cbcvebase.
CVE-2014-0038
published 2014-02-06

Priority: P3 | 56 | medium
CVSS 2.0: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 34.65% (98.2th percentile)
The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.

Affected (10 ranges)

Vendor    | Product      | Version range               | Fixed in
debian    | linux        | < linux 3.13.4-1 (bookworm) | linux 3.13.4-1 (bookworm)
linux     | linux_kernel | >= 0, < 3.13.4-1            | 3.13.4-1
linux     | linux_kernel | >= 0, < 3.13.4-1            | 3.13.4-1
linux     | linux_kernel | >= 0, < 3.13.4-1            | 3.13.4-1
linux     | linux_kernel | >= 0, < 3.13.4-1            | 3.13.4-1
linux     | linux_kernel | >= 3.11, < 3.12.10          | 3.12.10
linux     | linux_kernel | >= 3.13, < 3.13.2           | 3.13.2
linux     | linux_kernel | >= 3.4, < 3.4.79            | 3.4.79
linux     | linux_kernel | >= 3.5, < 3.10.29           | 3.10.29
opensuse  | opensuse     | (not specified)             | (not specified)

Detection & IOCs (extracted from sources)

command: syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)1ul)
other: __X32_SYSCALL_BIT 0x40000000 | __NR_recvmmsg = (__X32_SYSCALL_BIT + 537)
path: /proc/sys/net/core/somaxconn
path: /dev/ptmx
other: kernel offset: net_sysctl_root+96 = 0xffffffff81cdf400+96 (3.11.0-15-generic)
other: kernel offset: net_sysctl_root+96 = 0xffffffff81cdf3a0 (3.11.0-12-generic)
other: kernel offset: net_sysctl_root+96 = 0xffffffff81cc7940 (3.8.0-19-generic)
other: PTMX_FOPS = 0xffffffff81fb30c0 (3.11.0-12-generic)
other: TTY_RELEASE = 0xffffffff8142fec0 (3.11.0-12-generic)
other: COMMIT_CREDS = 0xffffffff8108ad40 (3.11.0-12-generic)
other: PREPARE_KERNEL_CRED = 0xffffffff8108b010 (3.11.0-12-generic)
filename: recvmmsg (pre-compiled exploit binary, stored under Msf::Config.data_directory/exploits/CVE-2014-0038/)
path: /tmp/a0RwAacU
bytes: 0x90 NOP sled filling PAGE_SIZE*3 mapped region
  • Detect x32 ABI recvmmsg syscall (syscall number 0x40000000+537 = 0x40000219) issued with a crafted/non-canonical timeout pointer (e.g. (void*)1) from a non-privileged process — this is the core exploit trigger.
  • Alert on mmap() calls with MAP_FIXED|MAP_ANONYMOUS|PROT_EXEC targeting high kernel-adjacent virtual addresses (0xffffffff8xxxxxxx range masked to user space) from unprivileged processes — exploit maps shellcode near kernel symbol addresses.
  • Monitor for unprivileged processes opening /proc/sys/net/core/somaxconn read-only immediately after a series of x32 recvmmsg syscalls — this is the exploit's privilege-check trigger step.
  • Detect opening /dev/ptmx followed immediately by close() from a process that previously issued x32 recvmmsg syscalls — used in the alternate exploit variant (EDB-31346) to trigger the overwritten fops->release pointer.
  • Flag processes that drop a C source file into /tmp, compile it with gcc, chmod +x the result, and execute it — consistent with the Metasploit module's live-compile exploitation workflow.
  • Alert on the presence of the hardcoded pre-compiled payload filename 'a0RwAacU' under /tmp — this is a static artifact of the Metasploit pre-compiled exploit path.
  • Audit systems for CONFIG_X86_X32=y in the running kernel config — this is the required prerequisite for the vulnerability to be exploitable.
  • Detect long-running (up to 765 seconds) loopback UDP socket activity paired with repeated x32 recvmmsg syscalls — the exploit slowly decrements a kernel pointer byte-by-byte, one byte per ~255 seconds.
  • The vulnerability is only exploitable when the kernel is compiled with CONFIG_X86_X32=y. Most major distributions did NOT ship with this option enabled, significantly limiting exposure.
  • The hardcoded kernel offsets in the public exploits are specific to three Ubuntu 13.x kernel versions (3.8.0-19-generic, 3.11.0-12-generic, 3.11.0-15-generic); the exploit will fail on any other kernel without manual offset adaptation.
  • The public exploits assume kallsyms is protected (not readable) and therefore rely on hardcoded offsets instead; restricting /proc/kallsyms was a design consideration for the exploit author but does not prevent exploitation.
  • The Metasploit module sets WfsDelay to 780 seconds to account for the full exploitation time; defenders should note that exploit activity may span up to 13 minutes before privilege escalation completes.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | 2.0     | 6.9   | MEDIUM   | AV:L/AC:M/Au:N/C:C/I:C/A:C
osv           |         | 6.9   | MEDIUM   |
vendor_debian |         | 6.9   | LOW      |
vendor_redhat |         | 6.9   | MEDIUM   |