CVE-2010-4170

SystemTap 1.3 - Privilege Escalation via MODPROBE_OPTIONS Environment Variable


Exploitation Summary

EIP tracks 3 public exploits for CVE-2010-4170. PoCs were published by Metasploit, Tavis Ormandy, and bcoles, including the Metasploit module exploits/linux/local/systemtap_modprobe_options_priv_esc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2010-4170, a privilege escalation vulnerability in SystemTap's `staprun` executable. It leverages the `MODPROBE_OPTIONS` environment variable to execute arbitrary commands with root privileges by injecting a malicious configuration file.

Description

The staprun runtime tool in SystemTap 1.3 does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE_OPTIONS environment variable to specify a malicious configuration file.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · linux
https://www.exploit-db.com/exploits/46730

This Metasploit module exploits CVE-2010-4170, a privilege escalation vulnerability in SystemTap's `staprun` executable. It leverages the `MODPROBE_OPTIONS` environment variable to execute arbitrary commands with root privileges by injecting a malicious configuration file.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: SystemTap 1.3 and earlier
No auth needed
Prerequisites: Access to a vulnerable SystemTap installation · Write permissions in a directory (e.g., /tmp) · The `staprun` binary must be setuid root
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by Tavis Ormandy · bash · local · linux
https://www.exploit-db.com/exploits/15620

This exploit leverages a vulnerability in the Linux kernel's handling of the MODPROBE_OPTIONS environment variable to execute arbitrary commands with elevated privileges. It creates a malicious configuration file to spawn a shell when the 'uprobes' module is loaded via staprun.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Linux kernel (versions prior to the fix in RHSA-2010-0894)
No auth needed
Prerequisites: Access to a system with vulnerable kernel · Ability to set environment variables
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Tavis Ormandy, bcoles · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb

This Metasploit module exploits a privilege escalation vulnerability in SystemTap's `staprun` executable (CVE-2010-4170) by leveraging the `MODPROBE_OPTIONS` environment variable to execute arbitrary commands with root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: SystemTap version 1.3 and earlier
No auth needed
Prerequisites: Access to a system with vulnerable SystemTap installation · Write permissions in a directory (e.g., /tmp)
devstral-2 · analyzed Feb 16, 2026

References (19)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/63344
Various Sources mailing-list x_refsource_mlist
http://sources.redhat.com/ml/systemtap/2010-q4/msg00230.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051127.html
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/15620
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42263
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0894.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0895.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42306
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/44914
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2348
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024754
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/46920
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42256
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42318
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051122.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46730/

Scores

EPSS 0.2408
EPSS Percentile 96.2%

Details

CWE: CWE-264
Status: published
Products (1)
systemtap/systemtap 1.3
Published Dec 07, 2010
Tracked Since Feb 18, 2026