CVSS v2: 6.9

CVE-2014-4699

Published: 09/07/2014 Updated: 16/02/2024
CVSS v2 Base Score: 6.9 | Impact Score: 10 | Exploitability Score: 3.4
VMScore: 696
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Linux kernel prior to 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.

Vulnerability Trend


linux linux kernel

debian debian linux 7.0

canonical ubuntu linux 13.10

canonical ubuntu linux 12.04

canonical ubuntu linux 14.04

canonical ubuntu linux 10.04

Vendor Advisories

Andy Lutomirski discovered that the ptrace syscall was not verifying the RIP register to be valid in the ptrace API on x86_64 processors. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation. For the stable distribution (wheezy), this problem has been fixed in version 3.2.60-1+deb ...
It was found that the Linux kernel's ptrace subsystem allowed a traced process' instruction pointer to be set to a non-canonical memory address without forcing the non-sysret code path when returning to user space. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. Note: The ...
The system could be made to crash or run programs as an administrator ...
Several security issues were fixed in the kernel ...

Exploits

/**
 * CVE-2014-4699 ptrace/sysret PoC
 * by Vitaly Nikolenko
 * vnik@hashcrack.org
 *
 * > gcc -O2 poc_v0.c
 *
 * This code is kernel specific. On Ubuntu 12.04.0 LTS (3.2.0-23-generic), the
 * following will trigger the #GP in sysret and overwrite the #PF handler so we
 * can land to our NOP sled mapped at 0x80000000.
 * However, once landed, t ...
Linux Kernel ptrace/sysret local privilege escalation proof of concept exploit ...

Github Repositories


My old sysret / ptrace PoC

Writeup: duasynt.com/blog/cve-2014-4699-linux-kernel-ptrace-sysret-analysis

References

CWE-362

http://www.openwall.com/lists/oss-security/2014/07/04/4
http://openwall.com/lists/oss-security/2014/07/08/5
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.4
http://openwall.com/lists/oss-security/2014/07/05/4
https://bugzilla.redhat.com/show_bug.cgi?id=1115927
http://openwall.com/lists/oss-security/2014/07/08/16
https://github.com/torvalds/linux/commit/b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a
http://www.ubuntu.com/usn/USN-2269-1
http://www.ubuntu.com/usn/USN-2268-1
http://www.ubuntu.com/usn/USN-2274-1
http://www.ubuntu.com/usn/USN-2273-1
http://www.ubuntu.com/usn/USN-2272-1
http://www.ubuntu.com/usn/USN-2267-1
http://www.ubuntu.com/usn/USN-2271-1
http://www.debian.org/security/2014/dsa-2972
http://www.ubuntu.com/usn/USN-2266-1
http://www.ubuntu.com/usn/USN-2270-1
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.47
http://secunia.com/advisories/59639
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.11
http://secunia.com/advisories/59633
http://secunia.com/advisories/59654
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.97
http://linux.oracle.com/errata/ELSA-2014-0924.html
http://linux.oracle.com/errata/ELSA-2014-3047.html
http://linux.oracle.com/errata/ELSA-2014-3048.html
http://packetstormsecurity.com/files/127573/Linux-Kernel-ptrace-sysret-Local-Privilege-Escalation.html
http://www.exploit-db.com/exploits/34134
http://secunia.com/advisories/60393
http://www.osvdb.org/108754
http://secunia.com/advisories/60220
http://secunia.com/advisories/60380
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a
https://nvd.nist.gov
https://www.debian.org/security/./dsa-2972
https://github.com/vnik5287/cve-2014-4699-ptrace
https://www.exploit-db.com/exploits/34134/
https://access.redhat.com/security/cve/cve-2014-4699
https://usn.ubuntu.com/2273-1/