CVE-2015-8556
published 2017-03-24

CVE-2015-8556: Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.

Priority: P2 (62)
CVSS 3.0: 10 critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploit: flagged
EPSS: 13.37% (95.9th percentile)

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
debian   qemu      -               -
qemu     qemu      <= 2.4.1        -

Detection & IOCs (extracted from sources)

path:    /tmp/virtfshell/sock
path:    /tmp/virtfshell
process: virtfs-proxy-helper
command: virtfs-proxy-helper -n -p /tmp -u <uid> -g <gid> -s /tmp/virtfshell/sock
path:    /tmp/original_shadow
path:    /tmp/modified_shadow
  • Monitor for TOCTOU race: a process spawning virtfs-proxy-helper followed immediately by unlink+symlink of its socket path (e.g. /tmp/virtfshell/sock → /etc/shadow) in rapid succession indicates active exploitation.
  • Alert on virtfs-proxy-helper being executed by an unprivileged user with SUID bit set or CAP_CHOWN capability; this is the prerequisite condition for exploitation.
  • Detect inotify_init() followed by fork/execlp of virtfs-proxy-helper and rapid unlink/symlink of the socket path — this is the exploit's race-loop pattern.
  • Alert on unexpected ownership change of /etc/shadow to a non-root UID, which is the indicator that the TOCTOU race was won and chown succeeded.
  • Exploitation requires virtfs-proxy-helper to be installed SUID root OR granted CAP_CHOWN; systems without either condition are not vulnerable.
  • This vulnerability is Gentoo-package-specific (QEMU before 2.5.0-r1); upstream QEMU and Red Hat qemu-kvm packages are not affected.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      10.0    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_debian   -         10.0    LOW        -
vendor_redhat   -         10.0    CRITICAL   -