CVE-2019-1999
Published 2019-02-28
Priority P346 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 0.79% (51.6th percentile)
In binder_alloc_free_page of binder_alloc.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-120025196.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | android | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | linux | < linux 5.2.6-1 (bookworm) | linux 5.2.6-1 (bookworm) |
| android | — | — | |
| linux | linux_kernel | >= 0 < 5.2.6-1 | 5.2.6-1 |
| linux | linux_kernel | >= 0 < 5.2.6-1 | 5.2.6-1 |
| linux | linux_kernel | >= 0 < 5.2.6-1 | 5.2.6-1 |
| linux | linux_kernel | >= 0 < 5.2.6-1 | 5.2.6-1 |
CVSS provenance
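| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 5.6 | MEDIUM | — |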
GHSA
GHSA-h74g-q6cf-5qxm: In binder_alloc_free_page of binder_alloc
ghsa_unreviewed·2022-04-30
CVE-2019-1999 [HIGH] CWE-415 GHSA-h74g-q6cf-5qxm: In binder_alloc_free_page of binder_alloc
In binder_alloc_free_page of binder_alloc.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-120025196.
OSV
CVE-2019-1999: In binder_alloc_free_page of binder_alloc
osv·2019-02-28·CVSS 7.8
CVE-2019-1999 [HIGH] CVE-2019-1999: In binder_alloc_free_page of binder_alloc
In binder_alloc_free_page of binder_alloc.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-120025196.
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2019-05-14·CVSS 5.6
CVE-2019-11683 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan
Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa
Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos,
Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss
discovered that memory previously stored in microarchitectural fill buffers
of an Intel CPU core may be exposed to a malicious process that is
executing on the same CPU core. A local attacker could use this to expose
sensitive information. (CVE-2018-12130)
Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan
van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh
Razavi,
Android
CVE-2019-1999: Binder driver
vendor_android·2019-02-01·CVSS 7.8
CVE-2019-1999 [HIGH] CVE-2019-1999: Binder driver
Android Security Bulletin 2019-02-01
CVE: CVE-2019-1999
Severity: HIGH
Type: EoP
Component: Binder driver
References: A-120025196*
Debian
CVE-2019-1999: linux - In binder_alloc_free_page of binder_alloc.c, there is a possible double free due...
vendor_debian·2019·CVSS 7.8
CVE-2019-1999 [HIGH] CVE-2019-1999: linux - In binder_alloc_free_page of binder_alloc.c, there is a possible double free due...
In binder_alloc_free_page of binder_alloc.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-120025196.
Scope: local
bookworm: resolved (fixed in 5.2.6-1)
bullseye: resolved (fixed in 5.2.6-1)
forky: resolved (fixed in 5.2.6-1)
sid: resolved (fixed in 5.2.6-1)
trixie: resolved (fixed in 5.2.6-1)
Suricata
ET SNMP missing community string attempt 2
suricata·2013-01-09
CVE-1999-0517 ET SNMP missing community string attempt 2
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 2"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016179; rev:2; metadata:created_at 2013_01_09, cve CVE_1999_0517, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
ET SNMP missing community string attempt 1
suricata·2013-01-09
CVE-1999-0517 ET SNMP missing community string attempt 1
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 1"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016178; rev:2; metadata:created_at 2013_01_09, cve CVE_1999_0517, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
ET SNMP missing community string attempt 4
suricata·2013-01-09
CVE-1999-0517 ET SNMP missing community string attempt 4
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 4"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016181; rev:2; metadata:created_at 2013_01_09, cve CVE_1999_0517, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL RPC RQUOTA getquota overflow attempt UDP
suricata·2010-09-23
CVE-1999-0974 GPL RPC RQUOTA getquota overflow attempt UDP
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2101963; rev:10; metadata:created_at 2010_09_23, cve CVE_1999_0974, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL RPC portmap rusers request UDP
suricata·2010-09-23
CVE-1999-0626 GPL RPC portmap rusers request UDP
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2100584; rev:12; metadata:created_at 2010_09_23, cve CVE_1999_0626, signature_severity Informational, updated_at 2019_07_26;)
Suricata
GPL SNMP null community string attempt
suricata·2010-09-23
CVE-1999-0517 GPL SNMP null community string attempt
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:2101892; rev:7; metadata:created_at 2010_09_23, cve CVE_1999_0517, signature_severity Major, updated_at 2019_07_26;)
Suricata
GPL RPC tooltalk UDP overflow attempt
suricata·2010-09-23
CVE-1999-0003 GPL RPC tooltalk UDP overflow attempt
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101964; rev:9; metadata:created_at 2010_09_23, cve CVE_1999_0003, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt
suricata·2010-09-23
CVE-1999-0696 GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101907; rev:11; metadata:created_at 2010_09_23, cve CVE_1999_0696, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL DNS zone transfer UDP
suricata·2010-09-23
CVE-1999-0532 GPL DNS zone transfer UDP
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2101948; rev:8; metadata:created_at 2010_09_23, cve CVE_1999_0532, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL IMAP login buffer overflow attempt
suricata·2010-09-23
CVE-1999-0005 GPL IMAP login buffer overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16; metadata:created_at 2010_09_23, cve CVE_1999_0005, confidence High, signature_severity Major, updated_at 2019_07_26;)
Suricata
GPL RPC portmap bootparam request UDP
suricata·2010-09-23
CVE-1999-0647 GPL RPC portmap bootparam request UDP
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2100577; rev:14; metadata:created_at 2010_09_23, cve CVE_1999_0647, signature_severity Informational, updated_at 2019_07_26;)
Suricata
GPL RPC portmap ttdbserv request UDP
suricata·2010-09-23
CVE-1999-0003 GPL RPC portmap ttdbserv request UDP
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100588; rev:18; metadata:created_at 2010_09_23, cve CVE_1999_0003, signature_severity Informational, updated_at 2019_07_26;)
Suricata
GPL IMAP authenticate overflow attempt
suricata·2010-09-23
CVE-1999-0005 GPL IMAP authenticate overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2101844; rev:12; metadata:created_at 2010_09_23, cve CVE_1999_0005, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Suricata
GPL SNMP public access udp
suricata·2010-09-23
CVE-1999-0517 GPL SNMP public access udp
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:13; metadata:created_at 2010_09_23, cve CVE_1999_0517, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_10_08;)
Suricata
GPL DNS named iquery attempt
suricata·2010-09-23
CVE-1999-0009 GPL DNS named iquery attempt
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:2100252; rev:9; metadata:created_at 2010_09_23, cve CVE_1999_0009, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
GPL TFTP Put
suricata·2010-09-23
CVE-1999-0183 GPL TFTP Put
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Put"; content:"|00 02|"; depth:2; reference:cve,1999-0183; classtype:bad-unknown; sid:2100518; rev:8; metadata:created_at 2010_09_23, cve CVE_1999_0183, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Exploit-DB
Android - binder Use-After-Free of VMA via race Between reclaim and munmap
exploitdb·2019-02-12
CVE-2019-1999 Android - binder Use-After-Free of VMA via race Between reclaim and munmap
---
The following bug report solely looks at the situation on the upstream master
branch; while from a cursory look, at least the wahoo kernel also looks
affected, I have only properly tested this on upstream master.
There is a race condition between the direct reclaim path (enters binder through
the binder_shrinker) and the munmap() syscall (enters binder through the ->close
handler of binder_vm_ops).
Coming from the munmap() syscall:
binder_vma_close()->binder_alloc_vma_close()->binder_alloc_set_vma() sets
alloc->vma to NULL without taking any extra locks; binder_vma_close() is called
from remove_vma()alloc;
if (!mutex_trylock(&alloc->mutex))
goto err_get_alloc_mutex_failed;
if (!page->page_ptr)
goto err_pag
Exploit-DB
Greg Matthews - 'Classifieds.cgi' 1.0 Hidden Variable
exploitdb·1998-12-15
CVE-1999-0935 Greg Matthews - 'Classifieds.cgi' 1.0 Hidden Variable
---
source: https://www.securityfocus.com/bid/2019/info
Classifieds.cgi is a perl script (part of the classifieds package by Greg Matthews) which provides simple classified ads to web sites. Due to improper input validation it can be used to execute any command on the host machine, with the privileges of the web server. If the attacker can submit a command to run as a hidden variable that command will be executed. Normally this variable is reserved for the mail program and is accessed from an HTML page with the following piece of code:
Which department do you want your ad to be placed in or you would like to view?
No writeups or analysis indexed.
http://www.securityfocus.com/bid/106851
https://seclists.org/bugtraq/2019/Aug/13
https://source.android.com/security/bulletin/2019-02-01
https://usn.ubuntu.com/3979-1/
https://www.debian.org/security/2019/dsa-4495
https://www.exploit-db.com/exploits/46357/
Published: 2019-02-28