CVE-2015-1805
published 2015-08-08


Priority: P274 high
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 1.41% (69.2th percentile)

The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun."

Affected

15 ranges
Vendor | Product | Version range | Fixed in
debian | linux | < linux 3.16.2-2 (bookworm) | linux 3.16.2-2 (bookworm)
google | android | <= 6.0.1 | -
google | android | - | -
google | android | - | -
google | android | - | -
google | android | - | -
google | android | - | -
google | android | - | -
linux | linux_kernel | <= 3.15.10 | -
linux | linux_kernel | >= 0 < 3.16.2-2 | 3.16.2-2
linux | linux_kernel | >= 0 < 3.16.2-2 | 3.16.2-2
linux | linux_kernel | >= 0 < 3.16.2-2 | 3.16.2-2
linux | linux_kernel | >= 0 < 3.16.2-2 | 3.16.2-2
linux | linux_kernel | >= 0 < 3.13.0-86.130 | 3.13.0-86.130
linux | linux_kernel | >= 0 < 3.13.0-58.97 | 3.13.0-58.97

Detection & IOCs (extracted from sources)

other: com.cleaner.trashcleaner
filename: TrashCleaner
  • Detect the ANDROIDOS_ANDRORAT.HRXC malware family (AndroRAT variant) targeting CVE-2015-1805; look for the package name com.cleaner.trashcleaner on Android devices.
  • Monitor for the Iovyroot exploit (CVE-2015-1805) being used alongside KingoRoot to root ARM 32-bit CPU Android devices, as seen in ZNIU malware campaigns.
  • Flag Android devices running OS versions that have not received patches after April 2016, as they remain vulnerable to CVE-2015-1805 exploitation by this AndroRAT variant.
  • The AndroRAT variant's RAT service is remotely configurable, meaning the C2 server can issue different commands dynamically; static IOCs may not capture all payload behaviors.
  • The malicious apps carrying this AndroRAT variant were never distributed via Google Play; detections should focus on sideloaded/third-party app store installs.

CVSS provenance

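Source | CVSS version | Score | Severity | Vector
nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
osv | - | 7.2 | HIGH | -
vulncheck | - | 7.2 | HIGH | -
vendor_debian | - | 7.2 | HIGH | -
vendor_redhat | - | 7.2 | HIGH | -
vendor_ubuntu | - | 7.2 | HIGH | -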