Content

Linux/Exploit-PRCTL

Type
Trojan
SubType
Exploit
Discovery Date
07/14/2006
Length
Varies
Minimum DAT
4807 (07/14/2006)
Updated DAT
4820 (08/02/2006)
Minimum Engine
5.1.00
Description Added
07/14/2006
Description Modified
07/14/2006 8:12 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Linux/Exploit-PRCTL exploits a behavioral flaw in core dump handling in specific Linux 2.6 kernels with suid_dumpable support (CVE-2006-2451). When successfully run, a non-privileged user can attain root user privileges on a Linux machine. This malware may be used in conjunction with other exploits to penetrate Linux servers remotely.

This vulnerability has been patched in the Linux 2.6.17.4 stable release.

More information about this vulnerability at:

 

Symptoms

As the detection searches for generic exploit code rather than a specific payload, it is not possible to list specific symptoms of this threat.

In known variants of this threat, a /tmp/pwned file with the setuid bit enabled is created and executed with root user privileges.
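The two facts above that a defender can act on are the fixed release (2.6.17.4) and the known artifact (a root-owned setuid file at /tmp/pwned). The following host check is an added example written for this page; it is not AVERT's or McAfee's code and is not the detection signature. It compares the running kernel release against 2.6.17.4, treating every 2.6-series release before the fix as potentially affected (an assumption; the page only says "specific Linux 2.6 kernels"), reports whether fs.suid_dumpable is at its default of 0, and scans a directory for root-owned setuid regular files. The SAMPLE_ENTRIES list is constructed test data, not a real capture.

```python
import os
import re
import stat
from typing import Dict, Iterable, Iterator, List, Tuple

# Release in which the page says the flaw was fixed.
PATCHED_RELEASE = (2, 6, 17, 4)

# Leading numeric part of a uname -r string, e.g. "2.6.18-1-amd64" -> 2.6.18
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")

# (path, st_mode, st_uid) as returned by lstat; constructed tuples work too.
Entry = Tuple[str, int, int]

# Constructed sample directory listing (not from a real system): one root-owned
# setuid binary matching the page's indicator, one plain file, one setuid file
# owned by an ordinary user, and a root-owned symlink.
SAMPLE_ENTRIES: List[Entry] = [
    ("/tmp/pwned", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    ("/tmp/notes.txt", stat.S_IFREG | 0o644, 1000),
    ("/tmp/mine", stat.S_IFREG | stat.S_ISUID | 0o755, 1000),
    ("/tmp/link", stat.S_IFLNK | 0o777, 0),
]


def parse_release(release: str) -> Tuple[int, int, int, int]:
    """Parse a kernel release string into a comparable 4-tuple (missing parts are 0)."""
    m = _RELEASE_RE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, sub = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch, sub)


def is_affected_version(release: str) -> bool:
    """True for a 2.6-series kernel older than the 2.6.17.4 fix.

    Assumption: every 2.6 release before the fix is treated as potentially
    affected, because the page only says "specific Linux 2.6 kernels".
    """
    v = parse_release(release)
    return v[:2] == (2, 6) and v < PATCHED_RELEASE


def suid_dumpable_is_default(value: str) -> bool:
    """fs.suid_dumpable == 0 (the default) means set-user-ID processes never dump core."""
    return value.strip() == "0"


def walk_entries(directory: str) -> Iterator[Entry]:
    """Yield (path, mode, uid) for every file below directory without following symlinks."""
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield (path, st.st_mode, st.st_uid)


def find_setuid_root(entries: Iterable[Entry]) -> List[str]:
    """Paths of regular files owned by root that carry the setuid bit.

    Symlinks and files owned by other users are ignored: the page's artifact is
    a root-owned setuid file, and only those grant root privileges.
    """
    return [
        path
        for path, mode, uid in entries
        if stat.S_ISREG(mode) and uid == 0 and (mode & stat.S_ISUID)
    ]


def assess(release: str, suid_dumpable: str, entries: Iterable[Entry]) -> Dict[str, object]:
    """Combine the three checks into one findings record."""
    hits = find_setuid_root(entries)
    return {
        "kernel_affected": is_affected_version(release),
        "suid_dumpable_default": suid_dumpable_is_default(suid_dumpable),
        "setuid_root_files": hits,
        # Filename from the page's Symptoms section.
        "indicator_present": any(os.path.basename(p) == "pwned" for p in hits),
    }


if __name__ == "__main__":
    # Run against the live host: kernel release, sysctl value, and /tmp contents.
    try:
        with open("/proc/sys/fs/suid_dumpable") as f:
            dumpable = f.read()
    except OSError:
        dumpable = "unknown"
    for key, value in assess(os.uname().release, dumpable, walk_entries("/tmp")).items():
        print(f"{key}: {value}")
```

Run as root so the walk can lstat every entry; a setuid hit in /tmp is worth investigating on any kernel, since the file is an artifact of a successful run rather than of the vulnerability itself.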

 

Method of Infection

Linux/Exploit-PRCTL exploits a behavioral flaw in core dump handling in specific Linux 2.6 kernels with suid_dumpable support (CVE-2006-2451).

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

Linux/Exploit-PRCTL is a detection for ELF binaries that attempt to exploit a prctl() local privilege escalation vulnerability in the Linux 2.6 kernel. When successful, this malware can provide root user privileges to the malicious user. Several versions of proof of concept code are known to have been published on the Internet.

This malware may be used in conjunction with other exploits to penetrate Linux servers remotely.
