CVE-2015-3636
published 2015-08-06


Priority: P279 · Severity: medium · CVSS 2.0 base score: 4.9
Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 2.47% (82.5th percentile)
The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.

Affected

18 ranges

Vendor      Product           Version range                  Fixed in
canonical   ubuntu_linux
debian      debian_linux
debian      linux             < linux 4.0.2-1 (bookworm)     linux 4.0.2-1 (bookworm)
debian      linux             < linux 4.3.1-1 (bookworm)     linux 4.3.1-1 (bookworm)
google      android
google      android
linux       linux_kernel      < 4.3                          4.3
linux       linux_kernel      <= 4.0.2
linux       linux_kernel      >= 0, < 4.3.1-1                4.3.1-1
linux       linux_kernel      >= 0, < 4.0.2-1                4.0.2-1
linux       linux_kernel      >= 0, < 4.3.1-1                4.3.1-1
linux       linux_kernel      >= 0, < 4.0.2-1                4.0.2-1
linux       linux_kernel      >= 0, < 4.3.1-1                4.3.1-1
linux       linux_kernel      >= 0, < 4.0.2-1                4.0.2-1
linux       linux_kernel      >= 0, < 4.3.1-1                4.3.1-1
linux       linux_kernel      >= 0, < 4.0.2-1                4.0.2-1
linux       linux_kernel      >= 0, < 3.13.0-54.91           3.13.0-54.91
redhat      enterprise_linux

Detection & IOCs (extracted from sources)

url    hxxp://cgalim[.]com/admin/hr/1.apk
url    hxxp://cgalim[.]com/admin/hr/pu/pu.php
hash   f33aedfe5ebc918f5489e1f8a9fe19b160f112726e7ac2687e429695723bca6a (SHA-256)
hash   c015292aab1d41acd0674c98cd8e91379c1a645c31da24f8d017722d9b942235 (SHA-256)
hash   70a937b2504b3ad6c623581424c7e53d (MD5)
  • CVE-2015-3636 is triggered through an unprivileged ping socket: socket(AF_INET or AF_INET6, SOCK_DGRAM, IPPROTO_ICMP or IPPROTO_ICMPV6), then connect(), then a disconnect (for datagram sockets this is a connect() whose address family is AF_UNSPEC), then a second connect(). Monitor for local processes that open ping sockets and then issue that connect / connect(AF_UNSPEC) / connect sequence; ordinary ping utilities do not disconnect and reconnect a ping socket.
  • Check the net.ipv4.ping_group_range sysctl. The kernel default is '1 0', an empty range that lets no group create ping sockets. Any other value (Android ships '0 2147483647') exposes the vulnerable code path to every user whose effective or supplementary GID falls inside the range.
  • KevDroid Variant 2 embeds an ELF exploit file named 'POC' inside the APK to exploit CVE-2015-3636; scan APKs for embedded ELF files named 'POC' targeting 32-bit architectures.
  • KevDroid exfiltrates stolen data via HTTP POST to cgalim[.]com; block/alert on HTTP POST traffic to cgalim[.]com/admin/hr/pu/pu.php.
  • Impact depends on architecture. On x86-64 the practical impact is a local denial of service (crash); on non-x86-64 architectures, 32-bit ARM in particular (hence the Android focus), the same bug yields local privilege escalation. The reason is that the freed socket's list pointers hold the LIST_POISON1/LIST_POISON2 values left by the earlier unhash: on x86-64 those are non-canonical, unmappable addresses, so the later dereference can only fault, while on 32-bit targets an unprivileged process can mmap the poison address and control what the kernel dereferences.
  • The vulnerability is not reachable if net.ipv4.ping_group_range is left at the default '1 0'; exploitation requires ping socket functionality to be enabled for the attacker's user/group.
  • Red Hat Enterprise Linux 5 is NOT affected by CVE-2015-3636; only RHEL 6, 7, and MRG 2 are affected. Ping sockets (net/ipv4/ping.c) were introduced in mainline 2.6.39, so the RHEL 5 (2.6.18-based) kernel does not contain the vulnerable code.
  • CVE-2015-3636 is distinct from CVE-2016-0821 (LIST_POISON bypass); they are related but separate vulnerabilities in Android/Linux kernel list handling.
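The two detection notes above (the syscall sequence and the ping_group_range sysctl) reduce to one practical question for a defender: can the user in question reach the ping-socket code path at all? The C program below is an added example, not code from the advisory, VulnCheck, or any vendor. It parses net.ipv4.ping_group_range and decides whether the caller's effective or supplementary GIDs fall inside it, empirically probes whether socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) succeeds, and compares the running release against the 4.0.3 mainline fix. It deliberately stops short of the connect / connect(AF_UNSPEC) / connect trigger. The sysctl path is the real procfs file; the function names and the 64-group cap are this example's own choices.

```c
/* ping_sock_check.c: added example, not part of the advisory or any vendor
 * tooling. Reports whether the current user could reach the vulnerable
 * ping-socket code path (the precondition for CVE-2015-3636) and whether the
 * running mainline version predates the 4.0.3 fix. It never issues the
 * connect/disconnect/connect trigger sequence. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/utsname.h>
#include <netinet/in.h>

#define PING_RANGE_PATH "/proc/sys/net/ipv4/ping_group_range"

/* Parse the "low<tab>high" text the kernel writes to ping_group_range.
 * Returns 0 on success, -1 if either number is missing. */
int parse_ping_group_range(const char *text, long *low, long *high)
{
    char *end;
    *low = strtol(text, &end, 10);            /* strtol skips leading whitespace */
    if (end == text)
        return -1;
    const char *second = end;
    *high = strtol(second, &end, 10);
    if (end == second)
        return -1;
    return 0;
}

/* A gid may create an unprivileged ICMP SOCK_DGRAM socket iff low <= gid <= high.
 * The kernel default "1 0" is an empty range, so nobody qualifies; Android's
 * "0 2147483647" admits everyone. The kernel checks the effective gid first,
 * then every supplementary group, which main() mirrors below. */
int ping_socket_allowed(long low, long high, long gid)
{
    return low <= gid && gid <= high;
}

/* 1 if a release string ("4.0.2", "3.13.0-54.90-generic") is below 4.0.3, the
 * first mainline version carrying the ping_unhash fix; 0 if not; -1 if the
 * string does not start with major.minor. Distribution kernels backport fixes
 * (Ubuntu's 3.13.0-54.91 is fixed), so this is a hint; the socket probe decides. */
int mainline_before_4_0_3(const char *release)
{
    int v[3] = {0, 0, 0};
    if (sscanf(release, "%d.%d.%d", &v[0], &v[1], &v[2]) < 2)
        return -1;
    const int fix[3] = {4, 0, 3};
    for (int i = 0; i < 3; i++)
        if (v[i] != fix[i])
            return v[i] < fix[i];
    return 0;
}

/* Try to open a ping socket and close it immediately. Returns 1 if the kernel
 * lets this process in; on failure *err holds errno (EACCES: group range
 * excludes us, EPROTONOSUPPORT: no ping-socket support in this kernel). */
int probe_ping_socket(int *err)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd < 0) {
        *err = errno;
        return 0;
    }
    close(fd);
    *err = 0;
    return 1;
}

int main(void)
{
    char buf[64] = "";
    long low, high;
    FILE *f = fopen(PING_RANGE_PATH, "r");
    if (f && fgets(buf, sizeof buf, f) && parse_ping_group_range(buf, &low, &high) == 0) {
        printf("ping_group_range = %ld %ld\n", low, high);
        gid_t groups[64];                       /* 64 is this example's cap */
        int n = getgroups(64, groups);
        int allowed = ping_socket_allowed(low, high, (long)getegid());
        for (int i = 0; i < n; i++)
            allowed |= ping_socket_allowed(low, high, (long)groups[i]);
        printf("ping sockets %s for this user by sysctl\n", allowed ? "ENABLED" : "disabled");
    } else {
        puts("could not read " PING_RANGE_PATH);
    }
    if (f)
        fclose(f);

    int err;
    printf("socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP): %s\n",
           probe_ping_socket(&err) ? "succeeded" : strerror(err));

    struct utsname u;
    if (uname(&u) == 0)
        printf("kernel %s: %s\n", u.release,
               mainline_before_4_0_3(u.release) == 1 ? "below 4.0.3, check vendor backports"
                                                      : "not below 4.0.3");
    return 0;
}
```

Build with `cc -std=c99 -Wall -o ping_sock_check ping_sock_check.c` and run it as the unprivileged account being assessed, not as root. The socket probe is the authoritative reachability test; the version compare only flags kernels that are old by mainline numbering, and the affected table above shows that vendor fixes (Ubuntu 3.13.0-54.91, Debian 4.0.2-1) do not move the mainline version string.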

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      4.9     MEDIUM     AV:L/AC:L/Au:N/C:N/I:N/A:C
osv                       4.9     MEDIUM
vulncheck                 4.9     MEDIUM
vendor_debian             4.9     MEDIUM
vendor_redhat             4.9     MEDIUM
vendor_ubuntu             4.9     MEDIUM