CVE-2013-6282
published 2013-11-20


Priority: P1 (84, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-10-06
Exploited in the wild
EPSS: 39.71% (98.4th percentile)
The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.

Affected

8 ranges
Vendor   Product       Version range                               Fixed in
debian   linux         < linux 3.6.4-1~experimental.1 (bookworm)   linux 3.6.4-1~experimental.1 (bookworm)
linux    linux_kernel  < 3.2.54                                    3.2.54
linux    linux_kernel  >= 0 < 3.6.4-1~experimental.1               3.6.4-1~experimental.1
linux    linux_kernel  >= 0 < 3.6.4-1~experimental.1               3.6.4-1~experimental.1
linux    linux_kernel  >= 0 < 3.6.4-1~experimental.1               3.6.4-1~experimental.1
linux    linux_kernel  >= 0 < 3.6.4-1~experimental.1               3.6.4-1~experimental.1
linux    linux_kernel  >= 3.3 < 3.4.12                             3.4.12
linux    linux_kernel  >= 3.5 < 3.5.5                              3.5.5

Detection & IOCs (extracted from sources)

  • Rootnik drops four statically named APKs (AndroidSettings.apk, BluetoothProviders.apk, WifiProviders.apk, VirusSecurityHunter.apk) to the system partition; detect their presence under /system/.
  • Rootnik stores exploit payloads in a hidden folder '.rtt' under the app data directory; monitor for the creation of hidden directories containing ELF executables in Android app data paths.
  • A Rootnik variant downloads the root exploit payload to a hidden file path '.default/.p.apk' within the app data directory; monitor for hidden APK files in Android app data directories.
  • The C2 URL for payload retrieval (api.jaxfire[.]mobi/app/getTabsResBin) is Base64-encoded in the Rootnik binary, so static string searches will not find it in plaintext.
  • The Skygofree exploit payload targets only devices listed in its 'device.db' database (205 models); if the device is not listed, it attempts to discover the required memory addresses programmatically, which broadens the set of affected devices.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
osv                     8.8    HIGH
vulncheck               8.8    HIGH
cisa                    8.8    HIGH
vendor_debian           8.8    HIGH
vendor_redhat           8.8    HIGH
vendor_ubuntu           6.0    MEDIUM