CVE-2014-9322
Published 2014-12-17
Priority: P3 · 49 · high · 7.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 1.50% (71.1th percentile)
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.
Affected
19 ranges reported (identical rows merged)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | linux | < 3.16.7-ckt2-1 (bookworm) | 3.16.7-ckt2-1 |
| android | — | — | — |
| linux | linux_kernel | < 3.2.65 | 3.2.65 |
| linux | linux_kernel | >= 0 < 3.16.7-ckt2-1 | 3.16.7-ckt2-1 |
| linux | linux_kernel | >= 0 < 3.13.0-43.72 | 3.13.0-43.72 |
| linux | linux_kernel | >= 3.11 < 3.12.35 | 3.12.35 |
| linux | linux_kernel | >= 3.13 < 3.14.26 | 3.14.26 |
| linux | linux_kernel | >= 3.15 < 3.16.35 | 3.16.35 |
| linux | linux_kernel | >= 3.17 < 3.17.5 | 3.17.5 |
| linux | linux_kernel | >= 3.3 < 3.4.106 | 3.4.106 |
| linux | linux_kernel | >= 3.5 < 3.10.62 | 3.10.62 |
| opensuse | evergreen | — | — |
| redhat | enterprise_linux_eus | — | — |
| suse | suse_linux_enterprise_server | — | — |
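The ranges above are upstream stable-branch cut-offs, so the first question on a host is simply whether its kernel sits below the fix on its branch. The following C program is an added example, not code from the page or from any vendor: it parses a `uname -r` style release string and screens it against the fixed versions in the table. For the 3.16 branch it uses the Debian entry (3.16.7-ckt2-1) rather than the 3.16.35 upper bound of the NVD-derived row, which is this example's choice. Two caveats are built in: only x86-64 kernels carry the bug (the flaw is in entry_64.S), and distribution kernels backport fixes without bumping the upstream version (Ubuntu's 3.13.0-43.72 row is one such case), so an "in affected range" verdict means "check the vendor advisory", not "exploitable".

```c
/* Added example: screen a kernel release string against the upstream fixed
 * versions listed for CVE-2014-9322 (BadIRET). Not from the page or a vendor. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

enum badiret_status {
    BADIRET_FIXED = 0,          /* at or above the branch's first fixed release */
    BADIRET_CHECK_VENDOR = 1,   /* below it upstream: distro may have backported */
    BADIRET_NOT_APPLICABLE = 2  /* not an x86-64 kernel */
};

struct kver { int major, minor, patch, ckt; };

/* Parse "3.16.7-ckt2-1-amd64" into {3,16,7,2}; the -cktN suffix is the
 * Canonical/Debian extended-stable counter. Returns 0 on malformed input. */
static int parse_kver(const char *s, struct kver *v)
{
    char *end;
    v->major = v->minor = v->patch = v->ckt = 0;
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s) return 0;
    if (*end == '.') {
        s = end + 1;
        v->patch = (int)strtol(s, &end, 10);
        if (end == s) return 0;
    }
    const char *ckt = strstr(end, "-ckt");
    if (ckt) v->ckt = (int)strtol(ckt + 4, NULL, 10);
    return 1;
}

static int kver_cmp(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (a->ckt != b->ckt) return a->ckt < b->ckt ? -1 : 1;
    return 0;
}

/* First fixed release on the stable branch holding (major, minor), taken from
 * the affected table. Returns 0 when the branch post-dates the fix (3.18+). */
static int first_fixed(int major, int minor, struct kver *fixed)
{
    static const struct { int lo_minor, hi_minor; struct kver fixed; } branches[] = {
        {  0,  2, { 3,  2,  65, 0 } },  /* 3.2 longterm; also covers 2.6.x */
        {  3,  4, { 3,  4, 106, 0 } },
        {  5, 10, { 3, 10,  62, 0 } },
        { 11, 12, { 3, 12,  35, 0 } },
        { 13, 14, { 3, 14,  26, 0 } },
        { 15, 16, { 3, 16,   7, 2 } },  /* 3.16.7-ckt2, per the Debian entry */
        { 17, 17, { 3, 17,   5, 0 } },
    };
    if (major > 3) return 0;
    if (major < 3) { *fixed = branches[0].fixed; return 1; }
    for (size_t i = 0; i < sizeof branches / sizeof branches[0]; i++) {
        if (minor >= branches[i].lo_minor && minor <= branches[i].hi_minor) {
            *fixed = branches[i].fixed;
            return 1;
        }
    }
    return 0;
}

enum badiret_status badiret_status(const char *release, const char *machine)
{
    struct kver v, fixed;
    if (strcmp(machine, "x86_64") != 0) return BADIRET_NOT_APPLICABLE;
    /* Unparseable release string: stay conservative and ask for a vendor check. */
    if (!parse_kver(release, &v)) return BADIRET_CHECK_VENDOR;
    if (!first_fixed(v.major, v.minor, &fixed)) return BADIRET_FIXED;
    return kver_cmp(&v, &fixed) < 0 ? BADIRET_CHECK_VENDOR : BADIRET_FIXED;
}

int main(void)
{
    static const char *verdict[] = {
        "at or above the upstream fix",
        "in an upstream-affected range: check the vendor advisory (USN/RHSA/DSA)",
        "not applicable (not x86_64)"
    };
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 1; }
    printf("%s %s: %s\n", u.release, u.machine, verdict[badiret_status(u.release, u.machine)]);
    return 0;
}
```

Running it on the host prints one line with the release string and verdict; a `BADIRET_CHECK_VENDOR` result on a distribution kernel should be resolved against the package changelog or the vendor's CVE page, since a 3.13.0-43.72 Ubuntu kernel or a RHEL 2.6.32 errata kernel is fixed despite failing the upstream comparison.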
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |
Ubuntu
Linux kernel (EC2) vulnerabilities
vendor_ubuntu·2015-02-04·CVSS 5.5
CVE-2014-3610 [MEDIUM] Linux kernel (EC2) vulnerabilities
Title: Linux kernel (EC2) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)
Lars Bull reported a race condition in the PIT (programmable interrupt
timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux
kernel. A local guest user with access to PIT i/o ports could exploit this
flaw to cause a denial of service (crash) on the host. (CVE-2014-3611)
Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual
Machine) handles noncanonical writes to certain MSR registers. A privileged
guest us
Ubuntu
Linux kernel (OMAP4) vulnerabilities
vendor_ubuntu·2015-01-13·CVSS 4.9
CVE-2014-7842 [MEDIUM] Linux kernel (OMAP4) vulnerabilities
Title: Linux kernel (OMAP4) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)
An information leak in the Linux kernel was discovered that could leak the
high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine
(KVM) paravirt guests. A user in the guest OS could exploit this leak to
obtain information that could potentially be used to aid in attacking the
kernel. (CVE-2014-8134)
A race condition with MMIO and PIO transactions in the KVM (Kernel Virtual
Machine) subsystem of the Linux kernel was discovere
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2015-01-13·CVSS 5.5
CVE-2014-3610 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)
Lars Bull reported a race condition in the PIT (programmable interrupt
timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux
kernel. A local guest user with access to PIT i/o ports could exploit this
flaw to cause a denial of service (crash) on the host. (CVE-2014-3611)
Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual
Machine) handles noncanonical writes to certain MSR registers. A privileged
guest user can
Red Hat
kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility
vendor_redhat·2014-12-15·CVSS 7.8
CVE-2014-9322 [HIGH] CWE-841 kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility
kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.
A flaw was found in the way the Linux kernel handled GS segment register base switching when recovering from a #SS (stack segment) fault on an erroneous return to user space. A local, unprivileged user could use this flaw to escalate their privileges on the system.
Statement: This issue does affect the Linux kernel packages as shipped with Red Hat
Enterprise Linux 4, 5, 6, and 7, and Red Hat Enterprise MRG 2. Future Linux
k
Ubuntu
Linux kernel (Utopic HWE) vulnerabilities
vendor_ubuntu·2014-12-12·CVSS 7.5
CVE-2014-3673 [HIGH] Linux kernel (Utopic HWE) vulnerabilities
Title: Linux kernel (Utopic HWE) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)
An information leak in the Linux kernel was discovered that could leak the
high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine
(KVM) paravirt guests. A user in the guest OS could exploit this leak to
obtain information that could potentially be used to aid in attacking the
kernel. (CVE-2014-8134)
Rabin Vincent, Robert Swiecki, Russell King discovered that the ftrace
subsystem of the Linux kernel does not properly han
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2014-12-12·CVSS 7.5
CVE-2014-3673 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)
An information leak in the Linux kernel was discovered that could leak the
high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine
(KVM) paravirt guests. A user in the guest OS could exploit this leak to
obtain information that could potentially be used to aid in attacking the
kernel. (CVE-2014-8134)
Rabin Vincent, Robert Swiecki, Russell King discovered that the ftrace
subsystem of the Linux kernel does not properly handle private s
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2014-12-12·CVSS 7.8
CVE-2014-7825 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the kernel.
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)
An information leak in the Linux kernel was discovered that could leak the
high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine
(KVM) paravirt guests. A user in the guest OS could exploit this leak to
obtain information that could potentially be used to aid in attacking the
kernel. (CVE-2014-8134)
Rabin Vincent, Robert Swiecki, Russell King discovered that the ftrace
subsystem of the Linux kernel does not properly handle private s
Ubuntu
Linux kernel (Trusty HWE) vulnerabilities
vendor_ubuntu·2014-12-12·CVSS 7.5
CVE-2014-3673 [HIGH] Linux kernel (Trusty HWE) vulnerabilities
Title: Linux kernel (Trusty HWE) vulnerabilities
Summary: Several security issues were fixed in the kernel.
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)
An information leak in the Linux kernel was discovered that could leak the
high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine
(KVM) paravirt guests. A user in the guest OS could exploit this leak to
obtain information that could potentially be used to aid in attacking the
kernel. (CVE-2014-8134)
Rabin Vincent, Robert Swiecki, Russell King discovered that the ftrace
subsystem of the Linux kernel does not properly han
Debian
CVE-2014-9322: linux - arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly h...
vendor_debian·2014·CVSS 7.8
CVE-2014-9322 [HIGH] CVE-2014-9322: linux - arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly h...
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.
Scope: local
bookworm: resolved (fixed in 3.16.7-ckt2-1)
bullseye: resolved (fixed in 3.16.7-ckt2-1)
forky: resolved (fixed in 3.16.7-ckt2-1)
sid: resolved (fixed in 3.16.7-ckt2-1)
trixie: resolved (fixed in 3.16.7-ckt2-1)
GHSA
GHSA-h8qx-jqqh-5mjc: arch/x86/kernel/entry_64
ghsa_unreviewed·2022-05-13
CVE-2014-9322 [HIGH] CWE-269 GHSA-h8qx-jqqh-5mjc: arch/x86/kernel/entry_64
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.
OSV
CVE-2014-9322: arch/x86/kernel/entry_64
osv·2014-12-17·CVSS 7.8
CVE-2014-9322 [HIGH] CVE-2014-9322: arch/x86/kernel/entry_64
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.
OSV
linux vulnerabilities
osv·2014-12-12·CVSS 7.5
CVE-2014-9322 [HIGH] linux vulnerabilities
linux vulnerabilities
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)
An information leak in the Linux kernel was discovered that could leak the
high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine
(KVM) paravirt guests. A user in the guest OS could exploit this leak to
obtain information that could potentially be used to aid in attacking the
kernel. (CVE-2014-8134)
Rabin Vincent, Robert Swiecki, Russell King discovered that the ftrace
subsystem of the Linux kernel does not properly handle private syscall
numbers. A local user could exploit this flaw to cause a denial of
OSV
linux-lts-utopic vulnerabilities
osv·2014-12-12·CVSS 7.5
CVE-2014-9322 [HIGH] linux-lts-utopic vulnerabilities
linux-lts-utopic vulnerabilities
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)
An information leak in the Linux kernel was discovered that could leak the
high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine
(KVM) paravirt guests. A user in the guest OS could exploit this leak to
obtain information that could potentially be used to aid in attacking the
kernel. (CVE-2014-8134)
Rabin Vincent, Robert Swiecki, Russell King discovered that the ftrace
subsystem of the Linux kernel does not properly handle private syscall
numbers. A local user could exploit this flaw to cause a
No detection rules found.
Exploit-DB
Linux Kernel - 'BadIRET' Local Privilege Escalation
exploitdb·2017-07-24·CVSS 7.8
CVE-2014-9322 [HIGH] Linux Kernel - 'BadIRET' Local Privilege Escalation
Linux Kernel - 'BadIRET' Local Privilege Escalation
---
# CVE-2014-9322 PoC for Linux kernel
CVE-2014-9322 (a.k.a BadIRET) proof of concept for Linux kernel.
This PoC uses only syscalls not any libraries, like pthread. Threads are implemented using raw Linux syscalls.
[Raw Linux Threads via System Calls](http://nullprogram.com/blog/2015/05/15/)
# Usage
```
$ make
```
**badiret.elf** is an ELF executable.
**badiret.bin** is a raw binary that can be used as payload.
# Reference
[Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)](https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/)
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44205.zip
Exploit-DB
Linux Kernel 3.17.5 - IRET Instruction #SS Fault Handling Crash (PoC)
exploitdb·2015-03-04
CVE-2014-9322 Linux Kernel 3.17.5 - IRET Instruction #SS Fault Handling Crash (PoC)
Linux Kernel 3.17.5 - IRET Instruction #SS Fault Handling Crash (PoC)
---
/* ----------------------------------------------------------------------------------------------------
* cve-2014-9322_poc.c
*
* arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not
* properly handle faults associated with the Stack Segment (SS) segment
* register, which allows local users to gain privileges by triggering an IRET
* instruction that leads to access to a GS Base address from the wrong space.
*
* This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
*
* I have no merit to writing this poc, I just implemented first part of Rafal Wojtczuk article (this guy is a genius!)
* More info at : http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerabil
Securelist
Hacking microcontroller firmware through a USB
blogs_securelist·2019-03-21
Hacking microcontroller firmware through a USB
Table of Contents
- Who hacks video game consoles?
- Protection scheme of DualShock 4
- Rumors of super counterfeit DualShock 4
- Basics of embedded firmware analysis
- In the shadow of colossus
- Revelations
- Hacking microcontroller firmware through a USB
- Exploitation
- Crypto fail
- Conclusion
Authors
- Boris Larin
In this article, I want to demonstrate extracting the firmware from a secure USB device running on the Cortex M0.
## Who hacks video game consoles?
The manufacture of counterfeit and unlicensed products is widespread in the world of video game consoles. It’s a multi-billion dollar industry in which demand creates supply. You can now find devices for almost all the existing consoles that allow you to play copies of licensed video game ‘backups’ from flash drives, coun
arXiv
Hey Google, What Exactly Do Your Security Patches Tell Us? A Large-Scale Empirical Study on Android Patched Vulnerabilities
arxiv_fulltext·2019-05-22
Hey Google, What Exactly Do Your Security Patches Tell Us? A Large-Scale Empirical Study on Android Patched Vulnerabilities
Sadegh Farhang (Pennsylvania State University)
Mehmet Bahadir Kirdan (Technical University of Munich)
Aron Laszka (University of Houston)
Jens Grossklags (Technical University of Munich)
Sadegh Farhang and Mehmet Bahadir Kirdan contributed equally to this work.
## Abstract
Android has the largest market share among smartphone platforms worldwide with more than one billion active devices.
Like other platforms, security patches play a pivotal role in keeping Android devices safe from the exploitation of known vulnerabilities. Previous research efforts have documente
Bugzilla
CVE-2014-9322 kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility
bugzilla·2014-12-10·CVSS 4.9
CVE-2014-9322 [MEDIUM] CVE-2014-9322 kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility
CVE-2014-9322 kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility
It was found that because paranoid entry does not contain the swapgs fixup for
bad_iret (unlike error entry), under certain conditions (#SS on iret) it can
happen that bad_iret is reached with usergs instead of kernelgs that it is
expecting.
A local unprivileged user can use this flaw to increase their privileges on
the system.
Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6f442be2fb22be02cafa606f1769fa1e6f894441
Acknowledgements:
Red Hat would like to thank Andy Lutomirski for reporting this issue.
Discussion:
Statement:
This issue does affect the Linux kernel packages as shipped with Red Hat
Enterprise Linux 4, 5, 6, and 7, and Red Hat Enterprise
References
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6f442be2fb22be02cafa606f1769fa1e6f894441
- https://github.com/torvalds/linux/commit/6f442be2fb22be02cafa606f1769fa1e6f894441
- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.17.5
- http://www.openwall.com/lists/oss-security/2014/12/15/6
- https://bugzilla.redhat.com/show_bug.cgi?id=1172806
- http://rhn.redhat.com/errata/RHSA-2014-1998.html
- http://rhn.redhat.com/errata/RHSA-2014-2008.html
- http://rhn.redhat.com/errata/RHSA-2014-2028.html
- http://rhn.redhat.com/errata/RHSA-2014-2031.html
- http://rhn.redhat.com/errata/RHSA-2015-0009.html
- http://www.ubuntu.com/usn/USN-2491-1
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html
- http://marc.info/?l=bugtraq&m=142722450701342&w=2
- http://marc.info/?l=bugtraq&m=142722544401658&w=2
- http://source.android.com/security/bulletin/2016-04-02.html
- http://www.exploit-db.com/exploits/36266
- http://www.zerodayinitiative.com/advisories/ZDI-16-170
- https://help.joyent.com/entries/98788667-Security-Advisory-ZDI-CAN-3263-ZDI-CAN-3284-and-ZDI-CAN-3364-Vulnerabilities
- http://osvdb.org/show/osvdb/115919
- http://secunia.com/advisories/62336