Exploit Database - Logo

Linux Kernel (x86-64) - Rowhammer Privilege Escalation

EDB-ID: 36310 Author: Google Security Research Published: 2015-03-09
CVE: CVE-2015-0565 Type: Local Platform: Linux_x86-64
E-DB Verified: Verified Exploit: Download Exploit Code Download / View Raw Vulnerable App: N/A
« Previous Exploit Next Exploit » 
Sources:
http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://code.google.com/p/google-security-research/issues/detail?id=283

Full PoC: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/36310.tar.gz

This is a proof-of-concept exploit that is able to gain kernel
privileges on machines that are susceptible to the DRAM "rowhammer"
problem.  It runs as an unprivileged userland process on x86-64 Linux.
It works by inducing bit flips in page table entries (PTEs).

For development purposes, the exploit program has a test mode in which
it induces a bit flip by writing to /dev/mem.  qemu_runner.py will run
the exploit program in test mode in a QEMU VM.  It assumes that
"bzImage" (in the current directory) is a Linux kernel image that was
built with /dev/mem enabled (specifically, with the the
CONFIG_STRICT_DEVMEM option disabled).

Mark Seaborn
mseaborn@chromium.org
March 2015
« Previous Exploit Next Exploit »

Related Exploits

Trying to match CVEs (1): CVE-2015-0565
Trying to match OSVDBs (1): 119442
Other Possible E-DB Search Terms: Linux Kernel (x86-64),  Linux Kernel
Date D V Title Author
2016-07-29 Verified Linux Kernel (ARM/ARM64) - 'perf_event_open()' Arbitrary Memory ReadGoogle Secu...
2016-05-04 Verified Linux Kernel (Ubuntu 14.04.3) - 'perf_event_open()' Can Race with execve() (Access /etc/shadow)Google Secu...
2015-08-07 Waiting verification Linux Kernel (x86) - Memory Sinkhole Privilege EscalationChristopher...
2017-10-17 Waiting verification Linux Kernel - 'AF_PACKET' Use-After-FreeSecuriTeam
2016-02-26 Verified Linux Kernel - io_submit L2TP sendmsg Integer OverflowGoogle Secu...
2010-11-10 Waiting verification Linux Kernel 2.4.0 - Stack InfoleaksDan Rosenberg
2004-12-16 Verified Linux Kernel 2.4.28/2.6.9 - Memory Leak Local Denial of ServiceGeorgi Guni...
2004-04-12 Verified Linux Kernel 2.4/2.6 - Sigqueue Blocking Denial of ServiceNikita V. Y...
2005-03-30 Verified Linux Kernel 2.6.10 - File Lock Local Denial of ServiceChoiX
2005-03-29 Verified Linux Kernel 2.6.10 - Local Denial of ServiceChoiX
2007-03-05 Verified Linux Kernel 2.6.17 - 'Sys_Tee' Local Privilege EscalationMichael Ker...
2006-07-15 Verified Linux Kernel 2.6.17.4 - 'proc' Local Privilege Escalationh00lyshit
2009-12-23 Verified Linux Kernel 2.6.18 < 2.6.18-20 - Local Privilege EscalationDigitALL
2008-12-14 Verified Linux Kernel 2.6.27.7-generic/2.6.18/2.6.24-1 - Local Denial of ServiceAdurit-T
2009-05-14 Verified Linux Kernel 2.6.29 - 'ptrace_attach()' Race Condition Privilege Escalationprdelka
2016-11-23 Waiting verification Linux Kernel 2.6.32-642/3.16.0-4 - 'inode' Integer OverflowTodor Donev
2009-10-04 Waiting verification Linux Kernel 2.6.32-rc1 (x86-64) - Register Leakspender
2004-12-07 Verified Linux Kernel 2.6.x - 'AIO_Free_Ring' Local Denial of ServiceDarrick J. ...
2010-02-02 Verified Linux Kernel 2.6.x - KVM 'pit_ioport_read()' Local Denial of ServiceMarcelo Tos...
2013-03-13 Verified Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege EscalationSebastian K...
2011-11-07 Verified Linux Kernel 3.0.4 - '/proc/interrupts' Password Length Local Information DisclosureVasiliy Kul...
2013-06-05 Verified Linux Kernel 3.0.5 - 'test_root()' Local Denial of ServiceJonathan Sa...
2016-03-09 Waiting verification Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - 'cdc_acm' Nullpointer DereferenceOpenSource ...
2016-03-09 Waiting verification Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - 'cypress_m8' Nullpointer DereferenceOpenSource ...
2015-10-15 Verified Linux Kernel 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypasssoyer
Menu