CVE-2007-4573

Linux Kernel 2.6.x - Ptrace Privilege Escalation

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.

La funcionalidad de emulación de llamada del sistema IA32 en Linux kernel 2.4.x y 2.6.x versiones anteriores a 2.6.22.7, cuando se ejecuta en arquitecturas x86_64, no extiende a cero el registro eax después de ser usada una ruta de entrada 32bit en ptrace, lo cual podría permitir a usuarios locales, obtener privilegios al disparar un acceso fuera de límites en la tabla de llamadas del sistema utilizando el registro %RAX.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2007-08-28 CVE Reserved
2007-09-21 First Exploit
2007-09-24 CVE Published
2024-08-07 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (43)

URL	Tag	Source
http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.35.3	X_refsource_confirm
http://lkml.org/lkml/2007/9/21/513	Mailing List
http://marc.info/?l=full-disclosure&m=119062587407908&w=2	Mailing List
http://secunia.com/advisories/26917	Third Party Advisory
http://secunia.com/advisories/26919	Third Party Advisory
http://secunia.com/advisories/26934	Third Party Advisory
http://secunia.com/advisories/26953	Third Party Advisory
http://secunia.com/advisories/26955	Third Party Advisory
http://secunia.com/advisories/26978	Third Party Advisory
http://secunia.com/advisories/26994	Third Party Advisory
http://secunia.com/advisories/26995	Third Party Advisory
http://secunia.com/advisories/27212	Third Party Advisory
http://secunia.com/advisories/27227	Third Party Advisory
http://secunia.com/advisories/27912	Third Party Advisory
http://secunia.com/advisories/29058	Third Party Advisory
http://securitytracker.com/id?1018748	Vdb Entry
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.7	X_refsource_confirm
http://www.securityfocus.com/archive/1/480451/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/480705/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/25774	Vdb Entry
http://www.vupen.com/english/advisories/2007/3246	Vdb Entry
https://issues.rpath.com/browse/RPL-1754	X_refsource_confirm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9735	Signature

URL	Date	SRC
https://www.exploit-db.com/exploits/30604	2007-09-21
https://www.exploit-db.com/exploits/4460	2007-09-27

URL	Date	SRC
http://lkml.org/lkml/2007/9/21/512	2018-10-15

URL	Date	SRC
http://fedoranews.org/updates/FEDORA-2007-229.shtml	2018-10-15
http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00001.html	2018-10-15
http://www.debian.org/security/2007/dsa-1378	2018-10-15
http://www.debian.org/security/2007/dsa-1381	2018-10-15
http://www.debian.org/security/2008/dsa-1504	2018-10-15
http://www.mandriva.com/security/advisories?name=MDKSA-2007:195	2018-10-15
http://www.mandriva.com/security/advisories?name=MDKSA-2007:196	2018-10-15
http://www.mandriva.com/security/advisories?name=MDVSA-2008:008	2018-10-15
http://www.mandriva.com/security/advisories?name=MDVSA-2008:105	2018-10-15
http://www.novell.com/linux/security/advisories/2007_53_kernel.html	2018-10-15
http://www.redhat.com/support/errata/RHSA-2007-0936.html	2018-10-15
http://www.redhat.com/support/errata/RHSA-2007-0937.html	2018-10-15
http://www.redhat.com/support/errata/RHSA-2007-0938.html	2018-10-15
http://www.ubuntu.com/usn/usn-518-1	2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00355.html	2018-10-15
https://access.redhat.com/security/cve/CVE-2007-4573	2007-09-27
https://bugzilla.redhat.com/show_bug.cgi?id=294541	2007-09-27

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				<= 2.4.35 Search vendor "Linux" for product "Linux Kernel" and version " <= 2.4.35"		x86_64		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				<= 2.6.22.6 Search vendor "Linux" for product "Linux Kernel" and version " <= 2.6.22.6"		x86_64		Affected