CVE-2004-1073
Published 2005-01-10
Priority P4 · 11 · low · CVSS 2.0 score 2.1
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
EPSS: 0.81% (52.3th percentile)
The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.
Affected
171 ranges · showing 25 (the 25 rows shown are identical and are collapsed to one below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | — | — |
CVSS provenance
NVD (v2.0): 2.1 LOW · AV:L/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat: 2.1 LOW
Red Hat · vendor_redhat · 2007-01-26 · CVSS 2.1
CVE-2007-0958 [LOW] core-dumping unreadable binaries via PT_INTERP
Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073.

Red Hat · vendor_redhat · 2004-11-10 · CVSS 2.1
CVE-2004-1073 [LOW] security flaw
The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.

GHSA · ghsa_unreviewed · 2022-05-01 · CVSS 2.1
CVE-2007-0958 [LOW] GHSA-gvfc-g9f3-p63j: Linux kernel 2
Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073.

GHSA · ghsa_unreviewed · 2022-04-29
CVE-2004-1073 [LOW] GHSA-g2v4-66wh-fj69: The open_exec function in the execve functionality (exec
The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.
No detection rules found.
Bugzilla · bugzilla · 2018-08-16 · CVSS 2.1
CVE-2004-1073 [LOW] CVE-2004-1073 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.
Bugzilla · bugzilla · 2007-06-08 · CVSS 2.1
CVE-2007-0958 [LOW] CVE-2007-0958 core-dumping unreadable binaries via PT_INTERP
CVE-2004-1073 is still an issue -- a patched PoC can still cause a
coredump of a non-readable binary such as /usr/bin/sudo; PoC attached;
the tweak in question is adding:
eph.p_memsz = 4097;
Run "./poc /usr/bin/sudo" and a "core" spits out -- WFM on a 2.6.17.x
kernel.
To reproduce, do
* grab poc at the end of advisory.
* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
where first "4096" is something equal to or greater than 4096.
* ./poc /usr/bin/sudo && ls -l
Here I get:
-rw------- 1 ad ad 102400 2007-01-15 19:17 core
---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
Check for MAY_READ as binfmt_misc.c does.
Discussion:
committed in stream rhel‑4.5.z build 55.0.1
---
An advisory has been issued
Bugzilla · bugzilla · 2007-02-23 · CVSS 2.1
CVE-2007-0958 [LOW] CVE-2007-0958 core-dumping unreadable binaries via PT_INTERP
+++ This bug was initially created as a clone of Bug #228886 +++
CVE-2004-1073 is still an issue -- PoC can still cause a coredump of a
non-readable binary such as /usr/bin/sudo; PoC attached; the tweak in question
is adding:
eph.p_memsz = 4097;
Run "./poc /usr/bin/sudo" and a "core" spits out -- WFM on a 2.6.17.x kernel.
-- Additional comment from [email protected] on 2007-02-15 14:07 EST --
Created an attachment (id=148136)
Proposed upstream patch
-- Additional comment from [email protected] on 2007-02-23 14:04 EST --
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engine
Bugzilla · bugzilla · 2005-03-30 · CVSS 2.1
CVE-2004-1073 [LOW] CVE-2004-1073 looks unfixed in RHEL2.1-ia64
http://groups-beta.google.com/group/n3td3v/browse_thread/thread/5fa871731d6481e1/10cfb419f8ed37cb
In RHSA-2004:549 we say we fix CAN-2004-1073 however it looks like we didn't
include one of the fixes, even though it appears to be part of the -ac11 fixes.
This therefore affects RHEL3, RHEL2.1 but not RHEL4 or FC.
Discussion:
A patch for this issue has been applied to kernel 2.4.18-e.59.
http://porkchop.devel.redhat.com/dist/2.1AS-ia64-errata-candidate/kernel/2.4.18-e.59/
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may r
Bugzilla · bugzilla · 2005-03-30 · CVSS 2.1
CVE-2004-1073 [LOW] CVE-2004-1073 looks unfixed in RHEL2.1
http://groups-beta.google.com/group/n3td3v/browse_thread/thread/5fa871731d6481e1/10cfb419f8ed37cb
In RHSA-2004:549 we say we fix CAN-2004-1073 however it looks like we didn't
include one of the fixes, even though it appears to be part of the -ac11 fixes.
This therefore affects RHEL3, RHEL2.1 but not RHEL4 or FC.
Discussion:
MCP can't process this bug's status whiteboard, is the public= field correct?
(was it 1st November or 11th January?)
---
Created attachment 119622
Avoid dumping exec-only binaries. Prevent malicious binaries from overflowing task size.
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solut
Bugzilla · bugzilla · 2004-10-06
[MEDIUM] CAN-2004-1070 binfmt_elf loader vulnerabilities (CAN-2004-1071 CAN-2004-1072 CAN-2004-1073)
Paul Starzetz has reported to vendor-sec an issue in the Linux ELF
binary loader while handling setuid binaries. This could lead to
local privilege escalation.
This issue is fairly complicated, the advisory is attachment 104867
with the current patch being investigated as attachment 104868
This issue is currently embargoed with no date set.
Discussion:
moving to needinfo, as per Dave Anderson's comments in the
corresponding rhel3 bug, 134874.
---
Removing embargo.
---
Here is the CVE information for this issue.
>>20040920 binfmt_elf loader vulnerabilities
>>
>> 2.4.27 and earlier, 2.6.9 and earlier are vulnerable
>>
>> http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
>>
>> 1&3 Mi
Bugzilla · bugzilla · 2004-10-06
[MEDIUM] CAN-2004-1070 binfmt_elf loader vulnerabilities (CAN-2004-1071 CAN-2004-1072 CAN-2004-1073)
Paul Starzetz has reported to vendor-sec an issue in the Linux ELF
binary loader while handling setuid binaries. This could lead to
local privilege escalation.
This issue is fairly complicated, the advisory is attachment 104867
with the current patch being investigated as attachment 104868
This issue is currently embargoed with no date set.
Discussion:
moving to needinfo, as per Dave Anderson's comments in the
corresponding rhel3 bug, 134874.
---
Removing embargo.
---
A patch to fix this issue has been committed to the RHEL2.1 U6 (pensacola) tree
for release 2.4.9-e.56
---
Here is the CVE information for this issue.
>>20040920 binfmt_elf loader vulnerabilities
>>
>> 2.4.27 and earlier, 2.
References:
http://secunia.com/advisories/18684
http://secunia.com/advisories/20162
http://secunia.com/advisories/20163
http://secunia.com/advisories/20202
http://secunia.com/advisories/20338
http://www.debian.org/security/2006/dsa-1067
http://www.debian.org/security/2006/dsa-1069
http://www.debian.org/security/2006/dsa-1070
http://www.debian.org/security/2006/dsa-1082
http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
http://www.mandriva.com/security/advisories?name=MDKSA-2005:022
http://www.redhat.com/support/errata/RHSA-2004-504.html
http://www.redhat.com/support/errata/RHSA-2004-505.html
http://www.redhat.com/support/errata/RHSA-2004-549.html
http://www.redhat.com/support/errata/RHSA-2005-293.html
http://www.redhat.com/support/errata/RHSA-2006-0190.html
http://www.redhat.com/support/errata/RHSA-2006-0191.html
http://www.securityfocus.com/bid/11646
https://bugzilla.fedora.us/show_bug.cgi?id=2336
https://exchange.xforce.ibmcloud.com/vulnerabilities/18025
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11503