Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

None

Privileges Required

Low

Attack Vector

Local

0

CVE-2009-2692

Disclosure Date: August 14, 2009 •

CVE-2009-2692 CVSS v3 Base Score: 7.8

Metasploit Module

Linux Kernel Sendpage Local Privilege Escalation

Description

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

Products

Metasploit Modules

Linux Kernel Sendpage Local Privilege Escalation (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sock_sendpage.rb)

References

Canonical

CVE-2009-2692 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692)

BID-36038 (http://www.securityfocus.com/bid/36038)

Advisory

http://www.redhat.com/support/errata/RHSA-2009-1233.html

SECUNIA-36278 (http://secunia.com/advisories/36278)

DSA-1865 (http://www.debian.org/security/2009/dsa-1865)

http://rhn.redhat.com/errata/RHSA-2009-1223.html

20100625 VMSA-2010-0010 ESX 3.5 third party update for Service Console kernel (http://www.securityfocus.com/archive/1/512019/100/0/threaded)

http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5

SECUNIA-37298 (http://secunia.com/advisories/37298)

http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121

SECUNIA-36430 (http://secunia.com/advisories/36430)

SECUNIA-37471 (http://secunia.com/advisories/37471)

http://rhn.redhat.com/errata/RHSA-2009-1222.html

20090813 Linux NULL pointer dereference due to incorrect proto_ops initializations (http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html)

https://bugzilla.redhat.com/show_bug.cgi?id=516949

https://issues.rpath.com/browse/RPL-3103

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

EXPLOIT-DB-19933 (http://www.exploit-db.com/exploits/19933)

ADV-2009-2272 (http://www.vupen.com/english/advisories/2009/2272)

http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html

20090813 Linux NULL pointer dereference due to incorrect proto_ops initializations (http://www.securityfocus.com/archive/1/505751/100/0/threaded)

http://git.kernel.org?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

SECUNIA-36289 (http://secunia.com/advisories/36289)

20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components (http://www.securityfocus.com/archive/1/507985/100/0/threaded)

SECUNIA-36327 (http://secunia.com/advisories/36327)

http://support.avaya.com/css/P8/documents/100067254

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591

http://git.kernel.org?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commit;h=c18d0fe535a73b219f960d1af3d0c264555a12e3

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526

http://www.mandriva.com/security/advisories?name=MDVSA-2009:233

EXPLOIT-DB-9477 (http://www.exploit-db.com/exploits/9477)

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657

[oss-security] 20090814 CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc (http://www.openwall.com/lists/oss-security/2009/08/14/1)

20090818 rPSA-2009-0121-1 kernel open-vm-tools (http://www.securityfocus.com/archive/1/505912/100/0/threaded)

ADV-2009-3316 (http://www.vupen.com/english/advisories/2009/3316)

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5

Miscellaneous

http://grsecurity.net/~spender/wunderbar_emporium.tgz

http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

http://zenthought.org/content/file/android-root-2009-08-16-source

Rapid7

Technical Analysis