
Feb 23, 2017 - 12:00 a.m.

Privilege escalation vulnerability exposed after lurking in the Linux kernel for 11 years - Black Bar Safety Net






Vulnerability number
Vulnerability overview
The Linux kernel has recently exposed another privilege escalation vulnerability, this one traceable back to 2005. It affects the major Linux distributions, including Red Hat, Debian, openSUSE and Ubuntu. Using it, an attacker can go from a low-privilege process to kernel code execution. The oldest version currently known to be affected is 2.6.18 (September 2006), but the vulnerability may already have existed in earlier versions, possibly since DCCP support was added in 2.6.14 in October 2005.
In the disclosure posted on Seclists.org, the author Andrey Konovalov said he will release a PoC soon, the delay being intended to give time for fixes.
Security researcher Andrey Konovalov recently used the Syzkaller fuzzing tool to discover the vulnerability in the Linux kernel's DCCP protocol implementation; the bug had been latent for more than 10 years.
DCCP Protocol
DCCP is a message-oriented transport-layer protocol that minimizes packet header overhead and the amount of processing required at the endpoints. The protocol can establish, maintain and tear down unreliable connections for data streams, and perform congestion control over those unreliable streams.
The DCCP double-free vulnerability allows a local low-privileged user to modify Linux kernel memory, causing a denial of service (system crash) or a privilege escalation that grants administrative access to the system.
Vulnerability details
This is a use-after-free (UAF) vulnerability: when IPV6_RECVPKTINFO is enabled, the kernel, while parsing DCCP, determines that it has received a DCCP_PKT_REQUEST packet and frees the SKB used during parsing. (“The DCCP protocol implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket.”)
In the current implementation, when dccp_v6_conn_request returns a value, dccp_rcv_state_process frees the SKB of the received DCCP_PKT_REQUEST packet via __kfree_skb. However, if the kernel is built with IPv6 and IPV6_RECVPKTINFO is enabled on the socket, the skb address is stored in ireq->pktopts and dccp_v6_conn_request increments its reference count, so the skb is still in use; that reference is not supposed to be dropped until dccp_rcv_state_process releases it, yet the skb has already been freed.
With kernel heap spraying techniques, an attacker could then gain control of an object and overwrite its contents with arbitrary data. If the overwritten object contains a function pointer that can be triggered, the attacker can execute arbitrary code in the kernel.
This is not a remote code execution vulnerability, so an attacker must have a local account on the system to exploit it.
Two months ago, the Linux kernel exposed a similar privilege escalation vulnerability, CVE-2016-8655, traceable back to 2011: a low-privileged local user could exploit a race condition in the Linux kernel's af_packet implementation to gain root access.

The manual fix: call consume_skb instead of jumping to discard and calling __kfree_skb.
![](/Article/UploadPic/2017-2/201722319322422.png)
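To illustrate why the fix above matters, here is an added example (not code from the article or from the Linux kernel) that models the sk_buff reference-count contract behind this bug: the structs, `skb_get`, `consume_skb`, `kfree_skb_direct` (standing in for `__kfree_skb`) and `dccp_request_path` are simplified stand-ins assumed for the demonstration, not the kernel's own code.

```c
/* Added example, not code from the article or from the kernel: a toy model of
 * the sk_buff reference-count contract behind the DCCP bug described above.
 * Names mirror kernel ones, but the structs and helpers are simplified. */
#include <stdio.h>

struct skb {            /* stand-in for struct sk_buff */
    int users;          /* reference count (skb->users) */
    int freed;          /* toy bookkeeping: 1 once the buffer was released */
};

struct inet_request { struct skb *pktopts; };   /* stand-in for ireq->pktopts */

static struct skb *skb_get(struct skb *s) { s->users++; return s; }

/* consume_skb: drop one reference, release only when the count reaches zero */
static void consume_skb(struct skb *s) {
    if (--s->users == 0) s->freed = 1;
}

/* models __kfree_skb: releases the buffer outright, ignoring skb->users */
static void kfree_skb_direct(struct skb *s) { s->freed = 1; }

/* dccp_v6_conn_request with IPV6_RECVPKTINFO set: keeps a reference in pktopts */
static void conn_request(struct inet_request *ireq, struct skb *s) {
    ireq->pktopts = skb_get(s);
}

/* Simulates the request path. Returns 1 if pktopts still points at a buffer that
 * was already released (the double-free condition), 0 otherwise.
 * use_fixed_path selects consume_skb (the fix) or the __kfree_skb model (the bug). */
int dccp_request_path(int use_fixed_path) {
    struct skb s = { .users = 1, .freed = 0 };   /* constructed incoming packet */
    struct inet_request ireq = { 0 };
    conn_request(&ireq, &s);                      /* users == 2 */
    if (use_fixed_path) consume_skb(&s);          /* users == 1, still alive */
    else kfree_skb_direct(&s);                    /* released despite users == 2 */
    int dangling = ireq.pktopts->freed;
    if (!dangling) consume_skb(ireq.pktopts);     /* later legitimate release */
    return dangling;
}

int main(void) {
    printf("buggy path leaves dangling pktopts: %d\n", dccp_request_path(0));
    printf("fixed path leaves dangling pktopts: %d\n", dccp_request_path(1));
    return 0;
}
```

The buggy path reports a dangling pktopts reference, while the consume_skb path leaves the buffer alive until its last holder releases it.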

A more detailed solution is available here. If you are an advanced Linux user, you can apply the patch and rebuild the kernel, or wait for your distribution to publish the update.