Date: Mon, 14 Aug 2017 00:07:02 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Andrey Konovalov <andreyknvl@...il.com>, willemdebruijn.kernel@...il.com, Dmitry Vyukov <dvyukov@...gle.com>, Kostya Serebryany <kcc@...gle.com>
Subject: Re: Re: Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch

On Sun, Aug 13, 2017 at 06:21:55PM +0200, Andrey Konovalov wrote:
> ### Exploitation
>
> The bug can be exploited by an unprivileged user if:
>
> 1. User can set up an interface with UFO enabled and MTU < 65535 or
> such interface is already present in the system. The former is
> possible from inside a user namespace.
>
> 2. User can disable the NETIF_F_UFO interface feature or set the
> SO_NO_CHECK socket option. The former requires CAP_NET_ADMIN. The
> latter is only possible after 40ba330227ad ("udp: disallow UFO for
> sockets with SO_NO_CHECK option") from Jan 11 2016. Both are possible
> from inside a user namespace.
>
> In particular, the bug can be exploited by an unprivileged user if
> unprivileged user namespaces are available.
>
> Below is a link to a proof-of-concept exploit that gets root on a
> range of Ubuntu kernels. The exploit triggers an out-of-bounds write
> on a socket buffer and overwrites
> skb_shared_info.destructor_arg->callback with a pointer to shellcode.
> The exploit includes SMEP and KASLR bypasses, but no SMAP bypass.
>
> Link: https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c

Nice collection of Linux kernel exploits you got there:

https://github.com/xairy/kernel-exploits

Also relevant:

https://github.com/xairy/ubuntu-hardening#restict-information-exposed-by-the-kernel
https://github.com/xairy/kaslr-bypass-via-prefetch
https://github.com/xairy/linux-kernel-exploitation

Still, for archival purposes please attach the actual exploits to your
oss-security postings as well.  I've attached your poc.c for this bug.

Alexander

[Attachment: "poc.c", text/x-c, 22887 bytes]
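The two preconditions quoted above (a UFO-enabled interface with MTU < 65535, plus the ability to disable NETIF_F_UFO or set SO_NO_CHECK, both reachable from an unprivileged user namespace) can be audited on a host without touching the bug itself. The program below is an added example written for this page; it is not part of the thread and not the poc.c from the xairy repository, and it does not trigger the vulnerability. It assumes a Linux build environment with the UAPI headers, probes user-namespace creation with unshare(CLONE_NEWUSER) in a forked child, reads back SO_NO_CHECK on a UDP socket, and queries the interface named on the command line (default "lo", an assumption) through SIOCGIFMTU and the legacy ETHTOOL_GUFO ethtool command. The decision logic mirrors the advisory's two numbered conditions and treats "unknown" (-1) as "not satisfied".

```c
/* ufo_precheck.c: audit whether an unprivileged user on this host can meet the
 * CVE-2017-1000112 preconditions listed in the advisory.  Added example; does
 * not trigger the bug.  Build: cc -Wall -o ufo_precheck ufo_precheck.c */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <net/if.h>
#include <netinet/in.h>
#include <linux/ethtool.h>
#include <linux/sockios.h>

#ifndef SO_NO_CHECK
#define SO_NO_CHECK 11          /* Linux value from asm-generic/socket.h */
#endif
#ifndef ETHTOOL_GUFO
#define ETHTOOL_GUFO 0x00000021 /* legacy "get UFO enable" ethtool command */
#endif

/* 1 if an unprivileged process can create a user namespace, 0 if the kernel
 * refuses, -1 if the probe itself failed.  Done in a child so the caller's
 * own namespaces are untouched. */
int userns_available(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* 1 if SO_NO_CHECK can be enabled on a UDP socket (confirmed by reading it
 * back), 0 if the kernel refuses, -1 if no socket could be created. */
int so_no_check_settable(void)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;
    int one = 1, got = 0;
    socklen_t len = sizeof got;
    int ok = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &one, sizeof one) == 0 &&
             getsockopt(s, SOL_SOCKET, SO_NO_CHECK, &got, &len) == 0 && got == 1;
    close(s);
    return ok;
}

/* MTU of ifname via SIOCGIFMTU, or -1 on error (e.g. no such interface). */
int iface_mtu(const char *ifname)
{
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    snprintf(ifr.ifr_name, IFNAMSIZ, "%s", ifname);
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;
    int rc = ioctl(s, SIOCGIFMTU, &ifr);
    close(s);
    return rc == 0 ? ifr.ifr_mtu : -1;
}

/* 1 if the driver reports UDP fragmentation offload (NETIF_F_UFO) on for
 * ifname, 0 if off, -1 if the query fails (no interface, or kernel without
 * UFO support). Ethtool GET commands need no privilege. */
int iface_ufo_enabled(const char *ifname)
{
    struct ethtool_value ev = { .cmd = ETHTOOL_GUFO, .data = 0 };
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    snprintf(ifr.ifr_name, IFNAMSIZ, "%s", ifname);
    ifr.ifr_data = (char *)&ev;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;
    int rc = ioctl(s, SIOCETHTOOL, &ifr);
    close(s);
    return rc == 0 ? (ev.data != 0) : -1;
}

/* The advisory's two conditions, with each probe result given as 1/0/-1.
 * Condition 1: a UFO interface with MTU < 65535 exists, or the user can set one
 * up (possible inside a user namespace).  Condition 2: the user can disable
 * NETIF_F_UFO (CAP_NET_ADMIN, available inside a user namespace) or can set
 * SO_NO_CHECK on the socket. */
int preconditions_met(int userns, int ufo, int mtu, int so_no_check)
{
    int cond1 = userns == 1 || (ufo == 1 && mtu > 0 && mtu < 65535);
    int cond2 = userns == 1 || so_no_check == 1;
    return cond1 && cond2;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "lo"; /* assumed default */
    int userns = userns_available();
    int ufo = iface_ufo_enabled(ifname), mtu = iface_mtu(ifname);
    int noc = so_no_check_settable();
    printf("unprivileged user namespaces: %d\n", userns);
    printf("%s: UFO=%d MTU=%d  SO_NO_CHECK settable: %d\n", ifname, ufo, mtu, noc);
    printf("advisory preconditions reachable: %s\n",
           preconditions_met(userns, ufo, mtu, noc) ? "yes" : "no");
    return 0;
}
```

Because the advisory singles out unprivileged user namespaces as sufficient on their own, a "1" from userns_available() is the result to act on first: on Ubuntu kernels the kernel.unprivileged_userns_clone sysctl turns that off, which removes the stated route for a user who has neither CAP_NET_ADMIN nor a pre-existing UFO interface with a small MTU.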