CVE-2004-0077

Published: 03/03/2004 Updated: 03/05/2018
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
VMScore: 730
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.


Vulnerable Products

linux linux_kernel 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.15_pre20, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, 2.2.21, 2.2.22, 2.2.23, 2.2.24

linux linux_kernel 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24

linux linux_kernel 2.6.0, 2.6.1, 2.6.2, 2.6_test9_cvs

redhat kernel 2.4.20-8
redhat kernel_source 2.4.20-8
redhat kernel doc 2.4.20-8
redhat bigmem kernel 2.4.20-8

trustix secure_linux 1.5, 2.0

netwosix netwosix_linux 1.0

Vendor Advisories

Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the hppa kernel 2.4.17 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: CAN-2003-0961: An integer overflow in brk() system call (do_brk() function) ...

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2 ...

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing function return value check of internal functions a local attacker can gain root privileges. For the stable distribution (woody) this problem has been fixed in version ...

Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the mips kernel 2.4.19 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: CAN-2003-0961: An integer overflow in brk() system call (do_brk() function) ...

Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PA-RISC kernel 2.4.18 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: CAN-2003-0961: An integer overflow in brk() system call (do_brk() functi ...

Several security related problems have been fixed in the Linux kernel 2.4.17 used for the S/390 architecture, mostly by backporting fixes from 2.4.18 and incorporating recent security fixes. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project: CVE-2002-0429: The iBCS routines in a ...

Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the PowerPC/Apus kernel for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update: CAN-2003-0961: An integer overflow in brk() system call (do_brk() function ...

Exploits

/*
 * Proof-of-concept exploit code for do_mremap() #2
 *
 * EDB Note: This is NOT to be confused with CVE-2003-0985 // www.exploit-db.com/exploits/141/, which would be "do_mremap() #1"
 * EDB Note: This will just "test" the vulnerability. An exploit version can be found here ~ www.exploit-db.com/exploits/160/
 *
 * Copyright ( ...

/*
 * mremap missing do_munmap return check kernel exploit
 *
 * gcc -O3 -static -fomit-frame-pointer mremap_pte.c -o mremap_pte
 * ./mremap_pte [suid] [[shell]]
 *
 * Vulnerable kernel versions are all <= 2.2.25, <= 2.4.24 and <= 2.6.2
 *
 * Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDU ...

References

CWE: NVD-CWE-Other

http://www.debian.org/security/2004/dsa-439
http://www.securityfocus.com/bid/9686
http://security.gentoo.org/glsa/glsa-200403-02.xml
http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0040.html
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000820
http://www.debian.org/security/2004/dsa-438
http://www.debian.org/security/2004/dsa-440
http://www.debian.org/security/2004/dsa-441
http://www.debian.org/security/2004/dsa-442
http://www.debian.org/security/2004/dsa-444
http://www.debian.org/security/2004/dsa-450
http://www.debian.org/security/2004/dsa-453
http://www.debian.org/security/2004/dsa-454
http://www.debian.org/security/2004/dsa-456
http://www.debian.org/security/2004/dsa-466
http://www.debian.org/security/2004/dsa-470
http://www.debian.org/security/2004/dsa-514
http://www.debian.org/security/2004/dsa-475
http://fedoranews.org/updates/FEDORA-2004-079.shtml
http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:015
http://www.redhat.com/support/errata/RHSA-2004-065.html
http://www.redhat.com/support/errata/RHSA-2004-066.html
http://www.redhat.com/support/errata/RHSA-2004-069.html
http://www.redhat.com/support/errata/RHSA-2004-106.html
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.404734
http://www.novell.com/linux/security/advisories/2004_05_linux_kernel.html
http://www.kb.cert.org/vuls/id/981222
http://www.ciac.org/ciac/bulletins/o-082.shtml
http://www.osvdb.org/3986
http://marc.info/?l=bugtraq&m=107712137732553&w=2
http://marc.info/?l=bugtraq&m=107755871932680&w=2
http://marc.info/?l=bugtraq&m=107711762014175&w=2
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A837
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A825
https://exchange.xforce.ibmcloud.com/vulnerabilities/15244
https://nvd.nist.gov
https://www.exploit-db.com/exploits/154/
https://www.kb.cert.org/vuls/id/981222