CVE-2009-2692

Published: 14/08/2009 Updated: 08/02/2024
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
VMScore: 761

Vulnerability Summary

The Linux kernel 2.6.0 up to and including 2.6.30.4, and 2.4.4 up to and including 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

Vulnerable Products

linux linux kernel

debian debian linux 4.0

suse linux enterprise real time 10

redhat enterprise linux server 5.0

redhat enterprise linux workstation 5.0

redhat enterprise linux desktop 4.0

redhat enterprise linux desktop 5.0

redhat enterprise linux server 4.0

redhat enterprise linux workstation 4.0

redhat enterprise linux server aus 5.3

redhat enterprise linux eus 5.3

redhat enterprise linux eus 4.8

Vendor Advisories

Tavis Ormandy and Julien Tinnes discovered that Linux did not correctly initialize certain socket operation function pointers. A local attacker could exploit this to gain root privileges. By default, Ubuntu 8.04 and later with a non-zero /proc/sys/vm/mmap_min_addr setting were not vulnerable ...
A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem: CVE-2009-2692. Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exp ...

Exploits

Linux kernel versions 2.4 and 2.6 (32bit) sock_sendpage() local ring0 root exploit. The author tested this on RedHat Linux 9.0, Fedora core 4~11, Whitebox 4, and CentOS 4.x ...
/* ** ** 0x82-CVE-2009-2692 ** Linux kernel 2.4/2.6 (32bit) sock_sendpage() local ring0 root exploit (simple ver) ** Tested RedHat Linux 9.0, Fedora core 4~11, Whitebox 4, CentOS 4.x ** ** -- ** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team ** spender and venglin's code is very excellent ** Thankful to them ** ** Gre ...
This third version features: Complete support for i386, x86_64, ppc and ppc64; The personality trick published by Tavis Ormandy and Julien Tinnes; The TOC pointer workaround for data items addressing on ppc64 (i.e. functions on exploit code and libc can be referenced); Improved search and transition to SELinux types with mmap_zero permission http ...
/* * Linux sock_sendpage() NULL pointer dereference * Copyright 2009 Ramon de Carvalho Valle <ramon@risesecurity.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * ...
> Linux NULL pointer dereference due to incorrect proto_ops initializations > > ------------------------------------------------------------------------- Quick and dirty exploit for this one: www.frasunek.com/proto_ops.tgz Exploit-DB Mirror: github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/9436.tg ...
This is the second version of the Linux sock_sendpage() NULL pointer dereference exploit. Now, it also works with Linux kernel versions which implement COW credentials (e.g. Fedora 11). For SELinux enforced systems, it automatically searches in the SELinux policy rules for types with mmap_zero permission it can transition to, and tries to exploit the sys ...
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # metasploit.com/ ## require 'msf/core' require 'rex' require 'msf/core/post/common' require 'msf/core/post/file' require 'msf/core/ ...
/* dedicated to my best friend in the whole world, Robin Price the joke is in your hands just too easy -- some nice library functions for reuse here though credits to julien tinnes/tavis ormandy for the bug may want to remove the __attribute__((regparm(3))) for 2.4 kernels, I have no time to test spender@www:~$ cat redhat_hehe I ...
Source for exploiting CVE-2009-2692 on Android; Hole is closed in Android kernels released August 2009 or later. zenthought.org/content/file/android-root-2009-08-16-source Exploit-DB Mirror: github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/9477.tar.gz (android-root-20090816.tar.gz) # milw0rm.com [2009-08-1 ...

Github Repositories

iknowthis Linux SystemCall Fuzzer

iknowthis Linux SystemCall Fuzzer. NOTE: This is a very old fuzzer; it was used to find some pretty important vulnerabilities back in 2009-2010, but has since been superseded by other fuzzers like syzkaller and trinity. Among many interesting discoveries, the most important was perhaps CVE-2009-2692, which was later found in the shadow brokers release as the EXACTCHANGE exploi

Pull requests welcome. Preparing your environment: Clone the following repositories: github.com/superkojiman/onetwopunch - Wrapper around nmap/unicorn scanner; github.com/AutoRecon/AutoRecon - Another recon script; github.com/codingo/Reconnoitre - Recon script with suggested follow-up commands; github.com/jivoi/pentest - Fully automated recon https:

Linux Null pointer dereference

CVE-2009-2692 Linux Null pointer dereference. This is just the compiled binary of the code available at www.exploit-db.com/exploits/9545/. Compiled for education purposes. It was compiled under CentOS 4.8.

Some kernel exploits I wrote

Some kernel exploits I wrote: CVE-2009-2692-sock_sendpage.c, CVE-2009-2698-udp_sendmsg.c, Intel_sysret.c, can_bcm_exp.c, csaw.c, nfs_mount.c, perf_exp.c, perf_stack.c

References

CWE-908
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
http://www.securityfocus.com/bid/36038
http://grsecurity.net/~spender/wunderbar_emporium.tgz
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5
http://secunia.com/advisories/36327
http://www.vupen.com/english/advisories/2009/2272
http://www.debian.org/security/2009/dsa-1865
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5
http://secunia.com/advisories/36289
https://issues.rpath.com/browse/RPL-3103
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121
http://zenthought.org/content/file/android-root-2009-08-16-source
http://secunia.com/advisories/36430
http://rhn.redhat.com/errata/RHSA-2009-1223.html
http://rhn.redhat.com/errata/RHSA-2009-1222.html
https://bugzilla.redhat.com/show_bug.cgi?id=516949
http://secunia.com/advisories/36278
http://www.openwall.com/lists/oss-security/2009/08/14/1
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
http://www.redhat.com/support/errata/RHSA-2009-1233.html
http://support.avaya.com/css/P8/documents/100067254
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/3316
http://secunia.com/advisories/37471
http://secunia.com/advisories/37298
http://www.exploit-db.com/exploits/19933
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526
http://www.exploit-db.com/exploits/9477
http://www.securityfocus.com/archive/1/512019/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/archive/1/505912/100/0/threaded
http://www.securityfocus.com/archive/1/505751/100/0/threaded
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e694958388c50148389b0e9b9e9e8945cf0f1b98
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git%3Ba=commit%3Bh=c18d0fe535a73b219f960d1af3d0c264555a12e3
https://usn.ubuntu.com/819-1/
https://nvd.nist.gov
https://www.exploit-db.com/exploits/9479/