Date: Mon, 14 Aug 2017 00:07:02 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Andrey Konovalov <andreyknvl@...il.com>,
	willemdebruijn.kernel@...il.com, Dmitry Vyukov <dvyukov@...gle.com>,
	Kostya Serebryany <kcc@...gle.com>
Subject: Re: Re: Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch

On Sun, Aug 13, 2017 at 06:21:55PM +0200, Andrey Konovalov wrote:
> ### Exploitation
> 
> The bug can be exploited by an unprivileged user if:
> 
> 1. User can set up an interface with UFO enabled and MTU < 65535 or
> such interface is already present in the system. The former is
> possible from inside a user namespace.
> 
> 2. User can disable the NETIF_F_UFO interface feature or set the
> SO_NO_CHECK socket option. The former requires CAP_NET_ADMIN. The
> latter is only possible after 40ba330227ad ("udp: disallow UFO for
> sockets with SO_NO_CHECK option") from Jan 11 2016. Both are possible
> from inside a user namespace.
> 
> In particular, the bug can be exploited by an unprivileged user if
> unprivileged user namespaces are available.
> 
> Below is a link to a proof-of-concept exploit that gets root on a
> range of Ubuntu kernels. The exploit triggers an out-of-bounds write
> on a socket buffer and overwrites
> skb_shared_info.destructor_arg->callback with a pointer to shellcode.
> The exploit includes SMEP and KASLR bypasses, but no SMAP bypass.
> 
> Link: https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c

Nice collection of Linux kernel exploits you got there:

https://github.com/xairy/kernel-exploits

Also relevant:

https://github.com/xairy/ubuntu-hardening#restict-information-exposed-by-the-kernel
https://github.com/xairy/kaslr-bypass-via-prefetch
https://github.com/xairy/linux-kernel-exploitation

Still, for archival purposes please attach the actual exploits to your
oss-security postings as well.  I've attached your poc.c for this bug.

Alexander

View attachment "poc.c" of type "text/x-c" (22887 bytes)
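The preconditions quoted above (an interface with UFO enabled and an MTU below 65535, plus either unprivileged user namespaces or the SO_NO_CHECK path on kernels that carry 40ba330227ad) are something an administrator can verify on a host before and after patching. The script below is an added triage helper, not part of the original thread or of the linked xairy repositories. It assumes the stock ethtool feature string `udp-fragmentation-offload` for NETIF_F_UFO, the Ubuntu/Debian sysctl `kernel.unprivileged_userns_clone`, and mainline's `user.max_user_namespaces`; the parsing is done on text so it can be exercised on constructed samples, and `--live` runs the real commands.

```shell
#!/bin/sh
# Added example (not from the original posting or from xairy's repositories):
# report whether a host matches the preconditions quoted in the advisory for
# CVE-2017-1000112. Checks are split into small text-parsing functions so the
# logic can be run offline on constructed input; --live gathers real values.

# Does an "ethtool -k <dev>" dump show UFO enabled? Prints yes/no.
# Assumption: the feature is named "udp-fragmentation-offload" (NETIF_F_UFO).
ufo_enabled() {
    printf '%s\n' "$1" | grep -q '^udp-fragmentation-offload: on' \
        && echo yes || echo no
}

# Is the interface MTU below the 65535 limit named in the report? Prints yes/no.
mtu_below_max() {
    [ "$1" -lt 65535 ] 2>/dev/null && echo yes || echo no
}

# Can an unprivileged user create a user namespace? Prints yes/no.
# $1 = kernel.unprivileged_userns_clone (Ubuntu/Debian; 1 = allowed),
# $2 = user.max_user_namespaces (mainline; 0 = none allowed).
# Either knob set to 0 is treated as "namespaces unavailable".
userns_available() {
    if [ "$1" = "0" ] || [ "$2" = "0" ]; then echo no; else echo yes; fi
}

# Combine the conditions from the report for one interface:
#  - with unprivileged user namespaces, the user can create the UFO interface
#    and toggle the feature, so the host is exposed regardless of this device;
#  - without them, an existing UFO interface with MTU < 65535 is still enough
#    for an unprivileged user via SO_NO_CHECK on kernels after Jan 11 2016.
# Prints exposed-userns, exposed-ufo-iface, or not-exposed.
assess() {
    feats="$1"; mtu="$2"; clone="$3"; maxns="$4"
    if [ "$(userns_available "$clone" "$maxns")" = yes ]; then
        echo exposed-userns
    elif [ "$(ufo_enabled "$feats")" = yes ] && [ "$(mtu_below_max "$mtu")" = yes ]; then
        echo exposed-ufo-iface
    else
        echo not-exposed
    fi
}

# Live mode: query sysctl and ethtool on this host. A sysctl that does not
# exist is treated as permissive ("1") so that absence never hides exposure.
live_check() {
    clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo 1)
    maxns=$(sysctl -n user.max_user_namespaces 2>/dev/null || echo 1)
    echo "unprivileged_userns_clone=$clone max_user_namespaces=$maxns"
    for dev in /sys/class/net/*; do
        dev=${dev##*/}
        feats=$(ethtool -k "$dev" 2>/dev/null) || continue
        mtu=$(cat "/sys/class/net/$dev/mtu")
        printf '%s: ufo=%s mtu=%s -> %s\n' "$dev" "$(ufo_enabled "$feats")" \
            "$mtu" "$(assess "$feats" "$mtu" "$clone" "$maxns")"
    done
}

# Constructed sample (not captured from a real host): a UFO-capable device
# with a normal MTU on a system where user namespaces are disabled.
SAMPLE_FEATS='rx-checksumming: on
udp-fragmentation-offload: on
tcp-segmentation-offload: off'
echo "sample: $(assess "$SAMPLE_FEATS" 1500 0 100000)"   # exposed-ufo-iface

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it with no arguments to see the constructed sample, or with `--live` (as root, so that `ethtool -k` works on every device) to get one line per interface. Treating a missing sysctl as permissive is deliberate: on a mainline kernel without the Ubuntu knob, namespaces are allowed unless `user.max_user_namespaces` is zero, so the conservative reading is "available".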
