cbcvebase.
CVE-2013-2596
published 2013-04-13

Priority: P1 (80, high); CVSS 3.1 score: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability (due 2022-10-06)
Exploited in the wild
EPSS: 3.37% (87.2th percentile)
Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.

Affected (10 ranges)

Vendor     Product        Version range              Fixed in
debian     linux          < linux 3.9-1 (bookworm)   linux 3.9-1 (bookworm)
linux      linux_kernel   >= 0 < 3.9-1               3.9-1
linux      linux_kernel   >= 0 < 3.9-1               3.9-1
linux      linux_kernel   >= 0 < 3.9-1               3.9-1
linux      linux_kernel   >= 0 < 3.9-1               3.9-1
linux      linux_kernel   >= 2.6.12 < 3.0.75         3.0.75
linux      linux_kernel   >= 3.1 < 3.2.45            3.2.45
linux      linux_kernel   >= 3.3 < 3.4.42            3.4.42
linux      linux_kernel   >= 3.5 < 3.8.9             3.8.9
motorola   android

Detection & IOCs (extracted from sources)

path:     /dev/graphics/fb0
url:      http://api.jaxfire.mobi/app/getTabsResBin
url:      http://cdn.applight.mobi/applight/2015/1442824462res.bin
domain:   applight.mobi
domain:   jaxfire.mobi
domain:   superflashlight.mobi
domain:   shenmeapp.info
filename: log_sdk.dex
filename: AndroidSettings.apk
filename: BluetoothProviders.apk
filename: WifiProviders.apk
filename: VirusSecurityHunter.apk
filename: libabm.so
filename: psneuter.script_bak
filename: install-recovery.sh
path:     .opt_log
command:  mmap2 on /dev/graphics/fb0
  • Rootnik drops four static-named APKs (AndroidSettings.apk, BluetoothProviders.apk, WifiProviders.apk, VirusSecurityHunter.apk) to the system partition; presence of these filenames on the system partition is a strong post-exploitation indicator.
  • Rootnik uses a hidden directory named .opt_log as the DEX optimization directory during dynamic loading of a.dex; presence of this hidden folder in an app's data directory is suspicious.
  • Rootnik's payload (res.bin) is fetched via a Base64-encoded URL and decrypted with AES/CBC/PKCS5Padding; network traffic to api.jaxfire.mobi path /app/getTabsResBin should be flagged.
  • The exploit method for CVE-2013-2596 within Rootnik's root toolkit is identified as 'fb_mem'; look for ELF executables named realroot, newrealroot, miroot, or onekeyroot on Android devices, which embed this and other exploits.
  • Rootnik is configured to skip rooting attempts inside China (as specified in AndroidManifest.xml), meaning geo-based filtering is built into the malware's targeting logic.
  • CVE-2013-2596 does not affect Red Hat Enterprise MRG 2 realtime-kernel or RHEL 7 kernel packages; patched upstream in Linux kernel 3.8.9.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.9     MEDIUM     AV:L/AC:M/Au:N/C:C/I:C/A:C
osv                       7.8     HIGH
vulncheck                 7.8     HIGH
cisa                      7.8     HIGH
vendor_debian             7.8     HIGH
vendor_redhat             7.8     HIGH