CVE-2008-0600
published 2008-02-12


Priority: high
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploited in the wild (VulnCheck KEV)
EPSS: 3.54% (87.8th percentile)
The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
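The "userspace pointer that is not validated" is the iov_base/iov_len pair that vmsplice_to_pipe hands to get_iovec_page_array() in fs/splice.c; the fix inserted an access_ok(VERIFY_READ, base, len) test there. The following user-space model is an added example, not code from the CVE record or from the kernel: it reproduces the range check the patch added and the page-count arithmetic the unpatched loop performed, so you can see why an iov_len of ULONG_MAX slips through the arithmetic but not the check. The 32-bit word size, 4 KiB pages, PIPE_BUFFERS = 16 and a 0xC0000000 user limit are assumptions standing in for the i386 defaults.

```python
# Added example: user-space model of the iovec sanity check that the fix for
# CVE-2008-0600 inserted into get_iovec_page_array() (fs/splice.c), next to the
# page-count arithmetic the unpatched loop performed on the caller's length.
# Assumptions (not from the page): 32-bit i386 word size, 4 KiB pages,
# PIPE_BUFFERS = 16 and a 0xC0000000 user address limit.

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
PIPE_BUFFERS = 16
WORD_BITS = 32
WORD_MASK = (1 << WORD_BITS) - 1
ULONG_MAX = WORD_MASK                    # the iov_len the public exploit passes
TASK_SIZE = 0xC0000000                   # assumed user/kernel split
EFAULT = 14


def access_ok(addr: int, size: int, limit: int = TASK_SIZE) -> bool:
    """Model of x86 access_ok(VERIFY_READ, addr, size): [addr, addr+size)
    must end at or below the user limit and addr+size must not wrap."""
    if size > limit:
        return False
    return addr <= limit - size


def unchecked_npages(base: int, length: int) -> int:
    """npages = (off + len + PAGE_SIZE - 1) >> PAGE_SHIFT, as the unpatched
    loop computed it in word-sized unsigned arithmetic, capped at PIPE_BUFFERS."""
    off = base & (PAGE_SIZE - 1)
    npages = ((off + length + PAGE_SIZE - 1) & WORD_MASK) >> PAGE_SHIFT
    return min(npages, PIPE_BUFFERS)


def unchecked_partial_len(length: int, off: int) -> int:
    """plen = min_t(int, len, PAGE_SIZE - off): len is truncated to a signed
    int for the comparison and the result is stored in an unsigned int field."""
    as_int = length - (1 << WORD_BITS) if length & (1 << (WORD_BITS - 1)) else length
    plen = min(as_int, PAGE_SIZE - off)
    return plen & WORD_MASK


def iovec_decision(base: int, length: int, patched: bool) -> dict:
    """What one iovec entry turns into: -EFAULT on a patched kernel, or the
    (npages, first partial len) the unpatched arithmetic would hand onward."""
    if length == 0:
        return {"error": 0}                       # a zero-length read succeeds
    if patched and not access_ok(base, length):
        return {"error": -EFAULT}
    off = base & (PAGE_SIZE - 1)
    return {"error": 0,
            "npages": unchecked_npages(base, length),
            "first_partial_len": unchecked_partial_len(length, off)}


if __name__ == "__main__":
    user_buf = 0xB7F00000                         # an ordinary user mapping
    print("benign 100-byte iovec, patched :", iovec_decision(user_buf, 100, True))
    print("ULONG_MAX iovec, unpatched     :", iovec_decision(user_buf, ULONG_MAX, False))
    print("ULONG_MAX iovec, patched       :", iovec_decision(user_buf, ULONG_MAX, True))
```

On the unpatched path a length of ULONG_MAX wraps the page count to 0 (or 1 when base is misaligned by two or more bytes) while the first partial length becomes 0xFFFFFFFF; the patched path never reaches that arithmetic, because base + ULONG_MAX wraps past the user limit and access_ok fails with -EFAULT. That -EFAULT is what the exploit reports as "vmsplice: Bad address" on a fixed kernel.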

Affected

69 ranges (showing 25)

Vendor: linux · Product: linux_kernel (all 25 listed rows; the version range and fixed-in columns are empty in this listing)

Detection & IOCs (extracted from sources)

url: http://www.milw0rm.com/exploits/5092
command: vmsplice syscall (__NR_vmsplice = 316 on i386, 278 on x86_64)
command: _vmsplice(pi[1], &iov, 1, 0) with iov_len = ULONG_MAX
path: /proc/kallsyms
bytes: \x8b\x5c\x24\x04\x8b\x4c\x24\x08\x81\xfb\x69\x7a\x00\x00\x75\x02\xff\xd1\xb8\xea\xff\xff\xff\xc3
  • Detect local privilege escalation via the vmsplice syscall (NR 316 on i386, NR 278 on x86_64) with an iov_len of ULONG_MAX (0xffffffff on i386, 0xffffffffffffffff on x86_64); this length is the key exploit primitive for CVE-2008-0600.
  • Monitor for unprivileged processes reading /proc/kallsyms to resolve kernel symbol addresses. Exploit 5093 scans it for the sys_vm86old line to obtain the address of that syscall handler, whose code it then overwrites with the trampoline below.
  • The string 'vmsplice: Bad address' is the exploit's own perror() output, printed to its stderr when a patched kernel rejects the crafted iovec with EFAULT; it is not a kernel log message. It is only useful as an indicator where process output or the EFAULT return of the vmsplice syscall is captured.
  • Detect the trampoline shellcode byte sequence used by exploit 5093. Decoded, it is: mov 4(%esp),%ebx; mov 8(%esp),%ecx; cmp $31337,%ebx; jne +2; call *%ecx; mov $-EINVAL,%eax; ret. The cmp of the first syscall argument against 31337 followed by an indirect call is the characteristic of the vmsplice kernel-code injection payload.
  • Look for MAP_FIXED anonymous mmap calls immediately followed by a vmsplice syscall from the same process. The exploit uses MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS to set up controlled kernel page structures at chosen addresses before triggering the vulnerability.
  • The exploit targets the vmsplice_to_pipe function in fs/splice.c; kernel versions 2.6.17 through 2.6.24.1 are affected. The patch adds an access_ok(VERIFY_READ, base, len) check on each iovec entry in get_iovec_page_array().
  • CVE-2008-0600 affects Linux kernel 2.6.17 through 2.6.24.1 only; Red Hat Enterprise Linux 2.1, 3, and 4 are NOT affected. Only RHEL 5 (kernel 2.6.18 based) is affected.
  • The public exploit (milw0rm 5092) has bugs that cause it to segfault on some i386 systems (e.g., Athlon bare metal) but it works reliably on XenU guests and some SMP systems; x86_64 exploitation requires modification of the exploit.
  • Running the exploit may cause kernel instability and system crashes even when exploitation is unsuccessful; do not reproduce the exploit in production environments.
  • CVE-2008-0009 and CVE-2008-0010 are distinct vmsplice vulnerabilities (vmsplice_to_user) affecting only kernels 2.6.22+; do not conflate their detection signatures with those for CVE-2008-0600 (vmsplice_to_pipe, 2.6.17+).
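Putting the syscall and byte indicators from this list into code, as an added example that is not part of the CVE record and not code from either milw0rm exploit: the script below runs the iov_len, /proc/kallsyms, MAP_FIXED-then-vmsplice and EFAULT rules over constructed tracer records, and performs a masked search for the trampoline that also decodes its magic and errno immediates, so variants with a different magic value are still caught. The trace format (one "pid= uid= syscall= args=(...) ret=" line per call with strace-style arguments) is an assumption; real auditd SYSCALL records only carry a0..a3 as raw registers (fd, iovec pointer, nr_segs, flags), so the iov_len rule needs a tracer that dereferences the iovec.

```python
import re

# Added example: detection logic for the CVE-2008-0600 indicators, run over
# CONSTRUCTED sample data. Not code from the CVE record or the milw0rm exploits.
# The tracer format below is assumed; auditd records would not include iov_len.

SAMPLE_TRACE = """\
pid=4242 uid=1000 syscall=open args=("/proc/kallsyms", O_RDONLY) ret=3
pid=4242 uid=1000 syscall=mmap2 args=(0x10000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) ret=0x10000
pid=4242 uid=1000 syscall=pipe args=([4, 5]) ret=0
pid=4242 uid=1000 syscall=vmsplice args=(5, [{0x10000, 4294967295}], 1, 0) ret=-1 EFAULT (Bad address)
pid=1717 uid=1000 syscall=mmap2 args=(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) ret=0xb7f00000
pid=1717 uid=1000 syscall=vmsplice args=(5, [{0xb7f00000, 8192}], 1, 0) ret=8192
pid=900 uid=0 syscall=open args=("/proc/kallsyms", O_RDONLY) ret=4
"""

RECORD_RE = re.compile(
    r"pid=(?P<pid>\d+) uid=(?P<uid>\d+) syscall=(?P<name>\w+) "
    r"args=\((?P<args>.*)\) ret=(?P<ret>.*)$")
IOV_RE = re.compile(r"\{(?:0x[0-9a-fA-F]+|NULL), (?P<len>\d+)\}")
ULONG_MAX_BY_ARCH = {"i386": "4294967295", "x86_64": "18446744073709551615"}


def parse_trace(text):
    """Turn tracer lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["pid"], ev["uid"] = int(ev["pid"]), int(ev["uid"])
            events.append(ev)
    return events


def detect(events):
    """Return (pid, rule) findings for the indicators in the list above."""
    findings = []
    fixed_anon_mmap = set()      # pids that set up a MAP_FIXED anonymous mapping
    for ev in events:
        pid, name, args = ev["pid"], ev["name"], ev["args"]
        if name in ("mmap", "mmap2"):
            fields = args.split(", ")
            if len(fields) > 3 and "MAP_FIXED" in fields[3] and "MAP_ANONYMOUS" in fields[3]:
                fixed_anon_mmap.add(pid)
        elif name == "open" and args.startswith('"/proc/kallsyms"') and ev["uid"] != 0:
            findings.append((pid, "kallsyms_read_unprivileged"))
        elif name == "vmsplice":
            if any(m.group("len") in ULONG_MAX_BY_ARCH.values()
                   for m in IOV_RE.finditer(args)):
                findings.append((pid, "vmsplice_iov_len_ulong_max"))
            if pid in fixed_anon_mmap:
                findings.append((pid, "map_fixed_then_vmsplice"))
            if "EFAULT" in ev["ret"]:
                # A patched kernel's access_ok() rejects the iovec with EFAULT;
                # the exploit then perror()s "vmsplice: Bad address" to stderr.
                findings.append((pid, "vmsplice_efault"))
    return findings


# Trampoline: mov 4(%esp),%ebx ; mov 8(%esp),%ecx ; cmp $MAGIC,%ebx ; jne +2 ;
# call *%ecx ; mov $-ERRNO,%eax ; ret.  Both immediates are wildcarded by MASK
# so variants with a different magic or errno still match and get decoded.
SIG = bytes.fromhex("8b5c24048b4c240881fb000000007502ffd1b800000000c3")
MASK = bytes([0xFF] * 10 + [0x00] * 4 + [0xFF] * 5 + [0x00] * 4 + [0xFF])


def find_trampoline(blob):
    """Masked search for the trampoline; decodes magic and errno on a hit."""
    n = len(SIG)
    for i in range(len(blob) - n + 1):
        if all((blob[i + j] & MASK[j]) == SIG[j] for j in range(n)):
            return {"offset": i,
                    "magic": int.from_bytes(blob[i + 10:i + 14], "little"),
                    "errno": int.from_bytes(blob[i + 19:i + 23], "little", signed=True)}
    return None


# Constructed blob: NOP padding around the byte sequence from the IOC list.
SAMPLE_BLOB = (b"\x90" * 13
               + bytes.fromhex("8b5c24048b4c240881fb697a00007502ffd1b8eaffffffc3")
               + b"\x00" * 5)

if __name__ == "__main__":
    for hit in detect(parse_trace(SAMPLE_TRACE)):
        print("pid %d: %s" % hit)
    print(find_trampoline(SAMPLE_BLOB))
```

On the sample, pid 4242 trips all four syscall rules and pid 1717 (an ordinary MAP_PRIVATE mapping spliced with a sane length) trips none; the root process reading /proc/kallsyms is ignored because the rule is about unprivileged readers. The trampoline decodes to magic 31337 and errno -22 (EINVAL), which is what the bytes in the IOC list encode.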

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck                 2.1     LOW
vendor_ubuntu             7.2     HIGH
vendor_redhat             2.1     LOW