Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2009-2692

Disclosure Date: August 14, 2009
CVE-2009-2692 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
exploit/linux/local/sock_sendpage
Reporter
Unknown

Vendors

  • debian,
  • linux,
  • redhat,
  • suse

Products

  • debian linux 4.0,
  • enterprise linux desktop 4.0,
  • enterprise linux desktop 5.0,
  • enterprise linux eus 4.8,
  • enterprise linux eus 5.3,
  • enterprise linux server 4.0,
  • enterprise linux server 5.0,
  • enterprise linux server aus 5.3,
  • enterprise linux workstation 4.0,
  • enterprise linux workstation 5.0,
  • linux enterprise real time 10,
  • linux kernel

References

Canonical
CVE-2009-2692 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692)
BID-36038 (http://www.securityfocus.com/bid/36038)
Advisory
http://www.redhat.com/support/errata/RHSA-2009-1233.html
SECUNIA-36278 (http://secunia.com/advisories/36278)
DSA-1865 (http://www.debian.org/security/2009/dsa-1865)
http://rhn.redhat.com/errata/RHSA-2009-1223.html
20100625 VMSA-2010-0010 ESX 3.5 third party update for Service Console kernel (http://www.securityfocus.com/archive/1/512019/100/0/threaded)
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5
SECUNIA-37298 (http://secunia.com/advisories/37298)
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121
SECUNIA-36430 (http://secunia.com/advisories/36430)
SECUNIA-37471 (http://secunia.com/advisories/37471)
http://rhn.redhat.com/errata/RHSA-2009-1222.html
20090813 Linux NULL pointer dereference due to incorrect proto_ops initializations (http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html)
https://bugzilla.redhat.com/show_bug.cgi?id=516949
https://issues.rpath.com/browse/RPL-3103
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
EXPLOIT-DB-19933 (http://www.exploit-db.com/exploits/19933)
ADV-2009-2272 (http://www.vupen.com/english/advisories/2009/2272)
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
20090813 Linux NULL pointer dereference due to incorrect proto_ops initializations (http://www.securityfocus.com/archive/1/505751/100/0/threaded)
http://git.kernel.org?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
SECUNIA-36289 (http://secunia.com/advisories/36289)
20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components (http://www.securityfocus.com/archive/1/507985/100/0/threaded)
SECUNIA-36327 (http://secunia.com/advisories/36327)
http://support.avaya.com/css/P8/documents/100067254
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591
http://git.kernel.org?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commit;h=c18d0fe535a73b219f960d1af3d0c264555a12e3
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
EXPLOIT-DB-9477 (http://www.exploit-db.com/exploits/9477)
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657
[oss-security] 20090814 CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privesc (http://www.openwall.com/lists/oss-security/2009/08/14/1)
20090818 rPSA-2009-0121-1 kernel open-vm-tools (http://www.securityfocus.com/archive/1/505912/100/0/threaded)
ADV-2009-3316 (http://www.vupen.com/english/advisories/2009/3316)
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5
Miscellaneous
http://grsecurity.net/~spender/wunderbar_emporium.tgz
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
http://zenthought.org/content/file/android-root-2009-08-16-source

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis