Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 14 Aug 2017 00:07:02 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Andrey Konovalov <andreyknvl@...il.com>,
	willemdebruijn.kernel@...il.com, Dmitry Vyukov <dvyukov@...gle.com>,
	Kostya Serebryany <kcc@...gle.com>
Subject: Re: Re: Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch

On Sun, Aug 13, 2017 at 06:21:55PM +0200, Andrey Konovalov wrote:
> ### Exploitation
> 
> The bug can be exploited by an unprivileged user if:
> 
> 1. User can set up an interface with UFO enabled and MTU < 65535 or
> such interface is already present in the system. The former is
> possible from inside a user namespace.
> 
> 2. User can disable the NETIF_F_UFO interface feature or set the
> SO_NO_CHECK socket option. The former requires CAP_NET_ADMIN. The
> latter is only possible after 40ba330227ad ("udp: disallow UFO for
> sockets with SO_NO_CHECK option") from Jan 11 2016. Both are possible
> from inside a user namespace.
> 
> In particular, the bug can be exploited by an unprivileged user if
> unprivileged user namespaces are available.
> 
> Below is a link to a proof-of-concept exploit, that gets root on a
> range of Ubuntu kernels. The exploit triggers an out-of-bounds write
> on a socket buffer and overwrites
> skb_shared_info.destructor_arg->callback with a pointer to shellcode.
> The exploit includes a SMEP and KASLR bypasses, but no SMAP bypass.
> 
> Link: https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c

Nice collection of Linux kernel exploits you got there:

https://github.com/xairy/kernel-exploits

Also relevant:

https://github.com/xairy/ubuntu-hardening#restict-information-exposed-by-the-kernel
https://github.com/xairy/kaslr-bypass-via-prefetch
https://github.com/xairy/linux-kernel-exploitation

Still, for archival purposes please attach the actual exploits to your
oss-security postings as well.  I've attached your poc.c for this bug.

Alexander

View attachment "poc.c" of type "text/x-c" (22887 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.