CVE-2013-6282
Published: 2013-11-20
Priority: P1 · 84 · high · CVSS 3.1: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-10-06
Exploited in the wild
EPSS: 39.71% (98.4th percentile)
The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 3.6.4-1~experimental.1 (bookworm) | linux 3.6.4-1~experimental.1 (bookworm) |
| linux | linux_kernel | < 3.2.54 | 3.2.54 |
| linux | linux_kernel | >= 0 < 3.6.4-1~experimental.1 | 3.6.4-1~experimental.1 |
| linux | linux_kernel | >= 0 < 3.6.4-1~experimental.1 | 3.6.4-1~experimental.1 |
| linux | linux_kernel | >= 0 < 3.6.4-1~experimental.1 | 3.6.4-1~experimental.1 |
| linux | linux_kernel | >= 0 < 3.6.4-1~experimental.1 | 3.6.4-1~experimental.1 |
| linux | linux_kernel | >= 3.3 < 3.4.12 | 3.4.12 |
| linux | linux_kernel | >= 3.5 < 3.5.5 | 3.5.5 |
Detection & IOCs (extracted from sources)
- Rootnik drops four static-named APKs (AndroidSettings.apk, BluetoothProviders.apk, WifiProviders.apk, VirusSecurityHunter.apk) to the system partition; detect their presence in /system/
- Rootnik stores exploit payloads in a hidden folder '.rtt' under the app data directory; monitor for creation of hidden directories containing ELF executables in Android app data paths
- Rootnik variant downloads root exploit payload to a hidden file path '.default/.p.apk' within the app data directory; monitor for hidden APK files in Android app data directories
- The C2 URL for payload retrieval (api.jaxfire[.]mobi/app/getTabsResBin) is Base64-encoded in the Rootnik binary; static string searches will not find it in plaintext
- The Skygofree exploit payload targets only devices listed in its 'device.db' database (205 models); if the device is not listed, it attempts to discover required memory addresses programmatically, broadening the attack surface
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |
| vendor_ubuntu | | 6.0 | MEDIUM | |
CISA
Linux Kernel Improper Input Validation Vulnerability
cisa·2022-09-15·CVSS 8.8
CVE-2013-6282 [HIGH] CWE-20 Linux Kernel Improper Input Validation Vulnerability
Vulnerability: Linux Kernel Improper Input Validation Vulnerability
Affected: Linux Kernel
The get_user and put_user API functions of the Linux kernel fail to validate the target address when being used on ARM v6k/v7 platforms. This allows an application to read and write kernel memory which could lead to privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8404663f81d212918ff85f493649a7991209fa04; https://nvd.nist.gov/vuln/detail/CVE-2013-6282
Remediation Due Date: 2022-10-06
Ubuntu
Linux kernel (OMAP4) vulnerabilities
vendor_ubuntu·2014-01-03·CVSS 6.0
CVE-2013-4299 [MEDIUM] Linux kernel (OMAP4) vulnerabilities
Title: Linux kernel (OMAP4) vulnerabilities
Summary: Several security issues were fixed in the kernel.
A flaw was discovered in the Linux kernel's dm snapshot facility. A remote authenticated user could exploit this flaw to obtain sensitive information or modify/corrupt data. (CVE-2013-4299)
Hannes Frederic Sowa discovered a flaw in the Linux kernel's UDP Fragmentation Offload (UFO). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2013-4470)
Multiple integer overflow flaws were discovered in the Alchemy LCD framebuffer drivers in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges. (CVE-2013-4511)
Nico Golde and Fabian Yamaguchi reported
Debian
CVE-2013-6282: linux - The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5...
vendor_debian·2013·CVSS 8.8
CVE-2013-6282 [HIGH] CVE-2013-6282: linux - The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5...
The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.
Scope: local
bookworm: resolved (fixed in 3.6.4-1~experimental.1)
bullseye: resolved (fixed in 3.6.4-1~experimental.1)
forky: resolved (fixed in 3.6.4-1~experimental.1)
sid: resolved (fixed in 3.6.4-1~experimental.1)
trixie: resolved (fixed in 3.6.4-1~experimental.1)
Red Hat
CVE-2013-6282: The (1) get_user and (2) put_user API functions in the Linux kernel before 3
vendor_redhat·CVSS 8.8
CVE-2013-6282 [HIGH] CVE-2013-6282: The (1) get_user and (2) put_user API functions in the Linux kernel before 3
The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.
Statement: Not vulnerable. This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
GHSA
GHSA-7p8v-5r94-xc7r: The (1) get_user and (2) put_user API functions in the Linux kernel before 3
ghsa_unreviewed·2022-05-17
CVE-2013-6282 [HIGH] CWE-20 GHSA-7p8v-5r94-xc7r: The (1) get_user and (2) put_user API functions in the Linux kernel before 3
The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.
OSV
CVE-2013-6282: The (1) get_user and (2) put_user API functions in the Linux kernel before 3
osv·2013-11-20·CVSS 8.8
CVE-2013-6282 [HIGH] CVE-2013-6282: The (1) get_user and (2) put_user API functions in the Linux kernel before 3
The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.
VulnCheck
Linux Kernel Improper Input Validation Vulnerability
vulncheck·2013·CVSS 8.8
CVE-2013-6282 [HIGH] CWE-20 Linux Kernel Improper Input Validation Vulnerability
Linux Kernel Improper Input Validation Vulnerability
The get_user and put_user API functions of the Linux kernel fail to validate the target address when being used on ARM v6k/v7 platforms. This allows an application to read and write kernel memory which could lead to privilege escalation.
Affected: Linux Kernel
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2013-6282; https://ubuntu.com/security/CVE-2013-6282; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/b71a08d20773; https://vulncheck.com/xdb/8dbca12d6df7
Remediation Due: 2022-10-06
No detection rules found.
Exploit-DB
Google Android - get_user/put_user (Metasploit)
exploitdb·2016-12-29
CVE-2013-6282 Google Android - get_user/put_user (Metasploit)
Google Android - get_user/put_user (Metasploit)
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class MetasploitModule "Android get_user/put_user Exploit",
'Description' => %q{
This module exploits a missing check in the get_user and put_user API functions
in the linux kernel before 3.5.5. The missing checks on these functions
allow an unprivileged user to read and write kernel memory.
This exploit first reads the kernel memory to identify the commit_creds and
ptmx_fops address, then uses the write primitive to execute shellcode as uid 0.
The exploit was first discovered in the wild in the vroot rooting application.
},
'License' => MSF_LICENSE,
'Author' => [
'fi
```
Exploit-DB
Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escalation
exploitdb·2014-02-11·CVSS 8.8
CVE-2013-6282 [HIGH] Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escalation
Linux Kernel
```c
#include
#include
#include
#include
#include
#include
#include
#include
/* Binder transaction request format */
struct binder_write_read {
    signed long write_size;     /* bytes to write */
    signed long write_consumed; /* bytes consumed by driver */
    unsigned long write_buffer;
    signed long read_size;      /* bytes to read */
    signed long read_consumed;  /* bytes consumed by driver */
    unsigned long read_buffer;
} bwr;
#define BR_NOOP  0x0000720c /* binder memory write value */
#define SC_TABLE 0xc000ee28 /* system call table address */
/* we need to know the lower halfword of the original address of sys_ni_syscall to tailor MMAP_AREA and MMAP_OFF accordingly.
 * you can aid yourself with a NOP block. the higher halfword will in any case become 0x720c. on one of my boxes, the other
 * halfword
```
Metasploit
Android get_user/put_user Exploit
metasploit
Android get_user/put_user Exploit
This module exploits a missing check in the get_user and put_user API functions in the linux kernel before 3.5.5. The missing checks on these functions allow an unprivileged user to read and write kernel memory. This exploit first reads the kernel memory to identify the commit_creds and ptmx_fops address, then uses the write primitive to execute shellcode as uid 0. The exploit was first discovered in the wild in the vroot rooting application.
Securelist
Skygofree: Following in the footsteps of HackingTeam
blogs_securelist·2018-01-16
Skygofree: Following in the footsteps of HackingTeam
Table of Contents
Malware Features
Android
Reverse shell payload
Exploit payload
Busybox payload
Social payload
Parser payload
Windows
Code similarities
Distribution
Artifacts
Conclusions
Notes
Authors
Nikita Buchka
Alexey Firsh
At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specif
Securelist
Skygofree: Following in the footsteps of HackingTeam
blogs_securelist·2018-01-16
Skygofree: Following in the footsteps of HackingTeam
Table of Contents
- Malware Features
- Distribution
- Artifacts
- Conclusions
Authors
- Nikita Buchka
- Alexey Firsh
At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to
Fortinet
Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part II
blogs_fortinet·2017-07-09
Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part II
FORTIGUARD LABS THREAT RESEARCH
Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part II
By Kai Lu | July 09, 2017
In part I of this blog, I finished the analysis of the native layer of a newly discovered Rootnik malware variant, and got the decrypted real DEX file. Here in part II, we will continue our analysis.
A look into the decrypted real DEX file
The entry of the decrypted DEX file is the class demo.outerappshell.OuterShellApp. The definition of the class OuterShellApp is shown below.
Figure 1. The class demo.outerappshell.OuterShellApp
We will first analyze the function attachBaseContext(). The following is the function aBC() in the class LinkInnerShell.
Figure 2. The function aBC() in the class LinkInnerShell
The program uses DexClassLoader to dynamically
Checkpoint
How the CopyCat malware infected Android devices around the world
blogs_checkpoint·2017-07-06
CVE-2014-4321 How the CopyCat malware infected Android devices around the world
## How the CopyCat malware infected Android devices around the world
Check Point researchers identified a mobile malware that infected 14 million Android devices, rooting approximately 8 mill
Fortinet
Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java
blogs_fortinet·2017-01-26
Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java
FORTIGUARD LABS THREAT RESEARCH
Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java
By Kai Lu | January 26, 2017
In part I of this blog we finished the analysis of the native layer and got the decrypted secondary dex file. Here in part II we will continue to analyze it. For the sake of continuity, we will maintain continuous section and figure numbers from part I of the blog.
IV. The secondary dex file
The following is the decrypted file, which is a jar format file. It is loaded dynamically as the secondary dex via multidex scheme.
Figure 25. The decrypted secondary apk file containing the dex file
After decompressing the file “decrypt.dump,” you can now see a file named “classes.dex” located in the folder.
Next, l
Checkpoint
More Than 1 Million Google Accounts Breached by Gooligan
blogs_checkpoint·2016-11-30
CVE-2013-6282 More Than 1 Million Google Accounts Breached by Gooligan
## More Than 1 Million Google Accounts Breached by Gooligan
November 30, 2016
As a result of a lot of hard work done by our security research teams, we revealed today a new and alarming malw
Unit42
Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
blogs_unit42·2015-12-04·CVSS 6.8
[MEDIUM] Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
We recently analyzed a Trojan named "Rootnik" which uses a customized commercial root tool named “Root Assistant” to gain root access on Android devices. By reverse engineering and repackaging this tool, the creators of Rootnik successfully stole at least five exploits that give them root access to Android devices that are running Android 4.3 and earlier. Root Assistant was developed by a Chinese company to help individuals gain root access to their own devices. However, Rootnik uses this tool to attack phones all over the world. Based on the data we have collected, Android users in United States, Malaysia, Thailand, Lebanon and Taiwan have been affected by the Trojan thus far.
Rootnik was able to spread by being embedded in copies of legitimate applications:
- WiFi Analyzer
- Open Camer
Unit42
Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
blogs_unit42·2015-12-04·CVSS 6.8
[MEDIUM] Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
## Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information
Wenjun Hu
Claud Xiao
Zhi Xu
Published: December 4, 2015
Malware
Threat Research
Android
Google Play
Rootnik
We recently analyzed a Trojan named "Rootnik" which uses a customized commercial root tool named “Root Assistant” to gain root access on Android devices. By reverse engineering and repackaging this tool, the creators of Rootnik successfully stole at least five exploits that give them root access to Android devices that are running Android 4.3 and earlier. Root Assistant was developed by a Chinese company to help individuals gain root access to their own devices. However, Rootnik uses this tool to attack phones all over the world. Based on the data we have collected, Android users in Uni
arXiv
Secure Containers in Android: the Samsung KNOX Case Study
arxiv_fulltext·2016-05-27
Secure Containers in Android: the Samsung KNOX Case Study
Uri Kanonov
School of Computer Science
Tel Aviv University
Avishai Wool
School of Electrical Engineering
Tel Aviv University
### Abstract
Bring Your Own Device (BYOD) is a growing trend among enterprises, aiming to improve workers' mobility and productivity via their smartphones.
The threats and dangers posed by the smartphones to the enterprise are also ever-growing.
Such dangers can be mitigated by running the enterprise software inside a ``secure container'' on the smartphone.
In our work we present a systematic assessment of security critical areas in design and implementation of a secure container for Android
using reverse engineering and attacker-inspired methods.
We do this thro
Bugzilla
CVE kernel non-issue statements
bugzilla·2010-05-13·CVSS 5.0
[MEDIUM] CVE kernel non-issue statements
CVE kernel non-issue statements
This bug is to collect statements for Linux kernel-related CVE's that do not have their own top-level CVE SRT bug because it did not affect any of our supported kernels. These statements were also referred to as NVD statements and are noted on the NVD web site.
(From bug 589808) Do not change the bug alias, it needs to have "CVE" in the title. You can add extra statements in new comments or editing existing comments and they will be picked up correctly.
Discussion:
Statement CVE-2010-0747:
Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not backport an out-of-tree drbd module (drbd8).
Statement CVE-2010-1446:
Not vulnerable. This issue di
References
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=8404663f81d212918ff85f493649a7991209fa04
- http://www.codeaurora.org/projects/security-advisories/missing-access-checks-putusergetuser-kernel-api-cve-2013-6282
- http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.5.5
- http://www.openwall.com/lists/oss-security/2013/11/14/11
- http://www.securityfocus.com/bid/63734
- http://www.ubuntu.com/usn/USN-2067-1
- https://github.com/torvalds/linux/commit/8404663f81d212918ff85f493649a7991209fa04
- https://www.exploit-db.com/exploits/40975/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-6282
Timeline
- 2013-11-20: Published
- 2022-09-15: Added to CISA KEV
- Exploited in the wild