CVE-2003-0961
published 2003-12-15

CVE-2003-0961: Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.

Priority: P2
CVSS 2.0: 7.2 (high), vector AV:L/AC:L/Au:N/C:C/I:C/A:C
ITW / Exploit: listed in VulnCheck KEV; exploited in the wild
EPSS: 3.32% (87.1th percentile)

Affected

1 range

Vendor   Product        Version range   Fixed in
linux    linux_kernel   <= 2.4.22       (none listed)

Detection & IOCs (extracted from sources)

filename: hatorihanzo.c
other: 0xBFFF0000
other: 0xC0500000
command: lcall $GATE,$0x0
  • Monitor for local processes invoking the brk syscall (syscall 45) with a high virtual address argument near 0xC0500000, which is characteristic of the do_brk integer overflow exploit triggering kernel memory expansion.
  • Detect use of modify_ldt(1, ...) to set up custom LDT call gate entries (ENTRY_GATE, ENTRY_CS, ENTRY_DS), which is used by the exploit to escalate privileges via a far call into kernel space.
  • Detect processes using mremap (syscall 163) to relocate the stack away from high virtual addresses (near 0xBFFF0000) as a precursor step in the do_brk exploit.
  • Look for the magic constant 0xdefaced in LDT memory pages or process memory maps, used by the hatorihanzo exploit to validate its injected LDT entry before executing the call gate.
  • Detect a process spawning multiple child processes via fork() in rapid succession (loop of 4 forks) followed by nanosleep, a pattern used by the exploit to race kernel state.
  • The exploit targets Linux kernel 2.4.22 and earlier only; kernels beyond this version are not affected by this specific do_brk integer overflow.
  • The exploit is local privilege escalation only; it requires an existing local user account on the target system.

CVSS provenance

nvd (CVSS v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 7.2 HIGH
vendor_redhat: 7.2 HIGH