CVE-2013-2597
published 2014-08-31

Priority: P2 · 79 · high
CVSS 3.1: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2022-10-06)
Exploited in the wild
EPSS: 1.52% (71.4th percentile)
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that leverages /dev/msm_acdb access and provides a large size value in an ioctl argument.

Affected

141 ranges · showing 25

Vendor: codeaurora
Product: android-msm
Version range / Fixed in: not captured (all 25 displayed ranges are for this vendor and product)

Detection & IOCs (extracted from sources)

path: /dev/msm_acdb
  • Detect exploitation attempts targeting the /dev/msm_acdb device node via ioctl with an oversized size argument (CVE-2013-2597 acdb_ioctl stack-based buffer overflow).
  • Hunt for the exploit method name 'msm_acdb' in ELF executables (realroot, newrealroot, miroot, onekeyroot) dropped to device storage, as these embed the CVE-2013-2597 exploit.
  • Flag presence of static APK filenames AndroidSettings.apk, BluetoothProviders.apk, WifiProviders.apk, and VirusSecurityHunter.apk written to the system partition as indicators of Rootnik post-exploitation persistence.
  • Look for the hidden directory .opt_log created in the app data directory, used as the DEX optimization directory during dynamic loading of the malicious a.dex payload.
  • The C2 URL (http://api.jaxfire[.]mobi/app/getTabsResBin) is Base64-encoded in the Rootnik binary; static string searches will not find it in plaintext.
  • The secondary payload URL returned by the C2 is AES/CBC/PKCS5Padding encrypted; network-layer inspection of the initial C2 response will not reveal the payload URL in plaintext.
  • The malicious a.dex file is deleted from disk immediately after dynamic loading completes, limiting forensic recovery from live filesystem inspection.

CVSS provenance

nvd (v3.1): 8.4 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 8.4 HIGH
cisa: 8.4 HIGH
vendor_redhat: 8.4 HIGH