel memory disclosure was fixed. The NULL page protection using mmap_min_addr was enabled (was disabled before). This update also adds the Microsoft Hyper-V drivers from upstream.
    last seen 2019-01-16
    modified 2015-12-01
    plugin id 40789
    published 2009-08-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40789
    title openSUSE Security Update : kernel (kernel-1214)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1233.NASL
    description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. All Red Hat Enterprise Linux 3 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 40808
    published 2009-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40808
    title CentOS 3 : kernel (CESA-2009:1233)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KERNEL-090816.NASL
    description The SUSE Linux Enterprise 11 Kernel was updated to 2.6.27.29 fixing various bugs and security issues. The following security issues were fixed : - A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. (CVE-2009-2692) - A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible if ecryptfs is in use. (CVE-2009-2406) - A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible if ecryptfs is in use. (CVE-2009-2407) The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively. - A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network. (CVE-2009-1389) No CVE yet: A sigaltstack kernel memory disclosure was fixed. The NULL page protection using mmap_min_addr was enabled (was disabled before). This update also adds the Microsoft Hyper-V drivers from upstream. Additionally, a lot of bugs were fixed.
    last seen 2019-01-16
    modified 2016-12-21
    plugin id 41414
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41414
    title SuSE 11 Security Update : Linux kernel (SAT Patch Numbers 1212 / 1218 / 1219)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-819-1.NASL
    description Tavis Ormandy and Julien Tinnes discovered that Linux did not correctly initialize certain socket operation function pointers. A local attacker could exploit this to gain root privileges. By default, Ubuntu 8.04 and later with a non-zero /proc/sys/vm/mmap_min_addr setting were not vulnerable. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 40658
    published 2009-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40658
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : linux, linux-source-2.6.15 vulnerability (USN-819-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1233.NASL
    description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. All Red Hat Enterprise Linux 3 users should upgrade to these updated packages, which contain backported patches to resolve these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-27
    plugin id 40795
    published 2009-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40795
    title RHEL 3 : kernel (RHSA-2009:1233)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1864.NASL
    description A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem : - CVE-2009-2692 Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 44729
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44729
    title Debian DSA-1864-1 : linux-2.6.24 - privilege escalation
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_KERNEL-090814.NASL
    description This kernel update for openSUSE 11.0 fixes some bugs and several security problems. The following security issues are fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges. CVE-2009-2406: A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible if ecryptfs is in use. CVE-2009-2407: A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible if ecryptfs is in use. The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively. CVE-2009-1389: A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network. CVE-2009-1895: Personality flags on set*id were not cleared correctly, so ASLR and NULL page protection could be bypassed. CVE-2009-1046: A utf-8 console memory corruption that can be used for local privilege escalation was fixed. The NULL page protection using mmap_min_addr was enabled (was disabled before). No CVE yet: A sigaltstack kernel memory disclosure was fixed. CVE-2008-5033: A local denial of service (Oops) in video4linux tvaudio was fixed. CVE-2009-1385: An integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size.
    last seen 2019-01-16
    modified 2016-12-21
    plugin id 40783
    published 2009-08-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40783
    title openSUSE Security Update : kernel (kernel-1211)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1223.NASL
    description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 40753
    published 2009-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40753
    title CentOS 4 : kernel (CESA-2009:1223)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1223.NASL
    description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-27
    plugin id 40766
    published 2009-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40766
    title RHEL 4 : kernel (RHSA-2009:1223)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-233.NASL
    description A vulnerability was discovered and corrected in the Linux 2.6 kernel : The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation on a PF_PPPOX socket. (CVE-2009-2692) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 40980
    published 2009-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40980
    title Mandriva Linux Security Advisory : kernel (MDVSA-2009:233)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-205.NASL
    description A vulnerability was discovered and corrected in the Linux 2.6 kernel : The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation on a PF_PPPOX socket. (CVE-2009-2692) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 40637
    published 2009-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40637
    title Mandriva Linux Security Advisory : kernel (MDVSA-2009:205)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2009-0023.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - backport for online resize of blockdev [orabug 8585251] [rh bugz 444964] - CVE-2009-2692 - [net] make sock_sendpage use kernel_sendpage (Jiri Pirko) [517445 516955] - CVE-2009-2698 - [net] prevent null pointer dereference in udp_sendmsg (Vitaly Mayatskikh) [518047 518043] - Updated cciss module to 3.6.20 - update bnx2x 1.48.107 - update bnx2 1.8.8b - update bfa to 1.1.0.9-0 [bugz 9518] - Fix dom0 crash in loopback_start_xmit+0x107/0x2BD [bug 7634343]
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 79465
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79465
    title OracleVM 2.1 : kernel (OVMSA-2009-0023)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1223.NASL
    description From Red Hat Security Advisory 2009:1223 : Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 67915
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67915
    title Oracle Linux 4 : kernel (ELSA-2009-1223)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1865.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-1385 Neil Horman discovered a missing fix from the e1000 network driver. A remote user may cause a denial of service by way of a kernel panic triggered by specially crafted frame sizes. - CVE-2009-1389 Michael Tokarev discovered an issue in the r8169 network driver. Remote users on the same LAN may cause a denial of service by way of a kernel panic triggered by receiving a large size frame. - CVE-2009-1630 Frank Filz discovered that local users may be able to execute files without execute permission when accessed via an nfs4 mount. - CVE-2009-1633 Jeff Layton and Suresh Jayaraman fixed several buffer overflows in the CIFS filesystem which allow remote servers to cause memory corruption. - CVE-2009-2692 Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 44730
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44730
    title Debian DSA-1865-1 : linux-2.6 - denial of service/privilege escalation
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090827_KERNEL_ON_SL3_X.NASL
    description CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc CVE-2009-2698 kernel: udp socket NULL ptr dereference These updated packages fix the following security issues : - a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) - a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 60648
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60648
    title Scientific Linux Security Update : kernel on SL3.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-8649.NASL
    description Fix sock_sendpage NULL pointer dereference. CVE-2009-2692. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2016-05-20
    plugin id 40606
    published 2009-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40606
    title Fedora 11 : kernel-2.6.29.6-217.2.7.fc11 (2009-8649)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2010-0010.NASL
    description a. Service Console update for COS kernel The service console package kernel is updated to version 2.4.21-63. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-5029, CVE-2008-5300, CVE-2009-1337, CVE-2009-1385, CVE-2009-1895, CVE-2009-2848, CVE-2009-3002, and CVE-2009-3547 to the security issues fixed in kernel-2.4.21-63. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2698, CVE-2009-2692 to the security issues fixed in kernel-2.4.21-60.
    last seen 2019-01-16
    modified 2018-08-06
    plugin id 47150
    published 2010-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47150
    title VMSA-2010-0010 : ESX 3.5 third-party update for Service Console kernel
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1222.NASL
    description Updated kernel packages that fix two security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated packages fix the following security issues : * a flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro did not initialize the sendpage operation in the proto_ops structure correctly. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2692, Important) * a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) Red Hat would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for responsibly reporting these flaws. These updated packages also fix the following bug : * in the dlm code, a socket was allocated in tcp_connect_to_sock(), but was not freed in the error exit path. This bug led to a memory leak and an unresponsive system. A reported case of this bug occurred after running 'cman_tool kill -n [nodename]'. (BZ#515432) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-27
    plugin id 40765
    published 2009-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40765
    title RHEL 5 : kernel (RHSA-2009:1222)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2009-230-01.NASL
    description New Linux kernel packages are available for Slackware 12.2 and -current to address a security issue. A kernel bug discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team could allow a local user to fill memory page zero with arbitrary code and then use the kernel sendpage operation to trigger a NULL pointer dereference, executing the code in the context of the kernel. If successfully exploited, this bug can be used to gain root access. At this time we have prepared fixed kernels for the stable version of Slackware (12.2), as well as for both 32-bit x86 and x86_64 -current versions. Additionally, we have added a package to the /patches directory for Slackware 12.1 and 12.2 that will set the minimum memory page that can be mmap()ed from userspace without additional privileges to 4096. The package will work with any kernel supporting the vm.mmap_min_addr tunable, and should significantly reduce the potential harm from this bug, as well as future similar bugs that might be found in the kernel. More updated kernels may follow.
    last seen 2019-01-16
    modified 2015-12-01
    plugin id 40622
    published 2009-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40622
    title Slackware 12.2 / current : kernel (SSA:2009-230-01)
oval via4
  • accepted 2010-08-23T04:00:08.690-04:00
    class vulnerability
    contributors
    name Chandan M C
    organization Hewlett-Packard
    definition_extensions
    comment VMware ESX Server 3.5.0 is installed
    oval oval:org.mitre.oval:def:5887
    description The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
    family unix
    id oval:org.mitre.oval:def:11526
    status accepted
    submitted 2010-07-10T10:25:06.000-05:00
    title Service Console update for COS kernel
    version 5
  • accepted 2013-04-29T04:14:50.572-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
    family unix
    id oval:org.mitre.oval:def:11591
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
    version 24
  • accepted 2014-01-20T04:01:41.398-05:00
    class vulnerability
    contributors
    • name Pai Peng
      organization Hewlett-Packard
    • name Chris Coffin
      organization The MITRE Corporation
    definition_extensions
    comment VMware ESX Server 4.0 is installed
    oval oval:org.mitre.oval:def:6293
    description The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
    family unix
    id oval:org.mitre.oval:def:8657
    status accepted
    submitted 2010-03-19T16:57:59.000-04:00
    title VMware kernel NULL pointer dereference vulnerability
    version 7
packetstorm via4
data source https://packetstormsecurity.com/files/download/114856/sock_sendpage.rb.txt
id PACKETSTORM:114856
last seen 2016-12-05
published 2012-07-19
reporter Brad Spengler
source https://packetstormsecurity.com/files/114856/Linux-Kernel-Sendpage-Local-Privilege-Escalation.html
title Linux Kernel Sendpage Local Privilege Escalation
redhat via4
advisories
  • rhsa
    id RHSA-2009:1222
  • rhsa
    id RHSA-2009:1223
  • rhsa
    id RHSA-2009:1233
rpms
  • kernel-0:2.6.18-128.7.1.el5
  • kernel-PAE-0:2.6.18-128.7.1.el5
  • kernel-PAE-devel-0:2.6.18-128.7.1.el5
  • kernel-debug-0:2.6.18-128.7.1.el5
  • kernel-debug-devel-0:2.6.18-128.7.1.el5
  • kernel-devel-0:2.6.18-128.7.1.el5
  • kernel-doc-0:2.6.18-128.7.1.el5
  • kernel-headers-0:2.6.18-128.7.1.el5
  • kernel-kdump-0:2.6.18-128.7.1.el5
  • kernel-kdump-devel-0:2.6.18-128.7.1.el5
  • kernel-xen-0:2.6.18-128.7.1.el5
  • kernel-xen-devel-0:2.6.18-128.7.1.el5
  • kernel-0:2.6.9-89.0.9.EL
  • kernel-devel-0:2.6.9-89.0.9.EL
  • kernel-doc-0:2.6.9-89.0.9.EL
  • kernel-hugemem-0:2.6.9-89.0.9.EL
  • kernel-hugemem-devel-0:2.6.9-89.0.9.EL
  • kernel-largesmp-0:2.6.9-89.0.9.EL
  • kernel-largesmp-devel-0:2.6.9-89.0.9.EL
  • kernel-smp-0:2.6.9-89.0.9.EL
  • kernel-smp-devel-0:2.6.9-89.0.9.EL
  • kernel-xenU-0:2.6.9-89.0.9.EL
  • kernel-xenU-devel-0:2.6.9-89.0.9.EL
  • kernel-0:2.4.21-60.EL
  • kernel-BOOT-0:2.4.21-60.EL
  • kernel-doc-0:2.4.21-60.EL
  • kernel-hugemem-0:2.4.21-60.EL
  • kernel-hugemem-unsupported-0:2.4.21-60.EL
  • kernel-smp-0:2.4.21-60.EL
  • kernel-smp-unsupported-0:2.4.21-60.EL
  • kernel-source-0:2.4.21-60.EL
  • kernel-unsupported-0:2.4.21-60.EL
refmap via4
bid 36038
bugtraq
  • 20090813 Linux NULL pointer dereference due to incorrect proto_ops initializations
  • 20090818 rPSA-2009-0121-1 kernel open-vm-tools
  • 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
  • 20100625 VMSA-2010-0010 ESX 3.5 third party update for Service Console kernel
confirm
debian DSA-1865
fulldisc 20090813 Linux NULL pointer dereference due to incorrect proto_ops initializations
mandriva MDVSA-2009:233
misc
mlist [oss-security] 20090814 CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc
secunia
  • 36278
  • 36289
  • 36327
  • 36430
  • 37298
  • 37471
suse SUSE-SR:2009:015
vupen
  • ADV-2009-2272
  • ADV-2009-3316
statements via4
contributor Mark J Cox
lastmodified 2009-09-14
organization Red Hat
statement Red Hat is aware of this issue. Please see http://kbase.redhat.com/faq/docs/DOC-18065. Updates for Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG to correct this issue are available: https://rhn.redhat.com/cve/CVE-2009-2692.html
Last major update 22-10-2012 - 23:09
Published 14-08-2009 - 11:16
Last modified 10-10-2018 - 15:41