CVE-2015-8556 (published 2017-03-24)
Priority: P2 · 62 · critical · CVSS 3.0 score 10
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit: available (see references)
EPSS: 13.37% (95.9th percentile)
Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | qemu | — | — |
| qemu | qemu | <= 2.4.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for the TOCTOU race: a process spawning virtfs-proxy-helper followed immediately by unlink+symlink of its socket path (e.g. /tmp/virtfshell/sock → /etc/shadow) in rapid succession indicates active exploitation.
- Alert on virtfs-proxy-helper being executed by an unprivileged user while the binary has the SUID bit set or the CAP_CHOWN capability; this is the prerequisite condition for exploitation.
- Detect inotify_init() followed by fork/execlp of virtfs-proxy-helper and rapid unlink/symlink of the socket path: this is the exploit's race-loop pattern.
- Alert on an unexpected ownership change of /etc/shadow to a non-root UID, which is the indicator that the TOCTOU race was won and chown succeeded.
- Exploitation requires virtfs-proxy-helper to be installed SUID root or granted CAP_CHOWN; systems without either condition are not vulnerable.
- This vulnerability is Gentoo-package-specific (QEMU before 2.5.0-r1); upstream QEMU and Red Hat qemu-kvm packages are not affected.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_debian | — | 10.0 | LOW | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
Red Hat
Qemu: virtfs: local privilege escalation via virtfs-proxy-helper
vendor_redhat · 2015-12-14 · CVSS 10.0 · CRITICAL · CWE-250
Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.
A Time of Creation To Time of Usage (TOCTTOU) flaw was discovered in the QEMU emulator built with VirtFS (file system pass-through) support to share folders between host and guest. The flaw occurs if the 'virtfs-proxy-helper' program is installed with SUID permissions or has the 'CAP_CHOWN' capability. An unprivileged, local attacker could exploit this flaw to potentially escalate their privileges and gain root access to the system.
Statement: This issue does not affect the versions of the kvm and xen packages as shipped with Red Hat Enterprise Linux 5.
This issue does not affect the versions of the qemu-kvm packages as shipped with Red Hat Ent
Debian
CVE-2015-8556: qemu - Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0...
vendor_debian · 2015 · CVSS 10.0 · CRITICAL
Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.
Scope: local
- bookworm: resolved
- bullseye: resolved
- forky: resolved
- sid: resolved
- trixie: resolved
GHSA
GHSA-ggvf-46pm-9ccw: Local privilege escalation vulnerability in the Gentoo QEMU package before 2
ghsa_unreviewed · 2022-05-17 · CRITICAL · CWE-362
Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.
No detection rules found.
References:
- http://packetstormsecurity.com/files/134948/Gentoo-QEMU-Local-Privilege-Escalation.html
- https://security.gentoo.org/glsa/201602-01
- https://www.exploit-db.com/exploits/39010/