CVE-2013-2595
published 2014-08-31

Priority: P2 · 75 · high
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 0.89% (54.8th percentile)

The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which allows attackers to gain privileges via a crafted application.

Affected

141 ranges · showing 25
Vendor: codeaurora
Product: android-msm

Detection & IOCs (extracted from sources)

hash: 70a937b2504b3ad6c623581424c7e53d
domain: url.plus
port: 5223
url: url.plus/app/pro/
filename: update_dev.zip
path: /lib/
  • The CVE-2013-2595 exploit is triggered via the MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl call against the MSM camera driver; monitor for unexpected ioctl calls to this interface from unprivileged processes.
  • The Skygofree exploit payload (exploiting CVE-2013-2595 among others) drops and executes ELF binaries named 'run_root_shell', 'arrs_put_user.o', 'arrs_put_user', or 'poc'; detect execution of these filenames on Android devices.
  • Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2 are NOT affected by CVE-2013-2595; the MSM camera driver is specific to Qualcomm MSM/Android kernels and is not shipped in RHEL kernel packages.
  • The exploit payload targets only specific device models listed in device.db (205 devices); if a device is not listed, the exploit attempts to discover required memory addresses programmatically, so detection should not rely solely on device model matching.
  • CVE-2013-2595 is only one of five CVEs exploited by the Skygofree exploit payload; successful privilege escalation may occur via any of the other four vulnerabilities even if CVE-2013-2595 is patched.

CVSS provenance

nvd: v2.0, 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 7.2 HIGH
vendor_redhat: 7.2 HIGH