CVE-2009-2692

Published: 14/08/2009 Updated: 10/10/2018
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
VMScore: 809
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Linux kernel 2.6.0 up to and including 2.6.30.4, and 2.4.4 up to and including 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

Vulnerable Products

Linux kernel 2.4: 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.30, 2.4.31, 2.4.32, 2.4.33, 2.4.33.2, 2.4.33.3, 2.4.33.4, 2.4.33.5, 2.4.33.7, 2.4.34, 2.4.35.3, 2.4.36, 2.4.36.1, 2.4.36.2, 2.4.36.3, 2.4.36.4, 2.4.36.5, 2.4.36.6, 2.4.36.7, 2.4.36.8, 2.4.37, 2.4.37.1

Linux kernel 2.6: 2.6, 2.6.0, 2.6.1, 2.6.10, 2.6.11, 2.6.11.1, 2.6.11.2, 2.6.11.3, 2.6.11.4, 2.6.11.5, 2.6.11.6, 2.6.11.7, 2.6.11.8, 2.6.11.9, 2.6.11.10, 2.6.11.11, 2.6.11.12, 2.6.12, 2.6.12.1, 2.6.12.2, 2.6.12.3, 2.6.12.4, 2.6.12.5, 2.6.12.6, 2.6.13, 2.6.13.1, 2.6.13.2, 2.6.13.3, 2.6.13.4, 2.6.13.5, 2.6.14, 2.6.14.1, 2.6.14.2, 2.6.14.3, 2.6.14.4, 2.6.14.5, 2.6.14.6, 2.6.14.7, 2.6.15, 2.6.15.1, 2.6.15.2, 2.6.15.3, 2.6.15.4, 2.6.15.5, 2.6.15.6, 2.6.15.7, 2.6.16, 2.6.16.1, 2.6.16.2, 2.6.16.10, 2.6.16.11, 2.6.16.12, 2.6.16.13, 2.6.16.14, 2.6.16.15, 2.6.16.16, 2.6.16.17, 2.6.16.18, 2.6.16.19, 2.6.16.20, 2.6.16.21, 2.6.16.22, 2.6.16.23, 2.6.16.24, 2.6.16.25, 2.6.16.26, 2.6.16.27, 2.6.16.28, 2.6.24.7, 2.6.25.15, 2.6.30, 2.6.30.1, 2.6.30.2, 2.6.30.4

Vendor Advisories

Tavis Ormandy and Julien Tinnes discovered that Linux did not correctly initialize certain socket operation function pointers. A local attacker could exploit this to gain root privileges. By default, Ubuntu 8.04 and later with a non-zero /proc/sys/vm/mmap_min_addr setting were not vulnerable ...
A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem: CVE-2009-2692 Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exp ...
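An added example that is not from the Vulmon record or from any advisory quoted on it: a POSIX shell check that tests a `uname -r` string against the affected ranges the summary names (2.4.4 to 2.4.37.4, 2.6.0 to 2.6.30.4) and reads vm.mmap_min_addr, the setting the Ubuntu advisory cites as the reason its defaults were not vulnerable. The function names are my own, and the version test has the limit the Linux Exploit Suggester entry on this page admits: a vendor kernel with a backported fix keeps an old version string, so "exposed" here means "compare against the vendor advisory", not proof of exposure.

```shell
#!/bin/sh
# Added example (not code from the Vulmon page or any vendor advisory).
# Classifies a kernel release string against the CVE-2009-2692 affected
# ranges and reads vm.mmap_min_addr, the mitigation the Ubuntu advisory cites.

# Compare two dotted version strings numerically; echoes -1, 0 or 1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" = "$a" ] && a="" || a=${a#*.}
        [ "$y" = "$b" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}          # missing trailing component counts as 0
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# True (0) when the numeric prefix of a `uname -r` string lies in
# 2.4.4..2.4.37.4 or 2.6.0..2.6.30.4. The distribution suffix
# (e.g. "-8.1.1.el5" or "-3-386") is stripped before comparing.
version_in_range() {
    v=${1%%[!0-9.]*}
    case $v in
        2.4.*) lo=2.4.4; hi=2.4.37.4 ;;
        2.6.*) lo=2.6.0; hi=2.6.30.4 ;;
        *)     return 1 ;;
    esac
    [ "$(vercmp "$v" "$lo")" -ge 0 ] && [ "$(vercmp "$v" "$hi")" -le 0 ]
}

# True (0) when mmap_min_addr is non-zero, i.e. userspace may not map page
# zero. $1 overrides the sysctl path so the check can run on a saved value.
mmap_min_addr_set() {
    f=${1:-/proc/sys/vm/mmap_min_addr}
    [ -r "$f" ] || return 1
    v=$(cat "$f")
    [ "${v:-0}" -gt 0 ]
}

# Prints one of: exposed, mitigated, not-in-range.
assess() {
    if version_in_range "$1"; then
        if mmap_min_addr_set "$2"; then echo mitigated; else echo exposed; fi
    else
        echo not-in-range
    fi
}

# Stand-alone run against the live host.
assess "$(uname -r)"
```

The exploit descriptions on this page mention ways around mmap_min_addr (SELinux types with mmap_zero permission, the personality trick), so a "mitigated" result still calls for the vendor kernel update.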

Exploits

Source for exploiting CVE-2009-2692 on Android; Hole is closed in Android kernels released August 2009 or later zenthought.org/content/file/android-root-2009-08-16-source Exploit-DB Mirror: github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/9477.tar.gz (android-root-20090816.tar.gz) # milw0rm.com [2009-08-1 ...
/* * Linux sock_sendpage() NULL pointer dereference * Copyright 2009 Ramon de Carvalho Valle <ramon@risesecurity.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * ...
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # metasploit.com/ ## require 'msf/core' require 'rex' require 'msf/core/post/common' require 'msf/core/post/file' require 'msf/core/ ...
> Linux NULL pointer dereference due to incorrect proto_ops initializations > > ------------------------------------------------------------------------- Quick and dirty exploit for this one: www.frasunek.com/proto_ops.tgz Exploit-DB Mirror: github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/9436.tg ...
/* ** ** 0x82-CVE-2009-2692 ** Linux kernel 2.4/2.6 (32bit) sock_sendpage() local ring0 root exploit (simple ver) ** Tested RedHat Linux 9.0, Fedora core 4~11, Whitebox 4, CentOS 4.x ** ** -- ** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team ** spender and venglin's code is very excellent ** Thankful to them ** ** Gre ...
/* dedicated to my best friend in the whole world, Robin Price the joke is in your hands just too easy -- some nice library functions for reuse here though credits to julien tinnes/tavis ormandy for the bug may want to remove the __attribute__((regparm(3))) for 2.4 kernels, I have no time to test spender@www:~$ cat redhat_hehe I ...
This is the second version of the Linux sock_sendpage() NULL pointer dereference exploit. Now, it also works with Linux kernel versions which implement COW credentials (e.g. Fedora 11). For SELinux enforced systems, it automatically searches in the SELinux policy rules for types with mmap_zero permission it can transition to, and tries to exploit the sys ...
This third version features: Complete support for i386, x86_64, ppc and ppc64; The personality trick published by Tavis Ormandy and Julien Tinnes; The TOC pointer workaround for data item addressing on ppc64 (i.e. functions in exploit code and libc can be referenced); Improved search and transition to SELinux types with mmap_zero permission http ...

Mailing Lists

Linux kernel versions 2.4 and 2.6 (32-bit) sock_sendpage() local ring0 root exploit. The author tested this on RedHat Linux 9.0, Fedora core 4~11, Whitebox 4, and CentOS 4.x ...

Metasploit Modules

Linux Kernel Sendpage Local Privilege Escalation

The Linux kernel failed to properly initialize some entries in the proto_ops struct for several protocols, leading to NULL being dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4. This module has been tested successfully on CentOS 5.0 (i386) with kernel version 2.6.18-8.1.1.tl5; and Debian 3.1r8 Sarge (i686) with kernel version 2.4.27-3-386.

msf > use exploit/linux/local/sock_sendpage
msf exploit(sock_sendpage) > show targets
    ...targets...
msf exploit(sock_sendpage) > set TARGET <target-id>
msf exploit(sock_sendpage) > show options
    ...show and set options...
msf exploit(sock_sendpage) > exploit

Github Repositories

Pull requests welcome. Preparing your environment: Clone the following repositories: github.com/superkojiman/onetwopunch - Wrapper around nmap/unicorn scanner; github.com/AutoRecon/AutoRecon - Another recon script; github.com/codingo/Reconnoitre - Recon script with suggested follow-up commands; github.com/jivoi/pentest - Fully automated recon https:

Linux Null pointer dereference

CVE-2009-2692 Linux Null pointer dereference. This is just the compiled binary of the code available in www.exploit-db.com/exploits/9545/. Compiled for education purposes. It was compiled under CentOS 4.8.

iknowthis Linux SystemCall Fuzzer. NOTE: This is a very old fuzzer; it was used to find some pretty important vulnerabilities back in 2009-2010, but has since been superseded by other fuzzers like syzkaller and trinity. Among many interesting discoveries, the most important was perhaps CVE-2009-2692, which was later found in the shadow brokers release as the EXACTCHANGE exploi

Some kernel exploits I wrote

Some kernel exploits I wrote: CVE-2009-2692-sock_sendpage.c CVE-2009-2698-udp_sendmsg.c Intel_sysret.c can_bcm_exp.c csaw.c nfs_mount.c perf_exp.c perf_stack.c

Linux_Exploit_Suggester Linux Exploit Suggester; based on operating system release number. This program, run without arguments, will perform a 'uname -r' to grab the Linux Operating System release version, and return a suggestive list of possible exploits. Nothing fancy, so a patched/back-ported patch may fool this script. Additionally possible to provide '-k

linux-kernel-exploits Introduction linux-kernel-exploits Vulnerability list #CVE  #Description  #Kernels CVE-2017-1000367  [Sudo] (Sudo 1.8.6p7 - 1.8.20) CVE-2017-1000112  [a memory corruption due to UFO to non-UFO path switch] CVE-2017-7494  [Samba Remote execution] (Samba 3.5.0-4.6.4/4.5.10/4.4.14) CVE-2017-7308  [a signedness issue in AF_PACKET sockets]

Linux kernel EoP exp

linux-kernel-exploits Introduction: Builds on the GitHub project github.com/SecWiki/linux-kernel-exploits by adding privilege escalation exploits from the last few years; the information about each vulnerability is collected in the README.md in that vulnerability's folder. During red team engagements, the script github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh can be used to assess which privilege

linux-kernel-exploits Introduction linux-kernel-exploits Vulnerability list #CVE  #Description  #Kernels CVE-2018-1000001  [glibc] (glibc <= 2.26) CVE-2017-1000367  [Sudo] (Sudo 1.8.6p7 - 1.8.20) CVE-2017-1000112  [a memory corruption due to UFO to non-UFO path switch] CVE-2017-16995  [Memory corruption caused by BPF verifier] (Linux kern

linux-kernel-exploits Introduction linux-kernel-exploits Vulnerability list #CVE  #Description  #Kernels CVE-2018-18955  [map_write() in kernel/user_namespace.c allows privilege escalation] (Linux kernel 4.15.x through 4.19.x before 4.19.2) CVE-2018-1000001  [glibc] (glibc <= 2.26) CVE-2017-1000367  [Sudo] (Sudo 1.8.6p7 - 1.8.20)

linux-kernel-exploits: a collection of privilege escalation vulnerabilities for the Linux platform

Localroot-ALL-CVE~

Localroot Collection Linux 2001 // CVE N/A | Sudo prompt overflow in v1.5.7 to 1.6.5p2 2002 // CVE-2003-0961 | Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation 2003 // CVE-2003-0127 | Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation CVE-2003-0961 | Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Es

Great article related to Linux kernel fuzzing and exploitation

Linux-Kernel-exploit Great article related to Linux kernel fuzzing and exploitation. Pull requests are welcome. Books 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani. Exploitation techniques 2017: "New Reliable Android Kernel Root Exploitation Techniques" [slides] 2017: "Unleashing Use-Before-Initializati

Not ready yet

Linux Kernel Exploitation. Some exploitation methods and techniques are outdated and don't work anymore on newer kernels. Pull requests are welcome. Books 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani. Exploitation techniques 2018: "Linux-Kernel-Exploit Stack Smashing" [article] 2018, HitB: "Mirror

Linux Kernel Exploitation. Pull requests are welcome. Books 2014: "Android Hacker's Handbook" by Joshua J. Drake 2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani. Workshops 2020: "Android Kernel Exploitation" by Ashfaq Ansari [workshop]. Exploitation Techniques 2020: "Structures that can be u

Android Security Resources.

All collection-type projects. Android: Android security resource collection, first edition. 600+ tools, 1500+ articles. English Version. Contents: Resource collections (11) GitHub repos. Well-known analysis tools: ClassyShark -> (3) tools (7) articles; jeb -> (14) tools (50) articles; enjarify -> (2) tools (1) article; androguard -> (5) tools (14) articles; jadx -> (3) tools (3) articles; jd-gui

References

CWE-119
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commit;h=c18d0fe535a73b219f960d1af3d0c264555a12e3
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
http://grsecurity.net/~spender/wunderbar_emporium.tgz
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
http://rhn.redhat.com/errata/RHSA-2009-1222.html
http://rhn.redhat.com/errata/RHSA-2009-1223.html
http://secunia.com/advisories/36278
http://secunia.com/advisories/36289
http://secunia.com/advisories/36327
http://secunia.com/advisories/36430
http://secunia.com/advisories/37298
http://secunia.com/advisories/37471
http://support.avaya.com/css/P8/documents/100067254
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121
http://www.debian.org/security/2009/dsa-1865
http://www.exploit-db.com/exploits/19933
http://www.exploit-db.com/exploits/9477
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
http://www.openwall.com/lists/oss-security/2009/08/14/1
http://www.redhat.com/support/errata/RHSA-2009-1233.html
http://www.securityfocus.com/archive/1/505751/100/0/threaded
http://www.securityfocus.com/archive/1/505912/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/archive/1/512019/100/0/threaded
http://www.securityfocus.com/bid/36038
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/2272
http://www.vupen.com/english/advisories/2009/3316
http://zenthought.org/content/file/android-root-2009-08-16-source
https://bugzilla.redhat.com/show_bug.cgi?id=516949
https://issues.rpath.com/browse/RPL-3103
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657
https://www.rapid7.com/db/vulnerabilities/ubuntu-USN-819-1
https://usn.ubuntu.com/819-1/
https://nvd.nist.gov
https://www.exploit-db.com/exploits/9477/