CVE-2013-2597
Published 2014-08-31
Priority: high
CVSS 3.1: 8.4 (high)
CISA Known Exploited Vulnerability, remediation due 2022-10-06
Exploited in the wild
EPSS: 1.52% (71.4th percentile)
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that leverages /dev/msm_acdb access and provides a large size value in an ioctl argument.
Affected
141 affected ranges are indexed (25 shown); every entry is the same vendor/product pair with no version range or fixed-in value recorded.

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codeaurora | android-msm | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts targeting the /dev/msm_acdb device node via ioctl with an oversized size argument (CVE-2013-2597 acdb_ioctl stack-based buffer overflow).
- Hunt for the exploit method name 'msm_acdb' in ELF executables (realroot, newrealroot, miroot, onekeyroot) dropped to device storage, as these embed the CVE-2013-2597 exploit.
- Flag presence of static APK filenames AndroidSettings.apk, BluetoothProviders.apk, WifiProviders.apk, and VirusSecurityHunter.apk written to the system partition as indicators of Rootnik post-exploitation persistence.
- Look for the hidden directory .opt_log created in the app data directory, used as the DEX optimization directory during dynamic loading of the malicious a.dex payload.
- The C2 URL (http://api.jaxfire[.]mobi/app/getTabsResBin) is Base64-encoded in the Rootnik binary; static string searches will not find it in plaintext.
- The secondary payload URL returned by the C2 is AES/CBC/PKCS5Padding encrypted; network-layer inspection of the initial C2 response will not reveal the payload URL in plaintext.
- The malicious a.dex file is deleted from disk immediately after dynamic loading completes, limiting forensic recovery from live filesystem inspection.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.4 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.4 | HIGH | — |
| cisa | — | 8.4 | HIGH | — |
| vendor_redhat | — | 8.4 | HIGH | — |
GHSA
GHSA-xv7f-hrp6-5mhh: Stack-based buffer overflow in the acdb_ioctl function in audio_acdb
ghsa_unreviewed · 2022-05-17 · CVE-2013-2597 · HIGH · CWE-119
VulnCheck
Code Aurora ACDB Audio Driver Stack-based Buffer Overflow Vulnerability
vulncheck · 2013 · CVSS 8.4 · CVE-2013-2597 · HIGH · CWE-119
The Code Aurora audio calibration database (acdb) audio driver contains a stack-based buffer overflow vulnerability that allows for privilege escalation. Code Aurora is used in third-party products such as Qualcomm and Android.
Affected: Code Aurora ACDB Audio Driver
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/e2481250668c
Remediation Due: 2022-10-06
CISA
Code Aurora ACDB Audio Driver Stack-based Buffer Overflow Vulnerability
cisa · 2022-09-15 · CVSS 8.4 · CVE-2013-2597 · HIGH · CWE-119
Affected: Code Aurora ACDB Audio Driver
The Code Aurora audio calibration database (acdb) audio driver contains a stack-based buffer overflow vulnerability that allows for privilege escalation. Code Aurora is used in third-party products such as Qualcomm and Android.
Required Action: Apply updates per vendor instructions.
Notes: https://web.archive.org/web/20161226013354/https:/www.codeaurora.org/news/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597; https://nvd.nist.gov/vuln/detail/CVE-2013-2597
Remediation Due Date: 2022-10-06
Red Hat
CVE-2013-2597: Stack-based buffer overflow in the acdb_ioctl function in audio_acdb
vendor_redhat · CVSS 8.4 · CVE-2013-2597 · HIGH
Statement: Not vulnerable. This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.
No detection rules found.
No public exploits indexed.
Unit42
Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
blogs_unit42 · 2015-12-04 · CVSS 6.8 · MEDIUM
We recently analyzed a Trojan named "Rootnik" which uses a customized commercial root tool named “Root Assistant” to gain root access on Android devices. By reverse engineering and repackaging this tool, the creators of Rootnik successfully stole at least five exploits that give them root access to Android devices that are running Android 4.3 and earlier. Root Assistant was developed by a Chinese company to help individuals gain root access to their own devices. However, Rootnik uses this tool to attack phones all over the world. Based on the data we have collected, Android users in United States, Malaysia, Thailand, Lebanon and Taiwan have been affected by the Trojan thus far.
Rootnik was able to spread by being embedded in copies of legitimate applications:
- WiFi Analyzer
- Open Camer
Unit42 post metadata: authors Wenjun Hu, Claud Xiao and Zhi Xu; published December 4, 2015; tagged Malware, Threat Research, Android, Google Play, Rootnik.
Bugzilla
CVE kernel non-issue statements
bugzilla · 2010-05-13 · CVSS 5.0 · MEDIUM
This bug is to collect statements for Linux kernel-related CVE's that do not have their own top-level CVE SRT bug because it did not affect any of our supported kernels. These statements were also referred to as NVD statements and are noted on the NVD web site.
(From bug 589808) Do not change the bug alias, it needs to have "CVE" in the title. You can add extra statements in new comments or editing existing comments and they will be picked up correctly.
Discussion:
Statement CVE-2010-0747:
Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not backport an out-of-tree drbd module (drbd8).
Statement CVE-2010-1446:
Not vulnerable. This issue di
References
- https://www.codeaurora.org/projects/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2597
Timeline
- 2014-08-31: Published
- 2022-09-15: Added to CISA KEV
- Exploited in the wild