CVE-2013-2596
Published: 2013-04-13
CVE-2013-2596: Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and…
Priority: P1 (80) · Severity: high · CVSS 3.1: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-10-06
Exploited in the wild
EPSS: 3.37% (87.2nd percentile)
Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
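The description above names the bug class: a framebuffer mmap bounds check whose offset-plus-length arithmetic can wrap, so a request that starts past the end of the device region is accepted and the mapping covers memory it should not. The following is an added illustration, not the kernel's own code and not code from any source on this page; the function names, FB_PAGE_SIZE and the region sizes used are assumptions. It shows the wrap-prone check beside an overflow-safe one.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed constant: page granularity of mmap2(2) requests. */
#define FB_PAGE_SIZE 4096UL

/*
 * A framebuffer driver exposes a physical region of fb_len bytes and must
 * only let a process map pages inside it. `off` and `size` are the caller's
 * mmap arguments, both page-granular.
 *
 * Vulnerable pattern: `off + size` is evaluated in unsigned long and wraps
 * to a small value when the true sum exceeds ULONG_MAX, so a huge `off`
 * passes the bound check and the caller is granted a mapping outside the
 * region.
 */
static bool fb_range_ok_unsafe(unsigned long fb_len,
                               unsigned long off, unsigned long size)
{
    if (off + size > fb_len)   /* sum can wrap around */
        return false;
    return true;
}

/*
 * Hardened form: never form the sum. Check the start first, then compare
 * the length against the space that remains; fb_len - off cannot underflow
 * because off <= fb_len has already been established. Page alignment is
 * required so a partial page cannot expose the tail of a neighbouring page.
 */
static bool fb_range_ok_safe(unsigned long fb_len,
                             unsigned long off, unsigned long size)
{
    if ((off | size) & (FB_PAGE_SIZE - 1))  /* must be page-granular */
        return false;
    if (size == 0)
        return false;
    if (off > fb_len)                       /* start beyond the region */
        return false;
    if (size > fb_len - off)                /* length overruns the region */
        return false;
    return true;
}
```

The test below drives both checks with a constructed 8 MiB region and an offset just below the top of the address space: the unsafe check accepts it because the sum wraps to one page, the safe check rejects it.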
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 3.9-1 (bookworm) | linux 3.9-1 (bookworm) |
| linux | linux_kernel | >= 0 < 3.9-1 | 3.9-1 |
| linux | linux_kernel | >= 0 < 3.9-1 | 3.9-1 |
| linux | linux_kernel | >= 0 < 3.9-1 | 3.9-1 |
| linux | linux_kernel | >= 0 < 3.9-1 | 3.9-1 |
| linux | linux_kernel | >= 2.6.12 < 3.0.75 | 3.0.75 |
| linux | linux_kernel | >= 3.1 < 3.2.45 | 3.2.45 |
| linux | linux_kernel | >= 3.3 < 3.4.42 | 3.4.42 |
| linux | linux_kernel | >= 3.5 < 3.8.9 | 3.8.9 |
| motorola | android | — | — |
Detection & IOCs (extracted from sources)
- Rootnik drops four statically named APKs (AndroidSettings.apk, BluetoothProviders.apk, WifiProviders.apk, VirusSecurityHunter.apk) to the system partition; the presence of these filenames on the system partition is a strong post-exploitation indicator.
- Rootnik uses a hidden directory named .opt_log as the DEX optimization directory during dynamic loading of a.dex; the presence of this hidden folder in an app's data directory is suspicious.
- Rootnik's payload (res.bin) is fetched via a Base64-encoded URL and decrypted with AES/CBC/PKCS5Padding; network traffic to api.jaxfire.mobi path /app/getTabsResBin should be flagged.
- The exploit method for CVE-2013-2596 within Rootnik's root toolkit is identified as 'fb_mem'; look for ELF executables named realroot, newrealroot, miroot, or onekeyroot on Android devices, which embed this and other exploits.
- Rootnik is configured to skip rooting attempts inside China (as specified in AndroidManifest.xml), meaning geo-based filtering is built into the malware's targeting logic.
- CVE-2013-2596 does not affect Red Hat Enterprise MRG 2 realtime-kernel or RHEL 7 kernel packages; patched upstream in Linux kernel 3.8.9.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
CISA
Linux Kernel Integer Overflow Vulnerability
cisa·2022-09-15·CVSS 7.8
CVE-2013-2596 [HIGH] CWE-189 Linux Kernel Integer Overflow Vulnerability
Vulnerability: Linux Kernel Integer Overflow Vulnerability
Affected: Linux Kernel
Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability that allows for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc9bbca8f650e5f738af8806317c0a041a48ae4a; https://nvd.nist.gov/vuln/detail/CVE-2013-2596
Remediation Due Date: 2022-10-06
Red Hat
kernel: integer overflow in fb_mmap
vendor_redhat·2013-04-09·CVSS 7.8
CVE-2013-2596 [HIGH] CWE-190 kernel: integer overflow in fb_mmap
kernel: integer overflow in fb_mmap
Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
An integer overflow flaw was found in the way the Linux kernel's Frame Buffer device implementation mapped kernel memory to user space via the mmap syscall. A local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system.
Statement: This issue does not affect the version of the kernel pack
Debian
CVE-2013-2596: linux - Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux k...
vendor_debian·2013·CVSS 7.8
CVE-2013-2596 [HIGH] CVE-2013-2596: linux - Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux k...
Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
Scope: local
bookworm: resolved (fixed in 3.9-1)
bullseye: resolved (fixed in 3.9-1)
forky: resolved (fixed in 3.9-1)
sid: resolved (fixed in 3.9-1)
trixie: resolved (fixed in 3.9-1)
GHSA
GHSA-f77x-fv8h-f6jg: The TrustZone kernel, when used in conjunction with a certain Motorola build of Android 4
ghsa_unreviewed·2022-05-17·CVSS 7.8
CVE-2013-3051 [HIGH] GHSA-f77x-fv8h-f6jg: The TrustZone kernel, when used in conjunction with a certain Motorola build of Android 4
The TrustZone kernel, when used in conjunction with a certain Motorola build of Android 4.1.2, on Motorola Razr HD, Razr M, and Atrix HD devices with the Qualcomm MSM8960 chipset does not verify the association between a certain physical-address argument and a memory region, which allows local users to unlock the bootloader by using kernel mode to perform crafted 0x9 and 0x2 SMC operations, a different vulnerability than CVE-2013-2596.
GHSA
GHSA-xg37-4cgv-wc3c: Integer overflow in the fb_mmap function in drivers/video/fbmem
ghsa_unreviewed·2022-05-17
CVE-2013-2596 [MEDIUM] CWE-190 GHSA-xg37-4cgv-wc3c: Integer overflow in the fb_mmap function in drivers/video/fbmem
Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
OSV
CVE-2013-2596: Integer overflow in the fb_mmap function in drivers/video/fbmem
osv·2013-04-13·CVSS 7.8
CVE-2013-2596 [HIGH] CVE-2013-2596: Integer overflow in the fb_mmap function in drivers/video/fbmem
Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.
VulnCheck
Linux Kernel Integer Overflow Vulnerability
vulncheck·2013·CVSS 7.8
CVE-2013-2596 [HIGH] CWE-189 Linux Kernel Integer Overflow Vulnerability
Linux Kernel Integer Overflow Vulnerability
Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability that allows for privilege escalation.
Affected: Linux Kernel
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/2cf915667038
Remediation Due: 2022-10-06
No detection rules found.
No public exploits indexed.
Unit42
Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
blogs_unit42·2015-12-04·CVSS 6.8
[MEDIUM] Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
We recently analyzed a Trojan named "Rootnik" which uses a customized commercial root tool named “Root Assistant” to gain root access on Android devices. By reverse engineering and repackaging this tool, the creators of Rootnik successfully stole at least five exploits that give them root access to Android devices that are running Android 4.3 and earlier. Root Assistant was developed by a Chinese company to help individuals gain root access to their own devices. However, Rootnik uses this tool to attack phones all over the world. Based on the data we have collected, Android users in United States, Malaysia, Thailand, Lebanon and Taiwan have been affected by the Trojan thus far.
Rootnik was able to spread by being embedded in copies of legitimate applications:
- WiFi Analyzer
- Open Camer
Authors: Wenjun Hu, Claud Xiao, Zhi Xu · Published: December 4, 2015 · Tags: Malware, Threat Research, Android, Google Play, Rootnik
Bugzilla
CVE-2013-2596 kernel: integer overflow in fb_mmap
bugzilla·2013-11-25·CVSS 7.8
CVE-2013-2596 [HIGH] CVE-2013-2596 kernel: integer overflow in fb_mmap
CVE-2013-2596 kernel: integer overflow in fb_mmap
A Linux kernel built with Frame Buffer device support (CONFIG_FB) is vulnerable to an integer overflow flaw. It could occur while mapping memory via the mmap2(2) call. The user would need privileges to access the video device files (/dev/fb* etc.).
A user or program able to access the video device files could use this flaw to potentially escalate privileges on the system.
Upstream fix:
-> https://git.kernel.org/linus/b4cbb197c7e7a68dbad0d491242e3ca67420c13e
-> https://git.kernel.org/linus/fc9bbca8f650e5f738af8806317c0a041a48ae4a
References:
-> http://forum.xda-developers.com/showthread.php?t=2255491
-> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2596
Discussion:
Statement:
This issue does not affect the version of the kernel pa
References
- http://forum.xda-developers.com/showthread.php?t=2255491
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b4cbb197c7e7a68dbad0d491242e3ca67420c13e
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=fc9bbca8f650e5f738af8806317c0a041a48ae4a
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
- http://marc.info/?l=linux-kernel&m=136616837923938&w=2
- http://rhn.redhat.com/errata/RHSA-2015-0695.html
- http://rhn.redhat.com/errata/RHSA-2015-0782.html
- http://rhn.redhat.com/errata/RHSA-2015-0803.html
- http://www.droid-life.com/2013/04/09/root-method-released-for-droid-razr-hd-running-android-4-1-2-other-devices-too/
- http://www.droidrzr.com/index.php/topic/15208-root-motochopper-yet-another-android-root-exploit/
- http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.9
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:176
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.securityfocus.com/bid/59264
- https://github.com/torvalds/linux/commit/b4cbb197c7e7a68dbad0d491242e3ca67420c13e
- https://github.com/torvalds/linux/commit/fc9bbca8f650e5f738af8806317c0a041a48ae4a
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2596
Timeline
- Published: 2013-04-13
- Added to CISA KEV: 2022-09-15
- Exploited in the wild