CVE-2003-0961
Published: 2003-12-15
Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.
Priority: P2 · CVSS 2.0 base score 7.2 (high)
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Exploited in the wild (VulnCheck KEV)
EPSS: 3.32% (87.1th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | <= 2.4.22 | — |
Detection & IOCs (extracted from sources)
- Monitor for local processes invoking the brk syscall (syscall 45) with a high virtual address argument near 0xC0500000, which is characteristic of the do_brk integer overflow exploit triggering kernel memory expansion.
- Detect use of modify_ldt(1, ...) to set up custom LDT call gate entries (ENTRY_GATE, ENTRY_CS, ENTRY_DS), which is used by the exploit to escalate privileges via a far call into kernel space.
- Detect processes using mremap (syscall 163) to relocate the stack away from high virtual addresses (near 0xBFFF0000) as a precursor step in the do_brk exploit.
- Look for the magic constant 0xdefaced in LDT memory pages or process memory maps, used by the hatorihanzo exploit to validate its injected LDT entry before executing the call gate.
- Detect a process spawning multiple child processes via fork() in rapid succession (a loop of 4 forks) followed by nanosleep, a pattern used by the exploit to race kernel state.
- Note: the exploit targets Linux kernel 2.4.22 and earlier only; kernels beyond this version are not affected by this specific do_brk integer overflow.
- Note: the exploit is local privilege escalation only; it requires an existing local user account on the target system.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.2 | HIGH | |
| vendor_redhat | | 7.2 | HIGH | |
Red Hat
security flaw
vendor_redhat · 2003-12-01 · CVSS 7.2 [HIGH]
Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.
GHSA
GHSA-v5w6-5r75-rfr6: Integer overflow in the do_brk function for the brk system call in Linux kernel 2
ghsa_unreviewed · 2022-04-29 · [HIGH]
Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.
VulnCheck
Linux Kernel Integer Overflow or Wraparound
vulncheck · 2003 · CVSS 7.2 [HIGH]
Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.
Affected: Linux Kernel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://access.redhat.com/errata/RHSA-2003:368
No detection rules found.
Exploit-DB
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (2)
exploitdb · 2003-12-05
---
```c
/*
 * hatorihanzo.c
 * Linux kernel do_brk vma overflow exploit.
 *
 * The bug was found by Paul (IhaQueR) Starzetz
 *
 * Further research and exploit development by
 * Wojciech Purczynski and Paul Starzetz.
 *
 * (c) 2003 Copyright by IhaQueR and cliph. All Rights Reserved.
 *
 * COPYING, PRINTING, DISTRIBUTION, MODIFICATION, COMPILATION AND ANY USE
 * OF PRESENTED CODE IS STRICTLY PROHIBITED.
 */
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define kB * 1024
#define MB * 1024 kB
#define GB * 1024 MB
#define MAGIC 0xdefaced /* I should've patented this number -cliph */
#d
```
Exploit-DB
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (1)
exploitdb · 2003-12-02
---
```nasm
; E-DB Note: Updated Exploit ~ https://www.exploit-db.com/exploits/131/
;
; Christophe Devine (devine at cr0.net) and Julien Tinnes (julien at cr0.org)
;
; This exploit uses sys_brk directly to expand its break and doesn't rely
; on the ELF loader to do it.
;
; To bypass a check in sys_brk against available memory, we use a high
; virtual address as base address
;
; In most cases (let's say when no PaX w/ ASLR :) we have to move the stack
; so that we can expand our break
;
BITS 32
org 0xBFFF0000
ehdr:                       ; Elf32_Ehdr
    db 0x7F, "ELF", 1, 1, 1 ; e_ident
    times 9 db 0
    dw 2                    ; e_type
    dw 3                    ; e_machine
    dd 1                    ; e_version
    dd _start               ; e_entry
    dd phdr - $$            ; e_phoff
    dd 0                    ; e_shoff
    dd 0                    ; e_flags
    dw ehdrsize             ; e_ehsize
    dw phdrsize             ; e
```
Bugzilla
CVE-2003-0961 security flaw
bugzilla · 2018-08-16 · CVSS 7.2 [HIGH]
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.
Bugzilla
Local exploit: Userland can access full kernel memory
bugzilla · 2003-12-01 · [MEDIUM]
Description of problem:
Vulnerability : userland can access full kernel memory
Problem type : local
Debian-specific: no
CVE Id(s) : CAN-2003-0961
Recently multiple servers of the Debian project were compromised using a Debian developer's account and an unknown root exploit. Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space. This problem was found in September by Andrew Morton, but
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000796
- http://isec.pl/papers/linux_kernel_do_brk.pdf
- http://marc.info/?l=bugtraq&m=107064798706473&w=2
- http://marc.info/?l=bugtraq&m=107064830206816&w=2
- http://marc.info/?l=bugtraq&m=107394143105081&w=2
- http://secunia.com/advisories/10328
- http://secunia.com/advisories/10329
- http://secunia.com/advisories/10330
- http://secunia.com/advisories/10333
- http://secunia.com/advisories/10338
- http://www.debian.org/security/2003/dsa-403
- http://www.debian.org/security/2004/dsa-417
- http://www.debian.org/security/2004/dsa-423
- http://www.debian.org/security/2004/dsa-433
- http://www.debian.org/security/2004/dsa-439
- http://www.debian.org/security/2004/dsa-440
- http://www.debian.org/security/2004/dsa-442
- http://www.debian.org/security/2004/dsa-450
- http://www.debian.org/security/2004/dsa-470
- http://www.debian.org/security/2004/dsa-475
- http://www.kb.cert.org/vuls/id/301156
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:110
- http://www.novell.com/linux/security/advisories/2003_049_kernel.html
- http://www.redhat.com/support/errata/RHSA-2003-368.html
- http://www.redhat.com/support/errata/RHSA-2003-389.html