HackerOne report H1:347282 (reporter: xairy)
History: May 03, 2018 - 10:10 p.m.

Internet Bug Bounty: Linux kernel: CVE-2017-6074: DCCP double-free vulnerability

2018-05-03 22:10:54
xairy
hackerone.com
76

7.8 High (CVSS3)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High (CVSS2)
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low (percentile 7.6%)

Hi!

CVE-2017-6074 [1] is a double-free vulnerability I found in the Linux kernel. It can be exploited to gain kernel code execution from an unprivileged process. The kernel needs to be built with CONFIG_IP_DCCP for the vulnerability to be present. A lot of modern distributions enable this option by default.

Fixed on Feb 17, 2017 [2]. The oldest version that I checked is 2.6.18 (Sep 2006), which is vulnerable. However, the bug was introduced before that, probably in the first release with DCCP support (2.6.14, Oct 2005).

I initially reported this vulnerability to [email protected] following the coordinated disclosure process. The timeline and more details about the vulnerability can be found in my announcement on oss-security [3]. A proof-of-concept exploit for the 4.4.0-62-generic #83-Ubuntu kernel can be found here [4, 5].

The reason I'm reporting this now is that I just saw a similar bug [6] in the Windows kernel reported to this program, and that reminded me of a Sandbox Escape program that used to be on HackerOne. I thought it made sense to see if IBB would come back to considering this kind of bug eligible for a bounty.

Thanks!

[1] https://nvd.nist.gov/vuln/detail/CVE-2017-6074

[2] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4

[3] http://seclists.org/oss-sec/2017/q1/471

[4] https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074

[5] http://seclists.org/oss-sec/2017/q1/503

[6] https://hackerone.com/reports/48100

Impact

This vulnerability allows a local attacker to elevate privileges to root on a machine with a vulnerable Linux kernel version.
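The report states that the vulnerable code is only present when the kernel is built with CONFIG_IP_DCCP. The script below is an added example and is not part of xairy's report or of the linked PoC: it classifies a kernel config's CONFIG_IP_DCCP setting (built in, module, or absent) from a plain-text config, and applies that to the running kernel via /proc/config.gz or /boot/config-$(uname -r). The distinction between =y and =m is an added practitioner note: with =m the dccp code is not resident until a process first creates a DCCP socket, at which point the module is autoloaded unless module loading for it has been blocked. The sample configs it writes are constructed for the demo and are not real kernel configs.

```shell
#!/bin/sh
# Added example (not from xairy's report): classify CONFIG_IP_DCCP in a
# kernel config. CVE-2017-6074 lives in net/dccp, so a kernel built without
# that option does not carry the bug; one built with =m carries it but only
# loads the code when a DCCP socket is first created.

# Print "y", "m", "n" or "unknown" for the CONFIG_IP_DCCP line in file $1.
# The pattern requires "=" right after CONFIG_IP_DCCP, so sub-options such as
# CONFIG_IP_DCCP_CCID3 do not match.
dccp_config_state() {
    awk -F= '
        /^CONFIG_IP_DCCP=/             { print $2; found = 1; exit }
        /^# CONFIG_IP_DCCP is not set/ { print "n"; found = 1; exit }
        END { if (!found) print "unknown" }
    ' "$1"
}

# Human-readable verdict for a state string returned by dccp_config_state.
dccp_verdict() {
    case "$1" in
        y) echo "DCCP built in: vulnerable code present unless the kernel is patched" ;;
        m) echo "DCCP is a module: loaded on first DCCP socket unless blocked" ;;
        n) echo "DCCP not built: CVE-2017-6074 code absent" ;;
        *) echo "CONFIG_IP_DCCP not found in config" ;;
    esac
}

# Check the running kernel using whichever config source is readable.
running_kernel_dccp_state() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp)
        gzip -dc /proc/config.gz > "$tmp"
        dccp_config_state "$tmp"
        rm -f "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        dccp_config_state "/boot/config-$(uname -r)"
    else
        echo unknown
    fi
}

# Write a constructed (fake) config fragment with DCCP setting $2 (y, m or n)
# to path $1, so the parser can be exercised without a real kernel config.
write_sample_config() {
    {
        echo "# Constructed sample, not a real kernel config"
        echo "CONFIG_IPV6=y"
        case "$2" in
            y|m) echo "CONFIG_IP_DCCP=$2"
                 echo "CONFIG_IP_DCCP_CCID3=$2" ;;
            n)   echo "# CONFIG_IP_DCCP is not set" ;;
        esac
    } > "$1"
}

# Stand-alone run: show the three sample verdicts, then the live kernel.
if [ "${DCCP_CHECK_DEMO:-1}" = 1 ]; then
    d=$(mktemp -d)
    for s in y m n; do
        write_sample_config "$d/config-$s" "$s"
        echo "sample ($s): $(dccp_verdict "$(dccp_config_state "$d/config-$s")")"
    done
    rm -rf "$d"
    echo "running kernel: $(dccp_verdict "$(running_kernel_dccp_state)")"
fi
```

Set DCCP_CHECK_DEMO=0 to source the file for its functions only. The config check says whether the code can be present; whether it is actually patched still has to be decided from the kernel version against the fix commit in [2].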
