Lucene search
Qian ZhangEXPLOITPACK:9D752285F4A2795E32FB57E31FD31AB0HistoryOct 10, 2016 - 12:00 a.m.
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Local Privilege Escalation
2016-10-1000:00:00
Qian Zhang
35
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Local Privilege Escalation
# Exploit Title: Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call
# Date: 2016.10.8
# Exploit Author: Qian Zhang@MarvelTeam Qihoo 360
# Version: Linux kernel <= 4.6.2
# Tested on: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic
# CVE: CVE-2016-4997
# Reference:http://www.openwall.com/lists/oss-security/2016/09/29/10
# Contact: [email protected]
#DESCRIPTION
#===========
#The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields,
#which allows local users to escalade privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with ip6_tables module loaded.
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ls
compile.sh enjoy enjoy.c pwn pwn.c version.h
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ sudo modprobe ip6_tables
[sudo] password for zhang_q:
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ./pwn
pwn begin, let the bullets fly . . .
and wait for a minute . . .
pwn over, let's enjoy!
preparing payload . . .
trigger modified tty_release . . .
got root, enjoy :)
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE#
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# hostnamectl
Static hostname: ubuntu
Icon name: computer-vm
Chassis: vm
Machine ID: 355cdf4ce8a048288640c2aa933c018f
Virtualization: vmware
Operating System: Ubuntu 16.04.1 LTS
Kernel: Linux 4.4.0-21-generic
Architecture: x86-64
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE#
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40489.zipRelated
prion
prion
Memory corruption
2016-07-03 21:59:00
cve
cve
CVE-2016-4997
2016-07-03 21:59:00
zdt
zdt
Linux Kernel 4.6.3 Netfilter Privilege Escalation Exploit
2016-11-24 00:00:00
Linux Kernel 4.6.3 Netfilter Privilege Escalation Vulnerability
2016-09-27 00:00:00
metasploit
metasploit
Linux Kernel 4.6.3 Netfilter Privilege Escalation
2016-11-18 18:52:09
packetstorm
packetstorm
Linux Kernel 4.6.3 Netfilter Privilege Escalation
2016-11-23 00:00:00
Linux Kernel 4.6.3 Netfilter Privilege Escalation
2016-09-27 00:00:00
redhatcve
redhatcve
CVE-2016-4997
2016-06-27 06:49:15
veracode
veracode
Denial Of Service (DoS)
2019-05-02 05:49:27
debiancve
debiancve
CVE-2016-4997
2016-07-03 21:59:00
ubuntucve
ubuntucve
CVE-2016-4997
2016-06-24 00:00:00
exploitdb
exploitdb
nessus
nessus
Ubuntu 12.04 LTS : linux vulnerabilities (USN-3338-1)
2017-06-22 00:00:00
SUSE SLES12 Security Update : kernel (SUSE-SU-2016:2632-1) (Dirty COW)
2016-10-26 00:00:00
Ubuntu 12.04 LTS : linux regression (USN-3338-2) (Stack Clash)
2017-06-30 00:00:00
suse
suse
Security update for Linux Kernel Live Patch 10 for SLE 12 (important)
2016-10-26 03:06:29
Security update for Linux Kernel Live Patch 9 for SLE 12 (important)
2016-10-26 03:09:01
Security update for the Linux Kernel (important)
2016-06-30 21:07:43
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2016-09-22 00:00:00
Unbreakable Enterprise kernel security update
2016-09-22 00:00:00
Unbreakable Enterprise kernel security update
2016-09-22 00:00:00
openvas
openvas
SUSE: Security Advisory for kernel (SUSE-SU-2016:1710-1)
2016-07-01 00:00:00
Amazon Linux: Security Advisory (ALAS-2016-718)
2016-10-26 00:00:00
CentOS Update for kernel CESA-2016:1847 centos7
2016-09-20 00:00:00
ubuntu
ubuntu
Linux kernel regression
2017-06-29 00:00:00
Linux kernel vulnerabilities
2017-06-21 00:00:00
Linux kernel (Raspberry Pi 2) vulnerabilities
2016-06-27 00:00:00
redhat
redhat
(RHSA-2016:1883) Important: kernel-rt security and bug fix update
2016-09-14 14:42:27
(RHSA-2016:1847) Important: kernel security, bug fix, and enhancement update
2016-09-14 14:34:54
(RHSA-2016:1875) Important: kernel-rt security and bug fix update
2016-09-14 14:34:58
fedora
fedora
[SECURITY] Fedora 22 Update: kernel-4.4.14-200.fc22
2016-07-19 07:20:52
[SECURITY] Fedora 24 Update: kernel-4.6.3-300.fc24
2016-06-30 21:30:47
amazon
amazon
Medium: kernel
2016-06-24 22:21:00
centos
centos
kernel, perf, python security update
2016-09-19 15:43:06
ibm
ibm
Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM
2018-06-18 01:34:02
mageia
mageia
Updated kernel-linus packages fix security vulnerabilities
2016-08-31 18:32:33
Updated kernel-tmb packages fix security vulnerabilities
2016-08-31 18:32:33
Updated kernel packages fix security vulnerability
2016-07-31 23:39:13
cloudfoundry
cloudfoundry
USN 3020-1 Linux kernel (Vivid HWE) vulnerabilities | Cloud Foundry
2016-07-01 00:00:00
debian
debian
[SECURITY] [DSA 3607-1] linux security update
2016-06-28 09:56:48
[SECURITY] [DSA 3607-1] linux security update
2016-06-28 09:56:48
osv
osv
linux - security update
2016-06-28 00:00:00
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
Related for EXPLOITPACK:9D752285F4A2795E32FB57E31FD31AB0