Vulnerability Details : CVE-2009-2692
Public exploit exists!
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
Vulnerability category: Memory Corruption
Threat overview for CVE-2009-2692
Top countries where our scanners detected CVE-2009-2692
Top open port discovered on systems with this issue
52869
IPs affected by CVE-2009-2692 42,316
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2009-2692!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2009-2692
Probability of exploitation activity in the next 30 days: 0.05%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 14 % EPSS Score History EPSS FAQ
Metasploit modules for CVE-2009-2692
-
Linux Kernel Sendpage Local Privilege Escalation
Disclosure Date: 2009-08-13First seen: 2020-04-26exploit/linux/local/sock_sendpageThe Linux kernel failed to properly initialize some entries in the proto_ops struct for several protocols, leading to NULL being dereferenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the
CVSS scores for CVE-2009-2692
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.2
|
HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
3.9
|
10.0
|
NIST |
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2009-2692
-
The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Assigned by: nvd@nist.gov (Primary)
-
The product uses or accesses a resource that has not been initialized.Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-2692
-
Red Hat 2009-09-14Red Hat is aware of this issue. Please see http://kbase.redhat.com/faq/docs/DOC-18065. Updates for Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG to correct this issue are available: https://rhn.redhat.com/cve/CVE-2009-2692.html
-
http://www.securityfocus.com/archive/1/505751/100/0/threaded
Broken Link;Third Party Advisory;VDB Entry
-
http://www.securityfocus.com/archive/1/512019/100/0/threaded
Broken Link;Third Party Advisory;VDB Entry
-
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
Broken Link;Exploit
-
http://secunia.com/advisories/36289
About Secunia Research | FlexeraBroken Link;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2009/08/14/1
oss-security - CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privescMailing List;Patch
-
http://secunia.com/advisories/37298
About Secunia Research | FlexeraBroken Link;Vendor Advisory
-
http://www.securityfocus.com/bid/36038
Linux Kernel 'sock_sendpage()' NULL Pointer Dereference VulnerabilityBroken Link;Exploit;Third Party Advisory;VDB Entry
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591
404 Not FoundBroken Link
-
http://www.debian.org/security/2009/dsa-1865
[SECURITY] [DSA 1865-1] New Linux 2.6.18 packages fix several vulnerabilitiesMailing List;Third Party Advisory
-
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
VMSA-2009-0016.6Third Party Advisory
-
http://www.vupen.com/english/advisories/2009/3316
Webmail: access your OVH emails on ovhcloud.com | OVHcloudBroken Link;Vendor Advisory
-
http://secunia.com/advisories/36430
About Secunia Research | FlexeraBroken Link;Vendor Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2009:015 - openSUSE Security Announce - openSUSE Mailing ListsMailing List
-
https://bugzilla.redhat.com/show_bug.cgi?id=516949
516949 – (CVE-2009-2692) CVE-2009-2692 kernel: uninit op in SOCKOPS_WRAP() leads to privescIssue Tracking;Patch
-
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121
Broken Link
-
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
-
http://www.vupen.com/english/advisories/2009/2272
Webmail: access your OVH emails on ovhcloud.com | OVHcloudBroken Link;Patch;Vendor Advisory
-
http://www.exploit-db.com/exploits/19933
Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Escalation (Metasploit) - Linux local ExploitExploit;Third Party Advisory;VDB Entry
-
http://secunia.com/advisories/36278
About Secunia Research | FlexeraBroken Link;Vendor Advisory
-
http://support.avaya.com/css/P8/documents/100067254
ASA-2009-464 (RHSA-2009-1469)Third Party Advisory
-
http://zenthought.org/content/file/android-root-2009-08-16-source
Zenthought.orgBroken Link
-
http://secunia.com/advisories/36327
About Secunia Research | FlexeraBroken Link;Vendor Advisory
-
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5
404: File not foundBroken Link;Vendor Advisory
-
http://grsecurity.net/~spender/wunderbar_emporium.tgz
404 Not FoundBroken Link
-
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5
404: File not foundBroken Link;Vendor Advisory
-
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
cr0 blog: Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692)Exploit;Issue Tracking
-
http://rhn.redhat.com/errata/RHSA-2009-1222.html
RHSA-2009:1222 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
MandrivaBroken Link
-
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git%3Ba=commit%3Bh=c18d0fe535a73b219f960d1af3d0c264555a12e3
Broken Link
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526
404 Not FoundBroken Link
-
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commit;h=c18d0fe535a73b219f960d1af3d0c264555a12e3
-
http://secunia.com/advisories/37471
About Secunia Research | FlexeraBroken Link;Vendor Advisory
-
http://www.exploit-db.com/exploits/9477
Linux Kernel 2.x (Android) - 'sock_sendpage()' Local Privilege Escalation - Android local ExploitThird Party Advisory;VDB Entry
-
http://www.securityfocus.com/archive/1/507985/100/0/threaded
Broken Link;Third Party Advisory;VDB Entry
-
http://rhn.redhat.com/errata/RHSA-2009-1223.html
RHSA-2009:1223 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.securityfocus.com/archive/1/505912/100/0/threaded
Broken Link;Third Party Advisory;VDB Entry
-
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
404: File not foundBroken Link;Vendor Advisory
-
https://issues.rpath.com/browse/RPL-3103
Broken Link
-
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e694958388c50148389b0e9b9e9e8945cf0f1b98
Broken Link
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657
404 Not FoundBroken Link
-
http://www.redhat.com/support/errata/RHSA-2009-1233.html
SupportBroken Link
- cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:5.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:4.8:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:5.3:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_real_time:10:*:*:*:*:*:*:*