CVE-2012-0056
published 2012-01-27

Priority: P179 (medium)
CVSS 2.0: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 10.90% (95.3rd percentile)
The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.

Affected (5 ranges)

Vendor      Product        Version range            Fixed in
linux       linux_kernel   >= 0 < 3.11.0-12.19      3.11.0-12.19
linux       linux_kernel   >= 0 < 4.2.0-16.19       4.2.0-16.19
linux       linux_kernel   >= 2.6.39 < 3.0.18       3.0.18
linux       linux_kernel   >= 3.1 < 3.2.2           3.2.2
openstack   neutron        >= 2012.2 < 2013.2.3     2013.2.3

Note: the two ">= 0 < ..." kernel entries appear to be distribution package version strings (Ubuntu-style kernel package numbering) rather than upstream kernel releases, so compare them against the installed kernel package version rather than uname -r. The upstream fix is 3.2.2 (3.0.18 for the 3.0 stable series).

Detection & IOCs (extracted from sources)

path    /proc/[pid]/mem
hash    cf569647759e011ff31d8626cea65ed506e8d0ef1d26f3bbb7c02a4060ce58dc  (SHA-256; the reference_sample of the Elastic YARA rule below)
path    /proc/self/exe
bytes   i386 shellcode: setuid(0), setgid(0), dup2(6, 2), execve("//bin/sh", ["//bin/sh", "-i"], NULL)
        31 db b0 17 cd 80 31 db b0 2e cd 80 31 c9 b3 06 b1 02 b0 3f cd 80 31 c0 50 68 6e 2f 73 68 68 2f 2f 62 69 89 e3 31 d2 66 ba 2d 69 52 89 e0 31 d2 52 50 53 89 e1 31 d2 31 c0 b0 0b cd 80
bytes   x86-64 shellcode, same sequence: setuid(0), setgid(0), dup2(6, 2), execve("/bin/sh", ["/bin/sh", "-i"], NULL)
        48 31 ff b0 69 0f 05 48 31 ff b0 6a 0f 05 40 b7 06 40 b6 02 b0 21 0f 05 48 bb 2f 2f 62 69 6e 2f 73 68 48 c1 eb 08 53 48 89 e7 48 31 db 66 bb 2d 69 53 48 89 e1 48 31 c0 50 51 57 48 89 e6 48 31 d2 b0 3b 0f 05
yara
rule Linux_Exploit_CVE_2012_0056_b39839f4 {
    meta:
        author = "Elastic Security"
        id = "b39839f4-e6f4-44bd-a636-ce355f3c5c6a"
        fingerprint = "f269c4aecbb55e24d9081d7a1e4bd6cfa9799409b3a3d7a6f9bf127f7468dedc"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2012-0056"
        reference_sample = "cf569647759e011ff31d8626cea65ed506e8d0ef1d26f3bbb7c02a4060ce58dc"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 08 02 7E 3E 8B 45 0C 83 C0 04 8B 00 0F B6 00 3C 2D 75 2F 8B }
    condition:
        all of them
}
  • Monitor for open() calls with O_RDWR on /proc/[pid]/mem by a process other than the target process itself; a writable mem descriptor is the core exploitation primitive used by Mempodipper.
  • Detect creation of a Unix domain socket at /tmp/.sockpuppet, used by the exploit for parent-child file descriptor passing.
  • Alert on a process spawning /bin/su with a shellcode string as its first argument (argv[1] containing non-printable bytes), as the exploit passes shellcode directly to execl("/bin/su").
  • Detect use of ptrace (PTRACE_SYSCALL / PTRACE_SINGLESTEP) against a child /bin/su process to locate the exit@plt address, an unusual ptrace pattern for privilege escalation.
  • Scan process memory and files for the Elastic YARA byte signature { 08 02 7E 3E 8B 45 0C 83 C0 04 8B 00 0F B6 00 3C 2D 75 2F 8B } associated with the Mempodipper exploit binary.
  • Detect lseek64 followed by write on /proc/[ppid]/mem from a child process: the exploit seeks to the target offset in parent memory before the shellcode is written.
  • The vulnerability is only exploitable when ASLR is disabled; systems with ASLR enabled are not affected by this specific attack path. Check /proc/sys/kernel/randomize_va_space (0 means ASLR is disabled).
  • Red Hat Enterprise Linux 4 and 5 are not affected because they did not backport upstream commit 198214a7ee, which introduced the vulnerable code path.
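The script below is an added example, not code from this CVE record, from Elastic, or from the Mempodipper author. It implements the host exposure check (the upstream ranges from the Affected table plus the ASLR precondition) and the behavioural indicators listed above as rules run over a stream of simplified syscall events. The flat event schema, the rule names and the sample event stream are this example's own assumptions; the sample is constructed and does not reproduce the exploit's exact call order.

```python
"""Exposure check and behavioural detections for CVE-2012-0056 (Mempodipper).

Added example: not code from the CVE record, Elastic, or the exploit author.
Event dicts use this example's own flat schema (an assumption, not auditd's).
"""
import re
import string

# Upstream kernel ranges from the Affected table, as [first, fixed).
# The distribution package entries (3.11.0-12.19, 4.2.0-16.19) need a
# package-version comparison instead and are deliberately not modelled.
VULNERABLE_RANGES = [((2, 6, 39), (3, 0, 18)), ((3, 1, 0), (3, 2, 2))]


def parse_kernel_release(release):
    """'3.2.1-generic' -> (3, 2, 1); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        raise ValueError("unrecognised kernel release: %r" % (release,))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_in_vulnerable_range(release):
    v = parse_kernel_release(release)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def is_exposed(release, randomize_va_space):
    """Exposure needs both an unfixed upstream kernel and ASLR disabled
    (/proc/sys/kernel/randomize_va_space == 0), the precondition in the CVE text."""
    return kernel_in_vulnerable_range(release) and randomize_va_space == 0


PROC_MEM = re.compile(r"^/proc/(\d+|self)/mem$")
WRITE_FLAGS = {"O_RDWR", "O_WRONLY"}
SUSPICIOUS_PTRACE = {"PTRACE_SYSCALL", "PTRACE_SINGLESTEP"}


def _has_nonprintable(arg):
    return any(ch not in string.printable for ch in arg)


def detect(events):
    """Return (rule, pid) alerts for the indicators listed above.

    Descriptors that refer to /proc/<pid>/mem are tracked per process and
    followed through dup2(), so an lseek-then-write on the duplicated fd is
    still seen after the process has exec'd su (same pid, fds inherited).
    A descriptor handed to another process over a socket is not followed."""
    alerts = []
    mem_fds = set()   # (pid, fd) currently referring to /proc/<pid>/mem
    seeked = set()    # (pid, fd) positioned with lseek
    for ev in events:
        pid, sc = ev["pid"], ev["syscall"]
        if sc == "open" and PROC_MEM.match(ev["path"]):
            if WRITE_FLAGS & set(ev["flags"]):
                alerts.append(("proc_mem_open_writable", pid))
            mem_fds.add((pid, ev["ret"]))
        elif sc == "dup2" and (pid, ev["oldfd"]) in mem_fds:
            mem_fds.add((pid, ev["newfd"]))
            if (pid, ev["oldfd"]) in seeked:   # both fds share one file position
                seeked.add((pid, ev["newfd"]))
        elif sc == "lseek" and (pid, ev["fd"]) in mem_fds:
            seeked.add((pid, ev["fd"]))
        elif sc == "write" and (pid, ev["fd"]) in seeked:
            alerts.append(("proc_mem_seek_then_write", pid))
        elif sc == "execve" and ev["path"] == "/bin/su":
            argv = ev["argv"]
            if len(argv) > 1 and _has_nonprintable(argv[1]):
                alerts.append(("su_nonprintable_argv1", pid))
        elif sc in ("bind", "connect") and ev.get("path") == "/tmp/.sockpuppet":
            alerts.append(("sockpuppet_unix_socket", pid))
        elif (sc == "ptrace" and ev["request"] in SUSPICIOUS_PTRACE
              and ev.get("target_exe") == "/bin/su"):
            alerts.append(("ptrace_su_child", pid))
    return alerts


# Constructed sample stream, not a capture of the exploit and not its exact
# call order: one process prepares a writable /proc/self/mem fd, seeks, dups it
# onto stderr and execs su with a non-printable argument; su's error message
# then lands in su's own memory. Offsets and pids are placeholders.
SAMPLE_EVENTS = [
    {"pid": 1000, "syscall": "bind", "path": "/tmp/.sockpuppet"},
    {"pid": 1000, "syscall": "ptrace", "request": "PTRACE_SYSCALL", "target_exe": "/bin/su"},
    {"pid": 1001, "syscall": "open", "path": "/proc/self/mem", "flags": ["O_RDWR"], "ret": 3},
    {"pid": 1001, "syscall": "lseek", "fd": 3, "offset": 0x400000},
    {"pid": 1001, "syscall": "dup2", "oldfd": 3, "newfd": 2},
    {"pid": 1001, "syscall": "execve", "path": "/bin/su",
     "argv": ["su", "\x31\xdb\xb0\x17\xcd\x80"]},
    {"pid": 1001, "syscall": "write", "fd": 2, "data": "Unknown id: ..."},
    # benign noise: a read-only mem open and an ordinary su login
    {"pid": 2000, "syscall": "open", "path": "/proc/self/mem", "flags": ["O_RDONLY"], "ret": 4},
    {"pid": 2001, "syscall": "execve", "path": "/bin/su", "argv": ["su", "-", "alice"]},
]

if __name__ == "__main__":
    print("exposed (3.2.1, ASLR off):", is_exposed("3.2.1-generic", 0))
    for rule, pid in detect(SAMPLE_EVENTS):
        print("ALERT %-26s pid=%d" % (rule, pid))
```

Feeding real data means mapping your tracer's output (auditd SYSCALL/PATH/EXECVE records, or eBPF probes on open, execve and ptrace) onto that event shape. The per-process fd tracking will not follow a descriptor passed to another process over the /tmp/.sockpuppet socket, which is why the socket path is kept as its own indicator; the read-only /proc/self/mem open and the normal su login in the sample produce no alerts.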

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       6.9     MEDIUM     AV:L/AC:M/Au:N/C:C/I:C/A:C
osv                       6.9     MEDIUM
vulncheck                 6.9     MEDIUM
vendor_redhat             6.9     MEDIUM
vendor_ubuntu             5.5     MEDIUM