oss-sec mailing list archives
Re: Re: Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch
From: Solar Designer <solar () openwall com>
Date: Mon, 14 Aug 2017 00:07:02 +0200
On Sun, Aug 13, 2017 at 06:21:55PM +0200, Andrey Konovalov wrote:
> ### Exploitation
>
> The bug can be exploited by an unprivileged user if:
>
> 1. User can set up an interface with UFO enabled and MTU < 65535 or such
>    interface is already present in the system. The former is possible from
>    inside a user namespace.
>
> 2. User can disable the NETIF_F_UFO interface feature or set the
>    SO_NO_CHECK socket option. The former requires CAP_NET_ADMIN. The latter
>    is only possible after 40ba330227ad ("udp: disallow UFO for sockets with
>    SO_NO_CHECK option") from Jan 11 2016. Both are possible from inside a
>    user namespace.
>
> In particular, the bug can be exploited by an unprivileged user if
> unprivileged user namespaces are available.
>
> Below is a link to a proof-of-concept exploit that gets root on a range of
> Ubuntu kernels. The exploit triggers an out-of-bounds write on a socket
> buffer and overwrites skb_shared_info.destructor_arg->callback with a
> pointer to shellcode. The exploit includes SMEP and KASLR bypasses, but no
> SMAP bypass.
>
> Link: https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
Nice collection of Linux kernel exploits you got there:

https://github.com/xairy/kernel-exploits

Also relevant:

https://github.com/xairy/ubuntu-hardening#restict-information-exposed-by-the-kernel
https://github.com/xairy/kaslr-bypass-via-prefetch
https://github.com/xairy/linux-kernel-exploitation

Still, for archival purposes please attach the actual exploits to your
oss-security postings as well.  I've attached your poc.c for this bug.

Alexander
Attachment: poc.c
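The exploitation preconditions quoted above (a UFO-enabled interface with MTU < 65535, the SO_NO_CHECK route to the non-UFO path, and unprivileged user namespaces) are each observable from userspace. The checker below is an added example, written for this archive page; it is not part of the advisory and not xairy's poc.c, and all function names in it are my own. It uses only existing Linux interfaces (SIOCGIFMTU, the legacy ETHTOOL_GUFO ioctl, the SO_NO_CHECK socket option and unshare(CLONE_NEWUSER)) and reports whether the advisory's conditions hold on the running host. It does not tell you whether the kernel is patched: a kernel with UFO removed simply reports the feature as off.

```c
/*
 * Precondition checker for CVE-2017-1000112 (added example, not the
 * advisory's code and not poc.c; helper names are hypothetical).
 *
 * Build: gcc -Wall -o ufo-check ufo-check.c
 * Run:   ./ufo-check [ifname]      (defaults to "lo")
 */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <net/if.h>
#include <linux/ethtool.h>
#include <linux/sockios.h>

/* Condition 1, MTU part: 65535 is the largest IPv4 datagram, so any smaller
 * MTU means a maximal UDP datagram cannot go out in one piece. */
int mtu_below_max_datagram(int mtu)
{
    return mtu > 0 && mtu < 65535;
}

/* Read an interface's MTU with SIOCGIFMTU. Returns -1 on error. */
int iface_mtu(const char *ifname)
{
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    int rc = ioctl(fd, SIOCGIFMTU, &ifr);
    close(fd);
    return rc < 0 ? -1 : ifr.ifr_mtu;
}

/* Condition 1, UFO part: query the legacy ETHTOOL_GUFO feature bit.
 * Returns 1 (on), 0 (off) or -1 if the interface does not exist or the
 * kernel/driver rejects the ioctl. A kernel without UFO reports "off". */
int iface_ufo_enabled(const char *ifname)
{
    struct ifreq ifr;
    struct ethtool_value ev;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&ifr, 0, sizeof(ifr));
    memset(&ev, 0, sizeof(ev));
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    ev.cmd = ETHTOOL_GUFO;
    ifr.ifr_data = (char *)&ev;
    int rc = ioctl(fd, SIOCETHTOOL, &ifr);
    close(fd);
    return rc < 0 ? -1 : (ev.data ? 1 : 0);
}

/* Condition 2: SO_NO_CHECK is an ordinary socket option, so no privilege
 * is needed for the advisory's second route. Returns 1 if it was accepted
 * on a fresh UDP socket. */
int can_set_so_no_check(void)
{
    int one = 1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return 0;
    int rc = setsockopt(fd, SOL_SOCKET, SO_NO_CHECK, &one, sizeof(one));
    close(fd);
    return rc == 0;
}

/* Unprivileged user namespaces: try unshare(CLONE_NEWUSER) in a throwaway
 * child so the checker itself stays in its original namespace. */
int unprivileged_userns_available(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Combine exactly as the advisory states: condition 1 holds if a suitable
 * interface already exists or the user can create one inside a user
 * namespace; condition 2 holds if SO_NO_CHECK can be set or NETIF_F_UFO can
 * be dropped inside a user namespace. */
int preconditions_met(int ufo_on, int mtu, int no_check_ok, int userns_ok)
{
    int iface_ok = (ufo_on == 1 && mtu_below_max_datagram(mtu)) || userns_ok > 0;
    int switch_ok = no_check_ok || userns_ok > 0;
    return iface_ok && switch_ok;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "lo";
    int mtu = iface_mtu(ifname), ufo = iface_ufo_enabled(ifname);
    int no_check = can_set_so_no_check(), userns = unprivileged_userns_available();

    printf("%s: mtu=%d ufo=%s\n", ifname, mtu, ufo < 0 ? "unknown" : ufo ? "on" : "off");
    printf("SO_NO_CHECK settable: %s\n", no_check ? "yes" : "no");
    printf("unprivileged userns:  %s\n", userns > 0 ? "yes" : "no");
    printf("advisory preconditions met (unpatched kernel assumed): %s\n",
           preconditions_met(ufo, mtu, no_check, userns) ? "yes" : "no");
    return 0;
}
```

On a host where the last line says "yes", the remaining question is only whether the kernel carries the fix; on hosts where unprivileged user namespaces are off, an attacker is left needing either a pre-existing UFO interface with a small MTU or CAP_NET_ADMIN, which is the mitigation the ubuntu-hardening link above is getting at.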